Skip to content

Networking interview questions

TCP/IP, the OSI model, DNS, TLS, firewalls and the protocols every security pro must know cold.

73 questions questions in this set
Does HTTPS hide which website you're visiting from your ISP or network?

Mostly no. The destination hostname is sent in the clear in the TLS ClientHello's SNI extension, and your DNS query usually reveals it too, so an ISP or network can see WHICH site you visit even over HTTPS — they just can't read the path or content. Encrypted ClientHello (ECH) and DNS-over-HTTPS can close this gap, but they aren't universal. 'HTTPS hides everything' is the misconception.

Mid-levelNetworkingWeb Security
The full answer
Does private / incognito browsing hide your activity from your ISP or employer?

No. Private/incognito mode only stops the local browser from saving history, cookies, and form data after the session — it does nothing to the network path. Your ISP, employer proxy, DNS resolver, and the sites you log into can all still see your activity. The misconception is 'incognito = invisible'; in reality it is privacy from other people using the same device, not anonymity from the network.

JuniorWeb SecurityNetworking
The full answer
Is 127.0.0.1 the only loopback address?

No. The whole 127.0.0.0/8 range is reserved for loopback, so 127.0.0.2, 127.1.1.1, and so on all resolve to the local host. This matters for SSRF and allow-list bypasses — an attacker may use 127.0.0.2 or other encodings to dodge a naive 'block 127.0.0.1' check — and for binding multiple local services. (In IPv6, loopback is the single address ::1.)

JuniorNetworkingLinux Internals
The full answer
Is a device's MAC address permanent and globally unique?

No. A MAC is assigned by the vendor (OUI plus device id) and is 'burned in,' but essentially every OS lets you override it in software (macchanger, ip link set address). So MAC addresses are spoofable and must not be relied on for authentication — MAC filtering is weak, and phones now randomize MACs for privacy. 'Permanent and unique' is the misconception.

JuniorNetworking
The full answer
Does NAT act as a firewall and secure your network?

No. NAT (and PAT) maps private addresses to a public IP and, as a byproduct, drops unsolicited inbound connections because no mapping exists for them. That's not a security policy — there's no inspection, no rules, no logging — and NAT traversal, hole punching, and outbound-initiated C2 pass right through. NAT is an addressing tool; you still need an actual firewall. 'NAT = firewall' is the misconception.

Mid-levelNetworking
The full answer
What port does traceroute use?

Trick question — there's no single traceroute port. Classic Unix traceroute sends UDP datagrams to high, unlikely ports starting around 33434 with an increasing TTL; Windows tracert uses ICMP Echo instead. It works by reading the ICMP Time Exceeded messages routers return as the TTL expires, not by hitting a reserved port. And ICMP itself has no ports at all.

JuniorNetworking
The full answer
Does using a VPN make you anonymous online?

No. A VPN encrypts traffic to the VPN server and hides your IP from the destination, but the provider can see and may log your activity, and logins, cookies, and browser fingerprinting still identify you. It moves trust from your local network/ISP to the VPN operator — that's privacy from the local network, not anonymity. Tor and strict operational discipline are different tools for a different goal.

JuniorNetworkingGovernance, Risk & Compliance
The full answer
A scan shows your server still supports SSLv3/TLS 1.0 and RC4. What do you do?

SSLv3, TLS 1.0, and RC4 are broken or deprecated and enable downgrade and decryption attacks, so disable them and require TLS 1.2 or 1.3 with strong, forward-secret cipher suites — accepting the rare loss of very old clients. Leaving them on for compatibility keeps the weakness exploitable. Adding a second certificate or switching to a self-signed one doesn't remove the weak protocols, and self-signed certs harm trust without fixing the cryptography.

Mid-levelCryptographyNetworking
The full answer
You want to reduce PCI DSS scope. What's the standard approach?

