Top 35 penetration tester (Pentester) interview questions and answers for 2021.

If you are reading this post, chances are you have qualified for a pentesting job; however, the only hurdle left to overcome is an interview with a panel or an individual. We all know that going for an interview as a pentester can be pretty daunting, which is why in this post, we have researched some of the most asked questions interviewers ask aspiring pentesters before offering them a position in a company.

To make things easy, we have grouped these interview questions into tiers based on the position you are applying for. These tiers are beginner-level questions, intermediate-level questions, and expert-level questions. Also included are some bonus questions.

So, without wasting much time, let’s dive into them.

This article will be divided into the following topics:

• Beginner Level Questions & Answers.
• Intermediate Level Questions & Answers.
• Expert Level Questions & Answers.
• Bonus Questions.
• Conclusion.

Beginner-Level Questions and Answers:

Question – 1: What Is Ethical Hacking?

Ethical hacking is a form of hacking where a pentester is legally permitted to test a company’s security by by-passing the company’s system security. The goal of ethical hacking is to evaluate the system’s security by exploiting vulnerabilities.

Question – 2: Can You Filter Ports On a Firewall? If Yes, Why? If No, Why?

Yes, you can filter ports on a firewall. Filtering ports aim to prevent the network from irrelevant traffic or protect the company against malware attacks. For example, a company can block Port 19 (Chargen TCP/IP) to prevent the amplification of a DDoS attack.

Question – 3: What Is XSS (Cross-Site Scripting)?

This is a form of attack which involves a hacker injecting malicious code into a website’s script or application. The aim of an XSS attack is for the hacker to access the resources of the users that use that website.

Question – 4: What Is The Difference Between Cybersecurity and Pentesting?

A pentester performs ethical hacking to provide a report about the vulnerabilities of a company’s security system. In comparison, cybersecurity is the act of protecting a company’s program, systems, and networks from cyberattacks. So, pentesting is performed to test the strength of a company’s cybersecurity.

Question – 5: What Is The Difference Between Mac Address and IP Address?

An IP address is a unique numerical identifier assigned to each computer on the internet or a local area network. On the other hand, a MAC address is a unique identifier that is hardwired to the network interface card of a computer. The main difference between an IP address and a MAC address is that an IP address can be changed while your MAC address cannot be changed.

Question – 6: What Is An SQL Injection?

SQL attack is a form of attack designed to read, modify, and delete sensitive data from the backend database. An SQL attack can also be engineered to execute organizational administration operations.

Question – 7: What is the Difference Between an SQL attack and an XSS attack?

These two are the most common attacks hackers use; however, the difference between both is that an XSS attack aims to steal user’s information from the client’s side while an SQL attack aims to exploit vulnerabilities from the server-side.

Question – 8: How Does Traceroute and Tracert Work?

The traceroute, also popularly referred to as tracert is a network diagnosis feature used to evaluate the route from a host computer to a remote server or machine. It is used to determine if a packet has been redirected, or why the delivered or received packets took so long.

Question – 9: What is An Open Redirect?

This is a vulnerability in a website or application that redirects users that visit a website to a malicious URL. Hackers use open redirects to execute phishing attacks. Usually, hackers send open redirects to the emails of users of a specific website.

They achieve this by infiltrating the URL of a website with a redirect parameter of the malicious site and some superfluous parameters to make the attack less obvious. This URL is then sent to the victim, and when the victim clicks on it and inputs any credentials, these credentials are stolen by the hacker.

Question – 10: What is The Difference Between Symmetric and Asymmetric Encryption?

Symmetric encryptions involve using the same key to encrypt and decrypt information. Because the same key is used in symmetric encryption, keeping the key secret between the sender and receiver is important. Asymmetric encryption involves using two different cryptographic keys to encrypt and decrypt information. Due to this, symmetric encryption is faster.

These two keys are a public key and a private key. The public key allows people to encrypt data, while the private key allows only you to decrypt a specific message encrypted with a public key. Due to this process, asymmetric encryption is slower; however, it is more secure.

Question – 11: Which Cookie Security Flags Do Exist?

