eLearningSecurity Certified Professional Penetration Tester (eCPPT) Review: One Of The Best Certifications Available
It’s been three years since I sat the eCPPT Gold exam and I still have incredibly strong memories of the experience, which is far more than I can say for the CEH and GPEN I’ve completed subsequently. I’m not saying those other certifications are useless, but despite the content being similar on paper, the eCPPT is hands down the superior certification in my opinion. It all comes down to the practical elements involved and the unique final exam. While the CEH and GPEN can involve practical exercises, they are completely optional and any practical skills learnt are not required for the exam. It’s possible to pass both the CEH and GPEN without having ever typed a thing into the command line. This is the polar opposite to the eCPPT where you’ll be scanning, modifying code, digging into metasploit and a whole host of other hands of tasks, all of which are required for the final practical week long exam.
Everything you’ll need to know to pass the exam is taught on the course, however it won’t harm you to have awareness of the following:
• Enthusiasm for learning something new
• Hacker mind-set
• Familiarity with Windows and Linux
• Knowledge off the command line
• Ability to read code
The eCPPT takes you on a penetration testing journey, from creating a penetration testing report for a client all the way through to pivoting through a compromised network and coding a custom exploit. The course covers everything you might need to get started as a penetration tester, of course it’s just scratching the surface of the topic, but it creates a solid foundation which can be built upon. Many participants go onto to tackle the OSCP which has a similar ethos when it comes to practical experiencing trumping theory only learning. I won’t claim that passing this course will turn you into a penetration tester, it’s only a start and might get an interview as a junior penetration tester, the rest will come down to your commitment to learning more.
The course is split into three main sections Web Application Security, Network Security and System Security. Each section has a ton of slides, videos and practical examples to work through. The practical elements are especially enjoyable and perhaps where you’ll want to spend most of your time, I find that doing something enforces what you’ve read or watched far better than just reading something multiple times.
Web Application Security as you might expect covers web applications, taking you through common issues such as XSS, SQLi, LFI, RFI etc.
Network Security demonstrates network scanning, vulnerability scanning, scoping targets, as well as how to gather additional information from social media sources such as LinkedIn or job boards.
System Security covers a wide range of subjects such as password sniffing, password cracking, buffer overflows and much more besides. The buffer overflow section was especially interesting for me, and has practical examples to work through, further enforcing what you’ve learnt.
Unlike any other course I’ve done, the eCPPT actually teaches you how to write a professional penetration testing report. I feel this is sorely missing from many other courses. You might be an elite penetration tester but if you can’t accurately articulate your findings to the client the whole exercise is likely a waste of time.
The reporting continues on into the exam itself and will decide whether you pass or not. So, even if you compromise every single in scope target and verify every vulnerability, if the penetration testing report does not accurately communicate your findings then you might find yourself missing out on a passing mark. The quality of my reporting was one of the most valuable pieces of feedback I received. Basically my report was overly confusing and a nightmare to read, which in hindsight was a fair assessment. In my defence I was excited about finishing the exam and perhaps didn’t give the report the attention it deserved.
The exam was equal parts challenging, fun and frustrating. To this day I still think about the hosts I didn’t compromise during the exam, did I miss something important, where they only there to serve as a distraction? I don’t know. Without giving to much away, the exam will have you using everything you’ve learnt on the course and will likely lead to more than one sleepless night. Finally achieving elevated access on the last host is a great feeling and is one which I won’t forget in a hurry. I took three days off work to complete the exam and worked on it every evening when I was working until the early hours, even then I felt I could have done with more time. At the end of the week I felt exhausted, the lack of sleep and mental drain had taken its toll. To celebrate I took a couple of days off before starting the penetration testing report.
I can appreciate why penetration testers don’t enjoy the reporting side of a test, it’s time consuming and in some respects harder than the test itself. My report ended up being far larger than I was comfortable with and was difficult to read. If I was to do it again I’d certainly change the formatting and use some of the widely available penetration templates to make my life easier.
One of the overlooked benefits of this course is the mind set it teaches you to have. It teaches you to look at things like an attacker, what are the potential weaknesses, what are the the low lying overlooked vulnerabilities or how would you go about circumnavigating a security control. It’s a valuable skill to have at your disposal as a defender. Additionally, it’s very unlikely you’ll forget what a XSS or SQLi is, which are questions that have popped up in more than one job interview.
My Exam Tips
• Make sure you find and report all vulnerabilities. The exam is not a CTF, simply achieving root on every host is not the goal, finding and reporting on the fictional companies security exposure is your priority.
• Take frequent breaks. Go for a walk, get some fresh air, eat something healthy.
• Don’t bang your head against the same target for too long, move onto something else.
• Thoroughly enumerate compromised targets, leave no stone unturned.
• Take at least an hours downtime at the end of evening to do something else. You don’t want to try and sleep while churning over the exam in your head.
• Take notes and screenshots as you progress through the exam.
• Try and have fun!
Even though the other certifications and qualifications I’ve earned since sitting the eCPPT are better known and tend to show up in job adverts far more often, I would still recommend the eCPPT above all others and would strongly encourage everyone involved in Info Sec to strongly consider taking the course, it can benefit anyone involved with IT, not just aspiring penetration testers.