- Enumeration
- The systematic discovery of hosts, ports, services, versions, and configurations — the most important OSCP skill; when stuck, enumerate more.
- Nmap
- The primary port scanner: discovers live hosts, open ports, and service versions that drive exploit research.
- Ping sweep (nmap -sn)
- Host discovery only — lists which hosts are alive across a range without scanning any ports.
- -Pn
- Nmap option that skips host discovery and scans a host even if it does not respond to ICMP (treats it as up).
- -p- (full port scan)
- Scans all 65,535 TCP ports — slow but catches a foothold service hidden on an uncommon high port.
- -sV
- Nmap service/version detection — reports each service's product name and version, the input for exploit research.
- -sC
- Runs Nmap's default category of NSE scripts during a scan to gather extra information and catch common issues.
- -sU
- Nmap UDP scan — reveals UDP services such as DNS and SNMP that a TCP scan will never show.
- Closed port
- An Nmap state meaning the port is reachable but no service is listening on it — it actively refuses connections.
- NSE (Nmap Scripting Engine)
- Nmap's scripting framework; run script categories like 'vuln' or 'smb-enum-shares' for deeper enumeration.
- Banner grabbing
- Reading a service's identifying banner (e.g. via Netcat) to learn its software and version for exploit research.
- gobuster
- A directory and file brute-forcer for web servers; in dir mode it appends extensions to each wordlist entry.
- ffuf
- A fast web fuzzer; filter results by status code, size, or words to discard noise like soft-404 responses.
- robots.txt
- A file that may reveal hidden or sensitive paths the site owner did not want indexed — useful for enumeration.
- enum4linux
- A wrapper tool that enumerates Windows/Samba hosts over SMB — domain, users, groups, shares, and policy.
- SMB null session
- An anonymous SMB connection with empty credentials that can reveal users, groups, and shares.
- smbclient
- A command-line SMB client to list and access shares; writable shares may allow uploading a payload.
- Anonymous FTP
- An FTP service allowing login with the 'anonymous' user; first step is to log in and list directories for readable files.
- Virtual host (vhost) enumeration
- Discovering name-based virtual hosts by varying the Host header; a wordlist may reveal internal-only sites on one IP.
- searchsploit
- A command-line search of the offline Exploit-DB archive bundled with Kali — works without internet.
- Exploit-DB
- A public archive of exploits and proof-of-concept code; match the exact product and version, then read and adapt the code.
- Proof-of-concept (PoC)
- Public exploit code that usually needs adapting — set the attacker IP/port, fix offsets, and replace shellcode before use.
- Vulnerability scanner
- A tool (e.g. Nessus, OpenVAS) that enumerates known weaknesses; authenticated scans (valid credentials) are most accurate.
- False positive
- A scanner finding that is not actually exploitable; always manually verify before relying on a reported vulnerability.
- Wordlist
- A list of candidate names/passwords (e.g. SecLists, rockyou.txt) chosen to fit the target's technology and language.
- Service principal name (SPN)
- An identifier that maps a service instance to a domain account; SPN-enabled accounts are the targets of Kerberoasting.
- DNS enumeration
- Collecting hostnames from DNS and certificates that point to a box, revealing additional virtual hosts and services.
- SQL injection (SQLi)
- Untrusted input alters a SQL query; can extract data, bypass authentication, or reach code execution.
- UNION-based SQLi
- Appends a UNION SELECT to exfiltrate data; first determine the column count with ORDER BY n.
- Blind / time-based SQLi
- No data is returned, so inject a payload that pauses (e.g. SLEEP) and infer values from the response delay.
- Error-based SQLi
- Forces the database to leak data inside its error messages, which the application displays on the page.
- Authentication bypass (SQLi)
- Submitting a value that closes the string and adds an always-true condition to log in without valid credentials.
- Second-order SQLi
- Input stored by one feature is later used unsafely in a query by a different, often more privileged feature.
- sqlmap
- Automates SQL injection: detect, then enumerate databases (--dbs), tables, and dump data; supports auth and request files.
- xp_cmdshell / FILE privilege
- MSSQL stored procedure (or MySQL FILE) that turns SQL injection into OS command execution or web-shell writing.
- Cross-site scripting (XSS)
- Injected script runs in a victim's browser — steal sessions and keystrokes or force state-changing requests.
- Reflected XSS
- A payload bounced straight back from a single request and executed in the victim's browser.
- Stored XSS
- A payload persisted by the app (e.g. a comment) that fires for every visitor — usually the most impactful XSS.
- Content Security Policy (CSP)
- A header restricting script sources; a strict CSP blocks inline payloads and must be bypassed for XSS.
- Session hijacking
- Stealing a victim's session cookie (often via XSS) to impersonate their authenticated session.
- Command injection
- User input reaches an OS shell; chain a separator (; | && ) and a command to execute arbitrary commands.
- Blind command injection
- No command output is returned, so confirm execution out of band — a time delay or a DNS/HTTP callback.
- Command substitution
- Using backticks or $(…) to run a command inside another; often slips past filters that strip other separators.
