Thilan Dissanayaka Interview Guides Jan 06

Penetration Testing - Interview preparation guide

Fundamentals of Penetration Testing

What is penetration testing?

Penetration testing, or ethical hacking, involves simulating cyberattacks on systems, networks, or applications to identify and address security vulnerabilities before malicious actors can exploit them.

What are the phases of a penetration test?

  • Reconnaissance: Gathering information about the target.

  • Scanning: Identifying open ports and services.

  • Gaining Access: Exploiting vulnerabilities to enter the system.

  • Maintaining Access: Establishing a persistent presence.

  • Covering Tracks: Erasing evidence of the intrusion.

What are the types of penetration testing?

  • Black Box: Tester has no prior knowledge of the system.

  • White Box: Tester has full knowledge of the system.

  • Gray Box: Tester has partial knowledge, simulating an insider threat.

Reconnaissance & Information Gathering

What is the difference between active and passive reconnaissance?

  • Active: Direct interaction with the target (e.g., port scanning).

  • Passive: Gathering information without direct interaction (e.g., WHOIS lookup).

What tools are used for reconnaissance?

Common tools include:

  • Nmap: Network scanning.

  • Wireshark: Packet analysis.

  • Maltego: Data mining and link analysis.

  • theHarvester: Email and domain harvesting.

Scanning & Enumeration

What is port scanning, and why is it important?

Port scanning identifies open ports and services on a target system, helping to determine potential entry points for exploitation.

What is banner grabbing?

Banner grabbing involves capturing service banners to determine software versions and potential vulnerabilities.
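Added example, not from the guide: a minimal banner grabber with a parser that turns raw SSH, FTP, SMTP and HTTP banners into product/version pairs, which is exactly the information an assessor (or a defender auditing their own exposure) reads off them. The `probe` parameter, the regex table and the `serve_banner` fixture are my own constructions; the fixture is a throwaway listener on 127.0.0.1, so nothing outside the local host is contacted.

```python
import re
import socket
import threading

# Common banner formats, tried in order; "version" may be empty (SMTP often
# names only the product). re.M lets "^" match the HTTP Server header line.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_-](?P<version>[\w.]+)", re.M)),
    ("smtp", re.compile(r"^220[ -]\S+\s+E?SMTP\s+(?P<product>[A-Za-z]+)"
                        r"(?:\s+(?P<version>\d[\w.]*))?", re.M)),
    ("ftp", re.compile(r"^220[ -]\(?(?P<product>[A-Za-z]+)\s+(?P<version>\d[\w.]*)", re.M)),
    ("http", re.compile(r"^Server:\s*(?P<product>[A-Za-z-]+)/(?P<version>[\w.]+)", re.M | re.I)),
]

def parse_banner(text):
    """Return {"service", "product", "version"} for a recognised banner, else None."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.search(text)
        if m:
            return {"service": service, "product": m.group("product"),
                    "version": m.group("version")}
    return None

def grab_banner(host, port, probe=b"", timeout=2.0):
    """Connect, optionally send a probe (HTTP answers only after a request), return the first bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        return s.recv(1024).decode("utf-8", errors="replace")  # "" if the service stays silent

def serve_banner(banner):
    """Constructed local fixture: send one banner per client on 127.0.0.1. Returns (port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    stop = threading.Event()
    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop.set
```

A silent service (one that closes or waits without speaking) comes back as an empty string and `parse_banner` returns `None`; that absence is itself a finding worth noting, since it means version disclosure has been suppressed.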

Exploitation Techniques

Post-Exploitation

What is privilege escalation?

Privilege escalation involves gaining higher access rights, typically from a lower-privileged user to an administrator.

How do attackers maintain access?

Techniques include installing backdoors, creating new user accounts, or using scheduled tasks to regain access.

Tools & Frameworks

What is Metasploit?

Metasploit is a penetration testing framework that provides information about security vulnerabilities and aids in developing and executing exploit code.

How is Burp Suite used in penetration testing?

Burp Suite is a web vulnerability scanner that allows for testing web applications for security flaws like XSS, SQL injection, and more.

What is the role of Nmap in penetration testing?

Nmap is used for network discovery and security auditing, helping identify open ports, services, and potential vulnerabilities.

Reporting & Documentation

What should a penetration testing report include?

  • Executive Summary: High-level findings.

  • Methodology: Testing approach.

  • Findings: Detailed vulnerabilities with evidence.

  • Recommendations: Remediation steps.

  • Appendices: Tools used, logs, and additional data.

How do you prioritize vulnerabilities?

  • Severity: Impact of the vulnerability.
  • Exploitability: Ease of exploitation.
  • Exposure: Accessibility to attackers.
  • Business Impact: Potential damage to the organization.

Behavioral & Scenario-Based Questions

Describe a challenging penetration test you've conducted.

[Provide a specific example, detailing the target, challenges faced, tools used, and the outcome.]

How do you handle a situation where a client disagrees with your findings?

[Discuss the importance of clear communication, providing evidence, and collaborating to reach a mutual understanding.]

Information Gathering & Reconnaissance

  • Nmap: Network scanner for discovering hosts, open ports, services, and OS details.
  • theHarvester: Harvests emails, subdomains, hosts, and employee names from public sources.
  • Recon-ng: Web reconnaissance framework with modules for passive information gathering.
  • Maltego: Graphical link analysis tool for mapping relationships between people, organizations, domains, etc.
  • Shodan: Search engine for discovering internet-connected devices and their vulnerabilities.
  • FOCA: Metadata extractor for documents, useful for gathering information about targets.

Scanning & Enumeration

  • Nessus: Vulnerability scanner that identifies misconfigurations and known vulnerabilities.
  • OpenVAS: Open-source vulnerability scanning tool similar to Nessus.
  • Nikto: Web server scanner that tests for dangerous files, outdated software, and other issues.
  • Netcat: Versatile networking tool for banner grabbing, port scanning, and debugging.
  • Enum4linux: Linux tool for enumerating information from Windows machines using SMB.

Exploitation

  • Metasploit Framework: Powerful framework for developing, testing, and executing exploits.
  • SQLMap: Automates detection and exploitation of SQL injection vulnerabilities.
  • Hydra: Fast and flexible brute-forcer for various network services.
  • John the Ripper: Password cracking tool using dictionary or brute-force attacks.
  • Hashcat: Advanced password recovery tool for cracking various hash types using GPU acceleration.

Web Application Testing

  • Burp Suite: Integrated platform for testing web application security (e.g., XSS, SQLi).
  • OWASP ZAP: Free web application security scanner maintained by OWASP.
  • Wapiti: Scanner that checks web applications for security flaws.
  • Dirb / Gobuster: Directory and file brute-forcers for web servers.

Wireless Network Testing

  • Aircrack-ng: Suite for assessing WiFi network security, including cracking WEP/WPA keys.
  • Kismet: Wireless network detector, sniffer, and intrusion detection system.
  • Reaver: Attacks WPS (WiFi Protected Setup) to retrieve WPA/WPA2 keys.
  • Wifite: Automated tool to capture handshakes and crack WiFi passwords.

Social Engineering

  • Social-Engineer Toolkit (SET): Framework for simulating social engineering attacks like phishing.
  • BeEF (Browser Exploitation Framework): Exploits vulnerabilities in web browsers to control target systems.

Post Exploitation & Privilege Escalation

  • Mimikatz: Extracts plaintext passwords, hashes, and Kerberos tickets from memory.
  • Empire: Post-exploitation framework that supports PowerShell and Python agents.
  • LinPEAS / WinPEAS: Scripts for finding privilege escalation paths on Linux/Windows.
  • BloodHound: Visual tool to analyze Active Directory and find privilege escalation paths.

Wireless & Bluetooth Attacks

  • BlueMaho: GUI for Bluetooth auditing and penetration testing.
  • Bluelog: Bluetooth scanner for detecting nearby Bluetooth devices.

Container & Cloud Security

  • Kube-hunter: Scans Kubernetes clusters for security issues.
  • ScoutSuite: Multi-cloud security-auditing tool for AWS, GCP, and Azure.
  • Pacu: AWS penetration testing framework.

Mobile Penetration Testing

  • MobSF (Mobile Security Framework): Automated framework for analyzing Android and iOS apps.
  • Drozer: Android app security assessment framework.
  • Frida: Dynamic instrumentation toolkit for testing mobile apps.

OSINT (Open Source Intelligence)

  • SpiderFoot: Automated OSINT tool for discovering data from public sources.
  • Sherlock: Searches usernames across social media platforms.
  • GHunt: Investigates Google accounts using email or other metadata.

Miscellaneous

  • Wireshark: Network protocol analyzer for deep packet inspection.
  • tcpdump: Command-line packet analyzer.
  • Dnsenum / DNSrecon: DNS enumeration tools.
  • Sublist3r: Fast subdomain enumeration tool.