Ethical hacking interview questions

Here are 100 ethical hacking interview questions and answers, covering fundamentals, reconnaissance, scanning, exploitation, web application security, network security, social engineering, cryptography, and incident response.

Ethical Hacking Fundamentals

1. What is ethical hacking?
Ethical hacking is the authorized, legal practice of attacking systems the way a real adversary would, in order to find and report exploitable weaknesses before a malicious actor does. It is performed with the organization's written permission, inside an agreed scope, and aims to improve security posture.

2. What is the difference between ethical hacking and penetration testing?
Penetration testing is a focused, goal-oriented assessment of a specific system or network. Ethical hacking is a broader term that encompasses penetration testing, vulnerability assessments, and continuous security testing using a hacker’s mindset.

3. What are the phases of ethical hacking?
Reconnaissance (footprinting), Scanning & Enumeration, Gaining Access (exploitation), Maintaining Access (persistence), and Clearing Tracks. In an authorized engagement the last phase is replaced by cleanup and Reporting, because the client's logs must remain intact for the defenders.

4. What is the CIA triad?
Confidentiality (data is accessible only to authorized users), Integrity (data is accurate and trustworthy), and Availability (data is accessible when needed). It’s the foundation of information security.

5. What is a vulnerability, threat, exploit, and risk?
Vulnerability: a weakness. Threat: a potential danger that can exploit a vulnerability. Exploit: the code or technique used to take advantage of a vulnerability. Risk: the potential loss/damage when a threat exploits a vulnerability.

6. What are the different types of hackers?
White hat (ethical), black hat (malicious), gray hat (borderline, may act without permission but not maliciously), script kiddies (unskilled, using others’ tools), and hacktivists (politically motivated).

7. What is the hacker’s methodology or kill chain?
The sequence of stages an intrusion moves through: Recon → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objectives (Lockheed Martin's Cyber Kill Chain). Defenders use it to map at which stage a given control can break the chain.

8. What is OWASP?
Open Worldwide Application Security Project (originally Open Web Application Security Project) – a non‑profit foundation that publishes the OWASP Top 10, a list of the most critical web application security risks, along with testing guides and tools such as ZAP.

9. What is the difference between a vulnerability assessment and a penetration test?
VA identifies, quantifies, and ranks vulnerabilities. Penetration test actively exploits vulnerabilities to determine the actual impact and business risk.

10. What is a red team / blue team / purple team?
Red team attacks, blue team defends and monitors. Purple team integrates them, working together to improve detection and response.

11. What is a zero-day vulnerability?
A vulnerability the vendor does not yet know about, or has not yet patched, so defenders have had "zero days" to fix it. Exploits for it work against fully patched systems, which is what makes it so dangerous.

12. What is a payload?
The piece of malware or code that executes the malicious action on the target system after an exploit delivers it (e.g., a reverse shell).

13. What is a reverse shell vs. bind shell?
Reverse shell: the target initiates an outbound connection back to the attacker's listener. It usually gets through because firewalls commonly allow outbound traffic while blocking unsolicited inbound connections; strict egress filtering can still stop it. Bind shell: the target opens a listening port and the attacker connects to it, which requires an inbound path through the firewall.

14. What is privilege escalation?
Gaining higher-level permissions than initially obtained. Vertical escalation (user to admin) and horizontal escalation (accessing another user’s resources at the same level).

15. What is a pivot in penetration testing?
Using a compromised machine as a foothold to attack other systems on an internal network that are not directly reachable from the attacker’s starting point.

Reconnaissance & Footprinting

16. What is footprinting?
The first phase of hacking: gathering as much information as possible about the target to find ways to intrude. It’s passive (no direct interaction) or active (touching the target).

17. What tools are used for passive reconnaissance?
Shodan (search engine for devices), theHarvester (emails, subdomains), Maltego (relationship mapping), Google Dorking, Whois, and DNS interrogation tools.

18. What is DNS footprinting?
Collecting domain information, DNS records (A, MX, NS, TXT, SOA), zone transfers, and subdomains. Tools: dig, nslookup, dnsrecon, dnsenum, fierce.

19. What is a Google Dork? Give an example.
Using advanced search operators to find sensitive information exposed on the web. Example: site:example.com filetype:pdf "confidential".

20. What is WHOIS lookup?
A protocol to query databases for the registered users of a domain name or IP address block, revealing contact information, registration dates, and name servers.

21. How can you enumerate subdomains?
Using tools like Sublist3r, Amass, subfinder, or by brute‑forcing with a wordlist (gobuster dns mode), and via certificate transparency logs (crt.sh).

22. What is OSINT?
Open Source Intelligence – collecting data from publicly available sources (social media, news, online forums, public records) to be used as intelligence.

23. What information can you gather from a target’s SSL certificate?
Domain names, subdomains, organization name, and location (if included). CT logs provide historical certificates.

24. What is social engineering?
Manipulating people into divulging confidential information or performing actions, instead of breaking in using technical hacking techniques.

25. What is shoulder surfing?
Directly observing someone’s screen or keyboard to steal passwords, PINs, or sensitive information.

26. What is tailgating/piggybacking?
Gaining unauthorized physical access to a secured area by following an authorized person through a door or checkpoint.

Scanning & Enumeration

27. What is network scanning?
Probing a network to discover live hosts, open ports, running services, and operating system details.

28. Explain the three-way handshake.
Client sends SYN, server replies SYN-ACK, client sends ACK. Used to establish a TCP connection. Scanners manipulate this to detect open ports.

29. What is a SYN scan (half-open scan)?
Attacker sends SYN; a SYN-ACK means the port is open, an RST means closed, and no reply (or an ICMP unreachable) means filtered. The scanner then sends RST instead of completing the handshake with the final ACK. Because no connection is ever established, the listening service never sees it and typically does not log it. It needs raw-socket privileges (root). Nmap: -sS, the default when run as root.

30. What is a FIN scan?
Attacker sends a FIN packet. Closed ports reply with RST; open ports ignore it (according to RFC). Works well on Unix; Windows may still send RST.

31. What is an Xmas scan?
Attacker sends a packet with the FIN, URG, and PSH flags set (the packet is "lit up like a Christmas tree"). Like the FIN and NULL scans it relies on RFC 793 behaviour: closed ports reply with RST, open ports stay silent, so silence means open or filtered. It does not positively identify the OS, but systems that answer RST on every port (Windows, many Cisco devices) give themselves away because every port appears closed. Nmap: -sX.
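The following is an added example, not code from the original page: it shows the TCP flag bits that the SYN, FIN and Xmas scans above rely on, and how a scanner interprets the reply to each probe. The sample "replies" are constructed in-process with struct rather than captured from the wire, so the script runs offline without raw-socket privileges; a real scanner would receive these headers from the network.

```python
"""Classify TCP scan replies from raw TCP headers (sample packets are constructed)."""
import struct

# TCP flag bits in the low byte of the offset/flags field (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header (no options, zero checksum).
    Used here only to construct sample replies for the demo."""
    offset_flags = (5 << 12) | flags      # data offset = 5 words, flags in the low bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, 65535, 0, 0)


def parse_tcp_flags(header):
    """Return the set of flag names set in a TCP header."""
    offset_flags = struct.unpack("!H", header[12:14])[0]
    bits = offset_flags & 0x01FF
    names = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}
    return {n for n, b in names.items() if bits & b}


def classify_syn_probe(reply):
    """Interpret the reply to a SYN probe (nmap -sS semantics)."""
    if reply is None:
        return "filtered"             # no answer: dropped by a firewall
    flags = parse_tcp_flags(reply)
    if {"SYN", "ACK"} <= flags:
        return "open"                 # half-open: scanner now sends RST, not ACK
    if "RST" in flags:
        return "closed"
    return "unknown"


def classify_fin_xmas_probe(reply):
    """Interpret the reply to a FIN/NULL/Xmas probe (nmap -sF/-sN/-sX).
    RFC 793: closed ports answer RST, open ports stay silent, so silence is
    ambiguous. Hosts that RST every port (Windows, many Cisco devices) make
    everything look closed."""
    if reply is None:
        return "open|filtered"
    if "RST" in parse_tcp_flags(reply):
        return "closed"
    return "unknown"


if __name__ == "__main__":
    syn_ack = build_tcp_header(80, 40000, SYN | ACK, seq=1, ack=1)
    rst = build_tcp_header(81, 40000, RST | ACK)
    print(classify_syn_probe(syn_ack), classify_syn_probe(rst), classify_syn_probe(None))
    print(classify_fin_xmas_probe(None), classify_fin_xmas_probe(rst))
    print(sorted(parse_tcp_flags(build_tcp_header(1, 2, FIN | PSH | URG))))
```

The same classification logic is what distinguishes a scanner's "open", "closed" and "filtered" states; the ambiguity of silence in the FIN/Xmas case is why those scans report open|filtered rather than open.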

32. What is banner grabbing?
Retrieving the service banner (version information) from an open port to fingerprint the service and its version. Tools: netcat, telnet, Nmap.

33. What is OS fingerprinting?
Determining the target’s operating system by analyzing its responses to crafted packets (TTL, window size, TCP options). Active (Nmap -O) and passive (p0f).

34. What is SNMP enumeration?
Extracting information from network devices using SNMP (Simple Network Management Protocol). SNMPv1/v2c authenticate only with a community string sent in cleartext, and the defaults 'public' (read) and 'private' (read/write) are frequently left in place, letting an attacker walk the MIB for interfaces, routing and ARP tables, running processes, installed software, and on Windows hosts user accounts and shares. Tools: snmpwalk, onesixtyone.

35. What is NetBIOS enumeration?
Collecting information about Windows systems using NetBIOS name resolution and SMB protocols. Tools: nbtstat, enum4linux, smbclient.

36. What is LDAP enumeration?
Querying a directory service, typically Active Directory, over LDAP (Lightweight Directory Access Protocol) to gather user names, group memberships, computers, and domain policy. Anonymous or low‑privileged binds are often enough, which makes it a staple of internal network attacks.

37. What is the purpose of a vulnerability scanner?
To automatically scan systems for known vulnerabilities (CVEs), misconfigurations, and missing patches. Examples: Nessus, OpenVAS, Qualys.

38. Name some common Nmap switches and their functions.
-sS (SYN scan), -sT (TCP connect scan), -sU (UDP scan), -O (OS detection), -sV (service version), -A (aggressive), -Pn (skip host discovery), -T4 (timing template faster).

39. How can you identify open services without making direct connections?
Using passive techniques like analyzing p0f logs, observing traffic, using Shodan, or extracting information from public sources.

40. What is a port? Which ports are commonly important for hackers?
A port is a logical endpoint. Key ports: 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 53 (DNS), 80/443 (HTTP/HTTPS), 445 (SMB), 3389 (RDP), 3306 (MySQL), 1433 (MSSQL), 8080 (HTTP proxy).

System Hacking & Exploitation

41. What is password cracking?
Recovering passwords from stored or transmitted data. Methods: brute‑force, dictionary attack, rainbow tables, and hybrid attacks.

42. What is a rainbow table?
A precomputed table for reversing password hashes: a time‑memory trade‑off that stores chains of hash/reduce operations rather than every hash, so a captured unsalted hash can be looked up far faster than brute force. It only works when the same password always produces the same hash, which is why salting defeats it.

43. What is salting?
Adding a random string to a password before hashing to defeat rainbow tables and ensure identical passwords produce different hashes.
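An added example (not from the original page) tying questions 41 to 43 together: it builds a small precomputed hash-to-password lookup from a constructed wordlist, shows that an unsalted SHA-256 hash falls to a single dictionary lookup, and then shows that the same table is useless against a salted hash and that two users with the same password get different stored hashes. The wordlist and passwords are made up for the demo.

```python
"""Precomputed-hash lookup vs. salted hashing (constructed wordlist)."""
import hashlib
import hmac
import secrets

# Constructed mini "wordlist"; a real table covers millions of candidates.
WORDLIST = ["password", "letmein", "qwerty", "Summer2024!", "admin123"]


def build_lookup_table(words, algo="sha256"):
    """Map unsalted hash -> plaintext. A real rainbow table stores hash chains
    instead of every pair (time-memory trade-off), but the lookup it enables
    is the same: hash in, password out."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def crack_unsalted(digest_hex, table):
    """Reverse an unsalted hash with a single dictionary lookup (None if absent)."""
    return table.get(digest_hex)


def hash_password(password, salt=None):
    """Salted hash: H(salt || password). Returns (salt_hex, digest_hex).
    Demonstration only: production code uses a slow KDF (argon2, scrypt,
    bcrypt or PBKDF2) rather than one SHA-256 round."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def verify_password(password, salt_hex, digest_hex):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, digest_hex)


def unsalted_hash(password):
    """What a legacy system without salting would store."""
    return hashlib.sha256(password.encode()).hexdigest()


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted(unsalted_hash("letmein"), table))   # letmein

    salt_hex, digest = hash_password("letmein")
    print("salted lookup:", crack_unsalted(digest, table))                # None
    print("verify:", verify_password("letmein", salt_hex, digest))        # True
    # Same password, two users, two different stored hashes
    print(hash_password("letmein")[1] != hash_password("letmein")[1])     # True
```

The salt is stored next to the hash in the clear; its job is not secrecy but making every hash unique, so an attacker must build a separate table per salt, which is no better than brute force.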

44. Explain buffer overflow.
A program writes more data to a buffer than it can hold, overwriting adjacent memory such as a saved return address or function pointer. This can crash the program or allow arbitrary code execution. Modern mitigations (stack canaries, DEP/NX, ASLR) make exploitation harder but not impossible, which is why ROP-style techniques exist.

45. What is a shellcode?
A small piece of code used as the payload in exploitation of a software vulnerability to launch a command shell from which the attacker can control the machine.

46. What is Metasploit?
An open‑source penetration testing framework that provides pre‑built exploits, payloads, auxiliary modules, and post‑exploitation tools.

47. What is a Meterpreter?
Meterpreter is an advanced, extensible Metasploit payload that runs in the memory of the compromised process (it does not touch disk by default) and gives the attacker an interactive session with built‑in commands for file access, pivoting, credential dumping, and privilege escalation.

48. How does DLL hijacking work?
Placing a malicious DLL with the same name as a legitimate DLL in a location the application searches first, causing the app to load and execute the attacker’s code.

49. What is Kerberoasting?
An Active Directory attack in which any authenticated domain user requests TGS (Ticket Granting Service) tickets for accounts that have a Service Principal Name. Part of each ticket is encrypted with the service account's password hash, so the tickets can be taken offline and cracked without generating failed logons. Service accounts with long‑lived, human‑chosen passwords and RC4 encryption enabled are the easiest targets. Tools: Rubeus, Impacket GetUserSPNs.py, hashcat.

50. What is Pass-the-Hash?
An attack where an attacker who has obtained a user's NTLM hash (e.g., from LSASS memory or the SAM) authenticates to other systems with it directly, because NTLM authentication proves knowledge of the hash rather than of the plaintext password. The Kerberos analogues are Overpass‑the‑Hash and Pass‑the‑Ticket.

51. What is a golden ticket attack?
Compromising the KRBTGT account's hash (obtainable by DCSync or from NTDS.dit) to forge Kerberos ticket‑granting tickets for any user, including ones that do not exist, giving domain‑wide admin access that survives every password change except KRBTGT's own. Remediation requires resetting the KRBTGT password twice.

52. How does privilege escalation work on Windows?
By exploiting vulnerable services, misconfigured permissions, unquoted service paths, registry vulnerabilities, and kernel exploits. Tools: WinPEAS, PowerUp.

53. How does privilege escalation work on Linux?
By exploiting SUID binaries, cron job abuses, sudo misconfigurations, writable /etc/passwd, and kernel exploits. Tools: LinPEAS, LinEnum.

54. What are common post‑exploitation activities?
Gathering system info, creating users, installing backdoors, capturing credentials (Mimikatz), pivoting to internal networks, and exfiltrating data.

55. How do you cover tracks after a penetration test?
The "clearing tracks" phase describes what a real attacker does (wiping event logs, bash history, auth logs). An ethical hacker should not do this: the client's logs are evidence the blue team needs, and destroying them is normally out of bounds. Instead, clean up what you introduced: remove uploaded tools, payloads, created accounts and scheduled tasks, revert configuration changes, and hand the client a list of every artifact and action so anything missed can be found, all as agreed in the rules of engagement.

Network & Wireless Hacking

56. What is sniffing?
Intercepting and logging network traffic passing through a network interface. It can be passive (on a hub, a mirrored/SPAN port, or an open wireless network) or active, where the attacker first redirects traffic to themselves, e.g., by ARP spoofing on a switched network.

57. What is ARP spoofing?
An attack technique that sends falsified ARP messages, associating the attacker’s MAC address with the IP of another host (like the default gateway) to intercept traffic.

58. What is DNS spoofing/poisoning?
Corrupting the DNS resolver cache to redirect traffic from a legitimate website to a malicious IP address controlled by the attacker.

59. What is a man-in-the-middle (MITM) attack?
An attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other.

60. How does DHCP spoofing work?
An attacker sets up a rogue DHCP server on the network, answering client requests with the attacker’s IP as the default gateway or DNS server.

61. What is MAC flooding?
Overloading a switch's CAM (MAC address) table with frames carrying forged source addresses; once the table is full the switch can no longer learn where hosts are and floods frames out of every port like a hub, so the attacker can sniff other hosts' traffic. Port security (limiting learned MACs per port) prevents it.

62. What is VLAN hopping?
An attacker sends packets to gain unauthorized access to traffic on other VLANs, using switch spoofing or double tagging.

63. What is a wireless packet injection?
Sending crafted wireless frames into a WLAN to cause disruptions (de‑auth) or aid in cracking keys.

64. Explain WEP cracking.
WEP uses RC4 with a 24‑bit IV that is sent in the clear and repeats quickly on a busy network; by capturing enough IVs (tens of thousands), statistical attacks (FMS, PTW) recover the key. ARP replay is used to make the AP generate fresh IVs faster. Tools: the aircrack‑ng suite (airodump‑ng, aireplay‑ng, aircrack‑ng).

65. How does WPA/WPA2 cracking work?
By capturing the four‑way handshake between a client and the AP (or forcing one with a deauth), then cracking the pre‑shared key offline with a dictionary or brute force, since the handshake contains values derived from the PSK and the SSID. Long, random passphrases resist it. Tools: aircrack‑ng, hashcat (mode 22000).

66. What is an evil twin attack?
Setting up a rogue AP with the same SSID as a legitimate network, usually combined with a deauth attack or a stronger signal so clients roam to it. Once connected, the attacker can intercept traffic or harvest credentials with a fake captive portal.

67. What is WPS attack?
Wi‑Fi Protected Setup can be cracked by brute‑forcing the 8‑digit PIN. The protocol confirms the two halves of the PIN separately and the last digit is a checksum, so only about 11,000 guesses are needed instead of 10^8. Some implementations also leak enough in the exchange to compute the PIN offline (Pixie Dust). Tools: Reaver, Bully.

68. What is deauthentication attack?
Sending spoofed deauth frames to disconnect clients from an AP, forcing them to re‑authenticate so the attacker can capture the WPA handshake, or pushing them toward an evil twin. Management frame protection (802.11w) blocks spoofed deauth frames.

69. What is a rogue access point?
An unauthorized wireless access point installed on a secure network, bypassing security controls and providing backdoor access.

70. How does Bluetooth hacking work?
Bluejacking (sending unsolicited messages), bluesnarfing (accessing data), and bluebugging (taking control of the phone) exploit insecure Bluetooth connections.

Web Application Security

71. What is SQL Injection?
Inserting malicious SQL code into a database query via input fields, allowing an attacker to read, modify, or delete database contents.

72. How can you prevent SQL Injection?
Use parameterized queries/prepared statements so data is never concatenated into SQL; use ORMs or query builders that parameterize for you; validate and allow‑list input, especially identifiers like table or column names, which cannot be parameterized; and run the application with a least‑privilege database account. Stored procedures help only if they do not build dynamic SQL internally.
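An added example (not from the original page) for questions 71 and 72: the same login query written two ways against a constructed in‑memory SQLite database. The string‑built version falls to both the classic ' OR '1'='1 bypass and a comment‑based payload; the parameterized version treats the same input as plain data. Table contents and passwords are made up.

```python
"""SQL injection: string-built query vs. parameterized query (sqlite3, in-memory)."""
import sqlite3

# Constructed sample database
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
    ("alice", "correct-horse", "admin"),
    ("bob", "battery-staple", "user"),
])


def login_vulnerable(username, password):
    """Builds SQL by string interpolation: attacker input becomes SQL syntax."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(username, password):
    """Parameterized query: the driver sends values separately from the
    statement text, so quotes, OR clauses and comment markers stay literal."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two classic authentication-bypass payloads
TAUTOLOGY = "' OR '1'='1"     # ... AND password = '' OR '1'='1'  -> every row
COMMENT_OUT = "alice'--"       # ... username = 'alice'-- AND password = '...' -> password ignored

if __name__ == "__main__":
    print(login_vulnerable("anyone", TAUTOLOGY))     # both rows: bypass
    print(login_vulnerable(COMMENT_OUT, "wrong"))    # [('alice', 'admin')]
    print(login_safe("anyone", TAUTOLOGY))           # []
    print(login_safe(COMMENT_OUT, "wrong"))          # []
    print(login_safe("alice", "correct-horse"))      # [('alice', 'admin')]
```

The tautology works because AND binds tighter than OR, so the WHERE clause becomes (username = 'anyone' AND password = '') OR '1'='1'; the comment payload works because -- turns the rest of the statement into a comment. Neither changes the statement structure in the parameterized form.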

73. What is Cross‑Site Scripting (XSS)?
Injecting malicious scripts into web pages viewed by others. Reflected (script reflected off a URL), Stored (script stored on the server), DOM-based (client-side vulnerability).

74. How can you prevent XSS?
Context‑aware output encoding (HTML body, attribute, JavaScript, URL, CSS), a strict Content Security Policy (CSP), input validation, HttpOnly cookies to limit what a successful script can steal, and templating frameworks that auto‑escape by default (React, Django templates). DOM‑based XSS additionally needs safe DOM APIs (textContent rather than innerHTML).

75. What is Cross‑Site Request Forgery (CSRF)?
An attack that tricks a user into submitting a malicious request by using their authenticated session with another site.

76. How can you prevent CSRF?
Using anti‑CSRF tokens, SameSite cookies, and checking the Referer/Origin header. Modern frameworks often have built‑in CSRF protection.

77. What is a directory traversal attack?
An attacker accesses files and directories stored outside the web root by manipulating file path parameters with ../ sequences, often URL‑encoded (%2e%2e%2f) or written with Windows backslashes to slip past naive filters. The fix is to resolve the path and check that it stays inside the intended directory, not to strip the string "../".
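An added example (not from the original page) of the containment check described above: a safe_join helper that decodes one layer of URL encoding, rejects null bytes and absolute paths, normalises the candidate path and then verifies it still lies under the web root. The web root /var/www/files is an assumed value for the demo and does not need to exist.

```python
"""Rejecting directory traversal in a file-download parameter."""
import os
from urllib.parse import unquote

# Assumed web root for the demo; the directory does not have to exist.
WEB_ROOT = os.path.realpath("/var/www/files")


class TraversalError(ValueError):
    pass


def safe_join(base_dir, user_path):
    """Resolve user_path inside base_dir and refuse anything that escapes it.
    Decodes one layer of URL encoding (as a web framework would) so that
    %2e%2e%2f is caught too; rejects absolute paths and null bytes; then
    normalises and checks containment rather than blacklisting '../'."""
    decoded = unquote(user_path)
    if "\x00" in decoded:                       # null bytes truncate paths in C-based runtimes
        raise TraversalError("null byte in path")
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        raise TraversalError(f"absolute path not allowed: {user_path!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath collapses '..' so base/a/../../b resolves outside base and fails here
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"path escapes base: {user_path!r}")
    return candidate


def is_traversal(base_dir, user_path):
    """True if the request would be rejected."""
    try:
        safe_join(base_dir, user_path)
        return False
    except TraversalError:
        return True


if __name__ == "__main__":
    for p in ["report.pdf", "2024/q1.csv", "2024/../report.pdf", "../../etc/passwd",
              "..%2F..%2F..%2Fetc%2Fpasswd", "/etc/passwd", "a/../../b", "x%00.pdf"]:
        print(f"{p!r:35} -> {'REJECT' if is_traversal(WEB_ROOT, p) else 'allow'}")
```

Note that "2024/../report.pdf" is allowed: it contains "../" but resolves inside the root, which is exactly the case a string blacklist gets wrong in the other direction. Symlinks inside the web root pointing outside it are resolved by realpath and rejected as well.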

78. What is Insecure Direct Object Reference (IDOR)?
An access control vulnerability where the application exposes a reference to an internal object (like a database key) and fails to verify the user’s authorization.

79. What is a file inclusion vulnerability?
Allowing an attacker to control the path passed to a file include. Local File Inclusion (LFI) reads files already on the server (/etc/passwd, source code) and becomes RCE when the attacker can plant content in an included file (log poisoning, uploaded files, PHP wrappers). Remote File Inclusion (RFI) fetches and executes code from an attacker's URL, which in PHP requires allow_url_include to be enabled.

80. What is command injection?
An attacker injects operating system commands into a vulnerable application, which executes them with the privileges of the web server.

81. What is the OWASP Top 10? (Name at least 5)
The 2021 list: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, Server-Side Request Forgery (SSRF).

82. What is Server‑Side Request Forgery (SSRF)?
An attacker abuses a server‑side feature that fetches URLs (webhooks, image fetchers, PDF renderers) to make the server send requests to internal services, cloud metadata endpoints (169.254.169.254), or localhost‑only admin interfaces the attacker cannot reach directly, bypassing network controls and borrowing the server's trust.

83. How does a Web Application Firewall (WAF) work?
It monitors and filters HTTP/S traffic based on rules and signatures to block common attacks (SQLi, XSS, etc.). It can be bypassed by encoding, chunking, or protocol-level tricks.

84. What tools are used for web application penetration testing?
Burp Suite (proxy, scanner), OWASP ZAP, sqlmap (automated SQLi), Nmap scripts, Nikto (web server scanner), Dirb/Gobuster (directory brute‑force).

85. What is HTTP parameter pollution?
Injecting multiple parameters with the same name to modify application logic, bypass authentication, or trigger errors.

Social Engineering & Physical Security

86. What is phishing, spear phishing, and whaling?
Phishing: mass email deception. Spear phishing: targeted at a specific individual or organization. Whaling: targeted at high‑profile executives.

87. What is a pretexting attack?
Creating a fabricated scenario (pretext) to engage a victim and steal sensitive information, e.g., calling IT support pretending to be an employee.

88. What is baiting?
Offering something enticing to the victim (free USB drive, movie download) that contains malware.

89. What is scareware?
Falsely claiming a user’s computer has a virus to trick them into installing malicious software or paying for fake removal.

90. How can an organization defend against social engineering?
Regular security awareness training, simulated phishing tests, clear policies on information sharing, and multi‑factor authentication.

Cryptography & Malware

91. What is symmetric vs. asymmetric encryption?
Symmetric: same key for encryption and decryption (AES; DES and 3DES are obsolete), fast, used for bulk data. Asymmetric: public/private key pair (RSA, ECC), much slower, used for key exchange, digital signatures, and certificates. TLS uses both: asymmetric to agree a session key, symmetric to encrypt the traffic.

92. What is a hash function? Why is MD5 considered broken?
A one‑way function that maps data to a fixed‑size digest; it should be preimage‑ and collision‑resistant. MD5's collision resistance is broken: two different inputs with the same hash can be computed in seconds on commodity hardware, and chosen‑prefix collisions have been used to forge X.509 certificates, so it is unacceptable for signatures, certificates, and integrity checks. Use SHA‑256 or SHA‑3.

93. What is SSL stripping?
Downgrading an HTTPS connection to HTTP by acting as a man‑in‑the‑middle: the attacker intercepts the victim's initial plain‑HTTP request, rewrites https:// links in responses to http://, and speaks TLS to the real server while the victim sends plaintext. HSTS (ideally preloaded) defeats it by making the browser refuse to load the site over HTTP.

94. What is ransomware?
Malware that encrypts the victim’s data and demands a ransom for the decryption key. Delivered via email, exploit kits, or RDP.

95. What is a Trojan horse?
A malware disguised as legitimate software. When executed, it runs malicious code while the user believes they are using a normal program.

96. What is a botnet?
A network of compromised computers (“zombies”) controlled by a central command & control server, used for DDoS, spam, and data theft.

97. What is steganography?
Hiding data within another file (image, audio) to avoid detection. Used for exfiltrating data covertly.

98. What is a side‑channel attack?
An attack based on information gained from the physical implementation of a system rather than weaknesses in the algorithm itself (timing, power consumption, electromagnetic leaks).
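An added example (not from the original page) of the simplest software side channel, a timing leak in an early‑exit comparison. Instead of measuring wall‑clock time, which is noisy, the demo counts how many bytes each compare examines: for the leaky compare that count grows with the length of the correct prefix, and the attacker loop recovers a constructed token one character at a time. The constant‑time version does the same amount of work for every guess, so the loop gets nothing.

```python
"""Timing side channel in an early-exit compare, made visible by counting
byte comparisons instead of measuring time (constructed secret)."""
import hmac


def leaky_equals(a, b):
    """memcmp-style compare that returns on the first mismatch.
    Returns (equal, bytes_examined); the second value is what leaks."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equals(a, b):
    """Examines every byte regardless of where a mismatch occurs, so the
    work done does not depend on the secret (hmac.compare_digest does this in C)."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def recover_secret(secret, compare=leaky_equals, alphabet=b"0123456789abcdef"):
    """Attacker loop: at each position, the guess that makes the compare
    examine one more byte (or finally match) is the correct character.
    Padding uses a byte outside the hex alphabet so it never matches by accident."""
    recovered = b""
    for pos in range(len(secret)):
        def score(c):
            guess = recovered + bytes([c]) + b"\x00" * (len(secret) - pos - 1)
            equal, examined = compare(secret, guess)
            return (examined, equal)          # break the tie on the last byte
        recovered += bytes([max(alphabet, key=score)])
    return recovered


SECRET = b"4f9c2a1e"   # constructed token the attacker tries to recover


if __name__ == "__main__":
    print(leaky_equals(SECRET, b"4f000000"))          # (False, 3): two correct chars leaked
    print(constant_time_equals(SECRET, b"4f000000"))  # (False, 8): always full length
    print(recover_secret(SECRET))                      # b'4f9c2a1e'
    print(recover_secret(SECRET, constant_time_equals) == SECRET)   # False: nothing leaks
    print(hmac.compare_digest(SECRET, b"4f9c2a1e"))   # stdlib constant-time primitive
```

In real code the leak is the elapsed time of the comparison rather than a counter, which is why tokens, MACs and password hashes must be compared with hmac.compare_digest or an equivalent rather than ==.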

Incident Response, Compliance & Scenarios

99. You’ve compromised a domain admin account. What’s your immediate next step?
Compromise of a domain admin account is a critical finding, so the first step is to stop and follow the rules of engagement: record how and when it was obtained and notify the client's designated point of contact right away, which is standard practice and usually required by the RoE. Only with their agreement do you demonstrate impact, for example by verifying access to a limited set of systems or pulling a small, agreed sample of hashes via DCSync rather than dumping the entire NTDS.dit. Do not plant a golden ticket or other persistence unless the scope explicitly calls for it: a forged KRBTGT‑based ticket forces the client to reset the KRBTGT password twice to recover, remediation work the test should not create. Log every action for the report.

100. What is the difference between NIST and ISO 27001?
NIST Cybersecurity Framework is a guideline for managing and reducing cybersecurity risk, primarily used in the US. ISO 27001 is an international standard for establishing, implementing, and maintaining an information security management system (ISMS) that can be certified.
