Offensive Security Certified OSCP Exam

The OSCP Exam certifies hands-on penetration testing skills. Topics include reconnaissance, vulnerability exploitation, privilege escalation, pivoting, and reporting. Candidates demonstrate the ability to compromise systems ethically and document findings professionally.

Typology: Exams

2025/2026

Available from 01/23/2026

shilpi-jain-2
Offensive Security Certified OSCP Exam
**Question 1.** Which Nmap NSE script is most appropriate for retrieving SMB banner information
from a target host?
A) http-enum
B) smb-os-discovery
C) dns-brute
D) ssl-heartbleed
Answer: B
Explanation: The `smb-os-discovery` script queries SMB services to obtain OS version, domain, and other
banner details.
**Question 2.** When performing passive DNS enumeration, which of the following data sources is
least likely to provide subdomain information?
A) Certificate Transparency logs
B) Search engine cache
C) WHOIS records
D) Reverse DNS zones
Answer: D
Explanation: Reverse DNS zones map IPs to hostnames, not subdomains; the other sources often contain
subdomain entries.
**Question 3.** In the OSCP lab, which of the following is a prohibited usage of automated tools?
A) Using Nmap for port scanning
B) Using Nessus for vulnerability scanning
C) Using sqlmap for fully automatic exploitation of SQLi
D) Using Gobuster for directory brute-forcing
Answer: C


Explanation: The exam rules restrict fully automated exploitation tools like sqlmap; manual exploitation is required.
**Question 4.** Which HTTP status code indicates that a directory listing is likely enabled on the web server?
A) 200 OK
B) 301 Moved Permanently
C) 403 Forbidden
D) 404 Not Found
Answer: A
Explanation: A 200 response with an HTML page showing files indicates directory listing is enabled.
**Question 5.** Which payload type generated by msfvenom is most suitable for a Windows target where outbound connections are blocked but inbound connections are allowed?
A) reverse_tcp
B) bind_tcp
C) reverse_http
D) reverse_https
Answer: B
Explanation: `bind_tcp` opens a listener on the target, allowing the attacker to connect inbound.
**Question 6.** In a Linux system, which permission bit on an executable file allows any user to execute it with the file owner's privileges?
A) setuid
B) setgid
C) sticky bit

A) EnableLUA
B) EnableRemoteDesktop
C) EnableInstaller
D) EnableAdminShare
Answer: C
Explanation: The AlwaysInstallElevated policy allows Windows Installer packages to run with elevated privileges.
**Question 10.** Which BloodHound collection method gathers information about group memberships and local admin rights?
A) Session collection
B) Local admin collection
C) Trust collection
D) ACL collection
Answer: D
Explanation: ACL (Access Control List) collection captures permissions such as group memberships and local admin rights.
**Question 11.** When enumerating SMB shares, which command will list all accessible shares on a target without authentication?
A) smbclient -L //target -N
B) net view \\target
C) nmap -p 445 --script=smb-enum-shares target
D) rpcclient -U "" target
Answer: A
Explanation: The `-N` flag tells smbclient to use a null session, listing shares anonymously.

**Question 12.** Which HTTP parameter manipulation technique is most effective for detecting reflected XSS vulnerabilities?
A) URL encoding the payload twice
B) Using a base64-encoded payload
C) Inserting a script tag directly into a GET parameter
D) Adding a null byte at the end of the payload
Answer: C
Explanation: Directly inserting `<script>` into a reflected parameter often triggers XSS if not properly sanitized.
**Question 13.** Which of the following tools is specifically designed for enumerating DNS zone transfers?
A) dig
B) dnsrecon
C) nslookup
D) host
Answer: B
Explanation: dnsrecon automates zone transfer attempts and other DNS enumeration techniques.
**Question 14.** In a web application, which HTTP header is most commonly used to mitigate clickjacking attacks?
A) X-Content-Type-Options
B) X-Frame-Options
C) Content-Security-Policy
D) X-XSS-Protection

C) lsass.exe
D) mimikatz sekurlsa::logonpasswords
Answer: D
Explanation: Mimikatz's `sekurlsa::logonpasswords` module extracts hashes from memory when executed with sufficient privileges.
**Question 18.** Which SMB version is deprecated and should be disabled to reduce attack surface?
A) SMBv
B) SMBv
C) SMBv2.
D) SMBv
Answer: A
Explanation: SMBv1 is old, insecure, and often exploited (e.g., EternalBlue).
**Question 19.** In the context of Kerberoasting, which service ticket is targeted for offline cracking?
A) TGT (Ticket Granting Ticket)
B.1) TGS (Ticket Granting Service) for user accounts
B.2) TGS for service accounts (SPNs)
C) AS-REP ticket
D) PAC (Privilege Attribute Certificate)
Answer: B.
Explanation: Kerberoasting extracts service tickets (TGS) for accounts with SPNs, which contain encrypted password hashes.
**Question 20.** Which of the following is a common indicator that a Linux system has a world-writable cron file?

