197+ Free OSCP Practice Questions

Pass your Offensive Security Certified Professional (PEN-200) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

~30-40% Pass Rate

197+ Questions

100% Free

1 / 197

Question 1

Score: 0/0

What does the Nmap flag -sS do?

Performs a TCP SYN scan (half-open scan)

Performs a UDP scan

Performs an ACK scan

Performs a NULL scan

to track

2026 Statistics

Key Facts: OSCP Exam

~30-40%

First-Attempt Pass Rate

Industry estimate

70/100

Passing Score

Offensive Security

23h 45m

Exam Duration

Offensive Security

$1,499+

Course + Exam

Offensive Security

24 hours

Report Due

Offensive Security

3 + 1 AD

Targets

OSCP Exam

The OSCP (Offensive Security Certified Professional) is the industry's most respected hands-on penetration testing certification. The 24-hour practical exam requires compromising 3 standalone targets (20 points each) and 1 Active Directory set (40 points) to achieve 70/100 passing score. This practice exam tests theoretical knowledge; actual OSCP requires live exploitation. PEN-200 course + exam package costs $1,499-$2,499.

Sample OSCP Practice Questions

Try these sample questions to test your OSCP exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 197+ question experience with AI tutoring.

1What does the Nmap flag -sS do?

A.Performs a TCP SYN scan (half-open scan)

B.Performs a UDP scan

C.Performs an ACK scan

D.Performs a NULL scan

Explanation: The -sS flag performs a TCP SYN scan, also known as a half-open scan. It sends SYN packets and analyzes responses without completing the TCP handshake, making it stealthier than a full connect scan.

2Which Nmap flag enables OS detection?

A.-sV

B.-O

C.-A

D.-sC

Explanation: The -O flag enables OS detection in Nmap. It uses TCP/IP stack fingerprinting to determine the operating system of the target. Note that -A also enables OS detection along with other features.

3What is the purpose of the Nmap -sV flag?

A.Scan for vulnerabilities

B.Enable verbose output

C.Probe open ports to determine service/version info

D.Perform a version scan only on web services

Explanation: The -sV flag enables version detection. Nmap probes open ports to determine what service is running and its version number. This helps identify exploitable services.

4Which Nmap option performs a UDP scan?

A.-sU

B.-sT

C.-sS

D.-sA

Explanation: The -sU flag performs a UDP scan. UDP scans are typically slower than TCP scans because they rely on ICMP port unreachable messages or lack of response to determine port status.

5What does the Nmap -A flag enable?

A.Aggressive scan with OS detection, version detection, script scanning, and traceroute

B.Anonymous scan mode

C.ARP scan only

D.Active defense bypass

Explanation: The -A flag enables aggressive scanning, which includes OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute. It provides comprehensive information but is more detectable.

6Which NSE script category is used for vulnerability detection?

A.discovery

B.vuln

C.auth

D.intrusive

Explanation: The "vuln" category contains scripts that check for specific vulnerabilities. These scripts identify known CVEs and security weaknesses in target services.

7How do you run a specific NSE script in Nmap?

A.--script scriptname

B.-sE scriptname

C.--nse scriptname

D.-S scriptname

Explanation: The --script option is used to specify which NSE scripts to run. You can run a single script (--script smb-enum-shares), multiple scripts (--script http*,ssl*), or script categories (--script vuln).

8What is Gobuster primarily used for?

A.Network scanning

B.Directory and file brute-forcing on web servers

C.Password cracking

D.DNS enumeration

Explanation: Gobuster is a tool used for directory and file brute-forcing on web servers. It uses wordlists to discover hidden directories, files, and URIs on web applications.

9Which tool is commonly used for SMB enumeration in OSCP?

A.enum4linux

B.sqlmap

C.burpsuite

D.nikto

Explanation: enum4linux is a popular tool for SMB enumeration. It wraps various Samba tools to extract information like user lists, share names, password policies, and workgroup information from Windows systems.

10What command lists SMB shares using smbclient?

A.smbclient -L //target

B.smbclient --enum-shares target

C.smbclient -S target

D.smbclient --list-shares target

Explanation: The -L flag in smbclient lists available shares on a target. The syntax is "smbclient -L //target" which enumerates SMB shares without requiring authentication.

