← Interview Prep Portal | Cyberspace Tech Solutions Main Site Book 1-on-1
Module 05 · Cyberspace Tech Solutions Cybersecurity Curriculum

Ethical Hacking & Penetration Testing

~60 minutes of structured prep covering the 5 pentest phases, tools, OSINT, vulnerability assessment, and exploitation techniques.

⚠️ Legal Notice: All techniques covered here are for authorized security testing only. Performing these activities without explicit written permission is illegal. Always operate within defined scope and rules of engagement.
20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes

Learning Outcomes

  • Conduct penetration tests ethically and methodically
  • Utilise tools like Metasploit, Nmap, and Burp Suite
  • Report and remediate vulnerabilities professionally

Topics Covered

#TopicTimeType
1Core Concepts (5 Phases, Tools, Recon, Assessment Types)10 minReading
2Interview Q&A (20 questions)20 minQ&A
3MCQ Quiz (25 questions)15 minQuiz
4Pentest Phase Sequencer5 minSimulation
5Tool Purpose Matcher4 minSimulation
6Recon Type Classifier3 minSimulation
7CVSS Severity Picker3 minSimulation
Core Concepts · ~10 min

Ethical Hacking Fundamentals

The 5 Phases of Penetration Testing

1
Reconnaissance
Information gathering about the target. Passive (OSINT, WHOIS, Google Dorking, Shodan) and Active (DNS enumeration, port scanning).
2
Scanning & Enumeration
Identify open ports, services, OS fingerprinting, vulnerability scanning. Tools: Nmap, Nessus, OpenVAS, Nikto.
3
Gaining Access
Exploiting discovered vulnerabilities. Tools: Metasploit, manual exploits, SQLmap, credential attacks. Document everything.
4
Maintaining Access / Post-Exploitation
Lateral movement, privilege escalation, persistence mechanisms. Demonstrates real-world attacker dwell time impact.
5
Covering Tracks / Reporting
Restore system to pre-test state. Write comprehensive report: executive summary, findings, CVSS scores, evidence, remediation steps.

Types of Testing

TypeKnowledgeBest for
Black BoxNo knowledge of target systemSimulating external attacker perspective
White BoxFull knowledge (source code, architecture, credentials)Comprehensive code/config review, most thorough
Grey BoxPartial knowledge (some credentials, network info)Simulating insider threat or partner access
AssessmentScopeDepth
Vulnerability AssessmentScan and identify weaknesses (no exploitation)Wide but shallow
Penetration TestExploit vulnerabilities to prove impactFocused and deep
Red Team ExerciseFull adversary simulation (phishing, physical, etc.)Broadest — tests people, process, technology

Key Tools Reference

ToolCategoryPurpose
NmapScanningNetwork/port scanner, OS detection, service version detection
MetasploitExploitationExploitation framework with 1500+ modules, payloads, post-exploitation
Burp SuiteWeb AppHTTP proxy, web scanner, vulnerability testing, fuzzer
WiresharkNetwork AnalysisPacket capture and analysis (PCAP)
Nessus / OpenVASVuln ScanningAutomated vulnerability scanner with CVE detection
John the RipperPasswordPassword hash cracker (dictionary, brute-force, rules)
HydraPasswordOnline brute-force/dictionary attack for login forms
NiktoWebWeb server scanner for dangerous files/CGIs, outdated software
SQLmapWeb AppAutomated SQL injection detection and exploitation
ShodanOSINTInternet-wide device search engine — finds exposed services

CVSS Scoring (Common Vulnerability Scoring System)

SeverityScore RangeExample
Critical9.0–10.0Unauthenticated RCE (Log4Shell, EternalBlue)
High7.0–8.9SQL injection with authenticated access, privilege escalation
Medium4.0–6.9Stored XSS, CSRF, information disclosure
Low0.1–3.9Missing headers, version disclosure, verbose errors
Interview Q&A · ~20 min · 20 Questions

