From Dev to InfoSec Part 3 — My First Cert
I mentioned in my first article that I was starting on a journey to better understand the security landscape and learn how security techniques and tools are used to protect systems. Soon after I published, I went off to look for a good training course that:
- Provided a clear path and not a jumbled mesh of topics
- Offered relevant techniques based on discussions I had with security people
- Had positive feedback in the community
- Had a good support structure
- Offered flexibility in terms of schedule (i.e., self-paced)
Having a structured curriculum was a key factor in my choice. There are a ton of resources available, but I didn’t want to have to stitch all of them together to get from point A to point Z. I also wanted something that was hands-on, not just textbook material. After a lot of homework, I found one that ultimately met all my expectations, eLearnSecurity.
A little full disclosure action. As many of you may know, I have a regular column on The Ethical Hacker Network (EH-Net) where the first 2 parts of this series are published. EH-Net was acquired by eLearnSecurity last year yet remains an independent community project. Because of their desire to remain an unbiased publication, they no longer publish course reviews. This makes sense as they don’t want positive comments on eLS courses or negative thoughts on competitors to be thought of as being financially driven. So we agreed to publish this on my own blog to avoid such conflicts. However, I was clear with them that what I wrote up would also be unbiased and had to be published with both the good and the bad. They had no problem with that. I also want to be clear with you that this and many other courses were on my radar long before my column started on EH-Net. Now with that out of the way… Here’s my experience.
Getting Hands-on Training
Learning security on your own is really hard. The glut of tools, workflows, and techniques makes it really challenging to know how to even start. Just look at the catalog of tools in Kali, and it’s very easy to become overwhelmed. I had already taken a course with the fine folks at Hacker House in Dec 2017, and, while learning a lot, I didn’t immediately apply what was learned when I got back home. Six months later, I remembered some things, but it was a case of “if you don’t use it, you lose it”. I needed a refresher.
So at the beginning of September, I gave eLearnSecurity’s Penetration Testing Student (PTS) course a shot. It’s not an easy decision to choose an online provider who you know little about. Many people recommended SANS and Offensive Security, but I wanted something that I felt was at a level that I needed and could help me build the foundational skills for the next level. I had read a lot of positive feedback about eLS on various forums and even met people who had taken the course and swore by the content. Many folks considered them underrated considering the quality they provided, and, while I was still a little wary, I took the plunge. I took the Elite version of the course with extended lab hours.
The PTS Course
One of the things that immediately stood out was the structured feel of the course. It was organized in the way I’ve read you should conduct a pentest, meaning:
- Information gathering
- Vulnerability assessments
- Attacks (web, system and network)
This was an immediate plus, since it seemed like I’d be taken down a true pentest path versus some other YouTube videos that bounce you all over the place. There was a method to the madness. Additionally, the course provided foundational sections that ensured you developed an understanding of topics like networking and Python development. The content was just enough to ensure you could grasp the concepts and better understand how they’re used in subsequent chapters.
Opening the dashboard, you were presented with:
- A list of all the main topic areas to cover
- Online HTML5-based study materials
- The same materials in PDF format
- Online virtual labs (I’ll cover these shortly)
The PTS doesn’t provide an instructor. This is online and self-paced, requiring you to read the study materials, watch videos and perform the labs at specific spots to reinforce what you learned. If you get stuck, there’s a forum for you to ask questions. The few times I needed help I found that the answer had already been provided on the forum.
It had been a long time since I had done any real networking work, so I appreciated the refresher. Having a good understanding of networking is so critical to successful security assessments, and I felt the section not only gave me that refresher I needed but also provided learning opportunities. I loved learning how to calculate IP ranges and how ARP broadcasts work. Things that I had taken for granted (because they just worked) now became clearer as I understood “how they worked”. And that’s a common theme I found throughout the course. The PTS tries to show you both the “how” and “why”, so you can ensure you can make the best decisions on how to proceed with an assessment. That’s an important facet of any course, especially an online self-paced one.
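The two networking fundamentals mentioned above, working out the address range of a CIDR block and seeing why an ARP request reaches every host on a segment, are worth having in code. The block below is an added example written for this article; it is not PTS course material. It uses only the Python standard library, and every address and MAC in it is constructed for illustration.

```python
"""Added example (not from the PTS course): CIDR range arithmetic and a
hand-built ARP request frame, using only the standard library.
All IPs and MACs below are constructed sample values."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6


def describe_range(cidr: str) -> dict:
    """Facts a tester wants before scanning a block: network, mask,
    broadcast, first/last usable host and the usable host count.
    strict=False lets you pass a host address such as 192.168.10.77/27."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
    }


def in_scope(ip: str, scope: list) -> bool:
    """True if ip falls inside any CIDR block in the engagement scope."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in scope)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP "who has target_ip?" request.
    The Ethernet destination is the broadcast MAC, which is why every host
    on the segment sees the request; the target hardware address inside the
    ARP payload is zeroed because that is the value being asked for."""
    eth = struct.pack("!6s6sH", BROADCAST_MAC, mac_bytes(src_mac), ETH_P_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1,        # HTYPE: Ethernet
        0x0800,   # PTYPE: IPv4
        6, 4,     # HLEN, PLEN
        1,        # OPER: 1 = request, 2 = reply
        mac_bytes(src_mac), ipaddress.ip_address(src_ip).packed,
        b"\x00" * 6, ipaddress.ip_address(target_ip).packed,
    )
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet header and 28-byte ARP payload."""
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _ht, _pt, _hl, _pl, oper, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    return {
        "op": {1: "request", 2: "reply"}.get(oper, str(oper)),
        "broadcast": dst == BROADCAST_MAC,
        "sender_mac": sha.hex(":"),
        "sender_ip": str(ipaddress.ip_address(spa)),
        "target_ip": str(ipaddress.ip_address(tpa)),
    }


if __name__ == "__main__":
    print(describe_range("192.168.10.77/27"))
    frame = build_arp_request("02:00:00:aa:bb:cc", "192.168.10.65", "192.168.10.70")
    print(len(frame), "bytes:", parse_arp(frame))
```

Feeding a host address with a /27 mask into `describe_range` shows the arithmetic the course walks through by hand: 192.168.10.77/27 sits in the 192.168.10.64 network with broadcast .95 and 30 usable hosts. The decoded frame makes the ARP point concrete: the request is addressed to ff:ff:ff:ff:ff:ff at layer 2, so every station on the LAN receives it, and only the owner of the target IP answers with a reply (opcode 2) carrying its MAC.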
Once I got into the actual pentesting section of the course, this is where my previous learnings from my Hacker House course helped. Many of the topics covered areas I had previously learned but never reinforced through practice. This was the refresher I needed on everything from nmap to Metasploit while also learning about tools that were new to me such as enum4linux and Meterpreter. What stood out was how well the provided videos reinforced the materials I had just read. Without them, I couldn’t tell you that I would’ve been able to just use a new tool. Having videos that showed the usage and outcomes was a critical success factor for me.
I completed the course in about two weeks of overall time. During the course, I had to travel, cutting into my available study opportunities, but I eventually finished and felt good about the content. Knowing that I wanted to take the accompanying eJPT (eLearnSecurity Junior Penetration Tester) certification exam, I decided to go over the entire course a second time including the labs. I was able to cruise over a lot of sections the second time around, preferring to focus more on the videos and the actual labs to ensure that I understood the workflow and tooling. You don’t have to do this, but I like to be prepared.
Hera Labs — the PTS Secret Sauce
If there is one thing that sets eLearnSecurity apart, it is their lab environment. I think VMs are great for learning, but there’s nothing like having a real network to learn on. That’s how the PTS is set up. Every lab is its own self-contained virtual LAN, and you have to connect to it via OpenVPN. And it’s spun up specifically for each individual student, so there’s no sharing a work area. What this means is that every lab becomes like a real pentest, forcing you to enumerate your target and understand how you’ll be trying to compromise it. This also forces you to work harder to understand the underlying network in order to properly assess the environment. I can’t state enough how thankful I was for the networking topic provided at the beginning of the class. Coming from a dev background, this is not something burned into my brain.
Imagine trying to do ARP spoofing without this type of environment. Seriously, the lab environment is the secret sauce and gave me a feel of conducting a real pentest. And while each lab environment is tailored to specific lab scenarios, it was fun to poke around and try out other methods of compromising machines.
Some Improvement Needed
While the majority of the course was great and went really well, there were some things that stuck out and need some improvement. First, the video’s narrator clearly wasn’t a technology person. He spoke very clearly and the steps were great, but, after a while of hearing him mispronounce technical words, it started to grate on me. The biggest one being how he pronounced Meterpreter. After the 10th time of hearing “Meterpreeter” and “deebian”, I was getting annoyed. The videos also used much older versions of tools (since they were shot in 2015), making it tough to follow along on some tools. I know there’s a substantial investment that needs to be made to keep things relevant, and I hope eLS considers updating these soon.
I also had problems with the HTML5 formatting of certain slides. Most slides rendered fine, but some would have font issues causing words to scale past the viewport. The associated course PDFs helped in those cases.
I felt the section on NULL sessions was interesting but ultimately useless considering that it’s an issue that’s been patched on all modern versions of Windows. While I know there are a few Windows XP SP1 boxes floating around, the people I’ve chatted with all agree that this technique is way dated.
The chapter on C++ was also useless to me. I’m a programmer but C++ is a whole different world, and I didn’t feel I came out knowing it any better from the overview. The Python chapter, though, was a great intro, and I would’ve much preferred if they had a whole section just on that with an associated lab to build out something like a keylogger or admin tool.
Lastly, the videos had demo sites that they used to explain topic areas like XSS and SQLi. It would’ve been great if those sites were available either in downloadable form or as a virtual lab. Being a hands-on learner, I would’ve appreciated trying out things along with the videos.
Getting eJPT Certified
The PTS course also offers a certification, the eLearnSecurity Junior Penetration Tester. While I can’t share the details of the exam, I can say that it’s a hands-on pentest, where you must leverage the skills you learned in the course to compromise boxes in order to answer questions on the included exam. There’s really no way to pass this exam unless you go through and conduct a successful pentest of the provided virtual boxes. The exam uses the same Hera Lab environment used in the course labs, meaning you’ll VPN into the course VLAN to begin your assessment.
The one phrase that stuck in my head from the course was “widen your attack surface”. The context was that you need to spend time to properly enumerate the targets you’re planning to hit. I spent a great deal of time doing just that, documenting everything I saw, from nmap scans to dirb results. I feel like new people are always inclined to run a basic nmap scan and then go attack a machine. I’ve read enough and learned from other professionals that taking your time enumerating the landscape pays dividends in being able to thoughtfully choose your best course of action. And I can’t stress enough how important it is to document EVERYTHING. What I found was that I kept coming back to what I thought was menial information several times to get past certain parts of the exam. My advice is not to take for granted the information you get back.
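“Document everything” is easier to live up to if the enumeration output lands in one place that later scans add to rather than overwrite. The block below is an added example for this article, not course or exam material: it merges nmap grepable (-oG) output from successive scans into a per-host inventory and lets you attach free-text notes (a dirb hit, a banner) to a host. The scan lines it consumes are constructed samples, not real lab output.

```python
"""Added example (not eLS material): a per-host enumeration inventory built
from nmap grepable (-oG) output. A discovery scan and a later, narrower
version scan are merged so that ports seen only in the first scan survive.
The sample scan text below is constructed for illustration."""
import re

# -oG host line layout:
# Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<svc>/<rpc>/<version>/, ...\tIgnored State: ...
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")

# Constructed sample: a broad discovery scan of two hosts...
DISCOVERY = """# Nmap scan initiated (constructed sample)
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 10.10.10.9 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: filtered (999)
"""
# ...and a follow-up -sV scan that only covered ports 22 and 80 on one host.
VERSIONS = """Host: 10.10.10.5 (web01.lab.local)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.6/\tIgnored State: closed (998)
"""


def merge_scan(inventory: dict, text: str) -> dict:
    """Fold one -oG output into inventory. Existing port records are
    updated only with non-empty service/version data, never blanked."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, rest = m.groups()
        host = inventory.setdefault(ip, {"hostname": "", "ports": {}, "notes": []})
        if name:
            host["hostname"] = name
        fields = {}
        for chunk in rest.split("\t"):
            if ": " in chunk:
                key, value = chunk.split(": ", 1)
                fields[key] = value
        for item in fields.get("Ports", "").split(","):
            item = item.strip()
            if not item:
                continue
            parts = item.split("/")
            port, state, proto, _owner, service, _rpc, version = (parts + [""] * 7)[:7]
            rec = host["ports"].setdefault(f"{port}/{proto}",
                                           {"state": state, "service": "", "version": ""})
            rec["state"] = state
            if service:
                rec["service"] = service
            if version:
                rec["version"] = version
    return inventory


def add_note(inventory: dict, ip: str, note: str) -> None:
    """Attach a manual observation (dirb result, banner, credential hint)."""
    inventory.setdefault(ip, {"hostname": "", "ports": {}, "notes": []})["notes"].append(note)


def open_ports(inventory: dict, ip: str) -> list:
    """Open port/proto keys for a host, ordered numerically."""
    return sorted((k for k, r in inventory[ip]["ports"].items() if r["state"] == "open"),
                  key=lambda k: int(k.split("/")[0]))


def build_inventory() -> dict:
    inv = merge_scan({}, DISCOVERY)
    merge_scan(inv, VERSIONS)
    add_note(inv, "10.10.10.5", "dirb: /backup/ returns 200 (constructed)")
    return inv


def render(inventory: dict) -> str:
    """Plain-text report, one host per section, for the engagement notes."""
    out = []
    for ip in sorted(inventory, key=lambda a: tuple(int(o) for o in a.split("."))):
        h = inventory[ip]
        out.append(f"== {ip} {h['hostname']}".rstrip())
        for key in open_ports(inventory, ip):
            r = h["ports"][key]
            out.append(f"  {key:<10} {r['service']:<14} {r['version']}".rstrip())
        for note in h["notes"]:
            out.append(f"  note: {note}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(build_inventory()))
```

The merge is the point: the version scan never mentioned 445/tcp, so a naive “latest results win” approach would have dropped the SMB service that often turns out to matter later. Keeping the inventory keyed by host and port, and only filling fields in, is a small discipline that mirrors the advice above about not discarding information that looks menial at the time.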
It was a proud moment when I submitted the exam and saw that I passed with a 90%. It was validation for a lot of hard work. Considering the exam was a hands-on simulated pentest, it’s a testament to the course material that I was able to successfully compromise the boxes and get the information I needed for the exam questions. I would’ve liked to have known which questions I missed, so I could go back and review those weak areas, but, alas, it wasn’t offered.
Finishing this course and getting the certification was great, and I know I’ve learned a lot. Getting hands-on, in my opinion, is the key to my success, and I can’t rave enough about the Hera Labs. I’ve decided to take some days just to recoup and get myself ready for the next step, which is the eLS Penetration Testing Professional course. Yes, I’ve decided to stick with eLearnSecurity for now. I felt the experience was top-notch and provided the educational experience I needed. I also liked that the forums are active and the people supportive. I’ve also met some security professionals at DerbyCon who took the courses and highly valued their experiences.
The route I plan on taking is to finish the PTP and get the associated eLearnSecurity Certified Professional Penetration Tester (eCPPT) certification and then dive into the Offensive Security PWK+OSCP track. eLS also offers a third course in their pentesting training path, the PTX (Penetration Testing eXtreme), with its own cert, the eCPTX. However, from my initial research on courses, the OSCP continues to be known as the gold standard for offensive security certifications. I’ll let you know if that stands as I continue my journey or if there’s a new king of the pentesting cert world. I’m forgoing SANS not for content or acceptance of their certs but sheerly on a cost basis. YMMV. Either way, I feel that having OSCP under my belt, along with the eJPT & eCPPT, will help define how far I’ve come in learning about security.
This doesn’t mean I’ve ruled out the AppSec route in favor of network pen testing. I still think that’s ultimately where I’ll head, but as someone recently said, “Once you break past the app and into the network, you need to know how to do stuff in there!”. Very true. The path I’m on, I believe, will give me precisely that.
Originally published at Rey Bango.