PCI DSS scope covers systems that store, process, or transmit cardholder data plus anything connected to or able to affect them, so effective network segmentation isolates the cardholder data environment (CDE) and removes unrelated systems from scope, shrinking cost, effort, and risk. Encrypting every server doesn't define a boundary and connected systems stay in scope; adding untargeted firewalls everywhere isn't segmentation if it doesn't restrict and validate the data flows; and stopping people reading card numbers aloud is hygiene, not a scoping control. The systemic answer is to control where cardholder data lives and what can reach it.

SeniorGovernance, Risk & ComplianceNetworking
The full answer
During dynamic analysis the sample reaches out to a live C2 and may receive commands. What's the safe approach?

Use simulated network services or a tightly monitored, attributable-safe egress so you can study C2 behavior without revealing your real IP to the attacker or letting the host be tasked with harmful commands. Interacting from the corporate IP tips off the operator and risks real harm. Bridging the sandbox to the LAN invites spread. Disabling logging throws away the analysis data. Control the network so you observe without exposing or being weaponized.

SeniorMalwareNetworking
The full answer
A firewall review finds an 'any source / any destination / allow' rule near the top of the policy. What's the issue and fix?

Because firewalls evaluate rules top-down, a broad any/any allow near the top short-circuits every rule below it and permits all traffic — the firewall effectively stops enforcing anything. Replace it with explicit least-privilege rules for the flows actually needed, ordered so specific allows and denies take effect, ending in a default deny. Calling it efficient is wrong, moving it to the bottom can still shadow the default deny, and renaming changes nothing about what it permits.

Mid-levelNetworking
The full answer
The company relies on 'once you're on the VPN, you're trusted.' What architectural shift do you propose?

Network-location trust means a single foothold inside grants broad lateral access — one phished VPN credential and the attacker is 'inside.' Zero trust removes implicit trust: every access is authenticated, authorized, and continuously evaluated on identity and device posture, with least privilege and segmentation (NIST SP 800-207). A second VPN or a wider VPN just extends the same flat-trust problem to more places, and trusting the LAN instead of the VPN repeats the original mistake.

SeniorNetworkingIdentity & Access Management
The full answer
A new VM was launched with SSH (22) and RDP (3389) open to 0.0.0.0/0. What's the right remediation?

Management ports open to the whole internet are scanned and brute-forced within minutes, so the fix is to shrink the attack surface: restrict the security-group ingress to known admin CIDRs or VPN, or remove inbound entirely using a bastion or SSM Session Manager. Moving SSH to a non-standard port is security by obscurity that scanners defeat trivially. A stronger password doesn't reduce the exposed surface or stop credential-stuffing. Trusting a host firewall ignores the attack surface the security group is openly advertising to the internet.

Mid-levelCloudNetworking
The full answer
A business-critical production service looks vulnerable to a memory-corruption exploit that might crash it. What do you do?

Rules of engagement usually exclude DoS on production, and an unplanned crash causes real business damage and can void the engagement. Verify scope first; if a destructive proof-of-concept isn't authorized, prove the vulnerability through safer means and clearly document the likely impact. Firing the exploit for a screenshot is reckless. Running it repeatedly for 'reliability metrics' multiplies the outage. Skipping it silently hides a serious, exploitable risk from the client.

Mid-levelNetworkingGovernance, Risk & Compliance
The full answer
You crack a service-account password from a captured hash. What's the highest-value next step to demonstrate risk?

The point is impact: a reused or over-privileged service credential that unlocks domain admin or critical systems is the finding that matters, so test for reuse and map the privilege and lateral-movement path. Cracking every other hash first is busywork that delays the real story. Changing the service-account password is destructive, breaks production, and tips off defenders. Emailing a live credential in plaintext is itself an exposure and bad operational security.

SeniorIdentity & Access ManagementNetworking
The full answer
Mid-engagement you discover an exploitable host that is clearly NOT in the agreed scope. What do you do?

Authorization defines the engagement, so testing outside the agreed scope is potentially illegal and breaches the rules of engagement no matter how tempting the target. Document what you saw, stop, and obtain written client approval before going further. Exploiting for 'more findings' is never a justification for unauthorized access. Quietly exploiting it if you think you won't be caught is both unethical and a crime, and self-extending the scope strips the client of informed consent.

