Penetration Testing Interview Q&A

What is penetration testing?

An authorized security assessment where ethical hackers identify vulnerabilities by simulating real-world attacks.

VA vs Penetration Testing?

• Vulnerability Assessment identifies vulnerabilities.
• Penetration Testing validates whether those vulnerabilities can actually be exploited.

Phases of penetration testing?

• Planning
• Reconnaissance
• Scanning
• Exploitation
• Post Exploitation
• Reporting

What is reconnaissance?

Gathering information about the target before launching attacks. Examples: WHOIS, DNS Lookup, Google Dorking, Social Media Intelligence.

Black Box vs White Box vs Grey Box?

• Black Box: No information provided.
• White Box: Complete access and source code.
• Grey Box: Partial knowledge.

What is CVE?

Common Vulnerabilities and Exposures — a publicly disclosed security vulnerability identifier.

What is CVSS?

Common Vulnerability Scoring System measures vulnerability severity.

What is Exploitation?

The process of taking advantage of a vulnerability to gain unauthorized access.

What is Privilege Escalation?

Gaining higher-level permissions after initial access.

What is Lateral Movement?

Moving from one compromised machine to another inside a network.

Explain the OWASP Top 10.

• Broken Access Control
• Cryptographic Failures
• Injection
• Insecure Design
• Security Misconfiguration
• Vulnerable Components
• Authentication Failures
• Software Integrity Failures
• Logging Failures
• SSRF

What tools do you use?

• Nmap · Burp Suite · Metasploit
• Wireshark · Gobuster · SQLMap
• Hydra · Nikto · ffuf · BloodHound

Explain SQL Injection.

SQL Injection occurs when user input modifies SQL queries allowing unauthorized database access.

What is XSS?

Cross-Site Scripting allows attackers to execute JavaScript inside a victim's browser. Types: Stored, Reflected, DOM-based.

What is CSRF?

Cross-Site Request Forgery tricks authenticated users into performing unwanted actions.

What is SSRF?

Server-Side Request Forgery forces the server to send requests on behalf of the attacker.

Explain IDOR.

Insecure Direct Object Reference allows unauthorized access to objects by modifying identifiers.

What is RCE?

Remote Code Execution allows attackers to execute arbitrary commands remotely.

Explain Command Injection.

Executing operating system commands through vulnerable applications.

Authentication vs Authorization?

• Authentication verifies identity.
• Authorization determines permissions.

What is Kerberos?

Authentication protocol used in Active Directory environments.

Explain NTLM.

Legacy authentication protocol used in Windows environments.

What is Pass-the-Hash?

Attack where an attacker uses a hashed password to authenticate without the plaintext.

What is Golden Ticket Attack?

Forging a Kerberos TGT to gain unrestricted domain access.

What is Kerberoasting?

Requesting service tickets to crack service account passwords.

Explain LLMNR Poisoning.

Abusing LLMNR to intercept and relay authentication requests.

What is CSP?

Content Security Policy — helps prevent XSS by controlling resources.

Explain CORS.

Cross-Origin Resource Sharing — controls which domains can access resources.

What is Clickjacking?

UI redressing attack that tricks users into clicking hidden elements.

What is XXE?

XML External Entity injection that can disclose internal files.

Explain JWT attacks.

Attacks targeting JSON Web Tokens, including algorithm confusion and signature bypass.

TCP vs UDP?

• TCP: connection-oriented, reliable.
• UDP: connectionless, faster.

What is ARP Spoofing?

Manipulating ARP tables to intercept traffic on a local network.

What is VLAN Hopping?

Bypassing VLAN segmentation to access traffic from other VLANs.

Explain SMB Enumeration.

Enumerating SMB shares, users, and permissions for further attacks.

What is Pivoting?

Using a compromised machine to access otherwise unreachable internal systems.

AWS S3 Bucket Security?

Misconfigured buckets can expose sensitive data. Check permissions, encryption, and public access.

What is Cloud Metadata Exploitation?

Accessing cloud instance metadata to retrieve credentials.

Docker Security concerns?

Container escape, insecure configurations, and privileged containers.

What is IAM Misconfiguration?

Overly permissive roles and policies in cloud environments.

What is BOLA?

Broken Object Level Authorization — unauthorized access to API objects.

API authentication methods?

• API Keys · JWT · OAuth
• Basic Auth · Mutual TLS

GraphQL Security?

Over-fetching, introspection leaks, and injection attacks.

What is API Fuzzing?

Automated testing of API endpoints with unexpected input.

How do you write a pentest report?

Executive summary, methodology, findings, evidence, remediation, and conclusion.

What should executive summary include?

High-level overview, key risks, business impact, and recommendations.

What is proof of concept (PoC)?

Evidence that demonstrates how a vulnerability can be exploited.

How to prioritize vulnerabilities?

CVSS scores, exploitability, and business impact.

Tell us about yourself.

Briefly summarize your background, skills, and passion for security.

Why penetration testing?

Share your interest in problem-solving, security, and ethical hacking.

What certifications do you have?

List any relevant certifications like CEEH, CKCC, KLSFP, etc.

Explain your home lab.

Describe your setup, tools, and practice environments.