Technical Questions Flashcards
ROE
The Rules of Engagement, or ROE, are meant to list out the specifics of your penetration testing project to ensure that both the client and the engineers working on a project know exactly what is being tested, when it's being tested, and how it's being tested.
SOW
Statement of work
This document is a formal agreement for you as a penetration tester to start your work. The purpose of this document is to define:
- The expectations from the client
- The scope of work
- The schedule of the work
- The pricing
- The deliverables at the end of all the penetration tests
- The payment terms
- The legal agreements
- Finally, the signatures
Differences between vulnerability assessment and penetration test
A vulnerability assessment just
identifies that there might be something an adversary can exploit, and a pentest shows
that it can be exploited and provides ways to mitigate the impact.
Where do you go to research the latest vulnerabilities, and why?
Your answer could include following specific security researchers on Twitter, following blogs such as Krebs and Threatpost, podcasts you listen to, and more.
There isn’t usually a wrong answer here, but the interviewer does want to see how you stay current on recent vulnerabilities and the latest cybersecurity news.
Do you have a favorite hacker in history, and why are they your favorite?
This question is asked to see how passionate you are about the history of hacking.
This is another question with no wrong answer, and you might not have a favorite,
which is OK. An example of a famous hacker in history is Kevin Mitnick.
What are some areas you are planning to improve in?
This question is being asked to see whether you are a continuous learner and to see how you identify areas of self-improvement. Even as a junior pentester, you should expect to be learning something new continuously, and you need to be able to assess your skill set and know the areas you need to improve in. For example, I’m good at social engineering but not so good at programming. As a pentester, I focused less practice on social engineering since that came naturally and focused instead on becoming better at coding so that I could write my own tools.
I need you to perform an internal pentest and I have an ROE document in place.
What do you do next?
The interviewer is identifying your methodology for approaching a pentest with
this question. If you’re interviewing for your first pentesting job, you always want to
make sure you review and verify the ROE (scoping) document to know what is off
limits and what you can attack. Clients sometimes list wrong IP addresses, so you
also need to verify that anything listed as available to attack is actually owned by the
client. Otherwise, you can get yourself into legal trouble.
What are the types of cross-site scripting (XSS), and which is the most
dangerous?
There are three types of XSS, which are reflected, stored, and Document Object
Model (DOM)-based. The specific danger of each depends on the situation. Stored
XSS is typically more dangerous because it is stored on the server side and the payload
only has to be stored once to continue infecting anyone connecting to the server.
Can you explain XSS as though you were talking to a 10-year-old kid?
This question is designed to see whether you can break down complex cybersecurity
topics for stakeholders. Here in the US, statistics vary, but most people understand it
at an 8th-grade level or below, which means you have to communicate information
to stakeholders as though they are 10-year-old kids in many situations. I would
explain this one with something like this statement:
With XSS, you can log in to anyone’s account with a username and password. This
is important to fix because an attacker can use attacks such as XSS to perform illegal
transactions, which can lead to the company losing money.
When you’re presenting to corporate stakeholders, you can also mention how
XSS can lead to cookie stealing and be used to perform privilege escalation and in
phishing attacks.
How can you perform XSS if the script tag or the alert function is blocked?
If script tags are blocked, you could use things such as image payloads or
video payloads. Instead of calling alert, you could use functions such as prompt and confirm.
What are some ways to mitigate XSS attacks?
You can use encoding, validate user input properly, sanitize output, and use web
application firewalls (WAFs).
What was the last script that you wrote, and what was its purpose?
I want to stress here that as a junior pentester, you don’t have to have coding skills,
but if you want to be successful in the long term, it’s important for you to learn at
least one language so that you can write new tools on the fly during an engagement.
This question is used to assess your scripting skills, and you might write something
simple such as a keylogger that you can show off during the interview.
What are some types of threat actors?
