Interview Q & A

// Knowledge based //

  1. What are the phases of a penetration test?
  2. What is the difference between a risk assessment, a vulnerability assessment, and a penetration test?
  3. When running an nmap scan, what source port can you specify to scan from to commonly bypass firewall rules?
  4. Construct an Nmap SYN scan that does not do DNS lookups, does not ping the host, and only returns open ports for tcp/139 and tcp/445.
  5. What kind of attack is ARP Spoofing considered and how could you leverage it on a penetration test?
  6. Explain what NBNS poisoning is and how it can be leveraged on a penetration test.
  7. Answer true or false and explain your answer: two-factor authentication protects against session hijacking.
  8. Explain what happens when a connection from your web browser to a web server is initiated on every OSI layer (as detailed as you like).
  9. Describe the basics of input and output of a stream cipher.
  10. List a couple of block ciphers and their characteristics and security concerns.
  11. Describe when you would use a null byte during an application penetration test.
  12. What is the problem with LM hashes?
  13. What is the difference between netNTLM and NTLM hashes?
  14. What is pass the hash?
  15. What is token impersonation?
  16. Describe what SQL Injection is and how you would test for it.
  17. What about Blind SQL Injection and how is it different from other kinds?
  18. How can SQL Injection lead to remote code execution?
  19. How can you execute OS commands via MSSQL injection?
  20. Describe a webshell and how you would upload/use one.
  21. How would you bypass uploader protections?
  22. Describe Remote Command Execution (RCE). How would you prevent it in PHP?
  23. Describe Cross Site Request Forgery. How would you prevent it?
  24. Describe the different types of Cross Site Scripting. How would you exploit XSS?
  25. What is the purpose of the same origin policy with relation to the document object model?
  26. Describe the basics of input and output of a block cipher.
  27. How does the Heartbleed vulnerability work?
  28. How do you exploit the Shellshock vulnerability and what can an attacker do with it?
  29. Describe what a buffer overflow is and how you would test for it.
  30. Describe what SEH is and how you would exploit it.
  31. Describe how debugger modules and plugins can speed up basic exploit development.
  32. How would you bypass DEP or ASLR in Windows 7?
  33. How would you bypass SafeSEH?
  34. Describe how you root an Android device or Jailbreak an iOS device.
  35. What is kerberoasting?
  36. What is a golden ticket?
  37. What is a silver ticket?

// Scenario Based //

  1. “I am your customer. I have a /24 subnet of hosts on the Internet that I’d like you to pentest. Take me through, in detail, all the steps that you will go through in this assessment.”
    1. This question is good to not only see if the candidate thinks about pre-assessment things like Rules of Engagement and Scoping meetings, but the interviewer can (and should!) say “Tell me more about that…” each step of the way to ensure that the candidate gives sufficiently deep answers.
    2. The interviewer should have an idea of where they want the assessment to go, “You ran your scan and found two servers. One has TCP ports 23, 53, 80 open and the other has 80, 443 and 3306. What do you do next?” Provide direction but don’t lead.
  2. For in-person interviews I like asking the candidate to “go to a white board (or paper taped to the wall). You have an unlimited budget and resources. Please draw the most secure corporate network for my organization. It must have certain components including but not limited to: the Internet, one user subnet, at least one Active Directory server, one web server (with backend database) on the Internet, one Human Resources server, Wifi for your users, a VPN, etc.”
    1. The interviewer is looking for completeness.
      1. Do they put all the required components in?
      2. Are they in secure places?
      3. Did they add in other security devices/conventions (IDS/IPS, FW, DMZ, SIEM…)?
      4. Does their architecture make sense? If not, call them on it and ask them to fix it.
    2. Once the candidate has completed their drawing, the interviewer goes to the board and draws a stick figure person attached to the Internet. “This is you. You are an attacker on the Internet. I want you to tell me how you are going to compromise the AD server here (circle it in the drawing) and exfiltrate the AD user hashes.”
      1. At this point the candidate can use any number of techniques to compromise the network and systems. The interviewer is looking for plausible attacks. Ask for more details at each step of their attack. Provide them challenges (“Our firm uses egress filtering for servers so they cannot talk directly to the Internet.”) and see how they roll with them.
  3. On an assessment, you have just compromised a Mac OS X laptop inside a corporate user subnet. Your goal is to exfiltrate Active Directory hashes from the AD servers. How do you accomplish this?