Interview Questions & Model Answers

Click to expand. Difficulty: Easy Medium Hard

1What is the difference between ethical hacking and malicious hacking?Easy
FeatureEthical HackingMalicious Hacking
PermissionExplicit written authorizationNo permission — illegal
IntentFind and fix vulnerabilitiesExploit for personal gain/damage
ScopeDefined and agreed uponNo limits
ReportingFull disclosure to the clientConcealment
LegalityLegal (with authorization)Criminal offence
💡 The key distinction is authorization. The same techniques used without permission constitute a crime under India's IT Act, USA's CFAA, UK's CMA, etc.
2What are the five phases of penetration testing?Easy
  1. Reconnaissance: Passive and active information gathering (OSINT, port scanning)
  2. Scanning & Enumeration: Deep analysis of discovered services, versions, vulnerabilities
  3. Gaining Access: Exploiting vulnerabilities using tools like Metasploit or custom exploits
  4. Maintaining Access / Post-Exploitation: Lateral movement, privilege escalation, persistence, pivoting
  5. Covering Tracks / Reporting: Restore to pre-test state; write detailed report with evidence and remediation
💡 Different methodologies use slightly different names: OWASP, PTES (Penetration Testing Execution Standard), and OSSTMM all describe similar phases. Know them all by concept.
3What is the difference between a vulnerability assessment and a penetration test?Medium
FeatureVulnerability AssessmentPenetration Test
GoalIdentify and classify weaknessesExploit weaknesses to prove impact
Exploitation?No — discovery onlyYes — controlled exploitation
DepthBroad but shallowFocused and deep
ToolsNessus, OpenVAS (automated)Metasploit, manual techniques
OutputList of vulnerabilities with CVSS scoresProof of exploitation, business impact
FrequencyMonthly / quarterly scansAnnual / after major changes
💡 A VA is like a doctor listing your health risks; a pentest is like actually demonstrating that a risk can kill you. Both are needed for a complete security programme.
4What is OSINT? Give examples of OSINT tools.Medium
OSINT (Open Source Intelligence) is the collection and analysis of information from publicly available sources to gather intelligence about a target.
  • People/Org: LinkedIn (employees, org structure), company website, news articles
  • Domain/DNS: WHOIS, DIG, DNSDumpster, Sublist3r (subdomains)
  • Technology: Shodan (exposed services), Censys, BuiltWith (web tech stack), Wappalyzer
  • Search engines: Google Dorking (site:example.com filetype:pdf), Bing, Yandex
  • Code: GitHub (leaked credentials in public repos), GitLeaks
  • Dark web: Breached credential dumps (Have I Been Pwned)
  • Social media: Twitter/X, Facebook — phishing target profiling
Framework: Maltego — visual OSINT graph tool for mapping relationships.
5What is Nmap and what is it used for?Easy
Nmap (Network Mapper) is an open-source network scanning tool used to discover hosts and services on a network. Key capabilities:
  • Host discovery: nmap -sn 192.168.1.0/24 — ping sweep
  • Port scanning: TCP SYN scan -sS (stealth), full connect -sT, UDP -sU
  • Service/version detection: -sV — identifies running service and version
  • OS detection: -O — fingerprints operating system
  • Script scanning: -sC — runs default NSE (Nmap Scripting Engine) scripts
  • Aggressive scan: -A — OS + version + scripts + traceroute
💡 Common pentest first step: nmap -sV -sC -p- -oN output.txt target.com — scan all 65535 ports with service detection and default scripts.
6What is Metasploit and how is it used?Medium
Metasploit Framework is the world's most widely used penetration testing framework. It provides a unified platform for exploit development, payload delivery, and post-exploitation.
  • Exploits: 1500+ pre-built exploit modules for known CVEs
  • Payloads: Code executed on the target (reverse shells, Meterpreter)
  • Meterpreter: Advanced in-memory payload — file system access, privilege escalation, pivoting, screenshot, keylogging
  • Post-exploitation modules: hashdump, mimikatz (credential theft), persistence
  • Auxiliary modules: Scanners, fuzzers, DoS modules (non-exploiting)
Basic workflow: use exploit/windows/smb/ms17_010_eternalblueset RHOSTS targetset payload windows/x64/meterpreter/reverse_tcprun
7What is the difference between black box, white box, and grey box testing?Easy
  • Black box: Tester has no prior knowledge of the target. Simulates an external attacker. Most realistic but most time-consuming. Misses internal flaws that require code knowledge.
  • White box: Tester has full knowledge — source code, architecture diagrams, credentials, network maps. Most thorough and efficient. Best for finding deep code-level vulnerabilities.
  • Grey box: Tester has some knowledge — e.g., valid user credentials, network topology. Simulates an insider threat or a partner with partial access. Good balance of realism and efficiency.
💡 Most real-world engagements are grey box — it's cost-effective while still finding meaningful vulnerabilities. Pure black box can waste time on recon that the client could provide.
8What is privilege escalation?Medium
Privilege escalation is the process of gaining higher-level permissions than originally granted, moving from a limited user account to admin/root/SYSTEM privileges.
  • Vertical escalation: Low-privilege user → admin/root (most impactful)
  • Horizontal escalation: One user account → another user's account at the same privilege level
Common techniques:
  • Exploiting SUID binaries (Linux) — find / -perm -u=s -type f
  • Misconfigured sudo rights (sudo -l)
  • DLL hijacking / PATH manipulation (Windows)
  • Kernel exploits (Dirty COW, PrintNightmare)
  • Token impersonation (Windows — Juicy Potato, Rogue Potato)
  • Credential harvesting from config files, environment variables
9What is lateral movement?Hard
Lateral movement is the technique attackers use to progressively move through a network after gaining initial access, seeking higher-value targets or data. The goal is to expand access while remaining undetected.

