Professional development

Top 30 penetration tester (Pentester) interview questions and answers

Ravi Das
November 30, 2018 by
Ravi Das

It seems like hardly has one cyber-threat appeared before many variants of it soon follow, affecting both individuals and corporations alike. But this is no coincidence: One of the key ways the cyber-attacker is able to act is by looking for vulnerabilities and weaknesses in the lines of defenses that are set up, and one threat often opens the door for another.

Many organizations simply think that by deploying the latest security technologies, they will be immune from any form of cyber-attack. However, this is far from the truth. What they fail to understand is that apart from implementing these tools, their entire IT Infrastructure needs to be thoroughly tested from the inside out.

How can this be done? Probably one of the best ways to do this is through what is known as penetration (pen) testing. In this kind of analysis, a team of experienced IT professionals actually behave like a real cyber-attacker, but within legal and ethical bounds.

The team’s primary goal is to launch just about any kind of attack that is imaginable in an effort to discover any unknown security gaps and weaknesses. Their findings are then summarized into a comprehensive report, supported with solutions as to how these vulnerabilities can be fixed.

Because of the dynamic nature of the cyber-threat landscape, the demand for pentesting is quite high, and is expected to be so into the coming future.

Becoming a penetration tester requires a mixture of both quantitative and qualitative skills. For example, he or she has to decipher the complex reports that are output by the pentesting tools, as well as having the patience to work very long hours and at odd times.

It takes years of experience to be a fully qualified pentester, and this particular individual must be able to keep with the latest trends and happenings in this field. In any job interview situation, you could be potentially asked just about question imaginable as it relates to pentesting. For instance, they could run the gamut from what pentesting means to what tool you should use in a particular situation to even what kind of cyber-attack you would launch and why.

In this article, we will review the top 30 questions you could face in a potential interview for a pentesting job, as well as useful additional information to help you succeed at your interview.

Cybersecurity interview guide

Cybersecurity interview guide

Ace your next interview with tips from our free ebook, “How to stand out, get hired and advance your career.”

Level 1 Questions

This group of questions will cover the basics of penetration testing, focused on the following areas:

  • A definition of pentesting
  • The purpose and goals of pentesting
  • The difference between vulnerability testing and pentesting
  • The types of pentesting methodologies
  • The teams that are required to conduct a pentesting exercise
  • The certs that are required in order to demonstrate deep skills and knowledge in pentesting
  • How a pentester should explain the results of a pentest to a C-level executive

1.What is a specific definition of pentesting?

Let’s ask the people in the know. Cloudflare.com says the following: “Penetration testing (or pentesting) is a security exercise where a cybersecurity expert attempts to find and exploit vulnerabilities in a computer system. The purpose of this simulated attack is to identify any weak spots in a system’s defenses which attackers could take advantage of.”

2.What is the primary purpose of pentesting?

The main purpose of a pentest is to conduct a “deep dive” into the IT Infrastructure of a business or a corporation with the primary intention of gaining access to any (and if possible, all) of the electronic based assets that exist. It is important to note that the goal of the pentester is not to attempt to strike a hard blow right at the very beginning; rather, they escalate the intensity of the cyber-attack over a period of time.

3.What are the goals of conducting a pentesting exercise?

The goals are as follows:

  • To test adherence to the security policies that have been crafted and implemented by the organization
  • To test for employee proactiveness and awareness of the security environment that they are in
  • To fully ascertain how a business entity can face a massive security breach, and how quickly they react to it and restore normal business operations after being hit.

4.There is very often confusion between vulnerability testing and pentesting. What is the primary difference between the two?

With vulnerability testing, one is simply scanning for any weaknesses that may reside in any component of the IT Infrastructure. In a pentest, a full-scale cyber-attack or series of cyber-attacks is launched with explicit permission from the client (or whoever is requesting it) in order to specifically find any types or kinds of gaps that have not yet been discovered by the IT security staff.

5.What are the three types of pentesting methodologies?

The three types are as follows:

  • Black-Box Testing
  • White-Box Testing
  • Gray-Box Testing

6.Describe these tests in much more detail.

