1. What is VAPT, and why is it important?
VAPT stands for Vulnerability Assessment and Penetration Testing. It’s a set of activities to find, validate, and prioritize security weaknesses in systems, applications, and networks. Vulnerability Assessment discovers and catalogs flaws; Penetration Testing attempts to exploit them to show real-world impact. VAPT is important because it moves an organization from theoretical risk into actionable remediation by validating which vulnerabilities are exploitable and how severely they could be abused.
2. Difference between Vulnerability Assessment and Penetration Testing?
A Vulnerability Assessment is typically automated and breadth-focused: it scans assets, enumerates issues, and rates them. Penetration Testing is depth-focused and manual: a tester tries to exploit vulnerabilities, chain them, and demonstrate business impact. Think of assessment as mapping the terrain and pentesting as attempting to break in and reach sensitive objectives.
3. What are the main phases of a penetration test?
The common phases are:
(1) Planning & Scoping—define rules, targets, and legal consent;
(2) Reconnaissance—gather public info;
(3) Scanning & Enumeration—discover services and accounts;
(4) Exploitation—attempt to gain access;
(5) Post-exploitation—escalate, persist, move laterally;
(6) Reporting—document findings, PoCs, and remediation. Each phase must respect the agreed scope and safety controls.
4. What is reconnaissance in ethical hacking?
Reconnaissance (recon) is information gathering about a target using public sources (OSINT) and active techniques like network scans. It reveals domains, IP ranges, technologies, employee names, subdomains, and exposures. Recon is crucial because quality intel narrows the attack surface and informs which techniques will likely succeed.
5. What is enumeration, and why is it important?
Enumeration is active probing to extract detailed information—usernames, shares, running processes, open ports, services and version strings. It’s the bridge between recon and exploitation: enumerated details (e.g., an exposed SMB share or versioned service) often provide the exact vector for a successful exploit.
6. What are black box, white box, and gray box testing?
Black box: tester has no internal knowledge—simulates an external attacker. White box: tester has full source code and architecture—deeply inspects logic and configuration. Gray box: partial knowledge (e.g., credentials, architecture diagram)—balances realism and depth. Choice depends on goals, time, and risk appetite.
7. What is a CVE?
CVE stands for Common Vulnerabilities and Exposures—a unique identifier assigned to publicly disclosed vulnerabilities (e.g., CVE-2024-XXXX). CVEs provide a standard reference so vendors, researchers, and security tools can cross-reference and share information consistently.
8. What is CVSS, and how is it calculated?
CVSS (Common Vulnerability Scoring System) is a framework to score vulnerability severity using Base, Temporal, and Environmental metrics. Base captures inherent technical features (attack vector, complexity, privileges required, impact). Temporal reflects exploit maturity and remediation availability; Environmental tailors the score to the target’s environment. The resulting numeric score (0.0–10.0) helps prioritize fixes.
9. What is a vulnerability scanner?
A vulnerability scanner is software that probes systems and applications for known weaknesses (misconfigurations, missing patches, default credentials). Scanners like Nessus or OpenVAS produce lists of findings; they’re efficient for broad coverage but typically need manual validation to remove false positives and confirm exploitability.
10. What are some commonly used VAPT tools?
Common tools include Nmap (discovery), Nessus/OpenVAS (scanning), Metasploit (exploitation), Burp Suite (web testing), Nikto (web server checks), Hydra/Medusa (brute force), Hashcat/John (password cracking), and Wireshark (network analysis). A modern tester mixes automated tools with custom scripts and manual techniques.
11. What is Nmap used for?
Nmap is a network mapper used to discover hosts, open ports, running services, and OS fingerprints. It supports many scan types, version detection, and NSE scripting for deeper checks. Nmap is foundational for recon and shaping the attack plan.
