├── LICENSE.md
├── README.md
├── knowledge.md
├── open.md
├── other.md
└── scenario.md
/LICENSE.md:
--------------------------------------------------------------------------------
1 | Copyright (C) 2018 Micah Hoffman
2 |
3 | This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.
4 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Purpose
2 | Collect a large sampling of interview questions to screen offensive (red team/pentest) candidates
3 |
4 | If you are a candidate looking for good questions to ask employers, visit @doctorj's page: [https://gitlab.com/doctorj/interview-questions/blob/master/interview-questions.yml](https://gitlab.com/doctorj/interview-questions/blob/master/interview-questions.yml)
5 |
6 | # Contributing
7 | 1. Fork this repository, make your changes, and open a pull request to have your content added.
8 |    - Format your questions as a numbered list: the question, your name (*@name*) if you'd like attribution, then any directions for the interviewer *in italics*. These are directions on what to look for or how to ask the question, not answers to the questions.
9 |    - Examples:
10 |      1. "What is CSRF and how is it different from XSS?" *@webbreacher*
11 |      1. "I have a /24 subnet on the Internet. You are a pentester. Tell me, start to finish, how you would execute this assessment." *@webbreacher* *Look for everything from scoping meeting and rules of engagement to the depth/detail of their responses.*
12 | 2. Alternatively, if you just want to copy/paste your content, we'll take that too! [Create an "Issue"](https://github.com/WebBreacher/offensiveinterview/issues) with your content and we will add it for you. Please tell us if you'd like attribution ("this question came from @johndoe") or not.
13 |
14 | # Organization
15 | Questions are organized (right now at least) into four categories:
16 |
17 | 1. [Open-ended Questions](https://github.com/WebBreacher/offensiveinterview/blob/master/open.md)
18 |    - These questions have multiple methods of achieving a "correct" response.
19 |    - Examples:
20 |      - "Describe how you would compromise a victim's laptop using a phishing attack."
21 |      - "What would you do once you successfully got a shell on a database server?"
22 | 2. [Knowledge-based Questions](https://github.com/WebBreacher/offensiveinterview/blob/master/knowledge.md)
23 |    - There is a specific right and wrong answer for these questions.
24 |    - Examples:
25 |      - "What is CSRF and how is it different from XSS?"
26 |      - "What are the primary differences between ```netcat``` and ```ncat```?"
27 | 3. [Scenario-based Questions](https://github.com/WebBreacher/offensiveinterview/blob/master/scenario.md)
28 |    - The interviewer sets up a situation and lets the candidate respond. During the response, the interviewer adds more information, emulates a client, or tells the candidate what happens when they take an action, in order to understand the breadth and depth of the candidate's knowledge more fully.
29 |    - Examples:
30 |      - "I have a /24 subnet on the Internet. You are a pentester. Tell me, start to finish, how you would execute this assessment."
31 |      - "You have just compromised a Mac OS X laptop inside a corporate user subnet. Your goal is to exfiltrate Active Directory hashes. How do you accomplish this?"
32 | 4. [Other Questions](https://github.com/WebBreacher/offensiveinterview/blob/master/other.md)
33 |    - These questions do not fit in the other categories.
34 |    - Examples:
35 |      - *Right now I have no examples of this but you may!*
36 |
37 | # Chinese Translation
38 | If you would like to read a Chinese translation of this project, visit https://github.com/Leezj9671/offensiveinterview.
