OSCP Exam Success: 5 Must-Know Commands and Tools Every Pentester Should Master
The article shares the key commands and tips its author relied on to pass the OSCP certification, including how to use Nmap scanning, Mimikatz credential extraction and Netexec password spraying, and stresses that mastering the basics is what matters for both the exam and real penetration tests. 2025-8-6 14:40:25 Author: infosecwriteups.com

Anezaneo

Unlock OSCP success with these proven pentesting commands and exam tips. Learn the exact tools every OSCP candidate needs to master for real-world penetration testing and exam day — so you can pass with confidence.

Let me be honest: these are the commands that were absolutely essential for me while preparing for and passing the OSCP. As simple as some of them might seem, really mastering how they work, what their outputs mean, and how to troubleshoot their errors made all the difference in finally earning my certification. Don’t underestimate the power of truly knowing these basics — they’re the foundation that will carry you through the toughest moments in your exam and real-world engagements.

Getting ready for the OSCP isn’t just about reading theory — it’s about building muscle memory and knowing exactly which command to run when the clock is ticking. Below, I’m sharing the essential commands and tools that I found myself reaching for again and again. I’ll keep it practical, with just enough context so even if you’re a beginner, you’ll know why you’re running each command — not just how.

Before anything else, you need to map your target. Nmap is your best friend here. Get comfortable with these commands — they’ll save you more times than you can count.

Don’t skip the UDP scan — sometimes the only open port with a critical vulnerability is hiding there, and finding it can be the key to owning the box.

nmap -sSV -sC -Pn --open -v --min-rate=10000 -p- IP -oN XXX
# TCP scan – fast and comprehensive

nmap -sUV -Pn --open -v --min-rate=10000 -p- IP -oN XXX
# UDP scan

-sS -> TCP SYN scan (stealth scan)
-sV -> Detects service versions
-sC -> Runs default scripts
-sU -> UDP scan
-Pn -> Skip host discovery (treat all hosts as online)
--open -> Show only open ports
-v -> Verbose output
--min-rate=10000 -> Send packets quickly (minimum rate 10,000 packets/sec)
-p- -> Scan all ports (1–65535)
-oN XXX -> Output results in normal format to file XXX
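Reading the file that -oN writes is half the job. As an added example that is not part of the original post, here is a small Python parser for nmap's normal output, run over a constructed scan result; it also shows why a UDP port reported as "open|filtered" should be kept for manual probing rather than discarded.

```python
import re

# Constructed sample of nmap normal (-oN) output from the TCP scan above.
# Not a real scan result; host, versions and timestamps are made up.
SAMPLE_TCP = """\
# Nmap 7.94 scan initiated Wed Aug  6 14:40:25 2025 as: nmap -sSV -sC -Pn --open -v --min-rate=10000 -p- 10.10.10.5 -oN tcp.txt
Nmap scan report for 10.10.10.5
Host is up (0.012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
445/tcp open  netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# Nmap done at Wed Aug  6 14:41:10 2025 -- 1 IP address (1 host up) scanned in 45.12 seconds
"""

# Constructed UDP excerpt: UDP scans report "open|filtered" when no reply came back.
SAMPLE_UDP = """\
PORT    STATE         SERVICE VERSION
123/udp open|filtered ntp
161/udp open          snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_normal(text):
    """Return one dict per port line, in the order nmap printed them.
    Header lines, 'Host is up', and -sC script output (lines starting with '|') are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": (version or "").strip()})
    return ports


def open_services(text, include_unverified=False):
    """Map 'port/proto' -> version string for ports reported open.
    With include_unverified=True, 'open|filtered' ports are included as well,
    since those still need a manual probe rather than being written off."""
    wanted = {"open", "open|filtered"} if include_unverified else {"open"}
    return {f"{p['port']}/{p['proto']}": p["version"]
            for p in parse_nmap_normal(text) if p["state"] in wanted}
```

Feed it the contents of the file you passed to -oN; the 22/tcp entry, for example, comes back with its full OpenSSH banner as the version string.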

With this command, you can quickly spot any strange or out-of-place files inside user directories on Windows machines. It helped me a lot, and to this day, it’s one of my go-to commands whenever I’m digging around during an assessment.

tree /f C:\Users

Sometimes you’ll find an open FTP server. Here’s how to grab all the files at once — just be sure you have permission, and always try passive mode off if you’re not seeing files.

Honestly, I ran into a lot of machines with unstable FTP connections. I’d log in, and within seconds the connection would drop. On top of that, using passive mode often wasted the few good minutes I had before everything timed out. The command below solves this problem by turning off passive mode and downloading all the content from that FTP server in one go. It’s a real lifesaver when you’re dealing with flaky connections.

wget -m ftp://IP --no-passive-ftp
# Download everything from FTP

The Swiss army knife for credentials — use responsibly. Mimikatz is fundamental for enumerating any machine inside an Active Directory environment. It has way more features than I can show here, but these commands will help you a lot. Once you get comfortable with Mimikatz, you’ll see just how powerful it can be for digging up credentials and understanding what’s happening behind the scenes.

.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "lsadump::secrets" "lsadump::cache" "exit"

privilege::debug -> Enables debug privileges for Mimikatz (needed for most actions)
token::elevate -> Tries to elevate the current token to get SYSTEM privileges
sekurlsa::logonpasswords -> Dumps credentials from LSASS process memory (usernames, passwords, hashes)
lsadump::sam -> Dumps local user password hashes from the SAM database
lsadump::secrets -> Dumps secrets stored by Windows, like service passwords
lsadump::cache -> Dumps cached domain credentials for offline users
exit -> Exits Mimikatz

Netexec is a versatile tool for spraying passwords across services — and it’s fundamental when you find credentials and want to test them against all the target machines in an environment. It’s surprisingly common for a user to log into different machines with the same username and password, and within an Active Directory, that same user might have access to several systems. With netexec, you can test services like RDP, SMB, WinRM, and even SSH. And don’t forget to try local users too — you never know where that one password will open the next door.

netexec smb IPTARGET -u usernames.txt -p password.txt --continue-on-success
netexec winrm IPTARGET -u usernames.txt -p password.txt --local-auth
netexec rdp IPTARGET -u usernames.txt -H 'HASHNTLM'
netexec rdp IPTARGET -u usernames.txt -p password.txt

-u usernames.txt -> Uses a list of usernames
-p password.txt -> Uses a list of passwords
-H 'HASHNTLM' -> Uses an NTLM hash for authentication
--continue-on-success -> Keeps trying more credentials, even if login is successful
--local-auth -> Uses local authentication (not domain)
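It helps to know what that spray looks like from the other side of the wire. As an added example that is not part of the original post, this Python snippet runs over constructed, simplified logon events and flags a single source failing against many accounts in a short window (the one-password, many-users shape), then lists any account that afterwards logged on successfully from that source, which is exactly what --continue-on-success leaves behind once a password hits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified authentication events (not real Windows logs), one per line:
# "<UTC time> <EventID> <source IP> <target user>"; 4625 = failed logon, 4624 = success.
# The first block mimics the spray above: one source, many users, within a few seconds.
SAMPLE_EVENTS = """\
2025-08-06T14:40:01Z 4625 10.10.10.50 alice
2025-08-06T14:40:02Z 4625 10.10.10.50 bob
2025-08-06T14:40:02Z 4625 10.10.10.50 carol
2025-08-06T14:40:03Z 4625 10.10.10.50 dave
2025-08-06T14:40:03Z 4625 10.10.10.50 erin
2025-08-06T14:40:04Z 4624 10.10.10.50 frank
2025-08-06T14:41:00Z 4625 10.10.10.7 alice
2025-08-06T14:45:00Z 4625 10.10.10.7 alice
"""


def parse_events(text):
    """Parse the constructed line format into (time, event_id, src_ip, user) tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, src, user = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(event_id), src, user))
    return events


def detect_spray(events, min_users=5, window=timedelta(seconds=60)):
    """Flag sources whose failed logons cover >= min_users distinct accounts
    inside one sliding time window. Repeated failures against a single account
    (10.10.10.7 above) are a different pattern and are deliberately not flagged.
    Returns (flagged, successes): flagged maps src_ip -> sorted usernames tried;
    successes lists accounts that logged on successfully from a flagged source."""
    failures = defaultdict(list)
    for ts, eid, src, user in sorted(events):
        if eid == 4625:
            failures[src].append((ts, user))
    flagged = {}
    for src, attempts in failures.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    successes = sorted({user for ts, eid, src, user in events
                        if eid == 4624 and src in flagged})
    return flagged, successes
```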

Gaining access to your first machine is just the beginning — real success in the OSCP often depends on your ability to pivot and move laterally within a network. That’s where tools like Ligolo-ng come in. Even though it isn’t officially taught in the course, Ligolo-ng is an incredibly versatile and user-friendly tunneling tool. Learning to use it effectively is one of my top recommendations for the exam. Mastering tunneling and pivoting doesn’t just make the OSCP easier; it’s a game-changer for real-world engagements and CTFs. Trust me, knowing how to set up quick, reliable tunnels will save you time and open up new paths when you’re stuck.

If I had to give only one piece of advice for your OSCP journey, it’s this: master the basics, but never stop experimenting. These commands aren’t just lines to copy — they’re your Swiss army knife for hacking under pressure. Practice them until you can run them in your sleep, tweak the flags, read the output, and — most importantly — understand what’s happening behind the scenes.

Found these commands useful? Share your own OSCP tips or stories in the comments — let’s help more people crush the exam! And if you want more practical guides like this, follow me on Medium for weekly hands-on infosec content.


Source: https://infosecwriteups.com/oscp-exam-success-5-must-know-commands-and-tools-every-pentester-should-master-c65523e38cc1?source=rss----7b722bfd1b8d---4