The HTTP-only flag.

Question – 12: What Is The Difference Between a Penetration Test and a Vulnerability Assessment?

Vulnerability assessment scans focus on finding potential vulnerabilities in a security system while penetration testing involves finding and exploiting vulnerabilities in a system.

Question – 13: What’s The Difference Between A Black Box, A Grey Box, and A White Box Test?

Black box testing is a type of pentest, where the tester has no prior knowledge about the details of the servers, networks, and applications in the system they are testing.

With white box testing, the tester has full knowledge and access to the system they are testing. With a gray box test, the tester is only given an overview of the system they are testing but not the details.

Question – 14: What Is ARP Poisoning, And How Can It Be Avoided?

ARP poisoning is a form of attack that involves an attacker flooding a local area network with malicious ARP packets. This is achieved by the hacker telling the router it is the recipient and telling the recipient that it is the router. This causes all packets intended to flow between the recipient and the router to go through the hacker.

ARP poisoning can be avoided using the following techniques:

Utilizing ARP Spoofing Softwares: This software will evaluate and validate packets before they are sent and block any spoofed packet.

Using Packet Filters: These filters can block out spoofed packets by filtering out packets that conflict with the source address.

Question – 15: What Are The Types Of Penetration Tests?

The forms of penetration tests include:

Segmentation Checks: These are series of tests used to prove that there is no connectivity between a less secure network and a highly secure one.

Internal Penetration Test: This is a type of test performed inside an organization’s network. It is aimed at testing the connectivity between segments to determine if there are any vulnerabilities between segments.

External Penetration Test: This involves a pen tester externally testing the firewalls, configurations, and devices to exploit any vulnerabilities.

Application Layer Test: This involves testing and exploiting flaws in a code used to write programs in a company’s network or system.

Intermediate-Level Questions and Answers:

Applying for an intermediate pentesting position means you have at least 3 to 5 years of experience. This means you should be used to different penetration test technologies and performed several ethical hacking jobs.

Question – 1: What Does A Good Pentest Report Entail?

A good pentest report should compose of the following:

• An overview of risk exposure for the tested assets.
• Recommendations on how to improve the security posture of the company. These recommendations should be both strategic and tactical.
• An explanation of any vulnerabilities that were identified during the test.
• The various risk levels associated with each vulnerability and the impact of the vulnerabilities that were detected.
• Recommendations to remediate these vulnerabilities.
• Debriefing the client to ensure they understand their security system’s risks and the remediation plan associated with each risk.

Question – 2: What Is A Boolean Blind SQL Injection?

This attack is aimed at websites that use SQL databases; however, they were written with poor codes. These attacks are commonly executed on login screens. What happens is that when a user submits their login credentials, these credentials are inserted into a SQL statement string to validate if such credentials exist on the server.

To execute such attacks, the hacker must first confirm if the website uses an SQL database. To do this, the hacker will enter a single quote to the username and password fields of the login page. An error message will be returned and in that message, the attack can deduce if the website uses a SQL database.

Once the attack confirms that the website uses a SQL database, the hacker then enters a command logic that will cause the database to select a valid username and password. This then allows the attacker to get a login with the credentials of the first users on the table. However, the attacks can input a range of commands at the login page to execute different commands.

To prevent this attack, companies must do the necessary string checking for special SQL characters. Or they can use automated software to evaluate their entire website for any vulnerabilities.

Question – 3: What Is Cowpatty?

The PSK authentication model is a tool used to create offline dictionary automated attacks against WPA-PSK networks or wireless systems such as WPA/WPA2 networks.

A PSK stands for PreShared Key, and it is commonly used in WPA, WEP, and WPA2 systems. PSK is manually entered to grant a user access to a network. Once it has been entered, the security algorithm takes over, and the key is used to encrypt data communications.

Question – 4: What Is Network Enumeration And What Are Some Techniques?

Network enumeration has to do with disclosing hosts, gadgets, devices, operating systems that use a network. It uses discovery protocols such as SCMP and ICMP to gather data. These protocols might scan other ports on remote hosts.