Mid-levelNetworkingGovernance, Risk & Compliance
The full answer
A critical unauthenticated RCE patch is out for an internet-facing server, but the team fears downtime. How do you proceed?

An internet-facing, unauthenticated RCE is emergency-grade: shrink the exposure window with a tested, staged or rolling deploy, and add compensating controls (restrict access, WAF rules) in the meantime. Waiting for the quarterly window leaves a wormable hole open for weeks. Blind production patching during business hours with no testing risks an outage and a botched rollback. Trusting the perimeter firewall does nothing — the service is already exposed and the exploit needs no credentials.

SeniorNetworkingGovernance, Risk & Compliance
The full answer
A review finds the network is flat — finance servers share a broadcast domain with guest Wi-Fi. What do you recommend first?

Flat networks let one compromised guest device reach crown-jewel systems directly. Segment by trust level and enforce least-privilege traffic between zones so lateral movement is contained and monitored. An edge firewall does nothing for east-west traffic between hosts already inside. Re-IPing the finance servers is security-by-obscurity that any scan defeats. Endpoint AV is one detective layer, not a substitute for the architectural control of isolating sensitive systems.

SeniorNetworking
The full answer
A public API went down because its TLS certificate expired. Beyond renewing it, what's the durable fix?

Manual renewals fail, so engineer the problem away with automated ACME renewal plus expiry monitoring that alerts days in advance. A calendar reminder is the manual process that already failed once. A long-lived self-signed cert breaks public trust and violates modern lifetime limits (CAs cap validity at ~398 days, dropping further). Disabling TLS trades an availability blip for a catastrophic confidentiality and integrity loss.

Mid-levelCryptographyNetworking
The full answer
You notice a single host making thousands of unusual, long TXT-record DNS queries to one domain. What's the most likely explanation and action?

High-volume, high-entropy TXT or long-subdomain queries to a single domain is a classic DNS tunneling / C2-and-exfil signature: data is being smuggled inside DNS to evade egress filtering. Capture a query sample for analysis, sinkhole or block the domain to cut the channel, and pivot to the host to find the responsible process. Dismissing it as normal caching or a slow website misses live exfiltration. Restarting the DNS server does nothing about the compromised endpoint and just disrupts name resolution.

Mid-levelNetworkingThreat Intelligence
The full answer
Explain the Lockheed Martin Cyber Kill Chain and how a blue team uses it.

The Cyber Kill Chain models an intrusion as seven sequential stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. Defenders map detections and controls to each stage; because the stages are sequential, breaking any single link — blocking the phishing email, killing C2 — disrupts the whole attack. It pushes you to detect early rather than only at the final breach.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)Networking
The full answer
Explain DNS data exfiltration and how a blue team would detect it.

DNS exfiltration encodes stolen data into DNS queries (e.g. long subdomain labels sent to an attacker-controlled authoritative server), abusing the fact that DNS is almost always allowed outbound and often unmonitored. Detect it with anomalies: unusually high query volume to one domain, long/high-entropy subdomains, many unique subdomains per parent domain, TXT/NULL record abuse, and queries to newly registered or rare domains.

SeniorNetworkingDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
Explain how SPF, DKIM, and DMARC work together to prevent email spoofing.

SPF publishes which IPs may send mail for a domain. DKIM adds a cryptographic signature so the receiver can verify the message was not altered and came from the domain. DMARC ties SPF/DKIM results to the visible From: header via 'alignment', tells receivers what to do on failure (none/quarantine/reject), and sends reports. SPF and DKIM alone do not protect the From a user sees — DMARC is what enforces that.

Mid-levelNetworkingWeb SecurityIdentity & Access Management
The full answer
What is a honeypot, what types exist, and what value does it give a blue team?