Common techniques:
  • Pass-the-Hash (PtH): Use captured NTLM password hash to authenticate without knowing the plaintext password
  • Pass-the-Ticket (PtT): Steal and reuse Kerberos tickets
  • Remote services: WMI, PSExec, WinRM, RDP, SSH for remote command execution
  • Pivoting: Use a compromised host as a relay to reach otherwise inaccessible network segments
  • Credential reuse: Try captured credentials on other systems
💡 Lateral movement is why network segmentation is critical. If an attacker compromises one endpoint, flat networks allow them to reach every other system. Segmentation limits the blast radius.
10What is a CVE and CVSS score?Easy
  • CVE (Common Vulnerabilities and Exposures): A unique identifier assigned to a publicly disclosed vulnerability. Format: CVE-YEAR-NUMBER (e.g., CVE-2021-44228 = Log4Shell). Maintained by MITRE, published in the NVD (National Vulnerability Database).
  • CVSS (Common Vulnerability Scoring System): A standardised numerical score (0–10) measuring the severity of a vulnerability based on exploitability, impact, and scope.
CVSS v3 metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality/Integrity/Availability Impact.

Scores: 0.0 = None | 0.1–3.9 = Low | 4.0–6.9 = Medium | 7.0–8.9 = High | 9.0–10.0 = Critical
11What is a buffer overflow vulnerability?Hard
A buffer overflow occurs when a program writes more data into a buffer than it can hold, overflowing into adjacent memory. This can corrupt data, crash the program, or allow an attacker to inject and execute arbitrary code.

Types:
  • Stack-based: Overflows the call stack — classic attack. Can overwrite the return address to redirect execution.
  • Heap-based: Overflows heap memory — more complex to exploit but more impactful.
Mitigations: ASLR (Address Space Layout Randomisation), DEP/NX (Data Execution Prevention / Non-eXecutable), Stack Canaries, Safe C functions (strncpy vs strcpy), memory-safe languages (Rust, Go).
💡 Classic example: Morris Worm (1988) used a buffer overflow in sendmail. Many CVEs today are still buffer overflows in legacy C/C++ code.
12What is SQL injection and how do you test for it?Medium
SQL injection is an attack that inserts malicious SQL code into input fields that are then executed by the database, allowing attackers to read, modify, or delete database data, or bypass authentication.