12. What is the difference between TCP and UDP scanning in Nmap?
TCP scanning targets TCP ports and benefits from connection-state feedback (SYN, ACK). It’s more reliable and informative. UDP scanning probes UDP services, which are connectionless and often slower and noisier to scan—responses can be silent, leading to false negatives. UDP requires different techniques (e.g., service probes, timing adjustments).
13. What is banner grabbing?
Banner grabbing collects service/version strings presented by network services (e.g., web server headers, SSH banners). These banners can reveal software and versions that point to known vulnerabilities. Banner grabbing is simple but useful; however banners can be misleading or intentionally altered.
14. What is OpenVAS, and how does it work?
OpenVAS (part of Greenbone stack) is an open-source vulnerability scanner. It runs a database of network checks (NVTs) against targets, reporting known weaknesses. It’s used for automated assessments; like all scanners, its results must be validated and contextualized.
15. What is Nessus used for?
Nessus is a commercial vulnerability scanner that identifies missing patches, misconfigurations, and known software vulnerabilities across hosts and applications. It offers rich plugin libraries and compliance checks and is widely used for enterprise scanning and pre-engagement assessments.
16. What is Metasploit, and how is it used in exploitation?
Metasploit is a penetration testing framework with a large collection of exploits, payloads, and auxiliary modules. Testers use it to verify exploitability, deliver payloads (reverse shells, Meterpreter), and automate parts of exploitation. It’s powerful—must be used ethically and within scope because it can destabilize targets.
17. What is Burp Suite, and what are its main components?
Burp Suite is a web application security testing platform. Key components: Proxy (intercepts requests), Scanner (automated vulnerability discovery in Pro version), Intruder (automated fuzzing/bruteforce), Repeater (manual request manipulation), Sequencer (token analysis), and Decoder/Comparer for analysis. Burp is central to modern web VAPT.
18. What is Nikto, and when is it used?
Nikto is an open-source web server scanner that checks for common misconfigurations, server defaults, and known issues (e.g., outdated server versions, risky headers). It’s fast and noisy—useful for initial discovery but must be used carefully so as not to trigger WAFs or alarms in production.
19. What is OWASP, and what is the OWASP Top 10?
OWASP (Open Web Application Security Project) is an open community focused on web app security. The OWASP Top 10 lists the most critical web application risks (e.g., Injection, Broken Access Control, XSS). It’s a de facto baseline for web security testing and developer education.
20. Explain SQL Injection and how to prevent it.
SQL Injection occurs when user-controlled input is concatenated into database queries, allowing attackers to modify or run arbitrary SQL. Prevention: use parameterized queries/prepared statements, input validation/whitelisting, ORM safe APIs, least-privilege DB accounts, and regular code reviews and testing.
21. What is Cross-Site Scripting (XSS)?
XSS allows attackers to inject malicious scripts into web pages viewed by other users, enabling session theft or UI manipulation. There are stored, reflected, and DOM-based XSS types. Prevention includes output encoding/escaping, input validation, proper Content Security Policy (CSP), and sanitizing untrusted content.
22. What is CSRF (Cross-Site Request Forgery)?
CSRF tricks an authenticated user’s browser to send unintended requests (e.g., change password) to a site where they’re logged in. Prevention: implement anti-CSRF tokens, require same-site cookies (SameSite flags), use re-authentication for sensitive actions, and validate the origin/header.
23. What is command injection?
Command injection occurs when attacker input is concatenated into system shell commands (e.g., via exec or system()), allowing arbitrary command execution. Prevent by avoiding shell invocation, using safe APIs, strong input validation, and running processes with minimal privileges.
24. What is directory traversal vulnerability?
Directory traversal (path traversal) lets attackers access files outside intended directories by using sequences like ../. It can expose config files, credentials, or sensitive data. Prevent by validating and canonicalizing paths, restricting file access to safe directories, and enforcing least privilege on file storage.
25. What is SSRF (Server-Side Request Forgery)?
SSRF tricks a server into making HTTP requests to attacker-specified destinations, potentially accessing internal services or metadata APIs. Prevention: restrict outgoing requests, whitelist allowed hosts, enforce network segmentation, validate user-supplied URLs, and block internal IP ranges.