A honeypot is a decoy system or service with no legitimate business use, deliberately exposed to attract attackers. Because nothing benign should ever touch it, any interaction is a high-confidence alert. Low-interaction honeypots emulate services cheaply; high-interaction ones are real systems that yield richer intel but carry more risk. Honeytokens are the same idea applied to fake credentials, files, or records. Value: early detection, low false positives, and threat intelligence.

JuniorThreat IntelligenceNetworkingDFIR (Forensics & Incident Response)
The full answer
Explain defense in depth and how it differs from relying on a single strong control.

Defense in depth layers multiple, diverse, and independent controls across people, process, and technology so that the failure of any one control does not result in compromise. It assumes every control will eventually fail and uses redundancy and variety to slow, detect, and contain an attacker.

SeniorNetworking
The full answer
How do you secure container images?

Start from a minimal, trusted base image (distroless or slim) to shrink attack surface, scan images for known CVEs in CI and in the registry, pin and verify image digests, run as a non-root user, and avoid baking in secrets. Sign images and enforce admission policies so only scanned, signed images run. Rebuild regularly so patched base layers flow through.

Mid-levelCloudNetworking
The full answer
What are the basics of Kubernetes security (RBAC and network policies)?

RBAC controls what identities can do against the Kubernetes API — Roles and ClusterRoles grant verbs on resources, bound to subjects via RoleBindings — and should follow least privilege, avoiding cluster-admin and wildcards. Network policies control pod-to-pod traffic, which is allow-all by default until you apply a default-deny and then explicitly permit required flows. Together they limit blast radius if a pod or token is compromised.

SeniorCloudNetworking
The full answer
How do CloudTrail and GuardDuty fit into cloud logging and monitoring?

CloudTrail records every API call in the account — who did what, when, from where — giving you the authoritative audit trail for investigations and compliance. GuardDuty is a managed threat-detection service that analyzes CloudTrail, VPC flow, and DNS logs to surface findings like credential exfiltration or crypto-mining. CloudTrail is the source of truth you must protect; GuardDuty turns that telemetry into actionable alerts.

Mid-levelCloudNetworking
The full answer
What's the difference between security groups and network ACLs?

Security groups are stateful firewalls attached to instances/ENIs: they allow rules only, and return traffic for an allowed flow is automatically permitted. Network ACLs are stateless filters at the subnet boundary: they have ordered allow and deny rules and you must explicitly allow return traffic on ephemeral ports. Security groups are the primary control; NACLs add coarse subnet-level guardrails like blocking an IP range.

Mid-levelNetworkingCloud
The full answer
What is Perfect Forward Secrecy and why does it matter?

Perfect Forward Secrecy (PFS) means each session derives a unique key from an ephemeral key exchange that is thrown away afterward. If an attacker later steals the server's long-term private key, they still cannot decrypt previously captured traffic, because that key was never used to derive the session keys. It's achieved with ephemeral Diffie-Hellman (DHE/ECDHE).

Mid-levelCryptographyNetworking
The full answer
Walk me through the TLS 1.3 handshake.

Client and server agree on a shared secret in a single round trip using ephemeral Diffie-Hellman (ECDHE). The ClientHello carries the supported groups and a key share; the server replies with its key share and certificate, both sides derive the same keys, and application data flows immediately — with forward secrecy by default.

Mid-levelNetworkingCryptography
The full answer
Explain defense in depth and give an example.

Defense in depth means layering multiple independent security controls so that if one fails, others still protect the asset. It assumes no single control is perfect — for example combining a firewall, network segmentation, endpoint protection, MFA, least privilege, and encryption rather than relying on a perimeter alone.

JuniorNetworkingIdentity & Access Management
The full answer
Explain the difference between an IDS and an IPS.

An IDS (intrusion detection system) monitors traffic and raises alerts but does not block — it's typically out-of-band. An IPS (intrusion prevention system) sits inline in the traffic path and can actively drop or block malicious traffic. IPS prevents, but a false positive can break legitimate traffic.

