
Congratulations on making it to Phase 2 of PEN Consultants’ interview process – Talk-the-Talk!

Instructions:

  • Don’t overthink this! We’re just looking to make sure you understand some general security topics. Each question should only take you a couple of minutes – a couple of sentences (max).
  • When you are finished, please respond to our original email with a PDF of your responses and a copy of your resume.
  • Honesty and transparency are always best. If you get into this and realize it’s not the type of work you were hoping for, it isn’t in line with your career goals, etc., feel free to respond with a “Thanks for the opportunity, however, I don’t believe I’m interested at this time” email.

Questions:

  1. Tools
    1. What are some common sys|net admin tools you’ve used?
    2. What are some “hacker” tools you’ve used before? Favorites? Stories? (“hacker tools” == tools that are commonly used by attackers, whether intended by the creator or not.)
  2. Networking
    1. How well do you understand networking and protocols?
    2. How are IP and TCP different?
    3. What service usually runs on ports: 22, 25, 53, 80, 443?
    4. Do you know CIDR addressing? How many IPs are in a /24?
    5. What are the three private (RFC 1918), non-routable IP ranges?
    6. What is the difference between a filtered port and a blocked (closed) port?
  3. Web
    1. What is OWASP? Name some of the weaknesses listed in the OWASP Top 10 (any year).
    2. What is: (1) XSS, (2) SQLi, (3) clickjacking, (4) CSRF?
    3. Is WordPress a good framework for a client’s basic, customer-facing website? Why or why not?
  4. Operating Systems (OSs)
    1. What OSs are you familiar with? Favorite/most used?
    2. Windows
      1. What is a common location of OS and global application settings?
      2. What command: (1) displays the IP address(es), (2) lists the routing information, (3) displays file contents on the command line?
    3. Linux/macOS
      1. What is a common location of OS and global application settings?
      2. What command: (1) lists files in a directory, (2) changes file/folder permissions, (3) displays file contents on the command line?
      3. What does “chmod 0777 *.sh” do? What are some security implications?
  5. Encryption
    1. For web traffic, is TLS 1.3 or SSL 3.0 more secure?
    2. Which are harder to crack: MD5 or SHA-256 password hashes? Why?
    3. What is the difference between encoding, encryption, and hashing?
    4. What are some common ways user passwords are stored in a database? Are certain ways better than others? Why?
    5. What is the best way to store service account credentials (e.g. something the web app needs in order to interact with a 3rd-party service) for use by the application?
  6. File Analysis / Reverse Engineering (RE)
    1. What are some tools you’d use to perform RE of a binary?
    2. What is UPX and why would one use it?
    3. Is a cryptographically secure file hash a good way to identify the majority of malicious files? How about identifying known good files? Why?
  7. Coding
    1. What programming languages have you coded in?
    2. What are the advantages and disadvantages of compiled, JIT-compiled, and interpreted (scripting) languages?
  8. Password attacks
    1. What is a brute force attack?
    2. A dictionary attack?
    3. What is a password spray and how is it different from the above?
    4. Where are password hashes stored in Windows and Linux/macOS?
    5. What are some tools you’ve used to extract and crack password hashes?
    6. What is the difference between using, for example, JtR and Hydra? When would you use each?
    7. What are rainbow tables, and what weakness are they exploiting?
  9. Wireless
    1. Is WEP or WPA more secure?
    2. What sets WPA-PSK (Personal) apart from WPA-Enterprise?
    3. With WEP, all users’ traffic is encrypted using the same shared key, so it is easy to eavesdrop on others’ traffic. WPA2 derives a unique pairwise (temporal) key for each client from the 4-way handshake. Can one client still eavesdrop on another’s traffic? If so, how?
    4. Assuming all wireless clients have line-of-sight, is it better to have a small number of massively powerful APs, or a greater number of lower-powered APs? Why?
    5. What are some tests that cannot be performed efficiently on a remote-only wireless assessment versus on-site?
  10. Sysadmin
    1. What does GPO stand for, and why is it important?
    2. What does AD stand for, and why is it important?
    3. What are the pros and cons of using AD as the back-end authentication source/authority for all services across an organization?
    4. What are LLMNR and NBT-NS, and how can they be exploited?
  11. Cloud
    1. What are some of the most common cloud vulnerabilities, and how are they mitigated?
    2. Is it more secure to run a custom web app in the cloud or from an on-prem server that you manage? Why?
  12. Mobile
    1. What is the danger of allowing a mobile application to view/capture the screen when it is not in the foreground?
    2. What about allowing the app to access the clipboard?
    3. Is code obfuscation important or not? Explain.
  13. Social engineering
    1. Remote: What is the most common type of remote social engineering? Provide a convincing theme/pretext.
    2. Physical: If you were asked to social engineer your way into the data closet of a bank in the middle of the day to surreptitiously insert a hardware implant into their network|system, what pretext do you think could be successful?
  14. Misc / Split hairs
    1. How do you keep up with cybersecurity news, trends, new attacker techniques, etc?
    2. What, in your opinion, is the difference between a vulnerability scan, penetration test, and red teaming?
    3. What is the difference between Vulnerability, Threat, and Risk?
    4. Should passwords be force-rotated every 90–120 days? Why or why not?
    5. Are windows in a data center okay? Why or why not? If existing windows are present, should anything be done? If so, what?
    6. If you’re on an engagement and find a vulnerability, how do you decide if you need to notify the client immediately vs waiting until the testing is complete? What are the pros/cons?
    7. Scenario: You gain VPN access using the creds test/test:
      1. Do you tell the client immediately so they can mitigate?
      2. How would them mitigating it affect testing?
      3. What’s a solution that would allow the client to mitigate the risk, but not negatively impact testing?
      4. Bonus: What if the client says “no” to your proposal and you lose access? What would be your response?

© PEN Consultants, LLC 2013 -