Testing techniques:
  • Submit ' in input fields — look for database error messages
  • Try ' OR '1'='1 in login fields to bypass authentication
  • Use ' OR SLEEP(5)-- to detect blind SQLi (time-based)
  • Use SQLmap for automated detection: sqlmap -u "http://target.com/page?id=1" --dbs
  • Burp Suite Intruder for fuzzing parameters
Types: In-band (Error/Union-based), Blind (Boolean/Time-based), Out-of-band.
Prevention: Parameterised queries/Prepared statements, ORMs, input validation, WAF.
13What are the rules of engagement in a penetration test?Medium
Rules of Engagement (RoE) is the formal document agreed between the pentester and client before testing begins. It defines:
  • Scope: Which systems/IPs/URLs are in-scope and explicitly out-of-scope
  • Timeline: Testing start/end dates and times (e.g., off-hours only)
  • Permitted techniques: What types of attacks are allowed (DoS? Social engineering? Physical?)
  • Emergency contacts: Who to call if a critical system is accidentally disrupted
  • Data handling: How sensitive data discovered during testing must be handled
  • Notification: Whether the security team will be notified (covert vs overt)
  • Legal protection: Written authorization protecting the tester from prosecution
💡 NEVER start a pentest without signed written authorization. Without it, you are committing a crime regardless of intention.
14What is the difference between active and passive reconnaissance?Easy
FeaturePassive ReconActive Recon
Target interactionNo direct contact with targetDirect interaction with target systems
Detection riskVery low — target unawareHigher — traffic hits target logs
ExamplesWHOIS, Google Dorking, Shodan, LinkedIn, OSINTNmap scanning, DNS zone transfer, ping sweep
ToolsMaltego, Shodan, theHarvester, WHOISNmap, Nessus, Nikto, DNS tools
💡 Passive recon comes first — gather as much as possible without alerting the target. Active recon is noisier and may trigger IDS/firewall alerts.
15What is Burp Suite and what is it used for?Medium
Burp Suite is an integrated platform for web application security testing. Key features:
  • Proxy: Intercept and modify HTTP/HTTPS traffic between browser and web app
  • Scanner (Pro): Automated discovery of SQL injection, XSS, CSRF, and other OWASP Top 10 vulnerabilities
  • Intruder: Automated fuzzing and brute-force attacks against parameters
  • Repeater: Manually replay and modify individual requests
  • Decoder: Encode/decode Base64, URL encoding, HTML, hex
  • Collaborator (Pro): Out-of-band interaction server for detecting blind SSRF, XXE
  • Sequencer: Analyse randomness of session tokens
Burp Suite Community is free; Professional is the industry standard for web app pentesting.
16What is a payload in the context of Metasploit?Medium
In Metasploit, a payload is the code that runs on the target system after a successful exploit. It defines what happens post-exploitation.
  • Singles: Self-contained — do one thing (e.g., add a user, execute a command)
  • Stagers: Small code that establishes a connection, then downloads a larger Stage
  • Stages: Downloaded by stager — e.g., Meterpreter shell
Common payloads:
  • windows/x64/meterpreter/reverse_tcp — target connects back to attacker (firewall-friendly)
  • linux/x86/shell_bind_tcp — opens a listening port on target
  • windows/x64/exec — execute a command (single, no stager)
💡 Reverse shells are preferred because most firewalls block inbound but allow outbound connections. The target initiates the connection back to the attacker.
17What is pivoting in penetration testing?Hard
Pivoting is using a compromised machine (the "pivot") as a relay to reach network segments that are otherwise inaccessible from the attacker's machine. It simulates how attackers move deeper into a network after initial compromise.