JuniorNetworkingThreat Intelligence
The full answer
Explain the difference between TCP and UDP and when you'd use each.

TCP is connection-oriented and reliable: it uses a three-way handshake, guarantees ordered delivery, and retransmits lost packets. UDP is connectionless and fast with no delivery, ordering, or congestion guarantees. Use TCP for accuracy (web, email, file transfer) and UDP for speed-sensitive traffic (DNS, VoIP, streaming, gaming).

JuniorNetworking
The full answer
What is a firewall, and what's the difference between a stateless and a stateful one?

A firewall controls traffic between network zones by allowing or denying it based on rules. A stateless firewall evaluates each packet in isolation against rules; a stateful firewall tracks the state of connections so it can allow return traffic for sessions it permitted. Next-gen firewalls add application-layer awareness.

JuniorNetworking
The full answer
Is ARP a TCP or UDP protocol?

Neither. ARP is a Layer-2 (link-layer) protocol that is encapsulated directly in an Ethernet frame, not inside an IP packet. Because it never rides on IP, it cannot use TCP or UDP — those are Layer-4 transports that require IP underneath. ARP's job is to resolve a known IP address to the MAC address on the same local network segment.

JuniorNetworking
The full answer
On a firewall, would you rather a port be filtered or closed?

Filtered. A filtered port silently drops the packet, so the scanner gets no response and must wait for a timeout — it learns nothing about whether the host even exists, and scanning is slowed dramatically. A closed port sends back a TCP RST, which confirms the host is alive and responding, handing the attacker reconnaissance value for free.

Mid-levelNetworking
The full answer
Does HTTPS fully prevent man-in-the-middle attacks?

Not on its own. HTTPS prevents MITM only when certificate validation is strictly enforced and the client reaches the site over HTTPS to begin with. If a rogue CA is trusted (corporate proxy, malware-installed root), if the user clicks through cert warnings, or if SSL stripping downgrades the connection to HTTP before TLS starts, an attacker can still sit in the middle.

Mid-levelNetworking
The full answer
Is HTTPS the same as SSL? And what's the difference between SSL and TLS?

HTTPS is not a protocol of its own — it is plain HTTP running inside an encrypted TLS tunnel. SSL is the old name: SSL 2.0/3.0 are the deprecated, insecure predecessors of TLS, which superseded them (TLS 1.0 through 1.3). When people say 'SSL certificate' or 'SSL', they almost always actually mean TLS.

JuniorNetworkingCryptography
The full answer
What port does ping use?

Trick question — ping uses no port. It runs on ICMP, which is a Layer-3 protocol that sits directly on top of IP. Ports only exist in Layer-4 protocols like TCP and UDP, so ICMP (and therefore ping) has none. ICMP uses type and code fields instead, e.g. Echo Request type 8 and Echo Reply type 0.

JuniorNetworking
The full answer
How many packets are exchanged in the TCP three-way handshake?

Three. The client sends a SYN, the server replies with a combined SYN-ACK (one packet that both acknowledges the client's SYN and sends the server's own SYN), and the client finishes with an ACK. The trick is that SYN-ACK is a single packet, not two, so the total is three — exactly what 'three-way' names.

JuniorNetworking
The full answer
Explain Zero Trust architecture and what changes when you adopt it.

Zero Trust drops the assumption that being inside the network makes you trusted. Every request to a resource is authenticated and authorized on its own merits — verifying identity, device health, and context — by a policy decision point, granting least-privilege access per session. There is no trusted internal zone; the network location of a request is just one signal, not a free pass.

SeniorIdentity & Access ManagementNetworkingCloud
The full answer
Walk me through a penetration testing methodology like PTES.

PTES defines seven phases: pre-engagement (scope, rules of engagement, authorization), intelligence gathering (OSINT, recon), threat modeling, vulnerability analysis, exploitation, post-exploitation (pivoting, data of value, persistence), and reporting. The structure makes engagements repeatable, defensible, and tied to business risk rather than ad-hoc hacking — pre-engagement and reporting are the phases juniors underrate.

