👨‍💻Most Common Pentesting Interview Questions👔

Robert Scocca
12 min readSep 19, 2024

--

With answers.

Ultimately, all interviews are enterprise sales. You are selling your time and skills. The company is buying. The better you can sell yourself, the better your career position and optionality. You want to be perceived as the professional hacker brimming with competence that you are, don’t you?

Real picture of me during an interview (it was sunny out (sweatpants on)).

As a bonus here are some general interviewing(remote) tips:

  • Dress in a nice dress shirt and sweat pants.
  • Look into your web cam, not at the faces on your screen.
  • Take notes during the interview or at least tell them that you are.
  • Don’t talk about pay until you get an offer letter.
  • Warm up to talking to people confidently by calling a friend before.
  • When they ask you vague, open-ended, scenario based technical questions, this is a gift. You can answer in any way you want. Answer in such a way to optimally showcase the skills you are most impressive in.
  • Answer technical questions with as much specificity and technical detail as you can possibly muster yet also balance being concise. Brevity is wit.
  • Be humble. Be able to say “I don’t know” gracefully. They will respect that a lot more than you trying to bullshit your way though a question. Emphasize your passion to learn.
  • Errors are information. Interviews are the best way to expose your weak spots. Take notes on every question and topic you are ignorant about and research later.
  • Be genuinely grateful that you are able to meet, be tested by and ask questions to experts in your field. This is extremely great for your professional growth irrespective if you get the job or not.

So what is your background? Introduce yourself.

This is the primo opportunity present yourself in the best light possible. For the love of God, please don’t summarize your resume. Instead, tell a compelling story. Tell it with some varying tone and affectation in your voice. If you don’t have a good story, come up with one. Give some genuine reflection on what led you to take this interview. They won’t remember how many years you worked at XYZ company but they will remember the warm and fuzzies from your story. Spin an emotionally striking narrative about your edgy hacker past, or your fascinating mentor, or the time you got hacked or some mildly traumatic event that lead you to your career in ethical hacking.

My Runescape account got hacked when I was twelve. Long story short, the scam artists at the Grand Exchange conned me. This transitions to discussions about social engineering, phishing campaigns, and initial compromise attacks. Can also lead to discussion about nostalgic video games, which builds rapport. These are the folks holding the future of your career in their clammy hands. Tell a distinct story to remember you by and you won’t be just another talking head going on about their boring work history.

What happens when you request google.com with a browser?

  1. Your browser queries for DNS resolution in the following order to resolve ‘google.com’ to it’s IP address: browser cache -> operating system cache -> DNS cache -> ISP DNS servers. Most likely you have browsed to google.com before and the DNS data is already in your browser cache.
  2. After the IP is gathered, your browser creates a TCP connection(skimming over the TCP handshake) to the web server over port 443 for HTTPS traffic.
  3. Your browser and the web server then establishes an TLS handshake, negotiates encryption protocols, exchanges keys, to establish a secure connection.
  4. Next your browser sends an HTTP GET request to the web server. If you were logging in to Google it’d be a HTTP POST request containing your credentials and other authentication data.
  5. The web server will process your request and respond with HTML, CSS, JavaScript and images to render the web page on your browser, displaying the google.com homepage.

How does encryption work in HTTPS?

  1. HTTPS uses TLS to encrypt data transmitted between your browser and the web server to secure your web traffic.
  2. A TLS Handshake starts, during which, the browser and web server negotiate encryption algorithms(cipher suites and max TLS version) and exchange keys.
  3. The web server verifies it’s identity by providing the browser with a digital certificate, containing information about the website but most importantly the certificates public key and digital signature.
  4. The browser checks if it can trust the digital certificate using a Certificate Authority, completing the TLS Handshake.
  5. Then the browser and the web server agree on a symmetric key using the servers public/private (asymmetric encryption) keys.
  6. Finally the HTTP data can be exchanged between browser and web server using this symmetric encryption, securing the web traffic.

Difference between UDP and TCP?

TCP is establishes a solid connection with a 3 way handshake(SYN, SYN/ACK, ACK) to ensure reliable data transfer. Flow control, error-checking and sequencing mechanisms are also implemented to maintain integrity of the session. Best for systems that need reliability such as web browsing, email, remote access and file transfer programs.

UDP does not establish a solid connection, sending each packet independently without reliability, acknowledgment or flow control. This lack of overhead makes UDP much faster, making it ideal for video streaming, some online gaming and VoIP.

What are the 3 types of XSS attacks? (Stored, Reflected, DOM-Based)?

  • Stored XSS is when malicious script(usually JavaScript) is stored on the web server in a database, forum, log or comment field then executed when a victim user accesses the stored data.
  • Reflected XSS is when malicious script is reflected off the web server in the form of a pop-up or error message which executes immediately when a victim users accesses the URL.
  • DOM Based XSS is when a malicious script exploits a vulnerability in the client side JavaScript code, modifying the DOM (Document Object Model) of the web page, leading to execution in the browser.

Could you list the OWASP Top 10?