This question is usually looking for your broader knowledge of threat actors, so
mentioning nation-state groups, state-sponsored groups, hacktivists, organized
criminal gangs, script kiddies, and insider threats is good for this question. It’s also
a good idea to stay current on cybersecurity breaches and the threat actors behind
them, or at least know a few of the well-known threat actor groups (for example, APT29)
from searching a website such as the MITRE Adversarial Tactics, Techniques, and
Common Knowledge (ATT&CK) website.
How do you scope out a pentesting engagement?
The first step is typically determining why the company wants a pentest. Are they
just doing the engagement to fulfill some type of legal or compliance requirement?
Does the organization have an initiative to improve overall organizational security?
Knowing why they want the pentest helps you understand how much buy-in you
will have from their team.
What are some ways you can gather information on a target during a pentest?
Some of the common ways to get information on a target include more passive
activities, such as OSINT, and more active techniques, such as running a Network
Mapper (Nmap) scan. Your specific actions will depend on the scope of the pentest.
If you get this question in an interview, I would suggest asking a question back to
the interviewer about the scope of the pentest because that will help guide your
answer to this question.
What is social engineering?
Social engineering is basically the use of human psychology to influence someone
else’s behavior.
Components of a successful social engineering attack include an evaluation of
the target and their weaknesses, the ability to perform pretexting, the ability to
exploit human psychology for the attacker’s benefit, the ability to build a perceived
relationship with the target, and the ability to get the target to take some sort of
desired action.
Here’s a simple example of social engineering. You and I are at a coffee shop, and I
convince you to buy me a cup of coffee. Perhaps I mention I left my wallet at home
because I’m stressed out that my kid is in hospital, and you feel sorry for me and buy
the cup of coffee because you have little kids of your own. In this example, I’m just
getting a cup of coffee, but what if I sent you an email with a malicious GoFundMe
link embedded with a keylogger and used the same story about my kid in the
hospital? You might click the link to donate, be redirected to the real GoFundMe
page, and make a donation to help. Meanwhile, I’ve dropped malware on your system
and now track every keystroke you make as you log in to your bank account to see
whether the GoFundMe donation has registered on your account balance.
One thing to keep in mind is that during an interview, you might be asked to
conduct a social engineering attack and then continue your (simulated) attack
through the organization after gaining initial entry. The next steps after entry
can include things such as enumerating user accounts on the system to identify
administrator accounts, privilege escalation, network enumeration, deploying
ransomware, and enumerating Active Directory with a tool such as BloodHound
(https://github.com/BloodHoundAD/BloodHound).
What are some ways to perform physical pentesting?
Before answering this question, it’s usually best to start with a short overview of what
could happen if physical security were breached. If you breach the physical security
of a target, you could steal devices, documents, and data, take photographs or videos
of restricted areas or proprietary systems and additional security defenses being used
to protect them, and then plant things such as keyloggers (via a Universal Serial Bus
(USB) drop attack) and set up rogue devices on the target’s network.
Common physical security controls that are put in place to stop attackers include
door locks (physical/electronic), surveillance cameras and security alarms, security
guards, perimeter walls and gates, security lights, motion sensors, and mantraps.
Physical pentesting can include dumpster diving, lock picking, cloning badges,
bypassing motion detectors, jumping fences or walls, bypassing or interrupting
the feeds of surveillance cameras, and radio-frequency identification (RFID)
replay attacks.
What are the types of social engineering?
There are several types of social engineering attacks, including the following:
- Phishing attacks are typically done via email whereby the attacker is looking to
obtain sensitive information or get the recipient to perform a specific action (such
as transfer money to a bank account controlled by the attacker). There are several
forms of phishing attacks, such as these:
- Phishing emails are the most common form of phishing attacks, and you will
typically see them done against a broad range of targets—in the case of spam—
or more narrowly focused—in the case of business email compromise (BEC)
attacks. BEC attacks usually involve spear-phishing and whaling. Phishing attacks
are the most common entry point of attacks, including ransomware attacks.