Mid-levelNetworkingWeb Security
The full answer
How does a red team engagement differ from a penetration test?

A pentest aims for broad coverage — find as many vulnerabilities as possible in a scoped target. A red team is objective-driven adversary emulation: pick a goal (e.g., reach the crown-jewel data), emulate a specific threat actor's TTPs, stay stealthy to test detection and response, and avoid noisy scanning. Red teaming measures the blue team and the whole org, not just the asset; both need tight rules of engagement and authorization.

SeniorNetworkingThreat Intelligence
The full answer
Walk me through the vulnerability management lifecycle.

Vulnerability management is a continuous loop: discover assets and vulnerabilities (scanning, asset inventory), prioritize by real risk (CVSS plus exploitability, exposure, and asset criticality — frameworks like EPSS and SSVC help), remediate or mitigate, verify the fix, and report on trends and SLAs. The scan is the easy part; the discipline is prioritizing and closing the loop so risk actually goes down over time.

Mid-levelNetworkingCloud
The full answer
What ports do SSH, HTTP, HTTPS, DNS, RDP, and SMB use, and why do they matter?

SSH is TCP 22, HTTP is TCP 80, HTTPS is TCP 443, DNS is 53 (UDP and TCP), RDP is TCP 3389, and SMB is TCP 445. Knowing the well-known ports lets you read scan output, write firewall rules, and triage alerts quickly — a service on its expected port versus an unexpected one is an immediate signal.

JuniorNetworking
The full answer
How does DNS resolution work — recursive vs authoritative?

A stub resolver asks a recursive resolver for a name. If it isn't cached, the recursive resolver walks the hierarchy: it queries a root server (which points to the TLD), the TLD server (which points to the domain's authoritative servers), and finally the authoritative server, which holds the actual record. The answer is cached along the way per its TTL. DNS uses port 53 — UDP for most queries, TCP for large ones.

JuniorNetworking
The full answer
What is the difference between a forward proxy and a reverse proxy?

A forward proxy sits in front of clients and makes outbound requests on their behalf — used for egress control, filtering, caching, and anonymity. A reverse proxy sits in front of servers and receives inbound requests on their behalf — used for load balancing, TLS termination, caching, and as a security front for a WAF. The direction it faces, client-side or server-side, is the key distinction.

Mid-levelNetworkingWeb Security
The full answer
How does traceroute work, and what role does the TTL field play?

Traceroute discovers the routers between you and a destination by exploiting the TTL field. It sends packets with TTL=1, then 2, then 3, and so on. Each router decrements TTL; when TTL hits zero, that router drops the packet and returns an ICMP Time Exceeded message, revealing its address. By stepping the TTL up, traceroute maps each hop in order until the destination is reached.

Mid-levelNetworking
The full answer
What is NAT, and how does PAT differ from it?

NAT (Network Address Translation) rewrites the source and/or destination IP as packets cross a boundary, typically mapping private internal addresses to public ones. PAT (Port Address Translation, or NAT overload) extends this by also translating ports, letting many internal hosts share a single public IP — each flow distinguished by its port. PAT is what home and office routers use to put a whole LAN behind one address.

Mid-levelNetworking
The full answer
Explain the OSI model and what each layer adds.

The OSI model splits networking into seven layers, each adding one responsibility: Physical (bits on the wire), Data Link (frames and MAC addressing), Network (IP routing), Transport (TCP/UDP, ports, reliability), Session (managing connections), Presentation (encoding, encryption, compression), and Application (protocols like HTTP). Each layer wraps the one above it as data goes down the stack.

JuniorNetworking
The full answer
What is a subnet, and what does a subnet mask do?

A subnet is a logical subdivision of an IP network. The subnet mask marks which bits of an IP address are the network portion and which are the host portion — for example, /24 (255.255.255.0) means the first 24 bits identify the network and the last 8 identify hosts. Subnetting controls how traffic is routed and lets you segment a network into smaller broadcast domains.

