Skip to content

CEH interview questions

Broad coverage of hacking tools, techniques and the attacker mindset.

9 questions questions in this set
For an authorized social-engineering test, which pretext is acceptable?

Social-engineering tests must stay within agreed, ethical pretexts: realistic enough to be useful but without coercion, impersonating authorities, or exploiting personal or medical situations. A generic IT password reset agreed in the rules of engagement is fair game. Impersonating a real employee's sick child or threatening someone with being fired causes genuine psychological harm. Pretending to be law enforcement impersonates authorities and is often illegal even with a signed engagement.

Mid-levelGovernance, Risk & Compliance
The full answer
Your alert() XSS test fires but the popup is blank — what does that tell you?

It confirms XSS. If alert() fired at all, the browser parsed and executed your injected JavaScript in the page context — that is the vulnerability. A blank/empty popup just means the string argument you passed didn't render as expected (quote handling, encoding, or context mangling broke the message), not that the payload is being blocked. The execution sink is live; you refine the payload from here.

SeniorWeb Security
The full answer
How does malware detect and evade analysis sandboxes, and how do you counter it?

Sandbox-aware malware checks whether it is being watched before it misbehaves. It looks for VM and hypervisor artifacts (drivers, MAC prefixes, registry keys, CPUID), analysis tools and debuggers (process names, IsDebuggerPresent, timing of single-stepping), and signs of a real user (few processes, no recent documents, no mouse movement, low uptime, small disk). It may stall with long sleeps or only fire on a specific date, language, or domain. Analysts counter by hardening the VM to look real, patching out the checks, fast-forwarding sleeps, simulating user activity, and confirming behavior with static disassembly.

SeniorMalwareDFIR (Forensics & Incident Response)
The full answer
Show me how you'd combine common web bugs — say SQL injection and XSS — into impact beyond a single finding.

Individually, SQLi exposes or modifies data and can reach RCE; stored XSS hijacks sessions in victims' browsers. Chained, you can use SQLi to plant a stored XSS payload that fires in an admin's session, steal their session, and escalate to full application control.

Mid-levelWeb Security
The full answer
Walk me through Kerberoasting — how it works, why it's possible, and how defenders stop it.

Any authenticated domain user can request a Kerberos service ticket (TGS) for any account with an SPN. That ticket is encrypted with the service account's NTLM password hash, so you extract it and crack the password offline — no privileged access needed to start, and it's near-silent.

SeniorWindows InternalsCryptography
The full answer
Explain the difference between passive and active reconnaissance, with examples of each.

Passive reconnaissance gathers information without directly interacting with the target's systems — OSINT, DNS records, certificate transparency. Active reconnaissance touches the target, like port scanning or banner grabbing, which is noisier but yields more detail.

JuniorNetworkingThreat Intelligence
The full answer
Walk me through the phases of a penetration test from kickoff to delivery.

A pentest moves through pre-engagement (scope and rules of engagement), reconnaissance, scanning and enumeration, exploitation, post-exploitation, and reporting. Each phase feeds the next, and reporting is where the value is actually delivered to the client.

JuniorNetworkingWeb Security
The full answer
Explain reverse shells versus bind shells and when you'd choose each.

A bind shell opens a listening port on the target and waits for you to connect to it. A reverse shell makes the target connect outbound to a listener you control. Reverse shells usually win because outbound traffic bypasses inbound firewall rules and NAT.

Mid-levelNetworkingLinux Internals
The full answer
A client asks why they should pay for a pentest when they already run vulnerability scans. How do you answer?

A vulnerability scan is an automated, breadth-first inventory of potential weaknesses, often with false positives. A penetration test is human-driven: it validates findings, chains them together, and demonstrates real business impact through actual exploitation.

JuniorNetworkingWeb Security
The full answer

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.