Black-Box Testing

In some instances, the cyber-attacker may know nothing about their intended target. So in an effort to try to break through the lines of defense, the cyber-attacker will carry an all-out attack, also known as a brute-force Attack. In a black-box scenario, the pentester will not have any knowledge whatsoever about the target(s) they are going to hit. As a result, this kind of pentest can take a very long time to conduct, and automated tools are heavily relied upon. This kind of exercise is also known as a trial-and-error approach.

White-Box Testing

This kind of pentest is also known as clear-box testing. In these instances, the pentester has advanced knowledge to some degree about the Web application that they are about to hit and its underlying source code. This kind of attack takes a shorter amount of time to launch when compared to the black-box test.

Gray-Box Testing

This kind of pentesting is a combination of both of black-box and white-box testing. This simply means that the pentester has some advanced knowledge on the targets they plan to attack. This kind of exercise requires both the use of automated and manual tools. When compared to the other two tests, this one offers the highest chances of discovering unknown security holes and weaknesses.

7.What are the teams that can carry out a pentest?

The teams are as follows:

  • The Red Team
  • The Blue Team
  • The Purple Team

8.Can you describe these teams in more detail?

The functionalities of these three teams can be described as follows:

The Red Team

This group of pentesters acts like the actual cyber-attack. That means this team is the one that launches the actual threat, in order to break down the lines of defense of the business or corporation and attempt to further exploit any weaknesses that are discovered.

The Blue Team

These are the pentesters that act like the actual IT staff in an organization. Their main objective is to thwart any cyber-attacks that are launched by the Red Team. They assume a mindset of being proactive as well as maintaining a strong sense of security consciousness.

The Purple Team

This is a combination of both the Red Team and the Blue Team. For example, they have the security arsenal that is used by the Blue Team and possess a working knowledge of what the Red Team is planning to attack. It is the primary job of the Purple Team to help out both these teams out. Because of that, the pentesters of the Purple team cannot be biased in any regard and have to maintain a neutral point of view.

9.What kinds of certifications in the most demand for penetration testing?

There is no doubt that in the cybersecurity field, there an endless number of certs one can pursue. But if a pentester is to be recognized as the top in their field, the following certs are a must-have:

  • The Certified Ethical Hacker (aka CEH – this is administered by the EC Council)
  • The Offensive Security Certified Professional (aka OSCP – this is administered by Offensive Security)

10.The results of a pentesting exercise have to be made available not only to the IT staff, but also to the C-level executives. The latter may not possess a strong technical knowledge like their IT staff does. How would you explain the results to them?

The C-suite can understand results when they are explained to them in terms of financial impact. Thus, a pentesting report should also include a risk analysis which demonstrates the benefit versus the cost of any of the vulnerabilities that are discovered and not fixed. It should also have financial calculations demonstrating the impacts of a security breach.

Level 2 Questions

In this section, we’ll look at some intermediate-level questions about penetration testing concepts. These will focus on the following:

  • Cross-site scripting
  • Data packet sniffing
  • Various abbreviations that are used in pentesting
  • Common network security vulnerabilities
  • Pentesting techniques
  • The various network ports
  • SQL injection attacks
  • Asymmetric/symmetric cryptography
  • SSL/TLS

11.Explain what cross-site scripting (XSS) is all about.

This is a type of cyber-attack where malicious pieces of code, or even scripts, can be covertly injected into trusted websites. These kinds of attacks typically occur when the attacker uses a vulnerable Web-based application to insert the malicious lines of code. This can occur on the client side or the browser side of the application. As a result, when an unsuspecting victim runs this particular application, their computer is infected and can be used to access sensitive information and data. A perfect example of this is the contact form, which is used on many websites. The output that is created when the end user submits their information is often not encoded, nor is it encrypted.

12.What exactly is data packet sniffing, and what are some of the most widely used tools?

Data packet sniffing is a specific process in which network traffic can be captured ether across the entire IT Infrastructure, or just certain parts of it. Once this has been accomplished, then a deep analysis of the data packets in question can then be made.

For example, if a business or a corporation is hit by a cyber-attack, examining the network traffic and the data packets that were associated with it at the time of the security breach occurred becomes extremely crucial, especially from the standpoint of forensics. Even if no attack is imminent, it is still very crucial for the IT staff to conduct a check on their network traffic in order to determine if there is any sort of anomaly that is present. There are many data packet sniffing tools that are available today, but probably the most widely-used one is Wireshark.