JuniorNetworking
The full answer
Walk me through the TCP three-way handshake.

TCP opens a connection in three steps. The client sends a SYN with an initial sequence number, the server replies with SYN-ACK (acknowledging the client's number and sending its own), and the client returns an ACK. After this exchange both sides have agreed on starting sequence numbers and the connection is established for reliable, ordered byte delivery.

JuniorNetworking
The full answer
TCP vs UDP — how do they differ and when would you choose each?

TCP is connection-oriented: it handshakes, numbers bytes, retransmits losses, and controls congestion, giving reliable ordered delivery at the cost of latency and overhead. UDP is connectionless and fire-and-forget — no handshake, no retransmission, no ordering. Use TCP when correctness matters (web, email, file transfer) and UDP when speed matters more than perfection (DNS, VoIP, gaming, video).

JuniorNetworking
The full answer
How does the TCP/IP model compare to the OSI model?

The TCP/IP model has four layers — Link, Internet, Transport, and Application — and describes how the real internet works. OSI has seven. They map closely: TCP/IP's Application layer absorbs OSI's Application, Presentation, and Session; its Link layer combines OSI's Physical and Data Link. OSI is the better teaching and troubleshooting reference; TCP/IP is the implemented protocol suite.

JuniorNetworking
The full answer
What is a VLAN, and what is its security value?

A VLAN (Virtual LAN) logically partitions a physical switch into separate Layer 2 broadcast domains, so devices on different VLANs can't reach each other directly even on the same hardware. It's labeled with an 802.1Q tag on trunk links. The security value is segmentation: isolating user, server, guest, and IoT traffic limits broadcast scope and lateral movement, with inter-VLAN traffic forced through a router or firewall where policy is applied.

Mid-levelNetworking
The full answer
What is the difference between a VPN and a proxy?

A VPN creates an encrypted tunnel at the network/OS level, so all of a device's traffic is routed through it and protected end to end — used for secure remote access. A proxy operates at the application level, relaying traffic for specific apps or protocols and not necessarily encrypting it. The big differences are scope (whole-device vs per-application) and that a VPN encrypts by design while many proxies do not.

JuniorNetworking
The full answer
What is a DMZ in network architecture, and why would you use one?

A DMZ (demilitarized zone) is a network segment that sits between the untrusted internet and the trusted internal network, hosting public-facing services like web, mail, and DNS servers. Firewall rules let the internet reach the DMZ but tightly restrict the DMZ's access to the internal network. The goal is containment: if a public server is compromised, the attacker is stuck in the buffer zone rather than landing inside the LAN.

Mid-levelNetworking
The full answer
Walk me through how you enumerate a brand-new target box.

Start with a full TCP port scan, then enumerate every open service in depth — banners, versions, default creds, anonymous access, and web content — before touching any exploit. Most boxes fall to thorough enumeration, not clever exploits, which is the core of the 'try harder' mindset.

JuniorNetworkingLinux Internals
The full answer
Why scan all 65535 ports, and how do you do it efficiently with nmap?

The default nmap scan only covers the top 1000 ports, so a service on a high port would be missed entirely. The efficient pattern is a fast SYN scan of all 65535 ports first, then a focused version and default-script scan against only the ports found open.

JuniorNetworking
The full answer
You've compromised a host with a second network interface. How do you pivot?

Use the compromised host as a relay into the unreachable subnet. Set up port forwarding for a single service, or a dynamic SOCKS proxy (SSH -D or chisel) and route your tools through it with proxychains, so your attacker box can reach internal hosts via the pivot.

SeniorNetworking
The full answer
What do you check when you find SMB and SNMP open on a host?

For SMB, enumerate shares, check for anonymous/null-session access, list users, and identify the version for known CVEs. For SNMP, try default community strings like 'public' and walk the MIB to extract usernames, running processes, installed software, and network details.

Mid-levelWindows InternalsNetworking
The full answer
Explain the difference between passive and active reconnaissance, with examples of each.