// Open Ended //

  1. You are performing a blackbox penetration test for a client. The only allowable attack vectors are network and application level attacks. Where do you start?
    1. Describe how you would find all domains associated with the client. (if they didn’t answer)
    2. Describe how you would find all network ranges associated with the client. (if they didn’t answer)
  2. During the penetration test you find an instance of Outlook Web Access belonging to the client. Describe how you would attack this.
    1. Describe how you would find potential usernames to use. (if they didn’t answer)
    2. Describe how you would pick which passwords to use. (if they didn’t answer)
    3. Describe how you would avoid account lockouts. (if they didn’t answer)
  3. If you run the following scan without root privileges, describe what would happen: nmap www.google.com
    1. What kind of scan was performed? (if they didn’t answer)
    2. How many ports were scanned? (if they didn’t answer)
    3. If you ran the same command as root, describe the differences. (if they didn’t answer)
  4. You are launching a Metasploit reverse HTTPS meterpreter payload against a host that you know is vulnerable to your attack, but once you type “exploit” nothing happens after the attack launches. How would you debug this (or what would you change to get your meterpreter session)?
  5. You have successfully initiated a meterpreter session against a Windows host. What type of post exploitation do you perform?
    1. How would you extract the local password hashes?
    2. How would you gather cleartext credentials from the machine?
      1. In your report, what would your recommendation be to prevent this?
    3. You attempt to run mimikatz but an error occurs. How do you debug this (or what would you do to try and fix the error)?
  6. Using the same meterpreter session as before, you are able to dump the local machine hashes. Describe what you would do with these.
  7. You are performing an onsite penetration test. You do not want to perform any active scanning. How would you gather credentials?
    1. What types of attack could you execute with them?
  8. Suppose you have physical access to a machine on a corporate domain that you are testing. It is connected to their network. You don’t have credentials for the domain or local machine. You also have your own laptop. How would you begin testing?
  9. How would you avoid antivirus?
  10. How would you target a database that you know lies behind a jump server with an unknown IP address?
  11. What are commonly vulnerable ports/services/applications?
  12. You have unprivileged Windows credentials, how can you elevate your privileges?
  13. How can SQL Injection lead to remote code execution?
  14. You have a SYSTEM shell on an AD workstation. Describe the process you would take to escalate to Domain Admin.
  15. What was your favourite penetration test moment, and why?
  16. When you are on an engagement, how do you manage client data? Look specifically for awareness of the risk of exposure, encryption, and deletion once the engagement is complete.
  17. What is the relevance of WPAD on a penetration test and how can it be leveraged?
  18. How would you conduct a pass-the-hash attack using NTLMv1/v2 (or netNTLM if you’re a heathen) hashes? Trick question! These hashes cannot be passed.
  19. You are performing an application penetration test and you come across a Java applet, describe what you might do with it.
  20. What would you inject into an HTML page of a victim to get their Windows computer to send you their password hashes?
  21. What tests would you perform in the following scenario: suppose you are assessing an application whose “forgot password” process consists of 3 steps:
    1. Enter your username
    2. Answer 3 security questions
    3. Set a new password
  22. You have found Local File Inclusion in a .php file on a web server; you want to read the contents of the local config.php file, but the code is being interpreted. How do you gain access to the contents of config.php?
  23. How would you turn a Local File Inclusion against a Linux host into Command Execution?
  24. Describe how and where in an application you might test for username enumeration.
  25. Are there any security concerns with scoping an authorization cookie to the parent domain?
  26. On a Linux host running MySQL, how would you go about gaining command execution leveraging SQL Injection?
  27. Describe how you can perform Man-In-The-Middle (MITM) attacks (to view and tamper with the traffic) against mobile devices.