The network enumeration can be used for the following:

• Determining the network range.
• Finding operating system fingerprints.
• Conducting a vulnerability test.
• Mapping other network resources.
• Finding open ports and services.

Question – 5: Why Are Network Protocols Important?

Network protocols are languages and rules that enable computers to communicate across a network. These rules determine how data is formatted and transmitted, and received between users. This allows computer devices of different infrastructures to communicate without any difficulty. For example, a network protocol makes it possible for a computer to communicate with a router.

There are three types of protocols. These include communication protocol, management protocols, and security protocols. These three main protocols can be subdivided into numerous protocols such as:

• HTTP (HyperText Transfer Protocol): This protocol allows users to interact with the backend web resources.
• FTP (File Transfer Protocol): This protocol allows users to download, and upload files on the internet.
• SMTP (Simple Mail Transport Protocol): This protocol allows users to send and receive emails.

Question – 6: What Is The Difference Between Spoofing and Phishing?

These are two techniques designed to achieve a common goal of stealing a victim’s information; however, these two are different attacks. Phishing is aimed at tricking the victim into providing confidential information such as usernames, credit card numbers, SSN, passwords, etc. The attacker achieves this by sending an email that seems to come from a credible source or client. The email usually compels the victim to click on a link that redirects to a malicious website.

Spoofing, on the other hand, compels the victim to click on a link. Clicking on this link will download malware on your device, which accesses any personal information stored on your phone. This link can also contain ransomware which logs you out of your computer and demands a ransom before granting you access again.

Question – 7: What Is Footprinting?

Footprinting is a technique used to gather as much information about a computer or network using various tools and technologies before invading that computer or network.

The steps used in footprinting include:

• Crawling: This is used to gather relevant information about a target by surfing the web. They achieve this by using applications such as Whois.
• Traceroute: Attackers can also use traceroutes to determine the pathway of packets.
• TCP Scans: The attacker can perform various TCP scans to scan ports to discover which services a network offers. Attackers either scan a single port or multiple ports over a range of IPs.

Question – 8: What’s The Difference Between Encryption and Hashing?

Encryption and hashing are two techniques used to encode data. Encryption ensures confidentiality; however, it is reversible. Hashing ensures integrity; however, it is not reversible.

Question – 9: What Are The Ethical Hacking Phases?

Ethical hacking includes 5 phases. These include:

1. Reconnaissance: This is when the pentester or hacker gathers information about the target relevant to the attack to be launched.
2. Scanning: This stage involves scanning each component on the network or system to find any vulnerabilities.
3. Gaining Access: Once the vulnerability has been determined, the next step is to try and exploit these vulnerabilities to gain access to the system.
4. Maintaining Access: This stage involves creating a backdoor to maintain access to the system. This can be achieved by generating your vulnerability.
5. Clearing Tracks: This means the attacker or pentester clears their records. They can either clear the history, log files, or change the registry files.

Question – 10: What Are Some Business Logic Vulnerabilities You’ve Found?

This question is to test your experience. It is an open question, and they expect that as someone applying for an intermediate position, you might have found a couple of business logic vulnerabilities.

Expert-Level Questions and Answers:

Applying for an expert or senior pentesting position means you have at least 8 to 10 years of experience.

Question – 1: What Is Threat Modeling?

This is a structured approach that helps us identify, quantify and mitigate the vulnerabilities posed on an organization’s security system. We use this approach to find threats or potential threats relevant to an organization and provide a pertinent countermeasure for each vulnerability found.

Threat modeling could be focused on the perspective of the attacker. This means it will be evaluating the goals of an attacker that is outside the organization’s network. A threat modeling scenario can also focus on the attacker being within the organization’s security system.

Threat modeling can also be focused on the architectural point of view. With this, each element or device in the network is analyzed and evaluated for vulnerabilities or potential vulnerabilities.

Threat modeling can be focused on the assets. For example, if a company has some critical resources, the model can attempt to demystify an attacker’s motive to get to those resources. This can include analyzing the work factor, the value of the assets, etc.

A good threat modeling evaluation covers all three areas, i.e., the perspective of the attackers, the architectural point, and the assets.