- Spear-phishing attacks are targeted phishing attacks against a specific person
or group. The attacker would need to gain information about the target and
craft a message, across any medium, that would entice the victim to take some
sort of action. An example would be the attacker knowing you love drinking
coffee from Starbucks. Through social media posts, the attacker identifies two
locations you typically go to and then sends you a coupon link through social
media for a free cup of coffee at one of those locations. In one of my training
programs, a student was able to get an instructor to click a fake link with a
similar type of attack for a free donut. Fortunately for the instructor, this was
done in a controlled setting and the link was not really malicious.
- Another example of a spear-phishing attack is the threat actor noticing
employees at a company order from the same restaurant at lunch each day
and then compromising the restaurant’s website with malware so that each
employee visiting the website gets their system infected. This is known as a
watering-hole attack.
- Whaling attacks are another form of a targeted phishing attack. The main
difference between whaling attacks and spear-phishing attacks is that a whaling
attack focuses on a powerful or wealthy individual, such as the chief executive
officer (CEO) of a major company. A whaling attack is often harder to pull off
successfully, but the financial reward for the attacker could be in the millions.
- Tailgating is another social engineering attack where the adversary gains access
to a secure area by following an authorized employee in. In this case, the employee
does not know the attacker has followed them in, and this can happen if the
employee opens the door wide or if it takes time for the door to close after the
authorized employee. This attack is hard to pull off if there are security guards or if
the authorized employee is situationally aware.
- Piggybacking is an attack whereby the victim is tricked into letting the attacker in.
This can happen a lot at larger companies, where the attacker mentions they work
in a different department and just forgot their badge at home. Forgetting a badge
or other employee ID happens a lot in companies, and many employees would
empathize with the attacker and let them in the door.
I worked at a healthcare organization where every day, someone would forget their
badge to scan in and wait at the door for someone else to let them in. Even back
then, I implemented zero trust and would decline to let the person in, even if they
worked in my department. My argument was that I didn’t know whether HR had
fired them last night and they were unauthorized to be in the building. Needless
to say, that didn’t make me popular with some coworkers, but they did understand
my point of view a few months later when a man with a gun was able to gain entry
into the building because someone else thought he worked there and had just
forgotten his badge.
Some other attacks you might see referenced in certification study material
are hoaxes, elicitation, spam, and impersonation. In my experience, these are
normally coupled with the previous ones mentioned. For example, a hoax is
simply where the attacker presents a fictitious situation. An example of this is
when you receive a phishing email from your bank stating there is an issue with
your account, and you need to verify your identity by logging in to your account
from a link in the email. If you click the link, you are taken to a fake login page
that will capture your username and password.
How can a company protect against social engineering attacks?
Some ways to help protect against social engineering attacks are two-factor
authentication (2FA), security awareness training, granular access control, logical
controls (such as blocking USB ports on hosts), and proper security policies.
When I did security awareness training for healthcare companies, I would always
relate each recommendation to how it impacted the employees’ day. For example, I
would ask the nursing staff what would happen to their license if they shared their
login credentials with me and I went in and altered 90% of their nursing notes
on patients. How would they know which notes I had altered? What would local,
state, and federal agencies do to them and their license? How would it impact their
patients and the care that they received? When you put training into context for
people, they are more likely to follow best practices.
What is the content of a well-written pentest report?
A pentest report is important and should contain the following items:
- A cover page.
- An executive summary. It should be one page or less and should highlight exciting
pieces of the report's findings. Think of this part as marketing, and you need to get
the stakeholder to buy what you are selling so that they finish reading the full report.
- A summary of vulnerabilities that you found. A simple pie-chart graphic works
well for this if you categorize the vulnerabilities.
- Details of the testing team and tools that were used in the engagement.
- A copy of the original scope of work that was signed as part of the contract. It's
helpful to have this in the report as a reference for the client.
- The main body content of the report that goes into detail in terms of your findings.
How can you identify whether a web application that you came across might be
vulnerable to a blind Structured Query Language (SQL) injection attack?