A) /etc/crontab permission -rw-r--r--
B) /etc/cron.d/ directory permission drwxrwxrwx
C) Presence of a file named root in /var/spool/cron/
D) /etc/cron.allow contains *
Answer: B
Explanation: A world-writable cron.d directory allows any user to drop malicious cron jobs.
**Question 21.** Which technique is used to bypass a web application firewall (WAF) by encoding payloads in multiple layers?
A) Parameter pollution
B) Double URL encoding
C) HTTP smuggling
D) Header injection
Answer: B
Explanation: Double URL encoding can evade simple pattern-matching WAF rules.
**Question 22.** Which PowerShell cmdlet can retrieve a list of domain users and their last logon timestamps?
A) Get-ADUser -Properties LastLogon
B) net user /domain
C) dsquery user -o rdn
D) Get-LocalUser
Answer: A
Explanation: `Get-ADUser` with the LastLogon property queries AD for that information.

**Question 26.** Which HTTP response header can be used by a server to prevent MIME-type sniffing attacks?
A) X-Content-Type-Options: nosniff
B) X-Frame-Options: DENY
C) Content-Security-Policy: default-src 'self'
D) X-XSS-Protection: 1; mode=block
Answer: A
Explanation: The `nosniff` directive tells browsers not to guess the MIME type.
**Question 27.** What is the primary purpose of the searchsploit utility in OSCP labs?
A) To perform network scanning
B) To locate publicly available exploits matching a keyword or CVE
C) To generate shellcode payloads
D) To enumerate AD users
Answer: B
Explanation: searchsploit queries the local Exploit-DB archive for relevant exploits.
**Question 28.** Which of the following Windows registry keys is commonly checked for the AlwaysInstallElevated policy?
A) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
B) HKLM\Software\Policies\Microsoft\Windows\Installer
C) HKCU\Software\Microsoft\Windows\CurrentVersion\Run
D) HKLM\System\CurrentControlSet\Services
Answer: B

Explanation: The AlwaysInstallElevated value resides under the Installer policy key.
**Question 29.** When performing a Kerberos AS-REP roasting attack, which condition must be true for the target user?
A) The user must have a strong password
B) Pre-authentication must be disabled for the account
C) The user must be a member of the Domain Admins group
D) The account must have a Service Principal Name (SPN)
Answer: B
Explanation: AS-REP roasting exploits accounts with "Do not require Kerberos pre-authentication".
**Question 30.** Which of the following Linux files often contains sudo permissions that can be abused for privilege escalation?
A) /etc/passwd
B) /etc/shadow
C) /etc/sudoers
D) /var/log/auth.log
Answer: C
Explanation: Misconfigured entries in /etc/sudoers can allow users to run commands as root.
**Question 31.** Which Metasploit auxiliary module can be used to enumerate Windows SMB shares without credentials?
A) auxiliary/scanner/smb/smb_version
B) auxiliary/scanner/smb/smb_enumshares
C) auxiliary/scanner/ssh/ssh_version
D) auxiliary/scanner/http/http_version

D) Performing a directory traversal attack on the login page
Answer: A
Explanation: IDOR vulnerabilities allow attackers to change identifiers to access unauthorized resources.
**Question 35.** Which flag in the msfvenom command creates a staged payload that connects back to the attacker's host on port 4444?
A) -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f exe -o shell.exe
B) -p windows/meterpreter/bind_tcp RHOST=10.0.0.1 RPORT=4444 -f exe -o shell.exe
C) -p linux/x86/meterpreter_reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f elf -o shell.elf
D) -p php/meterpreter_reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f raw -o shell.php
Answer: A
Explanation: The reverse_tcp payload creates a staged reverse connection to the specified LHOST/LPORT.
**Question 36.** Which LDAP query can be used to enumerate all domain computers in Active Directory?
A) (&(objectClass=user)(objectCategory=person))
B) (&(objectClass=computer)(operatingSystem=*))
C) (&(objectClass=group)(member=*))
D) (&(objectClass=organizationalUnit)(name=*))
Answer: B
Explanation: Filtering on objectClass=computer returns computer objects; adding operatingSystem=* ensures inclusion of all.
**Question 37.** When conducting a manual SQL injection on a login form, which technique is most reliable for extracting data without relying on error messages?