Question – 2: How Do You Measure The Results Of A Penetration Test?

One way to measure the results of a penetration test is to compare the new test done to any previous ones done. You want to ensure that the new penetration test has key factors such as an executive summary, key findings, proposed solutions, and a debriefed section.

Also, questions must be asked to ensure that the pentester has no difficulties explaining themselves.

Question – 3: Explain an HTTP Desync Attack.

James Kittle of PortSwigger in 2019 discovered this attack. This attack is a vulnerability in the application layer, and it happens on the HTTP protocol. This attack is also known as a request smuggling attack and is where an attacker infiltrates a valid packet with a malicious packet to get a response from the server. The goal here is to destabilize and desynchronize a complex system on the web and make a server execute the malicious requests. This can be to poison some cache or access the admin page.

This attack is only applicable to HTTP 1.1 and not other HTTP versions.

An attacker can launch an HTTP desync attack by exploiting specific vulnerabilities found in the property of HTTP 1.1. These are:

The Keep-Alive property: When activator resues TCP streams, the hacker uses that to launch an attack.

Encoding chunk property, which, when enabled, causes the server and the client to send data in series of chunks. This property can also tell the length of the content, which means it knows how much is in the chunk.

These two properties can lead to a hacker infiltrating the next packet with additional data.

The HTTP desync attack can be used for various forms of attacks, including:

• Web cache poisoning
• By-passing a web application firewall
• Session Hijacking
• Web cache deception
• XSS

So, the HTTP desync itself isn’t catastrophic, but it can provide the attacker with enough information to cause other forms of attacks.

An HTTP desync attack can be detected by sending out a packet to timeout the server if the server has been vulnerable to such an attack.

Question – 4: What Is A Deserialization Attack?

A deserialization attack involves a server attempting to unpack data provided by an attacker without any validation, which can cause a malicious code to run. This malicious code gives the attacker access to serialized objects on the server, which causes the hacker to manipulate stuff saved on a server.

Question – 5: Difference Between RPO and RTO.

RTO and RPO are used to determine the downtime of a business operation.

RTO stands for Recovery Time Objective, and it refers to the time remaining before a system is functional and running back up again. RPO stands for Recovery Point Objective, and it relates to how much data you can afford to lose during an outage.

Bonus Questions and Answers:

Question – 1: Name some of the most common pentesting tools?

• The top pentesting tools for 2021 include.
• BURP SUITE PRO
• SQLMAP
• AIRCRACK-NG
• WIRESHARK
• NMAP
• METASPLOIT
• HASHCAT
• WPSCAN
• NESSUS
• MobSF (Mobile Security Framework)

Make yourself familiar with each tool and all their features.

Question – 2: What was the last penetration test tool you used?

This question is to test your experience. It is an open question. The interviewer wants to determine what tools you use at your current job. they may follow up this question with more detailed questions about the tool you pick as your answer

Question – 3: What Is A CSRF Attack?

This attack sends forged requests from a malicious site on behalf of an authenticated user.

Question – 4: What are the top network controls that you would recommend to your client after a pentest?

These types of controls should all be in place:

• Only use software and applications that have been “whitelisted”.
• Make sure your IT staff adheres to the schedule and implements a routine firmware update and software patching.
• Concerning the last point, it’s absolutely essential that your operating system(s) are fully patched.
• You should establish a protocol to allow administrative privileges to be granted only when absolutely necessary.

Question – 5: What media do you use for security vulnerability research?

This question is to test your experience. It is an open question. The interviewer wants to determine what tools you use at your current job. The interviewer wants to test if you know the best industry tools to get this task done. It is very common for interviewers to follow such questions with more detailed questions regarding the features of the tool you have picked, they may ask questions such as why the tool you have picked is better than another tool. They are trying to gauge your thought process and reasoning.

Conclusion

When an interviewer asks you a question, you first want to take your time and think before responding. Do not rush to give the interviewer an answer.

You do not have to know everything. When an interviewer asks you a question you have no answer to, tell them the truth.

Interested in kickstarting your career in Cybersecurity no matter your educational background or experience? Click Here to find out.