13.Please provide the exact names of the following abbreviations that are commonly used in pentesting: 2FA, 2S2D, 2VPCP, 3DES, 3DESE, 3DESEP.

The acronyms stand for the following:

  • 2FA means “Two-Factor Authentication”
  • 2SD2D means “Double-Sided, Double Density”
  • 2VPCP means “Two-Version Priority Ceiling Protocol”
  • 3DES means “Triple Data Encryption Standard”
  • 3DESE means “Triple Data Encryption Standard Encryption”
  • 3DESEP means “Triple Data Encryption Standard Encryption Protocol”

14.What are some of the most common network security vulnerabilities that a pentester comes across?

Of course, there are countless numbers of issues that can impact the network infrastructure of an organization, and you probably have your own stories about what you’ve encountered. The following vulnerabilities are some of the most prevalent:

  • The usage of extremely weak passwords in the network security tools themselves, which include the routers, firewalls, network intrusion devices and so on. Very often, business entities are in a rush to deploy these kinds of technologies, and they forget to create a robust and secure password. This leads to them using the insecure default one set up by the vendor
  • Implementing security patches on the wrong servers and related network components. There are also times when a security patch is installed on the right machine but not configured properly, thus leaving it wide open to a cyber-attack
  • The misconfiguration of network devices, as described previously
  • The use of infected portable media devices (primarily USB drives) and inserting them into a server and other related network components
  • The lack of a coherent network security policy; even if one was implemented, compliance is still a huge issue

15.What are the different pentesting techniques?

Pentesting techniques fall into these following categories:

  • Web Application Testing
  • Wireless Network/Wireless Device Testing
  • Network Infrastructure Services
  • Social Engineering Testing
  • Client-Side Application Testing

1.6What network ports are commonly examined in a pentesting exercise, and what tool can be used for this?

They are as follows:

  • HTTPS (Port #443)
  • FTP (Port #’s 20 & 21)
  • NTP (Port #123)
  • SSH (Port #22)
  • HTTP (Port #80)
  • Telnet (Port #23)
  • SMTP (Port #25)

In these particular instances, “Nmap” is the most commonly used tool.

17.Describe in detail what SQL injection is.

This is a method in which malicious SQL code is inserted into the database or the back end of the Web-based application. These are typically deployed into an entry-level field so that the malicious code can be executed. This kind of attack is used primarily for heavy data-driven applications in which multiple security vulnerabilities can be found and exploited. It should be noted that although SQL injection attacks are primarily used to hit Web-based applications, the attacker can also target the SQL database just by itself as well.

18.What is the primary difference between asymmetric and symmetric cryptography? Give an example of the former.

Only one type of key is used in symmetric cryptography, and this key is known as the Private Key. Although the main advantage of this is that this type of system is relatively easy to deploy, the primary disadvantage of it is that if the Private Key falls outside the reach of the sending and receiving parties, the cyber-attacker can easily capture the ciphertext and decrypt it very easily.

With asymmetric cryptography, two keys are used: the Public Key and the Private Key. The advantage of this system is that it offers far greater levels of security as opposed to just using a Private Key, but it requires considerably more processing power resources. An example of an asymmetric cryptography system is Public Key Infrastructure, also known as PKI.

19.What are the permutations required for a robust SSL connection to take place?

The following characteristics are required:

  • The session identifier
  • A peer certificate
  • An established compression method
  • Any associated cipher specs

20.What are SSL and TSL?

SSL stands for “Secure Sockets Layer.” This is the de facto standard to keep all Internet connections safe and secure. You will know that a particular website can be safely accessed when it has “HTTPS” in its URL address. SSLs are used most in e-commerce-based applications, in which credit card and other personal information and data is transmitted to the online merchant.

TSL stands for “Transport Layer Security” and is actually a much more updated and advanced version of SSL. It is important to note that with TSL, it can come with three types of encryption:

  • Elliptical Curve Cryptography (ECC)
  • Rivest–Shamir–Adleman (RSA)
  • Digital Signature Algorithm (DSA)

Cybersecurity interview guide

Cybersecurity interview guide

Ace your next interview with tips from our free ebook, “How to stand out, get hired and advance your career.”