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery (SSRF)

What is the difference between a vulnerability assessment vs. penetration test vs. red team?

Vulnerability assessments are a comprehensive review of security weaknesses. Vulnerabilities are identified, classified, and prioritized without actually exploiting them, which would turn it into more of a penetration test. This sorting of vulnerabilities is commonly done with a standardized system internal to an organization or using an open source standard such as the Common Vulnerability Scoring System (CVSS). Nessus is a popular vulnerability scanner deployed by security teams to complete many of the vulnerability assessment requirements.

Penetration tests identifies vulnerabilities then performs actual attacks to exploit the vulnerabilities to further assess the security posture. It is very common to find false-positives in vulnerability assessments that can’t actively be exploited by a skilled attacker. It’s even more common that vulnerability assessments will miss security flaws that can only be enumerated though manual penetration testing.

Red Team’s simulate as closely as possible an Advanced Persistent Threat(APT). Testing the organizations detection/response capabilities in response to a stealthy, determined threat over a longer period of time. Then taking what they learned to strengthen their security posture. Kind of like a digital vaccine for an organization. Vulnerability assessments and penetration tests usually last a week or two to find as many vulnerabilities and exploits as possible. Red teams are more goal oriented and surgical, simulating realistic threats that an organization is facing and going after specific targets(payroll information, corporate secrets, PII). Time is not spent exploiting every possible vulnerability as that would not accurately simulate the actions of a real APT, compromising OPSEC with noise from needless exploitation.

Arguably, the most important part of any of these assessments it the report of findings and recommendations to improve the security of an organization. You can be the best hacker in the world but if you can’t communicate, you can’t provide value.

How do you scan a network?

You can just say Nmap and leave it at that, depending on the flow of the conversation. Otherwise, more detail can include what Nmap flags do you use and when? How do you tackle a large enterprise environment? Depending on the breadth of the network you are pentesting, you want to keep your scans to the--top-ports or perhaps being more surgical naming individual ports of high importance, maybe the top 25–50 most important ports with -p. Mention you need the --exclude flag for scoping restrictions. How do you parse the port scan data? You can use elegant grep and awk one liners up to more in-depth parsing scripts in python or bash depending on your needs and sophistication of the client’s network.

Explain how do you conduct a penetration test from start to finish.

This is a extremely open ended question that you can go in any number of directions. You could ask for clarifying questions that also show your knowledge like “is it a network or web app pentest?”, “external or internal network pentest?”, “is it black box or white box pentest?”, “is it a host/beacon based pentest or is their a jump box?”

The ideal move in my book is to steer the conversation to discuss whatever style of pentesting you happen to be most knowledgeable in. This way you are in your own wheel-house and can flex where you have the most depth of knowledge and expertise. If you’re best at web app assessments, talk about that, if you’re best at Active Directory pentesting, talk about that.

At a very high level, here are some talking points to base your answer:

  1. Pre-engagement (Scoping and Planning)

Have initial planning calls to understand your clients goals, scope, exclusions, time frames, security posture and maturity

2. Reconnaissance (Information Gathering)

Depending on the type and scope of the test, you would be searching the internet conducting OSINT on the targets in scope. Then progressing to active recon, enumerating target services.

3. Scanning and Enumeration

Kicking off Nmap, vulnerability scanners and other tools that help automate enumeration of vulnerabilities and low-hanging fruit.

4. Exploitation

Attempt to exploit identified vulnerabilities and validate identified security weaknesses. Attempt to seek higher privileges within systems exploited and/or pivoting to other systems.

5. Post-exploitation

  • Data Exfiltration: Identify and attempt to exfiltrate sensitive data to demonstrate impact.
  • Persistence: Test if persistent access can be maintained through backdoors or other methods.

6. Reporting

At the top of the report ought to be an executive summary to break things down for the non-technical C-Suite and up folks. Then breaking down findings into technical detail including all vulnerabilities, exploited systems, risk rating, impact, and remediation recommendations.

  • Documentation: Write a detailed report covering all findings, including vulnerabilities, exploited systems, and potential impacts.
  • Remediation Advice: Provide actionable recommendations to fix identified issues.
  • Executive Summary: Offer a high-level overview for non-technical stakeholders.

7. Clean-Up

Collect and backup evidence. Ensure any changes made during the testing to client systems are reverted. Camping rules: leave everything better than how you found it.

8. Debrief and Follow-up

Walk though the report with the client to properly communicate risks found and remediation steps. Re-testing particularly egregious exploits once they are fixed is a nice plus.

How does Kerberos authentication work in Active Directory?

Kerberos, as opposed to an authentication system like NTLM, uses third-party verification (the Key Distribution Center) and stronger encryption that makes Kerberos more secure compared to NTLM alone.
Steps to authenticate with Kerberos:
1. Client requests an authentication ticket (TGT) from the Key Distribution Center (KDC)
2. The KDC verifies the credentials and sends back an encrypted TGT and session key
3. The TGT is encrypted using the Ticket Granting Service (TGS) secret key
4. The client stores the TGT and when it expires the local session manager will request another TGT (this process is transparent to the user)
If the client is requesting access to a service or another resource on the network:
5. The client sends the current TGT to the TGS with the Service Principal Name (SPN) of the resource the client wants to access
6. The KDC verifies the TGT of the user and that the user has access to the service
7. TGS sends a valid session key for the service to the client
8. Client forwards the session key to the service to prove the user has access, and the service grants access.