A) UNION-based injection
B) Boolean-based blind injection
C) Time-based blind injection
D) Out-of-band (OOB) injection
Answer: A
Explanation: UNION-based injection returns query results directly in the response, making data extraction straightforward.
**Question 38.** Which of the following Linux commands can reveal the kernel version, useful for determining potential kernel exploits?
A) cat /etc/passwd
B) uname -a
C) lsb_release -a
D) dpkg -l
Answer: B
Explanation: `uname -a` displays the kernel version and build information.
**Question 39.** Which of these is a recommended practice for enumerating open ports on a target while staying under the radar of IDS?
A) Use a single SYN scan with -sS and a slow timing template
B) Perform a full TCP connect scan with -sT at maximum speed
C) Use a UDP scan on all ports simultaneously
D) Run an aggressive OS detection scan with -O
Answer: A
Explanation: A SYN scan (-sS) with a slower timing (-T2 or -T1) reduces IDS noise.

**Question 43.** In a Linux environment, what does the presence of the NOPASSWD: directive in /etc/sudoers indicate?
A) The user must provide a password for sudo commands
B) The user can execute specified commands without a password
C) The user is denied sudo access entirely
D) The user can only run commands as root, not as other users
Answer: B
Explanation: NOPASSWD: permits password-less execution of designated commands.
**Question 44.** Which of the following is a typical sign that a web server is vulnerable to Remote File Inclusion (RFI)?
A) The application accepts a URL parameter that is directly included in a require or include statement
B) The server returns a 403 Forbidden for all POST requests
C) The server redirects all HTTP traffic to HTTPS
D) The application uses prepared statements for database queries
Answer: A
Explanation: Directly including user-supplied URLs can lead to RFI.
**Question 45.** Which PowerShell command can be used to extract the list of installed Windows updates, often useful for identifying missing patches?
A) Get-HotFix
B) Get-Service
C) Get-Process
D) Get-EventLog -LogName System
Answer: A

Explanation: Get-HotFix enumerates installed patches and updates.
**Question 46.** Which of the following techniques can be used to bypass a basic authentication prompt on a web application that uses HTTP Basic Auth?
A) Sending the credentials in the URL: http://user:pass@host/
B) Adding a custom header X-Auth-Token
C) Using a POST request with JSON payload
D) Changing the request method to HEAD
Answer: A
Explanation: Embedding credentials in the URL automatically supplies the Authorization header.
**Question 47.** When performing a Kerberoasting attack, which tool is commonly used to extract service tickets from memory?
A) Impacket's GetUserSPNs.py
B) Mimikatz's sekurlsa::logonpasswords
C) BloodHound's SharpHound
D) Nmap's smb-enum-users script
Answer: A
Explanation: GetUserSPNs.py requests service tickets for accounts with SPNs, which can then be cracked.
**Question 48.** Which Nmap NSE script can detect the presence of the Heartbleed vulnerability on an HTTPS server?
A) ssl-heartbleed
B) ssl-enum-ciphers
C) tls-nextprotoneg

B) kernel.modules_disabled
C) fs.protected_symlinks
D) net.ipv4.ip_forward
Answer: B
Explanation: kernel.modules_disabled=0 disables loading of new kernel modules; if set incorrectly, it can affect exploitability.
**Question 52.** Which of the following is the most common way to enumerate SMB users without credentials?
A) enum4linux -U target
B) nmap -p 445 --script=smb-enum-users target
C) rpcclient -U "" target
D) All of the above
Answer: D
Explanation: All three methods can enumerate SMB users via anonymous connections.
**Question 53.** Which of the following HTTP status codes is most indicative of a successful directory traversal attempt that returned a file?
A) 200 OK
B) 301 Moved Permanently
C) 403 Forbidden
D) 404 Not Found
Answer: A
Explanation: A 200 response means the server successfully retrieved the requested resource.

**Question 54.** In the context of Windows token impersonation, which API call is used to duplicate a token for later use?
A) CreateProcessAsUser
B) DuplicateTokenEx
C) LogonUser
D) ImpersonateLoggedOnUser
Answer: B
Explanation: DuplicateTokenEx creates a copy of an existing token that can be used for impersonation.
**Question 55.** Which of the following Nmap scripts can be used to enumerate the version of the SSH server running on a target?
A) ssh-hostkey
B) ssh-auth-methods
C) ssh2-enum-algos
D) ssh-version
Answer: D
Explanation: The ssh-version script extracts the SSH server banner and version.
**Question 56.** Which registry key stores the list of programs that run automatically at Windows startup for all users?
A) HKLM\Software\Microsoft\Windows\CurrentVersion\Run
B) HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
C) HKLM\System\CurrentControlSet\Services
D) HKCU\Environment
Answer: A
Explanation: The Run key under HKLM defines system-wide startup programs.