Techniques:
  • Port forwarding: Forward a specific port through the pivot (SSH -L, Metasploit portfwd)
  • SOCKS proxy: Route all traffic through the pivot using a SOCKS proxy (Metasploit's socks module + proxychains)
  • VPN tunnel: Create a VPN-like tunnel through the pivot for full network access
Example: Attacker → [Internet] → Compromised DMZ server → [Internal Network] → Database server (unreachable from internet)
18How do you document and report findings after a penetration test?Hard
A professional pentest report has two main sections:

1. Executive Summary:
  • High-level overview for non-technical management
  • Overall risk rating, most critical findings summary
  • Business impact in plain language
2. Technical Report:
  • Methodology used (PTES, OWASP, etc.)
  • Each finding: Title, CVSS score, Description, Evidence (screenshots, logs), Proof of Concept steps, Business Impact, Remediation recommendation
  • Risk matrix / heat map
Best practices: No speculation — evidence for every finding. CVSS score every vulnerability. Prioritise by risk. Include a remediation timeline recommendation. Clean up all artifacts left during testing.
19What is a bug bounty program?Easy
A bug bounty program is a crowdsourced security initiative where organisations invite external security researchers to find and responsibly disclose vulnerabilities in exchange for monetary rewards.

Key platforms: HackerOne, Bugcrowd, Intigriti, Synack.

How it works:
  1. Organisation defines scope (which systems are in scope), rules, and reward tiers
  2. Researcher finds a vulnerability
  3. Researcher submits a detailed report with proof of concept
  4. Organisation validates the finding
  5. Researcher receives bounty based on severity (Low: $50–$500, Critical: $10,000–$1,000,000+)
Responsible disclosure: Researcher gives the organisation time to patch before public disclosure (typically 90 days — Google Project Zero standard).
20What is Google Dorking?Medium
Google Dorking (also called Google Hacking) uses advanced Google search operators to find sensitive information that is publicly indexed but not intended to be public.
  • site:example.com filetype:pdf — find PDFs on a specific site
  • intitle:"index of" "passwords" — find open directory listings with password files
  • site:example.com inurl:admin — find admin panels
  • filetype:sql "insert into" password — find SQL dump files
  • site:github.com "api_key" "example.com" — find leaked API keys
  • inurl:"/wp-admin" — find WordPress admin pages
Resource: The Google Hacking Database (GHDB) on Exploit-DB contains thousands of pre-built dorks.
💡 Google Dorking is passive reconnaissance — you're not touching the target, only querying Google's index. It's legal to search, but acting on findings without authorization is not.

MCQ Quiz · ~15 min · 25 Questions

Multiple Choice Questions

Select an answer then click Check. Explanations shown after each submission.

Progress:
0 / 25
Simulation 1 · ~5 min

Pentest Phase Sequencer

Click a phase to select it (highlighted in blue), then click another to swap positions. Arrange all 5 phases in the correct order.

?
Gaining Access / Exploitation
?
Reconnaissance (Information Gathering)
?
Covering Tracks & Reporting
?
Scanning & Enumeration
?
Maintaining Access / Post-Exploitation
Simulation 2 · ~4 min

Tool Purpose Matcher

Match each pentest tool to its correct purpose using the dropdown.

Nmap
Metasploit
Burp Suite
Wireshark
Nessus
John the Ripper
Hydra
Nikto
Simulation 3 · ~3 min

Reconnaissance Type Classifier

Classify each action as Passive Recon or Active Recon.

Using Shodan to find exposed devices and services from your browser
Running Nmap -sV against the target IP address range
Reading through a company's LinkedIn page to identify employees and their roles
Attempting a DNS zone transfer against the target's nameserver
Googling the target organisation's CEO name and corporate address
Sending ICMP ping sweeps to identify live hosts on the target network
Simulation 4 · ~3 min

CVSS Severity Picker

Select the correct CVSS severity rating for each vulnerability description.

Unauthenticated Remote Code Execution (RCE) vulnerability in the web server — attacker can run any command as root without any login credentials.
SQL injection vulnerability in the admin portal — requires valid admin credentials to exploit; can dump the entire user database.
Missing X-Frame-Options and Content-Security-Policy HTTP security headers on the marketing website.
Stored Cross-Site Scripting (XSS) in a comment field accessible only to authenticated admin users.
Web server discloses its version number (Apache 2.4.51) in HTTP response headers.
🎉

Module 05 Complete!

Ethical Hacking & Penetration Testing complete. Review any section via the sidebar.