26. What is privilege escalation?
Privilege escalation is gaining higher-level permissions than initially obtained—either vertical (user → admin) or horizontal (user A → user B). It often involves misconfigurations, unpatched services, SUID binaries, weak service permissions, or token manipulation. Post-exploitation, it’s used to expand control and impact.
27. What is password cracking, and which tools are used for it?
Password cracking is recovering plaintext passwords from hashes (offline) or guessing them online. Common tools: Hashcat (GPU-accelerated), John the Ripper, Ophcrack (rainbow tables), and Hydra/Medusa for online brute force. Techniques include dictionary, rule-based, mask, and rainbow-table attacks.
28. What is a reverse shell?
A reverse shell is when a compromised host initiates an outbound connection to an attacker-controlled listener, giving an interactive shell back to the attacker. It bypasses inbound firewall restrictions and is commonly used in post-exploitation. Use encrypted tunnels and monitor for unexpected outbound connections to detect them.
29. What is privilege escalation in Windows vs Linux?
On Windows, escalation often abuses misconfigured services, weak ACLs, unquoted service paths, token impersonation, or unpatched SMB/LSA vulnerabilities. Linux escalation commonly leverages SUID binaries, insecure sudo rules, cron jobs, kernel exploits, or weak file permissions. Techniques differ due to OS internals and privilege models.
30. What is post-exploitation in a pentest?
Post-exploitation is the phase after initial compromise where testers maintain access, escalate privileges, harvest credentials, pivot to other systems, and demonstrate impact (data exfiltration, persistence). It shows real business risk and informs detection and response controls.
31. What is vulnerability chaining?
Vulnerability chaining is combining multiple lower-severity issues to achieve a high-impact result (e.g., info disclosure → RCE → data exfiltration). Testers look for chains because a single low-severity finding can become critical when combined with others—this drives prioritized remediation.
32. What is a zero-day vulnerability?
A zero-day is a vulnerability unknown to the vendor (no patch available) or with no public mitigation—meaning attackers can exploit it before defenders can fully protect systems. Zero-days are high-value and require careful disclosure practices and compensating controls when discovered.
33. What is the difference between authenticated and unauthenticated scans?
Unauthenticated scans run without credentials and simulate an external attacker—useful for external-facing checks but limited in depth. Authenticated scans use credentials to access internal functions and configuration, enabling detection of vulnerabilities that require login (missing access controls, insecure defaults). Authenticated scans provide higher fidelity but must be carefully managed.
34. What is risk rating, and how is it assigned?
Risk rating quantifies the priority for remediation by combining technical severity (CVSS), exploitability, business impact (data sensitivity, availability needs), and exposure (internet-facing or internal). Practical ratings often map numeric scores to categories (Low/Medium/High/Critical) and factor in environment-specific impacts.
35. What should a VAPT report include?
A comprehensive VAPT report contains an executive summary, scope & methodology, detailed findings (severity, description, evidence/PoC), reproducible steps, risk and impact, remediation guidance, timelines, and appendices (logs, tool outputs). It should be clear for both technical teams and business stakeholders.
36. What is remediation, and why is it important?
Remediation is fixing vulnerabilities (patching, configuration changes, access control updates) and validating the fix. It’s important because discovery without remediation leaves the organization exposed—effective VAPT includes actionable fixes and retesting to ensure closure.
37. What is a false positive in scanning?
A false positive is a scanner-reported vulnerability that is not actually exploitable or present in the target. False positives waste remediation effort and reduce trust in tools, so manual validation and context-aware verification are essential.
38. How do you verify if a vulnerability is real or false positive?
Verify by reproducing the issue manually, attempting safe exploitation in a controlled manner, checking service versions and configurations, and confirming with logs/packets. If exploitation risks production, replicate the environment or use read-only techniques and coordinate with stakeholders.