39 |
40 | # License
41 | This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
42 |
--------------------------------------------------------------------------------
/knowledge.md:
--------------------------------------------------------------------------------
1 | # Knowledge-Based Questions #
2 |
3 | *These questions have a right or wrong answer. They should have discrete answers.*
4 |
5 | ## Tech Questions ##
6 |
7 | ### General Pentest ###
8 |
9 | 1. What are the phases of a penetration test? *@whereistehnarwhal, reddit*
10 | 2. What is the difference between a risk assessment, a vulnerability assessment, and a penetration test? *@whereistehnarwhal, reddit*
11 | 3. When running an nmap scan, what source port can you specify to scan from to commonly bypass firewall rules? *@jstnkndy*
12 | 4. Construct an Nmap SYN scan that does not do DNS lookups, does not ping the host, and only returns open ports for tcp/139 and tcp/445. *@whereistehnarwhal, reddit*
13 | 5. What kind of attack is ARP Spoofing considered and how could you leverage it on a penetration test? *@jstnkndy*
14 | 6. Explain what NBNS poisoning is and how it can be leveraged on a penetration test. *@jstnkndy*
15 | 7. Answer true or false and explain your answer: two-factor authentication protects against session hijacking. *@jstnkndy*
16 | 8. Explain what happens at every OSI layer when a connection from your web browser to a web server is initiated (in as much detail as you like). *@dhauenstein*
17 |
18 | ### Crypto / Hashes / Passwords ###
19 |
20 | 1. Describe the basics of input and output of a stream cipher. *@jstnkndy*
21 | 2. List a couple block ciphers and their characteristics and security concerns. *@jstnkndy*
22 | 3. Describe when you would use a null byte during an application penetration test. *@jstnkndy*
23 | 4. What is the problem with LM hashes? *@jstnkndy* *[According to Justin, "When asking #4 you have to make sure to do it in a Jerry Seinfeld "What's the deal with airplane food?" voice"]*
24 | 5. What is the difference between netNTLM and NTLM hashes? *@jstnkndy*
25 | 6. What is pass the hash? *@jstnkndy*
26 | 7. What is token impersonation? *@jstnkndy*
27 |
28 | ### Web Application ###
29 |
30 | 1. Describe what SQL Injection is and how you would test for it. *@jstnkndy*
31 | 2. What about Blind SQL Injection, and how is it different from other kinds? *@jstnkndy*
32 | 3. How can SQL Injection lead to remote code execution? *@morgoroth*
33 | 4. How can you execute OS commands with MSSQL injection? *@enddo*
34 | 5. Describe a webshell and how you would upload/use one. *@enddo*
35 |    1. How would you bypass uploader protections? *@enddo*
36 | 6. Describe Remote Command Execution (RCE). *@enddo*
37 |    1. How would you prevent it in PHP? *@enddo*
38 | 7. Describe Cross Site Request Forgery. *@jstnkndy*
39 |    1. How would you prevent it?
40 | 8. Describe the different types of Cross Site Scripting. *@jstnkndy*
41 |    1. How would you exploit XSS?
42 | 9. What is the purpose of the same origin policy with relation to the document object model? *@jstnkndy*
43 | 10. Describe the basics of input and output of a block cipher. *@jstnkndy*
44 | 11. How does the Heartbleed vulnerability work? *@webbreacher*
45 | 12. How do you exploit the Shellshock vulnerability and what can an attacker do with it? *@webbreacher*
46 |
47 | ### Exploit Development ###
48 |
49 | 1. Describe what a buffer overflow is and how you would test for it. *@enddo*
50 | 2. Describe what SEH is and how you would exploit it. *@enddo*
51 | 3. Describe how debugger modules and plugins can speed up basic exploit development. *@enddo*
52 | 4. How would you bypass DEP or ASLR in Windows 7? *@enddo*
53 | 5. How would you bypass SafeSEH? *@enddo*
54 |
55 | ### Mobile ###
56 |
57 | 1. Describe how you root an Android device or Jailbreak an iOS device. *@webbreacher*
58 |
59 | ### Active Directory ###
60 |
61 | 1. What is kerberoasting? *@leesoh*
62 | 2. What is a golden ticket? *@leesoh*
63 | 3. What is a silver ticket? *@leesoh*
64 |
--------------------------------------------------------------------------------
/open.md:
--------------------------------------------------------------------------------
1 | # Open-ended Questions #
2 |
3 | *These questions have no right or wrong answer. They should allow the candidate to provide full responses. The interviewers here are not just looking for complete answers but also keeping track of HOW a candidate responds (rambles, gets distracted, doesn't answer the question, etc.).*
