Tools & Enumeration

Core tools and how to explain them in a junior interview.

JPT-31

What is Nmap used for?

Answer: Nmap is used to discover hosts, open ports, and services on a network. It helps identify what is exposed and where to focus testing. Scan results must be validated, and scanning must always stay within the agreed scope.

Tip: Mention -sV for version detection and that results need confirmation.

JPT-32

What is directory enumeration and why do we do it?

Answer: Directory enumeration finds hidden paths like /admin or /backup that may not be linked publicly. These endpoints can expose sensitive pages or misconfigurations. Tools like gobuster or dirsearch automate guesses using wordlists.

Tip: Pay attention to 200/301/403 differences and filter noise.

JPT-33

What is Burp Suite used for?

Answer: Burp Suite is a web proxy that lets you intercept, inspect, and modify HTTP requests and responses. It’s used for testing authentication, input handling, and access control. Features like Repeater make it easy to re-test requests safely.

Tip: Mention Proxy + Repeater as core beginner features.

JPT-34

What is Nikto?

Answer: Nikto is a web server scanner that checks for common issues like risky files and outdated components. It can find quick wins but may produce false positives. Pentesters verify findings manually.

Tip: Say “scanner output is not proof—confirm manually.”

JPT-35

What is tech fingerprinting and why do it?

Answer: Fingerprinting identifies technologies such as frameworks, web servers, and CMS platforms. It helps you choose the right tests and look for known weaknesses in those versions. Tools like WhatWeb or Wappalyzer assist, but results should be verified.

Tip: Fingerprinting guides targeted testing.

JPT-36

What is subdomain enumeration?

Answer: Subdomain enumeration finds hosts like api.example.com or dev.example.com. Subdomains often expose staging apps or forgotten services. It’s a common recon step for web assessments.

Tip: Mention DNS + certificate transparency as discovery sources.

JPT-37

What is netcat used for?

Answer: Netcat can connect to ports, listen for connections, and send data. In labs it’s used to test connectivity and sometimes receive a reverse shell. In real environments, use must be authorized and controlled.

Tip: Explain simply: “connect or listen on a port.”

JPT-38

What is Hydra used for?

Answer: Hydra is used for password guessing against services like SSH or web logins when permitted. It helps validate weak password policies. You must respect rate limits, lockouts, and scope to avoid disruption.

Tip: Always mention “only with permission and safe rate settings.”

JPT-39

What is Metasploit (basic idea)?

Answer: Metasploit is a framework with modules for exploitation and payload handling. Junior pentesters use it mostly to validate known issues in controlled ways. It’s important to understand what a module does before running it.

Tip: Say “don’t blindly run exploits—validate impact safely.”

JPT-40

Vulnerability scanning vs penetration testing?

Answer: Scanning identifies potential weaknesses automatically. Pen testing validates and demonstrates real impact under scope, often manually and with reasoning. A pentest also includes reporting, risk context, and remediation guidance.

Tip: Strong line: “Pentest proves exploitability and impact.”