About the OSCP Exam

The OSCP is the world's premier hands-on penetration testing certification. Unlike traditional multiple-choice exams, OSCP requires candidates to exploit multiple target machines in a 24-hour practical exam. This practice test covers the theoretical knowledge needed: enumeration, exploitation techniques, privilege escalation, and Active Directory attacks.

Questions

200 scored questions

Time Limit

23h 45m + 24h reporting

Passing Score

70/100

Exam Fee

$1,499-$2,499 (Offensive Security)

OSCP Exam Content Outline

20%

Information Gathering & Enumeration

Nmap scanning, service enumeration, SMB/SNMP/web enumeration, and reconnaissance techniques

25%

Exploitation Techniques

Manual exploitation, buffer overflows, file transfers, shell upgrades, and payload delivery

25%

Privilege Escalation

Linux privilege escalation (SUID, sudo, kernel exploits), Windows privilege escalation (services, registry, scheduled tasks)

20%

Active Directory Attacks

AD enumeration, Kerberoasting, AS-REP roasting, lateral movement, BloodHound, and Impacket tools

10%

Post-Exploitation & Reporting

Pivoting, tunneling, data exfiltration, and professional report writing with proof compilation

How to Pass the OSCP Exam

What You Need to Know

Passing score: 70/100
Exam length: 200 questions
Time limit: 23h 45m + 24h reporting
Exam fee: $1,499-$2,499

Keys to Passing

Complete 500+ practice questions
Score 80%+ consistently before scheduling
Focus on highest-weighted sections
Use our AI tutor for tough concepts

OSCP Study Tips from Top Performers

1Master Nmap scanning and service enumeration — accurate enumeration is the foundation of successful exploitation

2Practice manual exploitation — OSCP rewards custom exploits and manual techniques over automated tools

3Build a comprehensive cheat sheet for privilege escalation on both Linux and Windows

4Learn Active Directory attacks thoroughly — the AD set is 40% of your exam score

5Practice buffer overflow exploitation for exploit development understanding (even though removed from exam)

6Develop a systematic methodology and stick to it during the exam

7Take detailed notes during your lab time — you can't remember everything

8Practice report writing — a great technical performance can fail with a poor report

9Complete 200+ practice questions and understand the concepts deeply

Frequently Asked Questions

What is the OSCP exam format?

The OSCP exam is a 24-hour hands-on penetration test starting at 6:00 AM ET. You must compromise 3 standalone machines (20 points each) and 1 Active Directory set (40 points total: 10 for initial access, 10 for each of 3 privilege escalations). You need 70 points to pass. After the exam, you have 24 hours to submit a professional penetration test report with detailed proof screenshots.

What are the OSCP exam restrictions?

Metasploit is restricted — you may only use it on ONE target of your choice. Commercial vulnerability scanners (Nessus Pro, Burp Suite Pro) are NOT allowed. No AI/LLM assistance. No spoofing attacks (ARP, DNS, etc.). You must document all exploits used and provide proof files (proof.txt, local.txt) for each compromised target.

How should I prepare for OSCP?

Complete the PEN-200 course materials and exercises. Practice on the PWK lab networks — aim to compromise 30+ machines including the "big three" (Pain, Sufferance, Ghost). Master buffer overflow exploitation (even though removed from exam, it builds exploit development skills). Practice Active Directory attacks extensively. Build a comprehensive methodology and stick to it. Document everything for your notes.

How hard is the OSCP exam?

OSCP has a 30-40% first-attempt pass rate. It requires both technical skill and mental stamina for the 24-hour exam. The exam tests practical exploitation skills, not just knowledge. Time management is critical — many candidates fail due to poor time allocation. The exam changed in November 2024: buffer overflow was removed, and Active Directory became mandatory with assumed-breach scenarios.

What jobs can I get with OSCP?

OSCP qualifies you for penetration testing roles: Junior Penetration Tester ($70,000-95,000), Penetration Tester ($95,000-140,000), Senior Penetration Tester ($130,000-180,000), Security Consultant ($100,000-160,000), Red Team Operator ($120,000-200,000). OSCP is often a required certification for penetration testing positions and is highly respected by employers.

Is this practice exam like the real OSCP?

No — this is a theoretical multiple-choice practice exam. The real OSCP is a hands-on practical exam where you must actually exploit vulnerable systems. This practice exam helps you learn the concepts, tools, and techniques. However, to pass OSCP, you must practice hands-on exploitation in labs. Use this practice exam to test your knowledge of methodology, tools, and techniques.