You can inject a sleep command, and if the web app's response is delayed by that
period of time, it could indicate it is vulnerable.
What is a MITM attack?
In a man-in-the-middle (MITM) attack, the attacker acts as a relay between the
client and the server. You can use things such as HyperText Transfer Protocol
(HTTP) Strict Transport Security (HSTS) and digital signatures of packets to
protect against MITM attacks. Some popular tools for performing MITM attacks
are Wireshark, Ettercap, Nmap, Metasploit, and Netcat.
What is CSRF?
Cross-Site Request Forgery (CSRF) attacks take advantage of the trust
relationship that is established between the user and a website. The attacker uses
stored authentication in browser cookies on the user’s side to authenticate to the
website. An example is you have a login to a shopping website and you store the
authentication in cookies in your web browser so that each time you visit the
shopping website, it authenticates you and takes you into your account. An attacker
could craft a Uniform Resource Locator (URL) with a parameter to increase the
number of items added to your shopping cart when you are purchasing an item. You
might not notice this and end up purchasing the additional items.
What is an open redirect attack?
In an open redirect attack, the parameter values of the HTTP GET request allow
information to be entered that can redirect the user to a different website. The
redirect could happen once on the loading of the website page or after the user has
taken an action such as logging in to the site.
In the following example, the RelayState parameter is not being validated by the website,
so an attacker could replace the legitimate website with their malicious one and the
user would be redirected to the malicious site.
Correct URL: https://www.microsoft.com/login.html?RelayState=http%3A%2F%2FMicrosoftGear.com%2Fnext
Attacker URL: https://www.microsoft.com/login.html?RelayState=http%3A%2F%2FBadGuyWebsite.com
This type of attack is commonly used in phishing emails, where the victim is
redirected to a fake login page (for their bank, PayPal, and so on) after clicking
a link in the email. After they enter their login credentials, the victim is then
redirected to the real website and asked to enter their login credentials again.
Which cookie security flags exist?
The HttpOnly flag can be used to block access to the cookie from client-side scripts
(such as JavaScript), which can mitigate the impact of XSS attacks.
The Secure flag forces cookies to be transported over HTTP Secure (HTTPS)
instead of HTTP.
How do you bypass common file upload restrictions in web applications?
One way to bypass restrictions is using Burp Suite to intercept and alter the request
parameters to bypass the restriction.
What is the last pentest tool that you’ve improved, fixed, and/or contributed to?
This question is targeted toward experienced pentesters, and it’s designed to help
the hiring manager identify how you are giving back to the community.
What is a Boolean blind SQL injection attack?
In a Boolean blind SQL injection attack, the attacker sends a SQL query to the
database whose outcome can only be observed as a true or false response. Because the
database does not return any query data directly in a blind injection, the attacker
sends a query with a condition that is always true, such as 1=1, and looks for a
difference in the application's response.
If you were able to successfully carry out the preceding blind SQL injection attack
and gained access to the company network, where would you go from there?
This question is designed to test your methodology. After gaining initial access and
establishing a shell, I would enumerate the domain controllers (DCs) and domain
using something such as BloodHound. Next, I would dump local password hashes
and do a password spray attack (using something such as Mimikatz) to gain access
to a machine with a domain admin token. I would then establish a session with a
DC and dump credentials to gain domain account admin access and then continue
causing chaos from there. A domain admin account allows me to control virtually
anything that is integrated with or controlled by Active Directory.
Can you identify the most common HTTP methods and how they can be used in
attacks against web applications?
Common HTTP methods include GET, POST, PUT, DELETE, and TRACE. GET
and POST are used in attacks by modifying the parameters. An attacker could use
PUT to upload arbitrary files on the web server. DELETE could be used in a denial-of-service (DoS) attack. TRACE could be used to return the entire HTTP request,
which would include cookies. An attacker could leverage TRACE to perform a
cross-site tracing (XST) attack where the attacker uses XSS to retrieve HttpOnly
cookies and authorization headers.