How does Kerberoasting work?

  1. Service Ticket Request: A Domain User account is required. Use this to request Service Tickets (TGS tickets) for the service accounts in the Active Directory environment.
  2. Ticket Extraction: The Service Tickets are encrypted using the service account’s NTLM hash. These are the credentials we extract.
  3. Offline Cracking: The attacker attempts to crack the extracted tickets offline with Hashcat to retrieve the clear text password. Cross your fingers that they are using weaker RC4 as apposed to AES encryption and that they have weak passwords most of all.
  4. Privilege Escalation: Can then authenticate using the cleartext password with all the privileges of the service account. Check what groups the service account has access to, you may have Domain Admin.

How do you mitigate the risk of Kerberoasting?

Kerberoasting leverages a feature that is needed to make Kerberoast authentication work, so you can’t just turn something off to make it go away. The best you can do is use long, complex passphrases at least 30 characters long with a mix of character types, then regularly update these passwords for your service accounts. Their is a technology that automates this process called Managed Service Accounts (MSAs). It also helps that Kerberos service tickets use AES encryption as opposed to RC4 encryption to make it harder to crack offline. It is extremely important that service accounts have the minimum permissions to perform their tasks a la principal of least privilege. Do not put your service accounts in the Domain Admins group.

How do you monitor and detect Kerberoasting?

Windows event ID 4769 is logged on Domain controllers whenever a service ticket is requested. An unsophisticated attacker will request tickets for all service accounts at once, which is an unusual, detectable pattern that the Security Information and Event Management (SIEM) can be configured to alert on. Honeypot service accounts accomplish this goal of detecting a Kerberoast attack across all service accounts as well. For more OPSEC conscious attacks, that target individual service accounts, more correlations will have to be drawn to deduce suspicious activity such as requests for RC4 encryption, monitoring process creation logs and command line arguments for Rubeus or Impacket tools with Endpoint Detection and Response (EDR).

How does Responder work?

Responder is a tool used for LLMNR, NBT-NS, and MDNS poisoning(but can also leverage other protocols such as WPAD and HTTP). Responder does this by spinning up services on the pentesters host to interact with these protocols. It listens for broadcast queries for hostnames on the local subnet responder is positioned. When it receives such broadcast queries, it responds with its own IP address, tricking the querying machine into sending authentication credentials (typically NetNTLMv2 hashes) to the attacker.

How does NTLM Relaying work?

NTLM relaying is an attack in which an attacker intercepts an NTLM authentication request and forwards it to a computer that accepts the same credentials. This is typically done with the tool Responder in conjunction with ntlmlrelayx. The attacker relays the credentials without decrypting them, using them to authenticate to the target service, potentially gaining unauthorized access. This attack is effective when SMB signing or other mitigations are not enforced. If SMB signing is enabled on every windows hosts, you still have options with relaying between and across other protocols that can authenticate with NTLM, namely HTTP(S) and LDAP(S).

Describe an attack path to compromise Domain Admin.

Here are a few examples:

Password Spray -> Kerberoasting

  1. Enumerate valid Active Directory accounts with Kerbrute.
  2. Gain initial access to a Domain User through password spraying.
  3. Query the Domain Controller to see service accounts have Domain Admin privileges.
  4. Request service tickets for high-privilege accounts by Kerberoasting
  5. Crack the service ticket offline for a clear text password.
  6. Login with Domain Admin Credentials using Runas or PsExec.

NTLM Relay -> Credential Harvesting

  1. Use Responder to poison NetNTLMv2 authentication requests and capture hashes of a Domain User.
  2. Relay captured hash with ntlmrelayx to hosts that do not enforce SMB Signing.
  3. If able to gain Local Administrator access to a host, execute Mimikatz to harvest credentials.
  4. If able to gain NTLM hash for a Domain user can leverage this to enumerate a path to Domain Admin by executing Sharphound with Pass-the-Hash.
  5. See a Domain Admin account is logged into another computer that we can Pass-the-Hash authenticate to and harvest more credentials to gain the NTLM hash for Domain Admin.
  6. Pass-the-Hash to authenticate as Domain Admin.

Phishing -> ADCS ESC1

  1. Gain access to clear text credentials of a Domain User though a phishing campaign.
  2. Execute Certipy to enumerate vulnerable certificate templates and see that one certificate template is vulnerable to Active Directory Certificate Services (ADCS) Escalation Path 1 (ESC1).
  3. Request a Kerberos service ticket for a Domain Admin leveraging the vulnerable certificate template using our Domain User.
  4. Pass-the-Ticket to authenticate as Domain Admin.

--

--