- Directory traversal
- Abusing ../ sequences to read files outside the web root, such as /etc/passwd or a Windows web.config.
- Local file inclusion (LFI)
- The app includes a referenced file in execution; can escalate to code execution via log poisoning or PHP wrappers.
- Log poisoning
- Injecting PHP into a log the application reads via LFI, then including the log to execute the injected code.
- php://filter
- A PHP wrapper that reads a file as a stream (often base64-encoded) to disclose source code safely via LFI.
- File upload bypass
- Defeating signature, extension allow-list, or MIME checks to upload an executable web shell the server runs.
- Web shell
- A script placed on a server that the server executes, giving remote command execution through the browser.
- Magic-byte (signature) check
- An upload filter validating leading file bytes; bypass by prepending a valid image signature to a script.
- Double-extension / case bypass
- Tricks like shell.php.jpg or shell.PHP that defeat naive or case-sensitive extension allow-lists on uploads.
- Client-side attack
- Delivering a payload a staff user opens — a malicious Office macro or a link using a custom URI handler.
- Malicious macro
- An embedded macro in an Office document that runs attacker code when the victim enables content.
- Burp Suite
- An intercepting web proxy used to view, modify, and replay HTTP requests during web application testing.
- Reverse shell
- The target connects back to a listener on the attacker — preferred when the target blocks inbound connections (NAT/firewall).
- Bind shell
- A listener opened on the target that the attacker connects to; exposed to anyone who scans the port.
- Netcat (nc)
- A networking utility used as a listener for reverse shells or to grab banners; a plain listener offers no encryption.
- socat
- A flexible relay tool used to create encrypted, more stable reverse shells than a plain netcat listener.
- TTY upgrade
- Turning a dumb shell into an interactive terminal — python3 pty.spawn /bin/bash, then stty raw -echo and export TERM/PATH.
- msfvenom
- Metasploit's standalone payload generator — builds EXE, raw shellcode, or web payloads with LHOST/LPORT set.
- Bad characters
- Bytes that break an exploit or are filtered by the target; specify them (msfvenom -b) so shellcode survives the parser.
- Privilege escalation
- Moving from a low-privileged user/service account to root or SYSTEM — the second 10 points on each OSCP machine.
- SUID binary
- A file that runs with its owner's privileges; a SUID-root program that spawns a shell is a path to root.
- bash -p
- Runs bash without dropping elevated privileges; the invocation that turns a SUID-root bash copy into a root shell.
- sudo -l
- Lists the commands the current user may run via sudo; many such binaries have a documented root-shell escape.
- GTFOBins
- A reference of Unix binaries that can be abused (via SUID, sudo, or capabilities) to escape restrictions and escalate.
- Linux capabilities (getcap)
- Fine-grained root powers on a binary; cap_setuid on an interpreter like python allows escalating to root.
- Cron job abuse
- A root-run scheduled job that is writable, uses a wildcard (tar *), or calls a command without a full path — exploit for root.
- Kernel exploit
- A local-root exploit against the running kernel version; a last resort — match the exact version and prefer a misconfiguration.
- SeImpersonatePrivilege
- A Windows privilege (common on service accounts) abused by 'Potato' attacks to impersonate a SYSTEM token.
- Potato attacks
- PrintSpoofer, RoguePotato, GodPotato and similar tools that escalate a SeImpersonate-holding service account to SYSTEM.
- SeBackupPrivilege
- A Windows privilege that lets the holder read protected files such as the SAM and SYSTEM registry hives.
- Unquoted service path
- A service path with spaces and no quotes; writing a binary to an earlier directory lets it run at the service's privilege.
- Writable service binary
- A service whose executable the current user can overwrite; replace it to run code as the service account on restart.
- DLL hijacking
- Placing a malicious DLL where an elevated app loads it; use Process Monitor to find a missing or writable DLL path.
- AlwaysInstallElevated
- A Windows policy that runs MSI installers as SYSTEM; if set, a malicious MSI yields SYSTEM privileges.
- Stored credentials (Windows)
- Passwords left in autologon registry values, Unattend.xml, or config files — recoverable for escalation or reuse.
- whoami /priv
- Lists the current Windows token's privileges; checking for SeImpersonate/SeBackup is a standard early escalation step.
- linPEAS
- An automated Linux enumeration script that highlights privilege-escalation findings by likelihood.
- winPEAS
- The Windows counterpart to linPEAS; may be quarantined by antivirus, so an obfuscated/in-memory run helps evade it.
- Hashcat
- A GPU password cracker; select the correct mode per hash type (e.g. 13100 Kerberoast, 18200 AS-REP) and use rules.
- John the Ripper
- A password cracker offering dictionary and incremental (brute-force) modes for cracking recovered hashes.
- Hydra
- An online brute-force tool against network services; lockout policies may force throttling or a different approach.
- Password spraying
- Trying one weak password against many accounts to avoid lockouts — effective early against a domain with no credentials.
- File transfer (target)
- Moving tools onto a foothold without outbound internet — a Python/SimpleHTTPServer, SMB share, or certutil download.
