Hakluke’s Ultimate OSCP Guide: Part 3 — Practical hacking tips and tricks

Luke Stephens (@hakluke)
14 min read · Mar 31, 2018

So, you’ve finally signed up, paid the money, waited for the start date, logged in to the VPN, and are suddenly hit in the face with a plethora of vulnerable boxes and you have no idea where to start.

This part of the guide will show the general process I tend to use when approaching a new target in the OSCP labs. This is by no means a replacement for reading the PWK manual and doing the exercises, it’s a brief overview of some major vulnerability types and a few tips. You can always refer back to this post later, using it as a cheat sheet for command syntax.


First of all, we need to know what boxes exist on the network. Use nmap to run a ping scan:

nmap -sn $subnet

The above command will test whether all machines in the subnet are alive. You may need to change the subnet for the lab network.

Once I have chosen a host, the first thing I always do is:

nmap -A -oA nmap $targetip

This will scan the 1024 most common ports, run OS detection, run default nmap scripts, and save the results in a number of formats in the current directory.

Scanning more deeply:

nmap -v -p- -sT $targetip

This will scan all 65535 ports on $targetip with a full connect scan. This scan will probably take a very long time. The -v stands for verbose, so that when a new port is discovered it is printed straight away instead of only at the end of the scan. Scanning this many ports over the internet takes a long time, so I would often leave the scan running overnight, or move on to a different box in the meantime.
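As an added example (not code from the original post), here is a small parser for the greppable .gnmap file that `-oA nmap` writes, so the live hosts, open ports and HTTP-looking services from the scans above can be pulled out without re-reading the raw output. The hosts and service banners in SAMPLE_GNMAP are constructed sample data, not lab results.

```python
from collections import defaultdict

# Constructed sample of nmap's greppable output (the .gnmap file written by -oA).
# Hosts, ports and banners are invented for illustration only.
SAMPLE_GNMAP = """# Nmap 7.70 scan initiated as: nmap -A -oA nmap 10.11.1.0/24
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.18/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
Host: 10.11.1.7 ()\tStatus: Up
Host: 10.11.1.7 ()\tPorts: 443/open/tcp//ssl|http//nginx 1.10.3/, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
Host: 10.11.1.9 ()\tStatus: Down
# Nmap done: 3 IP addresses (2 hosts up) scanned
"""


def parse_gnmap(text):
    """Return {host: {"status": str, "ports": [port dicts]}} from .gnmap text."""
    hosts = defaultdict(lambda: {"status": "Unknown", "ports": []})
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment / summary lines
        fields = line.split("\t")
        host = fields[0].split()[1]  # "Host: 10.11.1.5 ()" -> "10.11.1.5"
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                hosts[host]["status"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    # Each entry is port/state/proto/owner/service/rpc/version/
                    parts = entry.split("/")
                    hosts[host]["ports"].append({
                        "port": int(parts[0]),
                        "state": parts[1],
                        "proto": parts[2],
                        "service": parts[4],
                        "version": "/".join(parts[6:-1]),  # version may itself contain "/"
                    })
    return dict(hosts)


def live_hosts(scan):
    return sorted(h for h, info in scan.items() if info["status"] == "Up")


def open_ports(scan, host):
    return sorted(p["port"] for p in scan[host]["ports"] if p["state"] == "open")


def web_targets(scan):
    """(host, port, service) for open ports nmap labelled as some flavour of HTTP."""
    return [(host, p["port"], p["service"])
            for host, info in sorted(scan.items())
            for p in info["ports"]
            if p["state"] == "open" and "http" in p["service"]]
```

Run it against the real nmap.gnmap from the lab by replacing SAMPLE_GNMAP with the file's contents; web_targets gives the list of things to open in a browser next.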

Probing services

From these initial nmap scans, we should have gained a lot of information about the machine: we know what ports are open, and usually what services they are running.


If the server is running HTTP or HTTPS, the next logical step is to check it out in a web browser. What does it display? Is it a potentially vulnerable web application? Is it a default web server page which reveals version…