Level 3 Questions

This section covers advanced-level questions about penetration testing, focusing on the following:

  • The SSL/TSL handshake
  • The phases of a network intrusion attack
  • Diffie-Hellman public key exchanges
  • The establishment of network controls
  • Traceout/Tracert
  • Omniquad BorderSecure
  • The various pentesting models
  • The types of cross-site scripting (XSS)
  • Cross-site request forgery

21.How exactly does SSL/TSL work?

Establishing an SSL/TSL connection works in this fashion:

  • On the client side, the end user enters a URL address into their Web browser. This then initiates the SSL/TLS connection by transmitting a particular message to the server on which the website resides
  • This server then returns a Public Key (or even a certificate) back to the end user’s Web browser
  • The browser then closely inspects this Public Key, and if all looks good, a Symmetric Key is transmitted back to the server. If there are anomalies detected from within the Public Key, the communications are instantly cut off
  • Once the server gets the Symmetric Key, it then sends the encrypted webpage that is being requested back to the end user’s Web browser
  • The browser then decrypts the content into a form that can be easily understood by the end user

It is important to note that this entire process can also be referred to as the SSL/TSL Handshake.

22.Describe the different phases of a network intrusion attack.

The phases are as follows:

  • Reconnaissance: This is where the pentester learns more about the target they are about to hit. This can either be done on an active or passive basis. In this step, you learn more about the following:
    • The IP address range that the target is in
    • Finding out its domain name
    • DNS records
    • Scanning: This is the step where the pentester learns about the vulnerabilities of the particular target. Weaknesses are found in the network infrastructure and the associated software applications. For example, this include the following:
      • Ascertaining the services that are currently being run
      • Any open ports
      • The detection of any firewalls
      • Weaknesses of the operating system in question
  • Gaining the needed access: This is the part where the pentester starts to actually initiate the launch of the cyber-attack, based on the weaknesses and the vulnerabilities that they have discovered in the last step
  • Maintaining the access: The pentester has entered the target itself and tries to keep that access point open so that they can extract as much private information and data as possible
  • Covering their tracks: In this last step, the pentester ensures that any “footprints” left behind in the course of their attack are covered up so that they can’t be detected. For instance, this involves the following:
    • The deletion of any log-related files
    • Closing off any backdoors
    • Hiding all controls that may have been used

23.What is a specific pentesting exercise that can be done with a Diffie-Hellman exchange?

This was actually one of the first Public Key protocols to be put into place, and it is a methodology that can be utilized to securely exchange Public Keys over an open network line of communications. A pentest can be done here in order to determine and ascertain any kind of weak/TLS services that are associated with this exchange process.

24.After a pentest is conducted, what are some of the top network controls you would advise your client to implement?

The following types of controls should be implemented:

  • Only use those applications and software tools that are deemed “whitelisted”
  • Always implement a regular firmware upgrade and software patching schedule, and make sure that your IT staff sticks with the prescribed timetable
  • With regards to the last point, it is absolutely imperative that the operating systems(s) you utilize are thoroughly patched and upgraded
  • Establish a protocol for giving out administrative privileges only on an as-needed basis, and only to those individuals that absolutely require them

25.How does traceout/tracert exactly work?

This is used to determine exactly the route of where the data packets are exactly going. For example, this method can be used to ascertain if data packets are being maliciously redirected, they take too long to reach their destination, as well as the number of hops it takes for the data packets to go from the point of origination to the point of destination.

26.What is Omniquad BorderSecure?

This is a type of specific service that can help to perform network-based audits or even automated pentesting of an entire network infrastructure. It can give the pentesting team detailed information and data as to how the cyber-attacker can gain access to your network-based digital assets. It can also be used to help mitigate any form of threat that is launched by a malicious third party.

27.What number of vulnerabilities can the abovementioned service actually detect?

All types of network infrastructures can be pentested, and up to a thousand total vulnerabilities can be detected with this particular service.

28.Describe the theoretical constructs of a threat model that can be used in a pentesting exercise.

