Penetration Testing - Interview preparation guide
Fundamentals of Penetration Testing
What is penetration testing?
Penetration testing, or ethical hacking, involves simulating cyberattacks on systems, networks, or applications, with the owner's written authorization and an agreed scope, to identify and address security vulnerabilities before malicious actors can exploit them.
What are the phases of a penetration test?
- Reconnaissance: Gathering information about the target.
- Scanning: Identifying live hosts, open ports, and services.
- Gaining Access: Exploiting vulnerabilities to enter the system.
- Maintaining Access: Establishing a persistent presence.
- Covering Tracks: Erasing evidence of the intrusion. In an authorized test this phase amounts to cleanup: removing any accounts, tools, or files left on the target and recording every change in the report.
What are the types of penetration testing?
- Black Box: Tester has no prior knowledge of the system.
- White Box: Tester has full knowledge of the system (source code, architecture, credentials).
- Gray Box: Tester has partial knowledge, such as a low-privileged account or network documentation, simulating an insider or a compromised user.
Reconnaissance & Information Gathering
What is the difference between active and passive reconnaissance?
- Active: Direct interaction with the target (e.g., port scanning), which the target can log and alert on.
- Passive: Gathering information without direct interaction (e.g., WHOIS lookup, public DNS records, search engines).
What tools are used for reconnaissance?
Common tools include:
- Nmap: Network scanning.
- Wireshark: Packet analysis.
- Maltego: Data mining and link analysis.
- theHarvester: Email and domain harvesting.
Scanning & Enumeration
What is port scanning, and why is it important?
Port scanning identifies open ports and services on a target system, helping to determine potential entry points for exploitation.
What is banner grabbing?
Banner grabbing involves connecting to a service and capturing the banner it returns (for example, an SSH version string or an HTTP Server header) to determine the software and version in use and to look up known vulnerabilities for that version. Administrators can edit or remove banners, so a version read from a banner is a lead to confirm, not proof.
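As an added example (not code from the original page or from any tool it names), the connect scan and banner grab described in the two questions above, written in Python against constructed local services: one that greets immediately (SSH-style) and one that stays silent until the client sends a request (HTTP-style). The listeners, banners, probe, and version patterns are assumptions made for the example; a real engagement would use Nmap's version detection (`nmap -sV`), which carries a far larger probe and signature database.

```python
import re
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed banners, served by throwaway local listeners so the example runs offline.
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n"
SAMPLE_HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                        b"Content-Length: 0\r\n\r\n")
# Probe for services that stay silent until the client speaks (HTTP does this).
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"
# Pull a product/version string out of the two banner styles above (assumed patterns).
VERSION_PATTERNS = [re.compile(r"SSH-2\.0-(OpenSSH_[\w.]+)"),
                    re.compile(r"Server:\s*([^\r\n]+)")]


def extract_version(banner: str):
    """First product/version string found in the banner, or None (a lead, not proof)."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(banner)
        if match:
            return match.group(1)
    return None


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Wait for the service's greeting; if it stays silent, send a probe and read again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""
        if not data:
            sock.sendall(HTTP_PROBE)
            try:
                data = sock.recv(1024)
            except socket.timeout:
                data = b""
    return data.decode("latin-1").strip()


def scan(host: str, ports, timeout: float = 1.0, workers: int = 32) -> dict:
    """TCP connect scan; every open port gets a banner grab and a version guess."""
    def probe_port(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) != 0:
                return port, None            # closed or filtered: nothing to grab
        banner = grab_banner(host, port, timeout)
        return port, {"banner": banner, "version": extract_version(banner)}

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {port: info for port, info in pool.map(probe_port, ports) if info}


def _serve(banner: bytes, wait_for_request: bool):
    """Hypothetical target service on 127.0.0.1; returns (port, listening socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                       # listener shut down
            with conn:
                try:
                    if wait_for_request:
                        conn.settimeout(3)
                        if not conn.recv(1024):
                            continue         # client closed without sending a request
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], srv


def demo() -> dict:
    """Scan two constructed services plus one port that is bound but not listening."""
    ssh_port, ssh_srv = _serve(SAMPLE_SSH_BANNER, wait_for_request=False)
    http_port, http_srv = _serve(SAMPLE_HTTP_RESPONSE, wait_for_request=True)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))             # reserved but never listen()ed: connect is refused
    closed_port = spare.getsockname()[1]
    try:
        found = scan("127.0.0.1", [ssh_port, http_port, closed_port])
    finally:
        spare.close()
        for srv in (ssh_srv, http_srv):
            try:
                srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept() so its thread exits
            except OSError:
                pass
            srv.close()
    return {"ssh": ssh_port, "http": http_port, "closed": closed_port, "found": found}
```

The silent-service case is the one that trips up naive banner grabbers: an HTTP server sends nothing on connect, so a grab that only reads reports an open port with an empty banner. The script sends a generic HEAD request after the first read times out, the same speak-first-then-listen approach Nmap's service probes use. Either way the version string is only a lead, since the administrator controls the banner.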
Exploitation Techniques
Post-Exploitation
What is privilege escalation?
Privilege escalation involves gaining higher access rights, typically from a lower-privileged user to an administrator.
How do attackers maintain access?
Techniques include installing backdoors, creating new user accounts, or using scheduled tasks to regain access.
Tools & Frameworks
What is Metasploit?
Metasploit is a penetration testing framework that bundles exploit modules, payloads (such as Meterpreter), and auxiliary scanners, and provides the tooling to develop, test, and execute exploit code against in-scope targets.
How is Burp Suite used in penetration testing?
Burp Suite is a web application testing platform built around an intercepting proxy: the tester routes browser traffic through it to inspect, modify, and replay HTTP(S) requests, and its scanner and other tools help find flaws like XSS, SQL injection, and more.
What is the role of Nmap in penetration testing?
Nmap is used for network discovery and security auditing, helping identify open ports, services, and potential vulnerabilities.
Reporting & Documentation
What should a penetration testing report include?
- Executive Summary: High-level findings.
- Methodology: Testing approach.
- Findings: Detailed vulnerabilities with evidence.
- Recommendations: Remediation steps.
- Appendices: Tools used, logs, and additional data.
How do you prioritize vulnerabilities?
- Severity: Impact of the vulnerability.
- Exploitability: Ease of exploitation.
- Exposure: Accessibility to attackers.
- Business Impact: Potential damage to the organization.
Behavioral & Scenario-Based Questions
Describe a challenging penetration test you've conducted.
[Provide a specific example, detailing the target, challenges faced, tools used, and the outcome.]
How do you handle a situation where a client disagrees with your findings?
[Discuss the importance of clear communication, providing evidence, and collaborating to reach a mutual understanding.]
Information Gathering & Reconnaissance
Tool | Description |
---|---|
Nmap | Network scanner for discovering hosts, open ports, services, and OS details. |
theHarvester | Harvests emails, subdomains, hosts, and employee names from public sources. |
Recon-ng | Web reconnaissance framework with modules for passive information gathering. |
Maltego | Graphical link analysis tool for mapping relationships between people, organizations, domains, etc. |
Shodan | Search engine for discovering internet-connected devices and their vulnerabilities. |
FOCA | Metadata extractor for documents, useful for gathering information about targets. |
Scanning & Enumeration
Tool | Description |
---|---|
Nessus | Vulnerability scanner that identifies misconfigurations and known vulnerabilities. |
OpenVAS | Open-source vulnerability scanning tool similar to Nessus. |
Nikto | Web server scanner that tests for dangerous files, outdated software, and other issues. |
Netcat | Versatile networking tool for banner grabbing, port scanning, and debugging. |
Enum4linux | Linux tool for enumerating information from Windows machines using SMB. |
Exploitation
Tool | Description |
---|---|
Metasploit Framework | Powerful framework for developing, testing, and executing exploits. |
SQLMap | Automates detection and exploitation of SQL injection vulnerabilities. |
Hydra | Fast and flexible brute-forcer for various network services. |
John the Ripper | Password cracking tool using dictionary or brute-force attacks. |
Hashcat | Advanced password recovery tool for cracking various hash types using GPU acceleration. |
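As an added example, not code from the page or from John the Ripper or Hashcat, this shows what the dictionary attack with mangling rules listed for those tools does, against constructed SHA-256 hashes. The wordlist, rule set, salt, and target hashes are assumptions made for the example; real targets are format-specific hashes (NTLM, bcrypt, and so on) and real rule sets are far larger.

```python
import hashlib

# Hypothetical rule set: common suffixes plus a leetspeak substitution.
SUFFIXES = ["", "1", "123", "!", "2024"]
LEET = str.maketrans("aeos", "@30$")


def mangle(word: str) -> list:
    """Expand one dictionary word into candidates: case variants x leetspeak x suffixes."""
    out, seen = [], set()
    for base in (word.lower(), word.capitalize(), word.upper()):
        for stem in (base, base.translate(LEET)):
            for suffix in SUFFIXES:
                candidate = stem + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    out.append(candidate)
    return out


def candidates(wordlist):
    for word in wordlist:
        yield from mangle(word)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def crack_unsalted(targets, wordlist):
    """Unsalted hashes: hash each candidate once and look it up against every target."""
    wanted = set(targets)
    found, work = {}, 0
    for candidate in candidates(wordlist):
        work += 1
        digest = sha256_hex(candidate.encode())
        if digest in wanted:
            found[digest] = candidate
            if len(found) == len(wanted):
                break
    return found, work


def crack_salted(targets, wordlist):
    """Salted hashes: targets are (salt, hash) pairs, so each hash needs its own pass."""
    found, work = {}, 0
    for salt, digest in targets:
        for candidate in candidates(wordlist):
            work += 1
            if sha256_hex(salt + candidate.encode()) == digest:
                found[digest] = candidate
                break
    return found, work


# Constructed sample "leak": two unsalted SHA-256 hashes and one salted hash.
WORDLIST = ["password", "summer", "letmein", "welcome", "dragon"]
UNSALTED_TARGETS = [sha256_hex(b"Summer2024"), sha256_hex(b"l3tm3in!")]
SALT = b"\x9a\x12\x7f\xc4"
SALTED_TARGETS = [(SALT, sha256_hex(SALT + b"Welcome123"))]


def demo() -> dict:
    """Run both attacks and report recovered plaintexts with the hash count each needed."""
    unsalted, work_u = crack_unsalted(UNSALTED_TARGETS, WORDLIST)
    salted, work_s = crack_salted(SALTED_TARGETS, WORDLIST)
    return {"unsalted": unsalted, "unsalted_work": work_u,
            "salted": salted, "salted_work": work_s}


if __name__ == "__main__":
    result = demo()
    print("unsalted:", list(result["unsalted"].values()), "hashes computed:", result["unsalted_work"])
    print("salted:  ", list(result["salted"].values()), "hashes computed:", result["salted_work"])
```

Two points the table cannot show: a bare dictionary word rarely matches, so most successful cracks come from rules (case, suffixes, leetspeak), and salting removes the shortcut of hashing each candidate once and checking it against every target, which is why the salted pass is charged a full candidate sweep per hash.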
Web Application Testing
Tool | Description |
---|---|
Burp Suite | Integrated platform for testing web application security (e.g., XSS, SQLi). |
OWASP ZAP | Free web application security scanner maintained by OWASP. |
Wapiti | Scanner that checks web applications for security flaws. |
Dirb / Gobuster | Directory and file brute-forcers for web servers. |
Wireless Network Testing
Tool | Description |
---|---|
Aircrack-ng | Suite for assessing WiFi network security, including cracking WEP/WPA keys. |
Kismet | Wireless network detector, sniffer, and intrusion detection system. |
Reaver | Attacks WPS (WiFi Protected Setup) to retrieve WPA/WPA2 keys. |
Wifite | Automated tool to capture handshakes and crack WiFi passwords. |
Social Engineering
Tool | Description |
---|---|
Social-Engineer Toolkit (SET) | Framework for simulating social engineering attacks like phishing. |
BeEF (Browser Exploitation Framework) | Hooks web browsers through an injected JavaScript payload and runs command modules (fingerprinting, phishing dialogs, client-side exploits) against the hooked browser. |
Post Exploitation & Privilege Escalation
Tool | Description |
---|---|
Mimikatz | Extracts plaintext passwords, hashes, and Kerberos tickets from memory. |
Empire | Post-exploitation framework that supports PowerShell and Python agents. |
LinPEAS / WinPEAS | Scripts for finding privilege escalation paths on Linux/Windows. |
BloodHound | Visual tool to analyze Active Directory and find privilege escalation paths. |
Wireless & Bluetooth Attacks
Tool | Description |
---|---|
BlueMaho | GUI for Bluetooth auditing and penetration testing. |
Bluelog | Bluetooth scanner for detecting nearby Bluetooth devices. |
Container & Cloud Security
Tool | Description |
---|---|
Kube-hunter | Scans Kubernetes clusters for security issues. |
ScoutSuite | Multi-cloud security-auditing tool for AWS, GCP, and Azure. |
Pacu | AWS penetration testing framework. |
Mobile Penetration Testing
Tool | Description |
---|---|
MobSF (Mobile Security Framework) | Automated framework for analyzing Android and iOS apps. |
Drozer | Android app security assessment framework. |
Frida | Dynamic instrumentation toolkit for testing mobile apps. |
OSINT (Open Source Intelligence)
Tool | Description |
---|---|
SpiderFoot | Automated OSINT tool for discovering data from public sources. |
Sherlock | Searches usernames across social media platforms. |
GHunt | Investigates Google accounts using email or other metadata. |
Miscellaneous
Tool | Description |
---|---|
Wireshark | Network protocol analyzer for deep packet inspection. |
tcpdump | Command-line packet analyzer. |
Dnsenum / DNSrecon | DNS enumeration tools. |
Sublist3r | Fast subdomain enumeration tool. |