4 |
5 | ## People Questions ##
6 |
7 | 1. Do you have a blog and, if so, what is the URL? *@digininja*
8 | 2. Do you contribute to open source projects and, if so, which and at what level? *@digininja*
9 | 3. How do you participate in the information security community? *@jstnkndy*
10 | 4. What conferences do you attend? *@digininja*
11 | 5. What conferences have you spoken at? *@digininja*
12 | 6. Name a couple of people in the industry that you'd look to for advice/trust their advice. *Asking this makes sure they are active and know who does what; if they claim to be wifi experts and don't name people like Josh Wright, then they are lying.* *@digininja*
13 | 7. What methods or sources of information do you use for keeping up to date in the security industry? *@jstnkndy*
14 | 8. If you could have any job in infosec, what would it be and why? *@webbreacher*
15 | 9. What is the coolest thing you have done in infosec? *@webbreacher*
16 | 10. Why would you like to work here? *@webbreacher*
17 | 11. Describe how you learn best. *@webbreacher*
18 | 12. What was the last or most interesting tech project you worked on in your personal time? *@cdiaz1971*
19 | 13. Have you participated in any Capture The Flag (CTF) competitions? *@sml555_*
20 | 14. Have you created any CTF challenges (as an organiser)? *@sml555_*
21 |
22 | ## Tech Questions ##
23 |
24 | ### General Pentest ###
25 |
26 | 1. You are performing a blackbox penetration test for a client. The only allowable attack vectors are network and application level attacks. Where do you start? *@jstnkndy*
27 |    1. Describe how you would find all domains associated with the client. *(if they didn’t answer)*
28 |    2. Describe how you would find all network ranges associated with the client. *(if they didn’t answer)*
29 | 2. During the penetration test you find an instance of Outlook Web Access belonging to the client. Describe how you would attack this. *@jstnkndy*
30 |    1. Describe how you would find potential usernames to use. *(if they didn’t answer)*
31 |    2. Describe how you would pick which passwords to use. *(if they didn’t answer)*
32 |    3. Describe how you would avoid account lockouts. *(if they didn’t answer)*
33 | 3. If you run the following scan without root privileges, describe what would happen: ```nmap www.google.com``` *@jstnkndy*
34 |    1. What kind of scan was performed? *(if they didn’t answer)*
35 |    2. How many ports were scanned? *(if they didn’t answer)*
36 |    3. If you ran the same command as root, describe the differences. *(if they didn’t answer)*
37 | 4. You are launching a Metasploit reverse https meterpreter payload against a host that you know is vulnerable to your attack, but once you type “exploit” nothing happens after it launches the attack. How would you debug this (or what would you change to get your meterpreter session)? *@jstnkndy*
38 | 5. You have successfully initiated a meterpreter session against a Windows host. What type of post exploitation do you perform? *@jstnkndy*
39 |    1. How would you extract the local password hashes?
40 |    2. How would you gather cleartext credentials from the machine?
41 |       1. In your report, what would your recommendation be to prevent this? *@leesoh*
42 |    3. You attempt to run mimikatz but an error occurs. How do you debug this (or what would you do to try to fix the error)?
43 | 6. Using the same meterpreter session as previous, you are able to dump the local machine hashes, describe what you would do with these. *@jstnkndy*
44 | 7. You are performing an onsite penetration test. You do not want to perform any active scanning. How would you gather credentials? *@jstnkndy*
45 | 1. What types of attack could you execute with them? *@leesoh*
46 | 8. Suppose you have physical access to a machine on a corporate domain that you are testing. It is connected to their network. You don't have credentials for the domain or local machine. You also have your own laptop. How would you begin testing? *@jstnkndy*
47 | 9. How would you avoid antivirus?
48 | 10. How would you target a database that you know lies behind a jump server with an unknown IP address?
49 | 11. What are commonly vulnerable ports/services/applications?
50 | 12. You have unprivileged Windows credentials, how can you elevate your privileges?
51 | 13. How can SQL Injection lead to remote code execution?