- docker group
- Membership lets a user mount the host filesystem in a container as root — a direct Linux privilege-escalation path.
- Active Directory (AD)
- Microsoft's directory service grouping computers and users into domains that share a database and security policy.
- Domain
- The logical boundary in AD that groups users and computers to share a directory database and authentication.
- Forest
- One or more AD domains combined into a larger structure that shares a common schema and configuration.
- Domain controller (DC)
- The server that hosts the AD database and authenticates the domain — the highest-value target in the AD set.
- Member server
- A domain-joined server that is not a domain controller; a lateral-movement stepping stone toward the DC.
- LDAP (port 389)
- The directory query protocol used to enumerate and interact with Active Directory objects.
- Kerberos
- AD's default authentication protocol using tickets (TGT and TGS) issued by the DC's Key Distribution Center.
- TGT (ticket-granting ticket)
- Issued after initial authentication; presented to obtain service tickets. Signed by the krbtgt key.
- TGS (service ticket)
- A ticket for a specific service, encrypted with that service account's key — the material Kerberoasting cracks.
- BloodHound
- A tool that graphs AD attack paths from a controlled account to high-value targets like Domain Admins.
- PowerView
- A PowerShell AD enumeration toolkit; functions reveal sessions, SPNs, group memberships, and rights.
- Kerberoasting
- Request TGS tickets for SPN-enabled accounts and crack them offline; needs only one valid domain credential.
- AS-REP Roasting
- Capture and crack the AS-REP of accounts with pre-authentication disabled; needs no credential, only usernames.
- Kerberos pre-authentication
- A control that, when disabled on an account, exposes it to AS-REP Roasting.
- NTLM hash
- A one-way representation of an account password used for NTLM authentication and reused in Pass-the-Hash.
- Pass-the-Hash (PtH)
- Authenticate with a captured NT hash without cracking it; defeats strong passwords, blunted by unique local passwords (LAPS).
- Pass-the-Ticket (PtT)
- Inject a stolen Kerberos TGT or TGS to impersonate a user; tickets expire, so they must be reasonably fresh.
- Golden ticket
- A forged TGT made from the krbtgt hash and domain SID — any user, any groups, domain-wide; reset krbtgt twice to kill it.
- Silver ticket
- A forged TGS made from one service account's hash — narrower scope and stealthier (no DC contact) than a golden ticket.
- krbtgt account
- The account whose key signs all Kerberos tickets; capturing its hash enables forging golden tickets.
- Mimikatz
- A tool that dumps credentials and Kerberos tickets from memory; needs elevated privileges to access LSASS.
- DCSync
- Abuses the replication protocol to request domain account hashes from a DC without touching NTDS.dit on disk.
- NTDS.dit
- The Active Directory database file on a domain controller; extracting it yields all domain password hashes.
- NTLM relay
- Forwarding captured authentication to another service (e.g. LDAP/SMB) to authenticate as the victim without the hash.
- SMB signing
- A control that defeats NTLM relay to SMB targets by ensuring messages are signed and cannot be forwarded.
- PsExec
- Remote command execution over SMB using a temporary service; a common but noisy lateral-movement method.
- WMI
- Windows Management Instrumentation — executes commands on a remote host with valid credentials or a hash.
- WinRM (5985/5986)
- Remote management providing an interactive PowerShell session; often preferred over PsExec for stealthier movement.
- Lateral movement
- Moving host-to-host using reused credentials (PtH, PtT, PsExec, WMI, WinRM) — the heart of the AD set's scoring.
- Credential reuse
- The same account or hash valid on many hosts; the engine that makes AD compromise fast once one credential is found.
- Pivot host
- A compromised, dual-homed host used to route traffic into a network the attacker cannot reach directly.
- SSH local forward (-L)
- Exposes one internal service on a local port of the attacker box through a Linux pivot you can SSH to.
- SSH remote forward (-R)
- Used when the pivot can reach the attacker but not vice versa; the pivot pushes an internal port out to you.
- SSH dynamic forward (-D)
- Opens a SOCKS proxy to route many tools at once into the internal network; pair with proxychains.
- Chisel
- A client-server SOCKS tunnel over HTTP for pivoting through a firewalled Windows host that lacks an SSH server.
- proxychains
- Forces a command-line tool's TCP connections through a SOCKS proxy; use TCP-connect scans, not ICMP/UDP.
- TCP connect scan (-sT)
- A full-handshake scan required through a SOCKS proxy, since half-open SYN, ping, and UDP do not traverse the tunnel.
- Dual-homed host
- A host with two interfaces on different subnets; ideal as a pivot to reach an otherwise unreachable network.
- Domain Admins
- The built-in group whose membership most directly equates to full control of the domain — the prime target.
- WriteDACL / GenericAll
- BloodHound ACL edges granting rights over an object that can be abused to take it over and escalate.
- Domain SID
- The domain's security identifier; combined with the krbtgt hash, it is needed to forge a golden ticket.
- AD set scoring
- The OSCP Active Directory chain is worth 40 points: 10 client + 10 second host + 20 domain controller.