Thilan Dissanayaka Interview Guides Jan 06

Penetration Testing - Interview preparation guide

Fundamentals of Penetration Testing

What is penetration testing?

Penetration testing, or ethical hacking, involves simulating cyberattacks on systems, networks, or applications to identify and address security vulnerabilities before malicious actors can exploit them.

What are the phases of a penetration test?

  • Reconnaissance: Gathering information about the target.

  • Scanning: Identifying open ports and services.

  • Gaining Access: Exploiting vulnerabilities to enter the system.

  • Maintaining Access: Establishing a persistent presence.

  • Covering Tracks: Erasing evidence of the intrusion.

What are the types of penetration testing?

  • Black Box: Tester has no prior knowledge of the system.

  • White Box: Tester has full knowledge of the system.

  • Gray Box: Tester has partial knowledge, simulating an insider threat.

Reconnaissance & Information Gathering

What is the difference between active and passive reconnaissance?

  • Active: Direct interaction with the target (e.g., port scanning).

  • Passive: Gathering information without direct interaction (e.g., WHOIS lookup).

What tools are used for reconnaissance?

Common tools include:

  • Nmap: Network scanning.

  • Wireshark: Packet analysis.

  • Maltego: Data mining and link analysis.

  • theHarvester: Email and domain harvesting.

Scanning & Enumeration

What is port scanning, and why is it important?

Port scanning identifies open ports and services on a target system, helping to determine potential entry points for exploitation.

What is banner grabbing?

Banner grabbing involves capturing service banners to determine software versions and potential vulnerabilities.
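The port scanning and banner grabbing questions above are easier to answer with a concrete picture of what a scanner actually does per port. The following Python is an added example written for this guide, not code from the original post or from any of the tools it lists. It spins up a loopback listener that sends a constructed banner, connects to it the way a scanner would, parses product and version out of the reply, and compares the version with a constructed minimum-version baseline (an assumption for the example, not a real advisory), which is the check a vulnerability-management process runs on the output of banner grabbing.

```python
import re
import socket
import threading

# Constructed sample banner; the in-process listener below plays the role of
# the target service so the example needs no network access beyond loopback.
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"

# Constructed minimum-version baseline (an assumption for the example, not a
# real advisory): anything below these versions is flagged for follow-up.
MIN_VERSIONS = {"OpenSSH": "8.0", "Apache": "2.4.50", "nginx": "1.20.0"}

# Matches the product/version pairs that common services volunteer on connect.
BANNER_RE = re.compile(
    r"(?P<product>OpenSSH|Apache|nginx|vsftpd|ProFTPD)[_/ ](?P<version>\d+(?:\.\d+)*(?:p\d+)?)"
)


def serve_banner(banner: bytes) -> int:
    """Start a throwaway loopback listener that sends `banner` to the first
    client and then closes. Returns the ephemeral port it is bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def _run():
        conn, _ = srv.accept()
        try:
            conn.sendall(banner)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=_run, daemon=True).start()
    return port


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect and read whatever the service sends first (its banner)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("utf-8", errors="replace").strip()


def parse_banner(banner: str) -> dict:
    """Pull product and version out of a banner string, if recognisable."""
    m = BANNER_RE.search(banner)
    if not m:
        return {"product": None, "version": None, "raw": banner}
    return {"product": m.group("product"), "version": m.group("version"), "raw": banner}


def version_key(version: str) -> tuple:
    """Numeric components only, so '8.9p1' compares as (8, 9)."""
    return tuple(int(x) for x in re.findall(r"\d+", version.split("p")[0]))


def is_below_baseline(info: dict, baseline: dict = MIN_VERSIONS) -> bool:
    """True when the parsed product is known and older than the baseline."""
    product, version = info.get("product"), info.get("version")
    if product not in baseline or version is None:
        return False
    return version_key(version) < version_key(baseline[product])


def check_service(host: str, port: int) -> dict:
    """Grab, parse and assess one service; a scanner loops this over open ports."""
    info = parse_banner(grab_banner(host, port))
    info["below_baseline"] = is_below_baseline(info)
    return info


def demo() -> dict:
    """Run the whole flow against the loopback listener with the sample banner."""
    port = serve_banner(SAMPLE_BANNER)
    return check_service("127.0.0.1", port)


if __name__ == "__main__":
    print(demo())
```

Two points worth making in an interview come out of the code: a banner is only what the service chooses to say, so `parse_banner` must cope with unrecognised or empty replies, and a version string alone is not a vulnerability; it becomes a finding only after comparison with a baseline or an advisory, which is why the scan output feeds the reporting stage rather than being the report.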

Exploitation Techniques

Post-Exploitation

What is privilege escalation?

Privilege escalation involves gaining higher access rights, typically from a lower-privileged user to an administrator.

How do attackers maintain access?

Techniques include installing backdoors, creating new user accounts, or using scheduled tasks to regain access.
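The persistence techniques named above (new accounts, privilege group changes, scheduled tasks) each leave a trace in host logs, and a good interview answer covers how a defender would spot them. The Python below is an added example for this guide, not code from the original post; it runs a few regex rules over constructed auth-log style lines (the sample lines are made up for the example, not taken from any real system) and groups the hits by account so that one account touched by several techniques stands out.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in syslog/auth.log style; not from any real host.
SAMPLE_LOG = """\
Jan 06 10:01:12 web01 sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 51522 ssh2
Jan 06 10:03:44 web01 useradd[2290]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
Jan 06 10:03:50 web01 usermod[2295]: add 'svc_backup' to group 'sudo'
Jan 06 10:05:02 web01 crontab[2310]: (svc_backup) REPLACE (svc_backup)
Jan 06 10:06:15 web01 sshd[2330]: Accepted password for svc_backup from 198.51.100.7 port 40212 ssh2
Jan 06 10:10:00 web01 CRON[2400]: (root) CMD (/usr/bin/apt-get update)
"""


@dataclass(frozen=True)
class Alert:
    line_no: int      # 1-based line in the input
    technique: str    # which persistence technique the rule covers
    account: str      # the account the event concerns


# Each rule is (technique label, pattern with a named `who` group).
RULES = [
    ("new local account",
     re.compile(r"useradd\[\d+\]: new user: name=(?P<who>[\w.-]+)")),
    ("added to privileged group",
     re.compile(r"usermod\[\d+\]: add '(?P<who>[\w.-]+)' to group '(?:sudo|wheel|admin)'")),
    ("scheduled task changed",
     re.compile(r"crontab\[\d+\]: \((?P<who>[\w.-]+)\) (?:REPLACE|EDIT)")),
]


def detect_persistence(log_text: str) -> list:
    """Return one Alert per rule hit, in log order."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for technique, pattern in RULES:
            m = pattern.search(line)
            if m:
                alerts.append(Alert(n, technique, m.group("who")))
    return alerts


def accounts_by_hit_count(alerts) -> dict:
    """Map account -> number of distinct techniques seen for it; an account
    hit by several techniques in a short window is the high-confidence case."""
    seen = Counter()
    for a in alerts:
        seen[a.account] += 1
    return dict(seen)


if __name__ == "__main__":
    found = detect_persistence(SAMPLE_LOG)
    for a in found:
        print(f"line {a.line_no}: {a.technique} ({a.account})")
    print(accounts_by_hit_count(found))
```

The ordinary `CRON` execution line and the legitimate `deploy` login produce no alert, which is the point of matching on the specific management commands rather than on any mention of cron or sudo; the aggregation step is what turns three low-signal events into one finding about `svc_backup`.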

Tools & Frameworks

What is Metasploit?

Metasploit is a penetration testing framework that provides information about security vulnerabilities and aids in developing and executing exploit code.

How is Burp Suite used in penetration testing?

Burp Suite is a web vulnerability scanner that allows for testing web applications for security flaws like XSS, SQL injection, and more.

What is the role of Nmap in penetration testing?

Nmap is used for network discovery and security auditing, helping identify open ports, services, and potential vulnerabilities.

Reporting & Documentation

What should a penetration testing report include?

  • Executive Summary: High-level findings.

  • Methodology: Testing approach.

  • Findings: Detailed vulnerabilities with evidence.

  • Recommendations: Remediation steps.

  • Appendices: Tools used, logs, and additional data.

How do you prioritize vulnerabilities?

  • Severity: Impact of the vulnerability.
  • Exploitability: Ease of exploitation.
  • Exposure: Accessibility to attackers.
  • Business Impact: Potential damage to the organization.
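Interviewers often follow the prioritisation question with "so how would you rank these four findings?", and a weighted score makes the reasoning explicit. The Python below is an added example for this guide, not the original post's content or any standard's official formula: the four factors listed above are normalised to 0-1, combined with weights that are an assumption of the example (a real programme tunes them to its own risk appetite), and mapped to a remediation window. The sample findings are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    title: str
    severity: float         # technical impact on a 0-10 scale (CVSS-style base score)
    exploitability: float   # 0-1: public exploit, no auth needed, reliable -> near 1
    exposure: float         # 0-1: internet-facing and unauthenticated -> 1, isolated -> near 0
    business_impact: float  # 0-1: criticality of the affected asset or data


# Relative weight of each factor; these are the example's assumption and a
# real programme would tune them to its own risk appetite.
WEIGHTS = {"severity": 0.40, "exploitability": 0.25, "exposure": 0.20, "business_impact": 0.15}


def priority_score(f: Finding) -> float:
    """Weighted score on a 0-100 scale; every factor is normalised to 0-1 first."""
    factors = {
        "severity": f.severity / 10.0,
        "exploitability": f.exploitability,
        "exposure": f.exposure,
        "business_impact": f.business_impact,
    }
    return round(100 * sum(WEIGHTS[k] * factors[k] for k in WEIGHTS), 1)


def remediation_bucket(score: float) -> str:
    """Map a score to the remediation window the report recommends."""
    if score >= 80:
        return "fix immediately"
    if score >= 60:
        return "fix within the current sprint"
    if score >= 40:
        return "schedule in the next release"
    return "track and re-assess"


def prioritize(findings) -> list:
    """Return (finding, score, bucket) tuples, highest priority first."""
    scored = []
    for f in findings:
        s = priority_score(f)
        scored.append((f, s, remediation_bucket(s)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample findings, not from any real engagement.
SAMPLE_FINDINGS = [
    Finding("SQL injection in customer portal login", 9.8, 0.9, 1.0, 0.9),
    Finding("Outdated kernel on internal build server", 7.8, 0.5, 0.2, 0.6),
    Finding("Missing HSTS header on marketing site", 3.1, 0.3, 1.0, 0.2),
    Finding("Default credentials on lab switch (isolated VLAN)", 9.0, 1.0, 0.1, 0.3),
]


if __name__ == "__main__":
    for f, score, bucket in prioritize(SAMPLE_FINDINGS):
        print(f"{score:5.1f}  {bucket:30s}  {f.title}")
```

The sample set is chosen so the factors visibly disagree: the lab switch has the highest raw severity and a trivial exploit, yet its isolation pulls it below the internet-facing injection, while the HSTS issue is fully exposed but scores low because its impact is small. Explaining that interplay is the substance of the "how do you prioritise" answer.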

Behavioral & Scenario-Based Questions

Describe a challenging penetration test you've conducted.

[Provide a specific example, detailing the target, challenges faced, tools used, and the outcome.]

How do you handle a situation where a client disagrees with your findings?

[Discuss the importance of clear communication, providing evidence, and collaborating to reach a mutual understanding.]

Information Gathering & Reconnaissance

  • Nmap: Network scanner for discovering hosts, open ports, services, and OS details.
  • theHarvester: Harvests emails, subdomains, hosts, and employee names from public sources.
  • Recon-ng: Web reconnaissance framework with modules for passive information gathering.
  • Maltego: Graphical link analysis tool for mapping relationships between people, organizations, domains, etc.
  • Shodan: Search engine for discovering internet-connected devices and their vulnerabilities.
  • FOCA: Metadata extractor for documents, useful for gathering information about targets.

Scanning & Enumeration

  • Nessus: Vulnerability scanner that identifies misconfigurations and known vulnerabilities.
  • OpenVAS: Open-source vulnerability scanning tool similar to Nessus.
  • Nikto: Web server scanner that tests for dangerous files, outdated software, and other issues.
  • Netcat: Versatile networking tool for banner grabbing, port scanning, and debugging.
  • Enum4linux: Linux tool for enumerating information from Windows machines using SMB.

Exploitation

  • Metasploit Framework: Powerful framework for developing, testing, and executing exploits.
  • SQLMap: Automates detection and exploitation of SQL injection vulnerabilities.
  • Hydra: Fast and flexible brute-forcer for various network services.
  • John the Ripper: Password cracking tool using dictionary or brute-force attacks.
  • Hashcat: Advanced password recovery tool for cracking various hash types using GPU acceleration.

Web Application Testing

  • Burp Suite: Integrated platform for testing web application security (e.g., XSS, SQLi).
  • OWASP ZAP: Free web application security scanner maintained by OWASP.
  • Wapiti: Scanner that checks web applications for security flaws.
  • Dirb / Gobuster: Directory and file brute-forcers for web servers.

Wireless Network Testing

  • Aircrack-ng: Suite for assessing WiFi network security, including cracking WEP/WPA keys.
  • Kismet: Wireless network detector, sniffer, and intrusion detection system.
  • Reaver: Attacks WPS (WiFi Protected Setup) to retrieve WPA/WPA2 keys.
  • Wifite: Automated tool to capture handshakes and crack WiFi passwords.

Social Engineering

  • Social-Engineer Toolkit (SET): Framework for simulating social engineering attacks like phishing.
  • BeEF (Browser Exploitation Framework): Exploits vulnerabilities in web browsers to control target systems.

Post Exploitation & Privilege Escalation

  • Mimikatz: Extracts plaintext passwords, hashes, and Kerberos tickets from memory.
  • Empire: Post-exploitation framework that supports PowerShell and Python agents.
  • LinPEAS / WinPEAS: Scripts for finding privilege escalation paths on Linux/Windows.
  • BloodHound: Visual tool to analyze Active Directory and find privilege escalation paths.

Wireless & Bluetooth Attacks

  • BlueMaho: GUI for Bluetooth auditing and penetration testing.
  • Bluelog: Bluetooth scanner for detecting nearby Bluetooth devices.

Container & Cloud Security

  • Kube-hunter: Scans Kubernetes clusters for security issues.
  • ScoutSuite: Multi-cloud security-auditing tool for AWS, GCP, and Azure.
  • Pacu: AWS penetration testing framework.

Mobile Penetration Testing

  • MobSF (Mobile Security Framework): Automated framework for analyzing Android and iOS apps.
  • Drozer: Android app security assessment framework.
  • Frida: Dynamic instrumentation toolkit for testing mobile apps.

OSINT (Open Source Intelligence)

  • SpiderFoot: Automated OSINT tool for discovering data from public sources.
  • Sherlock: Searches usernames across social media platforms.
  • GHunt: Investigates Google accounts using email or other metadata.

Miscellaneous

  • Wireshark: Network protocol analyzer for deep packet inspection.
  • tcpdump: Command-line packet analyzer.
  • Dnsenum / DNSrecon: DNS enumeration tools.
  • Sublist3r: Fast subdomain enumeration tool.