39. What is responsible disclosure?
Responsible (coordinated) disclosure means privately reporting a vulnerability to the vendor, giving them time to develop a patch, and coordinating public release. It balances giving vendors time to fix while eventually sharing knowledge to improve ecosystem security.
40. What are the ethical and legal considerations in penetration testing?
Pentesting must be authorized in writing, scoped, and scheduled to avoid legal liability and unintended damage. Testers must protect sensitive data, avoid disruption beyond agreed limits, follow responsible disclosure, and respect laws and client policies. Ethics and legality are as critical as technical skill.
41. What are some challenges faced during a pentest?
Common challenges: incomplete scope or access, noisy production systems, limited time, evasive WAFs/IDS, complex architectures (cloud, microservices), privileged account restrictions, and reconciling tool output with real risk. Communication with stakeholders is key to navigate these.
42. What is social engineering?
Social engineering manipulates people into revealing confidential info or performing unsafe actions (phishing, pretexting, baiting, vishing). Since humans are often the weakest link, testing staff awareness and controls (training, MFA, verification processes) is vital in VAPT.
43. What is phishing simulation in VAPT?
Phishing simulation is a controlled campaign that mimics real phishing to measure user susceptibility, train staff, and test technical controls. It should be authorized, safe (no malicious payloads), and followed by education and reporting to reduce future risk.
44. How do you test for insecure file uploads?
Test file upload handling by trying dangerous file types, content disguised as allowed types, double extensions, oversized files, directory traversal, and files containing web shells. Also check server-side validation, MIME-type checks, storage locations, and execution permissions. Safe testing uses isolated environments to avoid server compromise.
45. What are the stages of the cyber kill chain?
The Lockheed Martin-style kill chain stages: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control (C2) → Actions on Objectives. Understanding this lifecycle helps defenders detect and interrupt attacks at multiple stages and helps testers simulate realistic adversary behaviors.
46. What is exploit development?
Exploit development is creating code or techniques to reliably abuse a vulnerability (e.g., buffer overflow -> crafted payload, ROP chains, shellcode). It requires deep understanding of the target, debugging, reverse engineering, and careful testing. In VAPT, exploit dev may be used to validate impact—but must follow legal and safety rules.
47. What scripting languages are useful for VAPT?
Useful languages include Python (automation, tooling), Bash (quick system tasks), PowerShell (Windows post-exploitation and hardening scripts), Ruby (legacy Metasploit modules), and JavaScript (web testing). Choose tools and languages that match target environments and testing goals.
48. What certifications are valuable for VAPT roles? (CEH, eJPT, OSCP, etc.)
Valuable certs: OSCP (hands-on, highly regarded for pentesting), eJPT (entry-level practical), CEH (conceptual/industry recognition), OSCE/OSCE (advanced exploit dev), Crest/CREST accreditations, and broader security certs like CISSP for leadership. Practical, hands-on proof often matters more than paper credentials—combine certs with real experience.
49. What soft skills are important for a penetration tester?
Key soft skills: clear communication (translate technical risk for non-technical audiences), report writing, ethical judgment, problem solving, persistence, collaboration with defenders, and time management. Good testers also have curiosity, patience, and the ability to prioritize impact-focused findings.
50. How do you stay updated on the latest vulnerabilities and exploits?
Stay current via multiple channels: subscribe to CVE/NVD feeds, vendor security advisories, mailing lists (Full Disclosure, Bugtraq alternatives), security blogs, Twitter/X and Mastodon (researchers), Exploit-DB, GitHub, vulnerability RSS aggregators, and attending conferences/CTFs. Continuous learning and practical lab testing keep skills sharp.
Closing notes (ethical-hacker perspective)
VAPT is a balance of automated discovery and thoughtful, manual validation. Always operate with written authorization, minimize impact on production, document everything, and prioritize remediation that reduces real business risk. Technical mastery is necessary, but ethical judgment, communication, and continuous learning are what make a great penetration tester.
