CEH interview questions
Broad coverage of hacking tools, techniques and the attacker mindset.
For an authorized social-engineering test, which pretext is acceptable?
Social-engineering tests must stay within agreed, ethical pretexts: realistic enough to be useful but without coercion, impersonating authorities, or exploiting personal or medical situations. A generic IT password reset agreed in the rules of engagement is fair game. Impersonating a real employee's sick child or threatening someone with being fired causes genuine psychological harm. Pretending to be law enforcement impersonates authorities and is often illegal even with a signed engagement.
Your alert() XSS test fires but the popup is blank — what does that tell you?
It confirms XSS. If alert() fired at all, the browser parsed and executed your injected JavaScript in the page context — that is the vulnerability. A blank/empty popup just means the string argument you passed didn't render as expected (quote handling, encoding, or context mangling broke the message), not that the payload is being blocked. The execution sink is live; you refine the payload from here.
How does malware detect and evade analysis sandboxes, and how do you counter it?
Sandbox-aware malware checks whether it is being watched before it misbehaves. It looks for VM and hypervisor artifacts (drivers, MAC prefixes, registry keys, CPUID), analysis tools and debuggers (process names, IsDebuggerPresent, timing of single-stepping), and signs of a real user (few processes, no recent documents, no mouse movement, low uptime, small disk). It may stall with long sleeps or only fire on a specific date, language, or domain. Analysts counter by hardening the VM to look real, patching out the checks, fast-forwarding sleeps, simulating user activity, and confirming behavior with static disassembly.
Show me how you'd combine common web bugs — say SQL injection and XSS — into impact beyond a single finding.
Individually, SQLi exposes or modifies data and can reach RCE; stored XSS hijacks sessions in victims' browsers. Chained, you can use SQLi to plant a stored XSS payload that fires in an admin's session, steal their session, and escalate to full application control.
Walk me through Kerberoasting — how it works, why it's possible, and how defenders stop it.
Any authenticated domain user can request a Kerberos service ticket (TGS) for any account with an SPN. That ticket is encrypted with the service account's NTLM password hash, so you extract it and crack the password offline — no privileged access needed to start, and it's near-silent.
Explain the difference between passive and active reconnaissance, with examples of each.
Passive reconnaissance gathers information without directly interacting with the target's systems — OSINT, DNS records, certificate transparency. Active reconnaissance touches the target, like port scanning or banner grabbing, which is noisier but yields more detail.
Walk me through the phases of a penetration test from kickoff to delivery.
A pentest moves through pre-engagement (scope and rules of engagement), reconnaissance, scanning and enumeration, exploitation, post-exploitation, and reporting. Each phase feeds the next, and reporting is where the value is actually delivered to the client.
Explain reverse shells versus bind shells and when you'd choose each.
A bind shell opens a listening port on the target and waits for you to connect to it. A reverse shell makes the target connect outbound to a listener you control. Reverse shells usually win because outbound traffic bypasses inbound firewall rules and NAT.
A client asks why they should pay for a pentest when they already run vulnerability scans. How do you answer?
A vulnerability scan is an automated, breadth-first inventory of potential weaknesses, often with false positives. A penetration test is human-driven: it validates findings, chains them together, and demonstrates real business impact through actual exploitation.
Get 100 cybersecurity interview questions + answers
Drop your email and we'll send you the free PDF pack and the flashcard deck.
No spam. Unsubscribe anytime.