Depends on the company, what they do and how much they know. For most interviews I had questions about methodology and tools in particular, in some cases how to configure and scan networks, ports, basic knowledge about TCP/IP, network topology, what to do in certain scenarios (can be anything), how to mitigate risks, terminology (quite often), how would you break into a company in a certain situation / scenario (with web apps I just 0days as that's what I do except if they use outdated known vulnerable versions), and so forth.
Some companies asked almost nothing about practical hacking and were extremely theoretical, while others asked more practical questions as to exactly how you would pentest in general.
In some cases I was also asked if I knew what SQL Injection and XSS is, and then I of course had to say yes, you can e.g., check my custom tools at this blog.
Depending on the job responsibilities, you'll most likely be asked questions related to that position (logically), so if your position is web app focused, SQL Injections, XSS, LFI, etc., if it's about Malware: Reverse engineering, analysis of behaviour (what does the program do when executed and how do you find out, with or without running it), disassembly, etc.
If the position is focused more on securing than attacking, then you may be asked specific OS (Operating System) questions, firewalls, hids, ids, ips, etc.
Expect what you least expect, but be prepared for what may seem like the most common questions they'll ask.
In rare cases, I've heard people had to e.g., A) Analyse an executable file, track down a fake botnet website which had SQL Injection in, and then get remote code execution on that system, B) Analyze an entire web application in PHP, where the goal is to find an introduced 0day and hack the target web aplication and get remote code execution and C) Draw network diagrams with servers, firewalls, and of course services, where would you e.g., place a certain server, what type of firewall rule would you create, what would the risks be, etc. (I had this one once. It was fun.)
OSCP - Offensive Security Certified Professional : Failed my first attempt at the OSCP exam