The constructs behind a threat model include the following:

  • Gathering the required documentation
  • Correctly identifying and categorizing the digital assets that are found within the IT infrastructure of a corporation or business
  • Correctly identifying and categorizing any type of kind of cyber-threat that can be targeted towards the digital assets
  • Properly correlating the digital assets with the cyber-threat that they are prone to (this is can also be considered as a mapping exercise where a digital asset is associated with its specific cyber-threat)

It is also important to note that there are three types of threat models that a pentesting team can use, and they are as follows:

  • Digital Asset-Centric
  • Cyber-Attacker-Centric
  • Software Application-Centric.

The above is an example of a Digital Asset-Centric Threat Model.

29.What are the three types of cross-site scripting (XSS)?

The three types are as follows:

  • Persistent/Stored XSS: This is where the malicious input is stored onto the target server, such as a database, and is reflected at the page where the end user entered in their information (such as a “Contact Us” form)
  • Reflected XSS: Any form of malicious user input is instantaneously returned by the Web-based application as an “Error Message.” As a result, this data is deemed to be unsafe by the Web browser, and it is not stored in any fashion
  • DOM-based XSS: This will actually for any type or kind of client scripting language (such as Java) to access and maliciously modify the end user input. It can also covertly alter the content, structure and even the particular style of a webpage. The types of objects that can be manipulated include the following:
    • Document.URL
    • Document.location
    • Document.referrer

30.What exactly is CSRF and how can it be prevented when executing a pentest exercise?

This stands for cross-site request forgery, and it takes advantage of the trust levels that are established in an authenticated user session. For example, in these scenarios, Web-based applications typically do not conduct any form of verification tests that a specific request actually came from an authenticated user; rather, the only form of verification is sent by the particular Web browser that the end user is utilizing. There are two ways to avoid this scenario:

  • Double-check the specific CSRF token that is being used
  • Confirm that the specific requests are coming from within the same origin

Cybersecurity interview guide

Cybersecurity interview guide

Ace your next interview with tips from our free ebook, “How to stand out, get hired and advance your career.”

Conclusion

Overall, we’ve looked at some of the interviews that you could be asked if you are applying for a pentesting job. These questions can also be asked of a pentester if they are currently employed in this field.

It is important to keep in mind that although answering these questions will demonstrate to the interviewer your in-depth knowledge of pentesting, it takes other qualitative skills as well in order to become a successful pentester. For instance, you must have the ability to work well with others in a team-oriented fashion and work long hours.

Pentesting also requires you to have a great deal of patience on your part, as it these kinds of exercises do not happen in just one day. A successful pentest can take weeks or even months to accomplish.

Finally, you must also have the ability to take all of the techno-jargon that is associated with the results you have obtained and bring it down to a level that your client can understand and implement. You will be gauged on these qualitative factors as well in your interview.

If you want to review more in-depth pentesting questions, click on the link here. Skillset is a practice exam engine featuring thousands of certification exam questions for security and IT pros. Users benefit from detailed question explanations and exam readiness scores, letting them know exactly when they are ready to sit their exams.

Good luck on your interview!

What to read other interview questions with answers? Check out these articles:

Top 50 Information Security Interview Questions

Top 30 Incident Responder Interview Questions and Answers for 2019

Top 30 Microsoft Certified Systems Engineer (MCSE) Interview Questions and Answers

Sources

  1. What Is Penetration Testing?, Cloudflare
  2. Penetration testing: what is it and what is its purpose?, Swascan
  3. Top 50 Interview Questions and Answers: Penetration Testing, All About Testing
  4. What is SSL, TLS and HTTPS?, Symantec
  5. Penetration Testing Interview Questions & Answers, Wisdom Jobs
  6. 11 Important Interview Questions for Network Penetration Testers, Aditi
  7. Cyber Security Vulnerability Assessment and Penetration Testing (VAPT) Interview Questions with Answers: Part 1, DigiAware
  8. Network Security Assessment Questions and Answers, City of Kirkland
  9. Pentester interview questions, Sneakerhax
  10. The Top 5 Questions to ask a Prospective Penetration Tester, PCI Compliance Guide
Ravi Das
Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company’s website at www.biometricnews.net (or http://biometricnews.blog/); and contact Ravi at ravi.das@biometricnews.net.