1. You are performing a black-box penetration test for a client. The only allowable attack vectors are network- and application-level attacks. Where do you start?
a. Describe how you would find all domains associated with the client. (if they didn't)
b. Describe how you would find all network ranges associated with the client. (if they didn't)
2. During the penetration test you find an instance of Outlook Web Access belonging to the client. Describe how you would attack this.
a. Describe how you would find potential usernames to use. (if they didn't)
b. Describe how you would pick which passwords to use. (if they didn't)
c. Describe how you would avoid account lockouts. (if they didn't)
3. If you run the following scan without root privileges, describe what would happen: nmap www.google.com
a. What kind of scan was performed? (if they didn't answer)
b. How many ports were scanned? (if they didn't answer)
c. If you ran the same command as root, describe the differences. (if they didn't answer)
4. When running an nmap scan, what source port can you specify to scan from to commonly bypass firewall rules?
5. You are launching a Metasploit reverse HTTPS Meterpreter payload against a host that you know is vulnerable to your attack, but once you type "exploit" nothing happens after the attack launches. How would you debug this (or what would you change to get your Meterpreter session)?
6. You have successfully initiated a Meterpreter session against a Windows host. What type of post-exploitation do you perform?
a. How would you extract the local password hashes?
b. How would you gather cleartext credentials from the machine?
c. You attempt to run mimikatz but an error occurs. How do you debug this (or what would you do to try and fix the error)?
7. Using the same Meterpreter session as before, you are able to dump the local machine hashes. Describe what you would do with these.
8. You are performing an onsite penetration test. You do not want to perform any active scanning. How would you gather credentials?
9. What kind of attack is ARP spoofing considered, and how could you leverage it on a penetration test?
10. You have found Local File Inclusion in a .php file on a web server; you want to read the contents of the local file config.php on the web server, but the code is being interpreted rather than returned. How do you gain access to the file contents of config.php?
11. How would you turn a Local File Inclusion against a Linux host into command execution?
12. Explain what NBNS poisoning is and how it can be leveraged on a penetration test.
13. Describe what SQL injection is and how you would test for it.
a. What about blind SQL injection? (if they didn't answer already)
b. On a Linux host running MySQL, how would you go about gaining command execution by leveraging SQL injection?
14. Describe Cross-Site Request Forgery.
a. How would you prevent it?
15. Describe the different types of Cross-Site Scripting.
16. Describe how and where in an application you might test for username enumeration.
17. Briefly, what is the purpose of the same-origin policy in relation to the Document Object Model?
18. Are there any security concerns with scoping an authorization cookie to the parent domain?
19. Describe the basics of the input and output of a block cipher.
20. Describe the basics of the input and output of a stream cipher.
21. List a couple of block ciphers and their characteristics and security concerns.
22. Describe when you would use a null byte during an application penetration test.
23. What is the problem with LM hashes?
[According to Justin, "When asking #23 you have to make sure to do it in a Jerry Seinfeld 'What's the deal with airplane food?' voice."]
24. What is the difference between NetNTLM and NTLM hashes?
25. Suppose you have physical access to a machine on a corporate domain that you are testing. It is connected to their network. You don't have credentials for the domain or the local machine. You also have your own laptop. How would you begin testing?
26. What is pass-the-hash?
27. What is token impersonation?
28. What tests would you perform in the following scenario: suppose you are assessing an application whose "forgot password" process consists of 3 steps:
a. Enter your username
b. Answer 3 security questions
c. Set a new password
29. You are performing an application penetration test and you come across a Java applet. Describe what you might do with it.
30. What would you inject into an HTML page of a victim to get their Windows computer to send you their password hashes?
31. What is the relevance of WPAD on a penetration test, and how can it be leveraged?
32. What methods or sources of information do you use for keeping up to date in the security industry?
33. Answer true or false and explain your answer: two-factor authentication protects against session hijacking.
34. Do you participate in the information security community in any way?
35. Where is your blog?
36. What projects do you contribute to?
37. What conferences do you attend?
38. What conferences have you spoken at?
39. Name a couple of people in the industry whose advice you'd look to or trust. - Asking this to make sure they are active and know who does what; if they are claiming to be Wi-Fi experts and don't name people like Josh Wright, then they are lying.