Ethical Hacking Interview Questions
20 real interview questions from ethical hacking interviews at Bangalore's top product, services, and BFSI companies. Each answer is the atomic version — for the full explanation, related concepts, and a complete topic guide, follow the link to the full version on Networkers Home.
Reconnaissance
Q. Difference between active and passive reconnaissance. Which to use first?
Passive recon — gathering info without sending packets to target (Google dorking, Shodan/Censys queries, GitHub source code search, social media OSINT). Stealthy, can't be blocked. Active recon — direct interaction (port scans, banner grabbing, web crawling). Faster but detectable. Always start pass…
Q. Walk me through subdomain enumeration for a target.
Multi-source approach: (1) Passive sources — amass enum -passive, subfinder, assetfinder. Pull from CT logs, DNS aggregators, search engines. (2) Active resolution — massdns to verify which subdomains have live IPs. (3) Permutation/wordlist — gobuster vhost mode + custom wordlists for missed subdoma…
Web App
Q. Find SQL injection in a parameter that's not obvious. How?
Beyond basic ' or 1=1 -- testing: (1) Test in HTTP headers (User-Agent, Referer, X-Forwarded-For); (2) Test cookies — many apps blindly trust cookies; (3) Test JSON parameters in API endpoints (sqlmap supports JSON body via -r); (4) Test boolean-based — change parameter value, observe page diff (tru…
Q. Explain SSRF and how to escalate to RCE.
SSRF (Server-Side Request Forgery) — server-side code fetches a URL the attacker supplies, so the request originates from inside the target's network. Detection: parameter accepts URL (e.g., 'image_url=', 'callback='), modify to internal IP (127.0.0.1, 169.254.169.254 cloud metadata), observe response. Escalation paths: (1) AWS — http://169.254.169.254/lates…
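The detection step above turns on how the target validates the URL. The following is an added example, not code from the page or from Networkers Home: a naive denylist of the kind real apps ship, beside a hardened check that canonicalises the host (the shorthand, hex, octal and decimal IPv4 forms the C resolver accepts, plus IPv4-mapped IPv6) before testing it against loopback, private and link-local ranges. The probe URLs and the injected `resolver` callback are constructed so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an outbound fetcher must never reach: loopback, RFC 1918, link-local (which
# holds the 169.254.169.254 metadata endpoint), CGNAT, and their IPv6 equivalents.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",  # last: IPv4-mapped IPv6
)]


def naive_is_safe(url):
    """The check many apps ship: compare the host string against a short denylist."""
    host = urlsplit(url).hostname or ""
    return host not in ("localhost", "127.0.0.1", "169.254.169.254")


def literal_ip(host):
    """Return an ip_address for any literal the C resolver would accept, including the
    shorthand forms that defeat string matching: '127.1', '0x7f000001', '2130706433',
    '0177.0.0.1', and bracketed IPv6. None if the host is not a literal."""
    try:
        return ipaddress.ip_address(socket.inet_aton(host))  # packed bytes -> IPv4Address
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)  # IPv6 literals such as ::1 or ::ffff:a.b.c.d
    except ValueError:
        return None


def hardened_is_safe(url, resolver=None):
    """Allow only http(s), canonicalise the host to an address, reject anything in
    BLOCKED. `resolver(host) -> ip string` is injected so this runs offline. In
    production, pin the resolved address and connect to that exact address, and
    re-run this check on every redirect; otherwise DNS rebinding and a 302 walk
    around it."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    ip = literal_ip(host)
    if ip is None:
        if resolver is None:
            return False            # cannot prove where it points: refuse
        try:
            ip = ipaddress.ip_address(resolver(host))
        except ValueError:
            return False
    return not any(ip in net for net in BLOCKED)


# Attacker-style probes for an 'image_url=' style parameter (constructed for this example).
PROBES = [
    "http://127.0.0.1/",                        # caught by both checks
    "http://127.1/",                            # inet_aton shorthand
    "http://0x7f000001/",                       # hex
    "http://2130706433/",                       # decimal
    "http://0177.0.0.1/",                       # octal first octet
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "http://[::ffff:169.254.169.254]/latest/meta-data/",
    "file:///etc/passwd",
]


def compare(probes=PROBES):
    """Map each probe to (naive verdict, hardened verdict); True means 'would fetch'."""
    return {u: (naive_is_safe(u), hardened_is_safe(u)) for u in probes}


if __name__ == "__main__":
    for url, (naive, hard) in compare().items():
        print(f"{url:<70} naive={naive!s:<5} hardened={hard}")
```

Running it shows the naive check letting through every probe except the two literal strings it knows, while the hardened check refuses all of them. The remaining gap is in the fetcher, not the validator: the connection must go to the address that was validated, and every redirect hop must be validated again.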
Q. Explain prototype pollution and give a real exploitation chain.
Prototype pollution — attacker modifies Object.prototype in JavaScript, so every object that inherits from it (which is nearly all of them) picks up the injected property. JS-specific. Detection: parameters like __proto__, constructor.prototype in request body. Real chain: (1) Find merge function (lodash.merge < 4.17.20 or similar) accepting user input. (…
Active Directory
Q. Explain Kerberoasting attack with full chain.
Kerberoasting — obtain service tickets that are encrypted under service-account keys, then crack them offline to recover the passwords. Chain: (1) As any authenticated AD user, query the domain for SPNs (Service Principal Names); every account that runs a Kerberos service has one. (2) Request a Kerberos service ticket (TGS) for each SPN — the ticket is encrypted with a key derived from the service account's password (with RC4, etype 23, that key is the account's NT hash, which is why attackers request RC4 explicitly). (3) Extract T…
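The defender's side of the same chain is worth being able to describe in an interview: step (2) leaves Event ID 4769 (a service ticket was requested) on the domain controller, one per SPN, with the requested encryption type. The block below is an added example, not code from the page: a small detection rule over constructed 4769 records that flags one account requesting tickets for many distinct service accounts in a short window, plus a cheaper signal for RC4 (0x17) requests against services that are otherwise issued AES tickets. The event tuples, account names and thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4 = "0x17"            # RC4-HMAC (etype 23): fastest to crack, so attackers ask for it
AES = {"0x11", "0x12"}  # AES128 / AES256 (etypes 17, 18)

# Constructed Event ID 4769 records: (TimeCreated, TargetUserName = requester,
# ServiceName = account the ticket is for, TicketEncryptionType, IpAddress).
EVENTS = [
    ("2024-05-01T09:00:01", "alice", "WEB01$", "0x12", "10.1.2.20"),
    ("2024-05-01T09:00:03", "alice", "FS01$", "0x12", "10.1.2.20"),
    ("2024-05-01T09:02:10", "bob", "svc_sql", "0x12", "10.1.2.31"),
    ("2024-05-01T09:15:00", "jdoe", "svc_sql", "0x17", "10.1.2.77"),
    ("2024-05-01T09:15:00", "jdoe", "svc_web", "0x17", "10.1.2.77"),
    ("2024-05-01T09:15:01", "jdoe", "svc_backup", "0x17", "10.1.2.77"),
    ("2024-05-01T09:15:01", "jdoe", "svc_ssis", "0x17", "10.1.2.77"),
    ("2024-05-01T09:15:02", "jdoe", "svc_sp", "0x17", "10.1.2.77"),
    ("2024-05-01T10:30:00", "carol", "svc_web", "0x12", "10.1.2.40"),
]


def is_service_account(name):
    """Computer accounts ($) and krbtgt are requested constantly; only user-style
    accounts with SPNs are worth roasting."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoast(events, window=timedelta(minutes=5), min_distinct=4):
    """One requester asking for tickets to >= min_distinct distinct service accounts
    inside `window`. Returns one alert per bursting account."""
    per_user = defaultdict(list)
    for ts, user, svc, etype, ip in events:
        if is_service_account(svc):
            per_user[user].append((datetime.fromisoformat(ts), svc, etype, ip))
    alerts = []
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _, _, ip) in enumerate(reqs):
            in_win = [r for r in reqs[i:] if r[0] - t0 <= window]
            services = {r[1] for r in in_win}
            if len(services) >= min_distinct:
                alerts.append({
                    "user": user, "ip": ip, "start": t0.isoformat(),
                    "distinct_services": len(services),
                    "rc4_requests": sum(1 for r in in_win if r[2] == RC4),
                })
                break  # one alert per burst is enough for triage
    return alerts


def detect_rc4_downgrade(events):
    """Cheap second signal: a service account that receives RC4 tickets although the
    same account is otherwise issued AES tickets (a client forcing etype 23)."""
    etypes = defaultdict(set)
    for _, _, svc, etype, _ in events:
        if is_service_account(svc):
            etypes[svc].add(etype)
    return sorted(svc for svc, seen in etypes.items() if RC4 in seen and seen & AES)


if __name__ == "__main__":
    for alert in detect_kerberoast(EVENTS):
        print("kerberoast burst:", alert)
    print("rc4 downgrade on:", detect_rc4_downgrade(EVENTS))
```

On the constructed data only `jdoe` trips the burst rule (five service accounts in two seconds, all RC4), and `svc_sql` and `svc_web` show the RC4 downgrade. The highest-fidelity version of this detection is a honeytoken: a dedicated account with an SPN that no legitimate client ever requests, so a single 4769 for it is an alert on its own.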
Q. What is BloodHound and how do you use it in AD pen-test?
BloodHound (SpecterOps) — Active Directory attack path visualisation tool. Workflow: (1) SharpHound (data collector) — gather AD info: users, groups, sessions, ACLs, GPOs. (2) Upload data to Neo4j-backed BloodHound GUI. (3) Query attack paths — built-in queries like 'shortest path from any user to …
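To show what the 'shortest path' query actually computes, here is an added example (not BloodHound's own code, and not from the page): a breadth-first search over a constructed graph that uses BloodHound's edge names and directions (a computer HasSession a user; a group is AdminTo a computer; GenericAll is an ACL edge). The principals, hosts and edges are invented for the example; the point is that each hop is a concrete abuse step the operator has to perform.

```python
from collections import defaultdict, deque

# Constructed edges in BloodHound's vocabulary: (source) -[relationship]-> (target).
EDGES = [
    ("JDOE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS042.CORP.LOCAL"),
    ("WS042.CORP.LOCAL", "HasSession", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "GenericAll", "IT-ADMINS@CORP.LOCAL"),
    ("IT-ADMINS@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "FINANCE@CORP.LOCAL"),
    ("FINANCE@CORP.LOCAL", "CanRDP", "FS01.CORP.LOCAL"),
    ("FS01.CORP.LOCAL", "HasSession", "ALICE@CORP.LOCAL"),
]

ABUSE = {  # what controlling the source node lets the operator do along this edge
    "MemberOf": "inherit the group's rights",
    "AdminTo": "local admin: dump credentials of principals logged on to the host",
    "HasSession": "credential material for this principal is present on the host",
    "GenericAll": "full control of the object: add yourself to the group or reset the password",
    "CanRDP": "interactive logon only; not an escalation by itself",
}


def build_graph(edges):
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def shortest_path(graph, start, target):
    """BFS over relationship edges. Returns [(node, rel, node), ...] or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if target not in prev:
        return None
    path, cur = [], target
    while prev[cur] is not None:
        node, rel = prev[cur]
        path.append((node, rel, cur))
        cur = node
    return path[::-1]


def users_with_path(graph, users, target="DOMAIN ADMINS@CORP.LOCAL"):
    """The 'shortest path from any user to Domain Admins' query: user -> hop count."""
    result = {}
    for user in users:
        path = shortest_path(graph, user, target)
        if path is not None:
            result[user] = len(path)
    return result


def narrate(path):
    """Turn a path into the steps an operator would actually execute."""
    return [f"{src} -[{rel}]-> {dst}: {ABUSE.get(rel, 'unknown edge')}" for src, rel, dst in path]


if __name__ == "__main__":
    g = build_graph(EDGES)
    for step in narrate(shortest_path(g, "JDOE@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL")):
        print(step)
    print(users_with_path(g, ["JDOE@CORP.LOCAL", "ALICE@CORP.LOCAL"]))
```

On this graph `JDOE` reaches Domain Admins in five hops and `ALICE` does not: her `CanRDP` edge only yields a logon on a host whose sole session is her own. That distinction, which edges are usable and which are noise, is what an interviewer wants to hear after the tool name.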
Q. Explain Pass-the-Hash, Pass-the-Ticket, and Pass-the-Key.
All three are credential-reuse techniques in Windows/AD. PtH — use the NT hash directly (without knowing the password) to authenticate to a remote service over NTLM. Tools: Mimikatz sekurlsa::pth, Impacket secretsdump → wmiexec. PtT — use a Kerberos ticket (TGT or TGS) without knowing the password. Common: dump tickets from comp…
Exploit Dev
Q. Walk through a buffer overflow exploit on Linux x86_64.
(1) Identify vulnerable function (strcpy, gets, sprintf without bounds checking). (2) Send oversized input to crash the binary (segfault). (3) Find offset — pattern_create.rb + pattern_offset.rb (Metasploit utilities) to find the exact offset of the saved return address. On x86_64 the pattern bytes form a non-canonical address, so the fault happens on ret before RIP is updated: read the pattern from the stack at RSP, not from RIP. (4) Identify register state — RAX/RDI/R…
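Step (3) is mechanical enough to reproduce without the Ruby scripts. The block below is an added example, not code from the page or from Metasploit: a pattern generator with the same Aa0Aa1… sequence, an offset finder that accepts the register value as gdb prints it (a little-endian integer), a canonical-address check, and a constructed frame layout (72-byte buffer, saved RBP, return address; an assumption for the example) that shows why the return address slot, not RIP, is where the pattern turns up on x86_64.

```python
import string
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern: Aa0Aa1...Aa9Ab0... No 4-byte window repeats
    within the first 20280 bytes, so 4 or 8 bytes read from a crash identify an offset."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    raise ValueError("pattern is only unique up to 20280 bytes")


def pattern_offset(value, length=20280):
    """value: an int as gdb prints a register or stack slot (little-endian), the raw
    bytes, or the text. Returns the offset of that window in the pattern, or -1."""
    if isinstance(value, int):
        value = struct.pack("<Q", value)
    if isinstance(value, bytes):
        value = value.decode("ascii", "replace")
    return pattern_create(length).find(value)


def is_canonical(addr):
    """x86_64 with 48-bit virtual addresses: bits 63..47 must all equal bit 47.
    A non-canonical target makes `ret` fault with RIP still at the ret instruction."""
    top = addr >> 47
    return top in (0, (1 << 17) - 1)


def simulate_overflow(payload, buf_size=72):
    """Frame of a typical vulnerable function: [buf][saved rbp][return address][caller].
    Returns what an unbounded copy of `payload` leaves in those two slots."""
    frame = payload.ljust(buf_size + 16, b"\x00")
    saved_rbp, ret = struct.unpack_from("<QQ", frame, buf_size)
    return {
        "saved_rbp": saved_rbp,
        "return_address": ret,
        "faults_on_ret": not is_canonical(ret),  # so read the pattern at [rsp], not rip
    }


if __name__ == "__main__":
    crash = simulate_overflow(pattern_create(200).encode())
    print("return slot:", hex(crash["return_address"]), "non-canonical:", crash["faults_on_ret"])
    print("offset of saved return address:", pattern_offset(crash["return_address"]))
    print("offset of saved rbp:", pattern_offset(crash["saved_rbp"]))
```

With a 200-byte pattern the return slot holds `6Ac7Ac8A`, which is non-canonical, so a real crash would show RIP on the `ret` and the value at RSP; feeding that value back gives offset 80, and the saved RBP lands at 72. From there the payload is 80 bytes of padding followed by the address to return to.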
Q. Difference between heap and stack overflow exploitation?
Stack overflow — overwrite return address on stack, redirect execution. Mitigations: stack canaries, ASLR, DEP/NX. Heap overflow — corrupt heap metadata or in-place objects to gain primitives (arbitrary read, arbitrary write, type confusion). Modern heap exploitation focuses on tcache poisoning (gli…
Mobile
Q. Walk me through pen-testing an Android banking app.
(1) Static analysis — apktool to unpack resources and smali, jadx-gui to read decompiled Java/Kotlin. Search for hardcoded secrets, API endpoints, weak crypto. (2) Dynamic analysis with Frida — hook root detection, certificate pinning, encryption functions to bypass and observe. (3) MITM proxy — Burp Suite + bypass …
Cloud Pen-Test
Q. How would you test an AWS environment for security issues?
(1) IAM enumeration — list users/roles, identify over-privileged service accounts. Tools: ScoutSuite, Prowler, pacu. (2) S3 bucket enumeration — public buckets, leaked AWS credentials in CI/CD logs. (3) EC2 metadata access — SSRF in deployed app → http://169.254.169.254/latest/meta-data/iam/security…
Methodology
Q. Walk me through your pen-test methodology for a black-box engagement.
OWASP Testing Guide / PTES + custom adaptation: (1) Pre-engagement — scope, rules of engagement, emergency contacts, written authorisation. (2) Reconnaissance — passive then active. (3) Threat modelling — identify high-value assets, likely attack paths. (4) Vulnerability identification — automated (…
Q. How do you write a pen-test report that gets paid?
Audience-tailored sections: (1) Executive summary — 1 page, business risk + key findings + recommendations. CXOs read only this. (2) Methodology — scope, tools used, time spent. (3) Findings list — sorted by severity (Critical → High → Med → Low → Info). (4) Per-finding sections — title, CVSS score,…
Tools
Q. List the top 10 tools every ethical hacker should master in 2026.
(1) Burp Suite Pro — web app testing standard. (2) Nmap — port scanning + NSE scripts. (3) Metasploit Framework — exploit chains. (4) sqlmap — SQL injection automation. (5) Nuclei — template-based vulnerability scanning. (6) Wireshark — packet analysis. (7) Hashcat / John — password cracking. (8) Bl…
OSCP
Q. What's different about OSCP exam compared to certifications like CEH?
CEH — multiple-choice, 4-hour exam, theoretical knowledge of tools/concepts. ₹100K. Pass rate ~60%. OSCP — 24-hour practical exam in a custom lab environment, requires actually compromising machines, followed by a further 24 hours to submit a professional report. ₹135K+. Pass rate ~30%. Skills tested: Linux + Windows e…
Q. OSCP exam strategy — how to manage 24 hours?
Time blocks: 0-12 hours: target machines worth most points first (typically 25-pt and 20-pt machines). Take screenshots of every successful exploitation step in real-time. 12-18 hours: complete remaining machines as time/skill allows. 18-22 hours: take a 4-hour break (sleep is critical, not optional…
Behavioural
Q. Tell me about the most interesting bug or attack chain you've found.
Use STAR format. Best examples: (1) Bug bounty find with documented payout — credibility unmatched; (2) CTF challenge solved creatively (not just following walkthroughs); (3) Internal pen-test with unique attack chain — even from coursework. Avoid hypotheticals ('I would do X') and overly generic an…
Q. How do you stay current with new vulnerabilities and attack techniques?
Sources weekly: (1) Twitter/X — @SwiftOnSecurity, @bugbountywriteup, @PortSwigger researchers; (2) HackerOne disclosed reports + Bugcrowd disclosed reports; (3) PortSwigger Web Security Academy free training; (4) DEFCON / Black Hat talk recordings on YouTube (don't pay to attend); (5) Personal lab —…
Q. Why do you want to work at our company specifically (vs other pen-test firms)?
Required research: visit company's tech blog, read their open-source repos, find their disclosed CVE history (if any). Your answer should reference concrete things ('I read your team's blog post on X technique', 'noticed your CVE-XXXX-YYYY in product Z'). Avoid generic answers ('I want a challenging…
Web Security
Q. What is a CSRF token, and how does it differ from a CORS header?
A CSRF token is a unique, secret, and unpredictable value generated by the server and embedded in web forms to protect against Cross-Site Request Forgery attacks. It ensures that the request originated from the legitimate application, not an attacker's site. CORS (Cross-Origin Resource Sharing) head…
Ethical Hacking
Q. Explain SQL injection types: in-band, blind, and out-of-band, and how they are detected.
SQL injection types include In-band, Blind, and Out-of-band. In-band, or error-based/union-based, returns data directly in the application's response, detected by observing error messages or union query results. Blind SQLi, like boolean-based or time-based, doesn't return data directly; detection re…
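The answer above and the earlier one on finding injection in non-obvious parameters (headers, cookies, JSON bodies) share one worked example here. It is an added example, not code from the page or from sqlmap: a constructed in-memory SQLite "endpoint" that feeds an X-Forwarded-For header, a region cookie and a JSON id into SQL through string formatting, its parameterised twin, and a probe that classifies each injection point as error-based, boolean-based or union-based by comparing responses against a baseline, followed by the union-based extraction step. Time-based and out-of-band variants need a database that can sleep or make network calls, so they are not shown. All table contents, request fields and payloads are constructed for the example.

```python
import copy
import sqlite3

# Constructed backend for a fake product endpoint (example data only).
SCHEMA = """
CREATE TABLE products(id INTEGER, name TEXT, region TEXT);
INSERT INTO products VALUES (1, 'widget', 'eu'), (2, 'gadget', 'us');
CREATE TABLE users(username TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 's3cret');
CREATE TABLE trusted_ips(ip TEXT);
INSERT INTO trusted_ips VALUES ('10.0.0.5');
"""


def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_app(db, req):
    """Deliberately vulnerable: a header, a cookie and a JSON field all reach SQL
    through string formatting. Errors are echoed, as debug builds often do."""
    try:
        xff = req["headers"].get("X-Forwarded-For", "")
        region = req["cookies"].get("region", "eu")
        pid = req["json"].get("id", "1")
        trusted = db.execute("SELECT ip FROM trusted_ips WHERE ip = '%s'" % xff).fetchall()
        rows = db.execute("SELECT name FROM products WHERE region = '%s' AND id = %s"
                          % (region, pid)).fetchall()
        return "trusted=%d products=%s" % (len(trusted), [r[0] for r in rows])
    except sqlite3.Error as exc:
        return "SQL error: %s" % exc


def safe_app(db, req):
    """Same logic with bound parameters: input is data, never SQL syntax."""
    xff = req["headers"].get("X-Forwarded-For", "")
    region = req["cookies"].get("region", "eu")
    pid = req["json"].get("id", "1")
    trusted = db.execute("SELECT ip FROM trusted_ips WHERE ip = ?", (xff,)).fetchall()
    rows = db.execute("SELECT name FROM products WHERE region = ? AND id = ?",
                      (region, pid)).fetchall()
    return "trusted=%d products=%s" % (len(trusted), [r[0] for r in rows])


# Baseline request and the three non-obvious injection points to test.
BASE = {"headers": {"X-Forwarded-For": "10.0.0.5"},
        "cookies": {"region": "eu"},
        "json": {"id": "1"}}
POINTS = [("headers", "X-Forwarded-For"), ("cookies", "region"), ("json", "id")]
MARKER = "sqli-marker"
# (true, false) suffixes for a quoted-string context and an unquoted-number context.
BOOLEAN_PAIRS = [("' AND '1'='1", "' AND '1'='2"), (" AND 1=1", " AND 1=2")]
UNION_PAYLOADS = ["x' UNION SELECT '%s'-- " % MARKER, "0 UNION SELECT '%s'" % MARKER]


def with_value(location, name, value):
    req = copy.deepcopy(BASE)
    req[location][name] = value
    return req


def probe(app, db, location, name):
    """Return the set of SQLi techniques that give a signal at one injection point."""
    base_val = BASE[location][name]
    baseline = app(db, BASE)
    found = set()
    # error-based: a stray quote breaks the statement and the error reaches the page
    if "SQL error" in app(db, with_value(location, name, base_val + "'")):
        found.add("error")
    # boolean-based: a true condition keeps the baseline, a false one changes it
    for true_sfx, false_sfx in BOOLEAN_PAIRS:
        t = app(db, with_value(location, name, base_val + true_sfx))
        f = app(db, with_value(location, name, base_val + false_sfx))
        if t == baseline and f != baseline:
            found.add("boolean")
    # union-based: a marker we chose comes back through the query's own columns
    for payload in UNION_PAYLOADS:
        if MARKER in app(db, with_value(location, name, payload)):
            found.add("union")
    return found


def scan(app):
    db = new_db()
    return {name: probe(app, db, loc, name) for loc, name in POINTS}


def dump_via_union(app):
    """Exploitation once union works on the JSON id: read the users table."""
    req = with_value("json", "id", "0 UNION SELECT username || ':' || password FROM users")
    return app(new_db(), req)


if __name__ == "__main__":
    print("vulnerable:", scan(vulnerable_app))
    print("parameterised:", scan(safe_app))
    print(dump_via_union(vulnerable_app))
```

Against the vulnerable app all three points are error- and boolean-injectable, but union only works where a column is reflected in the response (the cookie and the JSON id, not the header, which only feeds a row count). Against the parameterised app every probe is silent. That pattern, error everywhere, boolean where the response differs, union only with a reflected column, is what sqlmap is automating when it runs through its technique list.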
Deeper context lives at networkershome.com. Each of these Q&As is part of a structured topic guide on the main site, with multi-part answers, code samples where relevant, strong vs weak answer notes, and follow-up question patterns. The full ethical hacking interview hub is on the main site.