OSCP Practice Questions & Answers
Practise OSCP with 201 questions and 1 full-length mock exams on Exam Clue. Free sample questions with answers below.
Sample OSCP Questions
Free sample questions with the correct answer highlighted.
Q1. 1.An attacker is analyzing a target organization's public-facing infrastructure without sending packets to the target's network block. They discover several corporate email addresses, leaked credentials from historical breaches, and public code repositories containing hardcoded API keys. Which type of gathering is this, and what is the most high-value next step for assessing internal Windows alignment?
- A. Active Reconnaissance; map the external firewalls via traceroute.
- B. Passive Reconnaissance; analyze the naming conventions to predict internal Active Directory (sAMAccountName) structures. ✓
- C. External Enumeration; run an aggressive Nmap scan against the discovered IPs.
- D. Vulnerability Assessment; launch a Nikto scan against the code repositories.
Q2. 1. An analyst is performing passive reconnaissance against a Windows infrastructure. They perform an OSINT review of LinkedIn profiles to construct a targeted username directory for an upcoming assessment.
- A. Attempt an SMB authentication attack against public web servers.
- B. Launch a spear-phishing campaign instantly.
- C. Utilize standard WHOIS lookups to find internal account domains.
- D. Format names into common patterns like jsmith or john.smith. ✓
Q3. 2. Scenario 2: An analyst is performing passive reconnaissance against a Windows infrastructure. They execute a DNS zone transfer query using AXFR against the primary name server and successfully retrieve the full zone data.
- A. Decrypt the zone files using private keys.
- B. Inject unauthorized entries into the zone files.
- C. Review the A and AAAA records to locate internal Windows servers. ✓
- D. Report that the DNS server is immune to zone transfers.
Q4. 3. Scenario 3: An analyst is performing passive reconnaissance against a Windows infrastructure. They discover old email headers from internal corporate users that leak specific metadata inside the Received lines.
- A. Perform an off-line cracking attack on the mail header hash.
- B. Reset the corporate user domain policy.
- C. Forge a digital certificate to impersonate the mail server.
- D. Extract internal private IP addresses and naming layouts. ✓
Q5. 4. Scenario 4: An analyst is performing passive reconnaissance against a Windows infrastructure. They locate public repository files exposing Azure deployment configurations and active application connection strings.
- A. Run a full port scan on the Azure tenant endpoints.
- B. Brute-force the tenant ID using automated scripts.
- C. Analyze the repo commits for historical secrets. ✓
- D. Deploy an enterprise-grade WAF immediately.
Q6. 5. Scenario 5: An analyst is performing passive reconnaissance against a Windows infrastructure. They perform an OSINT review of LinkedIn profiles to construct a targeted username directory for an upcoming assessment.
- A. Launch a spear-phishing campaign instantly.
- B. Attempt an SMB authentication attack against public web servers.
- C. Utilize standard WHOIS lookups to find internal account domains.
- D. Format names into common patterns like jsmith or john.smith. ✓
Q7. 6. Scenario 6: An analyst is performing passive reconnaissance against a Windows infrastructure. They execute a DNS zone transfer query using AXFR against the primary name server and successfully retrieve the full zone data.
- A. Report that the DNS server is immune to zone transfers.
- B. Decrypt the zone files using private keys.
- C. Inject unauthorized entries into the zone files.
- D. Review the A and AAAA records to locate internal Windows servers. ✓
Q8. 7. Scenario 7: An analyst is performing passive reconnaissance against a Windows infrastructure. They discover old email headers from internal corporate users that leak specific metadata inside the Received lines.
- A. Forge a digital certificate to impersonate the mail server.
- B. Perform an off-line cracking attack on the mail header hash.
- C. Extract internal private IP addresses and naming layouts. ✓
- D. Reset the corporate user domain policy.