52 | 14. You have a SYSTEM shell on an AD workstation. Describe the process you would take to escalate to Domain Admin. *@leesoh*
53 | 15. What was your favourite penetration test moment, and why? *@leesoh*
54 | 16. When you are on an engagement, how do you manage client data? *@leesoh Look specifically for awareness of the risk of exposure, encryption, and deletion once the engagement is complete.*
55 |
56 | ### Crypto/Hashes/Passwords ###
57 |
58 | 1. What is the relevance of WPAD on a penetration test and how can it be leveraged? *@jstnkndy*
59 | 2. How would you conduct a pass-the-hash attack using NTLMv1/v2 (or netNTLM if you're a heathen) hashes? *@leesoh Trick question! These hashes cannot be passed.*
60 |
61 | ### Web Application ###
62 |
63 | 1. You are performing an application penetration test and you come across a Java applet, describe what you might do with it. *@jstnkndy*
64 | 2. What would you inject into an HTML page of a victim to get their Windows computer to send you their password hashes? *@jstnkndy*
65 | 3. What tests would you perform in the following scenario? Suppose you are assessing an application and the “forgot password” process consists of 3 steps: *@jstnkndy*
66 |    1. Enter your username
67 |    2. Answer 3 security questions
68 |    3. Set a new password
69 | 4. You have found Local File Inclusion in a .php file on a webserver; you want to read the file contents of the local file config.php file on the webserver but the code is being interpreted. How do you gain access to the file contents of config.php? *@jstnkndy*
70 | 5. How would you turn a Local File Inclusion against a Linux host into Command Execution? *@jstnkndy*
71 | 6. Describe how and where in an application you might test for username enumeration. *@jstnkndy*
72 | 7. Are there any security concerns with scoping an authorization cookie to the parent domain? *@jstnkndy*
73 | 8. On a Linux host running MySQL, how would you go about gaining command execution leveraging SQL Injection? *@jstnkndy*
74 |
75 | ### Mobile ###
76 |
77 | 1. Describe how you can perform Man-In-The-Middle (MITM) attacks (to view and tamper with the traffic) against mobile devices. *@webbreacher*
78 |
--------------------------------------------------------------------------------
/other.md:
--------------------------------------------------------------------------------
1 | # Other Questions #
2 | *These questions do not fit into the other categories.*
3 |
4 | ## Questions ##
5 |
--------------------------------------------------------------------------------
/scenario.md:
--------------------------------------------------------------------------------
1 | # Scenario Questions #
2 |
3 | *These questions have no right or wrong answer. They should allow the candidate to provide full responses. The interviewers here are not just looking for complete answers but also keeping track of HOW a candidate responds (rambles, gets distracted, doesn't answer the question, etc.).*
4 |
5 | ## Tech Questions ##
6 |
7 | ### General Pentest ###
8 |
9 | 1. "I am your customer. I have a /24 subnet of hosts on the Internet that I'd like you to pentest. Take me through, in detail, all the steps that you will go through in this assessment." *@webbreacher*
10 |    1. *This question is good to not only see if the candidate thinks about pre-assessment things like Rules of Engagement and Scoping meetings, but the interviewer can (and should!) say "Tell me more about that..." each step of the way to ensure that the candidate gives sufficiently deep answers.*
11 |    2. *The interviewer should have an idea of where they want the assessment to go, "You ran your scan and found two servers. One has TCP ports 23, 53, 80 open and the other has 80, 443 and 3306. What do you do next?" Provide direction but don't lead.*
12 |
13 | 2. For in-person interviews I like asking the candidate to "go to a white board (or paper taped to the wall). You have an unlimited budget and resources. Please draw the most secure corporate network for my organization. It must have certain components including but not limited to: the Internet, one user subnet, at least one Active Directory server, one web server (with backend database) on the Internet, one Human Resources server, Wifi for your users, a VPN, etc." *@webbreacher*
14 |    1. *The interviewer is looking for completeness.*
15 |       1. *Do they put all the required components in?*
16 |       2. *Are they in secure places?*
17 |       3. *Did they add in other security devices/conventions (IDS/IPS, FW, DMZ, SIEM...)?*
18 |       4. *Does their architecture make sense? If not, call them on it and ask them to fix it.*
19 |    2. *Once the candidate has completed their drawing, the interviewer goes to the board and draws a stick figure person attached to the Internet.* "This is you. You are an attacker on the Internet. I want you to tell me how you are going to compromise the AD server here (*circle it in the drawing*) and exfiltrate the AD user hashes."
20 |       1. *At this point the candidate can use any number of techniques to compromise the network and systems. The interviewer is looking for plausible attacks. Ask for more details at each step of their attack. Provide them challenges ("Our firm uses egress filtering for servers so they cannot talk directly to the Internet.") and see how they roll with them.*
21 | 3. On an assessment, you have just compromised a Mac OS X laptop inside a corporate user subnet. Your goal is to exfiltrate Active Directory hashes from the AD servers. How do you accomplish this? *@webbreacher*
--------------------------------------------------------------------------------