Passive reconnaissance gathers information without directly interacting with the target's systems — OSINT, DNS records, certificate transparency. Active reconnaissance touches the target, like port scanning or banner grabbing, which is noisier but yields more detail.

JuniorNetworkingThreat Intelligence
The full answer
Walk me through the phases of a penetration test from kickoff to delivery.

A pentest moves through pre-engagement (scope and rules of engagement), reconnaissance, scanning and enumeration, exploitation, post-exploitation, and reporting. Each phase feeds the next, and reporting is where the value is actually delivered to the client.

JuniorNetworkingWeb Security
The full answer
You've compromised a host on a segmented network. Explain how you pivot to reach systems you can't touch directly.

Pivoting turns a compromised host into a relay so you can reach internal segments your machine can't route to. You use port forwarding, a SOCKS proxy over your C2 channel (e.g. Chisel, SSH dynamic forwarding), or agent-based routing, then run tools through that tunnel to attack the next subnet.

SeniorNetworkingWindows Internals
The full answer
You have a low-privileged shell on a Linux box. Walk me through how you'd escalate to root.

Enumerate first: current privileges, sudo rights, SUID/SGID binaries, cron jobs, writable files in PATH, kernel version, and stored credentials. Then exploit the easiest reliable path — often a misconfigured sudo rule or a SUID GTFOBin — before reaching for a kernel exploit.

Mid-levelLinux InternalsNetworking
The full answer
Explain reverse shells versus bind shells and when you'd choose each.

A bind shell opens a listening port on the target and waits for you to connect to it. A reverse shell makes the target connect outbound to a listener you control. Reverse shells usually win because outbound traffic bypasses inbound firewall rules and NAT.

Mid-levelNetworkingLinux Internals
The full answer
A client asks why they should pay for a pentest when they already run vulnerability scans. How do you answer?

A vulnerability scan is an automated, breadth-first inventory of potential weaknesses, often with false positives. A penetration test is human-driven: it validates findings, chains them together, and demonstrates real business impact through actual exploitation.

JuniorNetworkingWeb Security
The full answer
Explain defense in depth and give a concrete example of applying it.

Defense in depth means layering multiple independent security controls so that if one fails, others still protect the asset. No single control is assumed perfect, so you stack preventive, detective, and responsive measures across the network, host, application, and data layers.

JuniorNetworkingIdentity & Access Management
The full answer
Walk me through how you would harden a fresh internet-facing Linux server.

Reduce attack surface (remove unused packages/services), enforce key-only SSH with no root login, keep the system patched, run a default-deny firewall exposing only needed ports, apply least privilege via sudo and file permissions, enable auditd and centralized logging, and add integrity monitoring plus MAC like SELinux or AppArmor.

SeniorLinux InternalsNetworking
The full answer
What is network segmentation, and how does it relate to a zero trust model?

Segmentation divides a network into isolated zones so a breach in one can't freely reach others, limiting lateral movement. Zero trust goes further: it removes implicit trust based on network location entirely, authenticating and authorizing every request regardless of where it originates — microsegmentation is one way to implement it.

SeniorNetworkingIdentity & Access Management
The full answer
What is a PKI, and walk me through how a client validates a server's certificate.

A PKI is the system of CAs, certificates, and policies that binds public keys to identities. To validate a server cert a client builds a chain to a trusted root, verifies each signature, checks validity dates and the hostname, confirms key usage, and checks revocation via CRL or OCSP.

Mid-levelCryptographyNetworking
The full answer
Why are DNS logs useful for detection, and what threats can you find in them?

Almost everything touches DNS, so DNS logs reveal threats other sources miss: command-and-control beaconing (regular callbacks to a domain), DNS tunneling and exfiltration (high volume of long, encoded subdomains), and algorithmically generated (DGA) domains. You detect these through patterns like query regularity, entropy, record types, and volume rather than single bad lookups.

SeniorNetworkingDFIR (Forensics & Incident Response)Threat Intelligence
The full answer

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.