Interview questions to screen offensive (red team/pentest) candidates
Switch branches/tags
Nothing to show
Clone or download
Latest commit e757c8a Aug 6, 2018

README.md

Purpose

Collect a large sampling of interview questions to screen offensive (red team/pentest) candidates

If you are a candidate and looking to find some good questions to ask employers, visits @doctorj's page here: https://gitlab.com/doctorj/interview-questions/blob/master/interview-questions.yml

Contributing

  1. Use the standard method of forking this repository, making your changes and doing a "pull" request to have your content added
    • Format your questions as a numbered list, the question, your name (@name) if you'd like attribution, then any directions for the interviewer in italics. These are directions on what to look for or how to ask the question not answers to the questions.
    • Examples:
      1. "What is CSRF and how is it different from XSS?" @webbreacher
      2. "I have a /24 subnet on the Internet. You are a pentester. Tell me, start to finish, how you would execute this assessment." @webbreacher Look for everything from scoping meeting and rules of engagement to the depth/detail of their responses.
  2. Alternatively, if you just want to copy/paste your content, we'll take that too! Create an "Issue" with your content and we will add for you. Please tell us if you'd like attribution ("this question came from @johndoe") or not.

Organization

Questions should be organized (right now at least) in a couple different formats:

  1. Open-ended Questions
    • These questions have multiple methods of achieving a "correct" response.
    • Examples:
      • "Describe how you would compromise a victim's laptop using a phishing attack."
      • "What would you do once you successfully got a shell on a database server?"
  2. Knowledge-based Questions
    • There is a specific right and wrong answer for these questions.
    • Examples:
      • "What is CSRF and how is it different from XSS?"
      • "What are the primary differences between netcat and ncat?"
  3. Scenario-based Questions
    • These questions are ones in which the interviewer sets up a situation and allows the candidate to respond. During their responses, the interviewer adds (more information | emulates a client | tells the candidate what happens when they take an action) in order to more fully understand the breadth and depth of a candidate's knowledge.
    • Examples:
      • "I have a /24 subnet on the Internet. You are a pentester. Tell me, start to finish, how you would execute this assessment."
      • "You have just compromised a Mac OS X laptop inside a corporate user subnet. Your goal is to exfiltrate Active Directory hashes. How do you accomplish this?"
  4. Other Questions
    • These questions do not fit in the other categories.
    • Examples:
      • Right now I have no examples of this but you may!

License

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.