eLearnSecurity eCPPTv2 Review

mstreet, 01 October 2020

Introduction

I can finally say that I have completed the Penetration Testing Professional course from eLearnSecurity and become eCPPTv2 certified! I’m extremely happy about this result and about how the whole experience turned out, so I wanted to tell you about it. After eJPT, doing eCPPT is mandatory: it is the first “grown man” step into the pentesting field, and as such I was extremely stoked to start it. I already knew eLearnSecurity from their previous eJPT course, so I knew about the quality of the material. Looking at the syllabus, I already had some experience with each of the topics, albeit not really deep, but the modules about Ruby and PowerShell were completely new to me, so I decided to go with the Elite version to get those modules and also 120 hours of lab time.

Course Content

You can find the course syllabus in detail on eLearnSecurity’s website, but the course is organized into seven macro sections:

  • System Security: an overview of computer architecture and assembly, together with tools such as debuggers and assemblers. Buffer overflows are then presented and thoroughly explained, with examples of both automatic shellcode generation (e.g. with msfvenom) and hand-written shellcode. Finally, cryptography and password cracking are covered, along with an overview of malware and its different types.
  • Network Security: this is the core of the whole course. It dives deeply into each phase of a penetration test: information gathering, scanning, enumeration, sniffing and man-in-the-middle, vulnerability assessment, exploitation and post exploitation. Two further sections cover how to stay anonymous while conducting a penetration test and social engineering. Note that in this section all the modules target Windows systems.
  • Linux Exploitation: this section revisits the enumeration, exploitation and post exploitation modules, this time with Linux systems as the target.
  • Web Application Security: this section covers the most common web attacks, such as XSS, SQL injection and file inclusion.
  • WiFi Security: a thorough introduction to the IEEE 802.11 standard, followed by a whole array of attacks, from WEP, WPA and WPA2 cracking to other ways of using WiFi as an attack vector, such as evil-twin attacks.
  • Ruby for Pentesters and Metasploit: this section is all about the Ruby language, starting from a basic introduction (control structures, variables, etc.), moving on to more advanced topics such as classes, and finally showing how to leverage the language as a pentester, for instance by integrating it with Metasploit.
  • PowerShell for Pentesters: this section introduces Windows PowerShell and how an attacker can leverage it for offensive purposes. This is extremely useful, as PowerShell is a powerful language installed on every recent Windows version, so it is definitely another weapon in the arsenal.

As with their PTS, I really liked the course content. The online HTML5 slides are easy to use and have a nice layout; honestly I prefer this layout (from 2018) to that of PTS (from 2019). The material is good and covers a lot of ground, always starting from the basics and providing extra resources, so that even a less experienced student can catch up if the material taught is not enough. The videos are also helpful, as they show practically how to carry out the attacks presented in the lecture slides.

The System Security section is quite heavy and might discourage new students, but it is one of the core components (also for the exam) and as such must be really well understood. I think the material is explained really well; my only minor complaint is that excluding bad characters from shellcode could be explained better. That is not a real issue, as there are free resources for practising it (check the Extra Resources section). Network Security and Linux Exploitation are the most fun parts: that is where you actually get your hands dirty popping boxes, escalating privileges, etc. eLearnSecurity puts a lot of emphasis on the post exploitation and pivoting phases, which is an extremely good thing, as they are not covered in depth in similar courses. The Web Application Security section is also quite fun. While by no means exhaustive (web applications have a LOT of possible attacks, and it takes years to even scratch the surface), the attacks presented are explained in depth (the slides are in fact taken from eLearnSecurity’s eWPT course) and give a really good understanding of the most common threats. The WiFi section has the downside that a home lab must be set up, as the concepts explained cannot really be tried in Hera Labs, but apart from that it is quite interesting, even if it is not part of the final exam. Finally, I did not complete the Ruby and PowerShell parts, because I needed to finish the exam before moving out and so was a bit strict with my time. I will update this part once done.
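Since the bad-character step is the one part of the buffer overflow material I found under-explained, here is the probe-and-compare loop written out as a small Python helper. This is an added example of my own, not code from the course or from eLearnSecurity; the `simulated_target` function is a constructed stand-in for the vulnerable service (it drops input at 0x0a and rewrites 0x0d), so that the loop has something to find when run offline. Against a real target you replace it with a function that sends the probe and returns the bytes dumped from the stack in the debugger.

```python
"""Bad-character discovery for a stack buffer overflow exploit (added example).

Workflow, as usually practised on a debugger-attached target:
  1. build the 0x01..0xff probe array (0x00 is excluded up front, it ends C
     strings) and send it where the shellcode will later go;
  2. dump the bytes that actually landed on the stack (e.g. from ESP) and
     compare them with what was sent;
  3. add the first mangled byte to the exclusion list and repeat until the
     dump matches the probe exactly.
"""


def generate_badchar_array(excluded=(0x00,)):
    """Every byte 0x00..0xff except the ones already known to be bad."""
    skip = set(excluded)
    return bytes(b for b in range(0x100) if b not in skip)


def first_bad_char(sent, dumped):
    """First byte of `sent` that did not survive the copy, or None.

    Only the first divergence is trustworthy: once one byte is dropped or
    rewritten, everything after it shifts, so a single comparison would
    flag the whole tail as bad. Exclude that one and probe again.
    """
    for s, d in zip(sent, dumped):
        if s != d:
            return s
    if len(dumped) < len(sent):       # copy stopped early: the next byte ended it
        return sent[len(dumped)]
    return None


def discover_bad_chars(target, excluded=(0x00,), max_rounds=0x100):
    """Run the probe/compare loop against `target` and return the sorted list."""
    bad = set(excluded)
    for _ in range(max_rounds):
        probe = generate_badchar_array(sorted(bad))
        found = first_bad_char(probe, target(probe))
        if found is None:
            return sorted(bad)
        bad.add(found)
    raise RuntimeError("did not converge; is the target mangling everything?")


def simulated_target(buf):
    """Constructed stand-in for the vulnerable service (assumption, not a real program).

    Mimics a gets()-style line reader (stops at 0x0a) feeding a routine that
    replaces carriage returns with a space.
    """
    out = bytearray()
    for b in buf:
        if b == 0x0a:
            break
        out.append(0x20 if b == 0x0d else b)
    return bytes(out)


def hexdump_diff(sent, dumped, width=16):
    """Side-by-side view of both buffers, marking the rows that differ."""
    lines = []
    for off in range(0, len(sent), width):
        s = sent[off:off + width]
        d = dumped[off:off + width]
        mark = " <--" if s != d else ""
        lines.append(f"{off:04x}  sent {s.hex(' ')}")
        lines.append(f"      dump {d.hex(' ')}{mark}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(discover_bad_chars(simulated_target))   # [0, 10, 13]
```

The loop converges in three rounds here: the first probe is truncated at 0x0a, the second shows 0x0d rewritten, the third matches. Resist the urge to mark every differing byte in one pass; a truncation at byte 9 would otherwise make the remaining 246 bytes look bad.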

Laboratories

There are a whopping 30 labs to practise on before taking the exam. As with PTS, they are mostly self-contained, each covering and teaching a particular aspect, such as LLMNR poisoning, in detail. What I like about the labs is that, while they have a predefined objective, different paths can be taken, so once you have mastered what they teach you can freely experiment and try different techniques. That is also why I bought the Elite plan with 120 hours. There are also a couple of labs, “Blind Penetration Test” and “From XSS to Domain Admin”, which are really nice as a final practice run before taking the actual exam. The first time through they were indeed difficult, as they are supposed to be: they are teaching something you do not know yet. Don’t be discouraged by this; I recommend doing a lab for the first time while following the solution, then repeating it once or twice without looking at it. This way you know at least one path through, and as you become more familiar with the specific scenario you are free to experiment with new techniques. Each lab is dedicated to you, so you don’t need to worry about breaking something: just reset it and you are ready to go again. My only complaint here is that I found the VPN a bit clumsy, since you get a new .ovpn file for each lab, which expires after 48 hours and then needs to be downloaded again.

Exam

The exam is structured as a 7-day black box penetration test. You are provided with a letter of engagement that defines the scope (e.g. which networks to target), the rules of engagement and which tools can be used. You are also given a “necessary but not sufficient” condition for passing. What can I say… The exam is extremely fun! It tests EVERYTHING covered in the course, from web to network security, without requiring abstruse or absurd exploits. It is an awesome benchmark that thoroughly tests all the skills taught in the course, from enumeration to post exploitation and pivoting (and trust me, these last two are important). After the 7-day time frame the lab closes and you have another 7 days to write and deliver a commercial-grade report of your findings. Note that this is also extremely important: if you are able to carry out the pentest fully but the report is not adequate, you will fail the exam. As I said, I really, really enjoyed the exam. I think the time frame is fair; I was able to clear it in three days of 12 hours of work each, so even for those working full time, seven days should be enough. Some tips I can give without breaking the NDA:

  • Enumerate, enumerate, enumerate. Really, this is key. I got stuck for almost a day at a point where I couldn’t proceed after having owned X machines. This was because I had been a bit light on the post exploitation phase of one of them, so be warned.
  • If you get stuck, take a break, clear your mind, eat something and then get back to work. Review the training material if needed; trust me, it is really well done and at times the answer you are looking for is there.
  • Be sure to know well how to do the buffer overflow explained in the System Security section and the pivoting techniques explained in the post exploitation part of the Network Security section.
  • Don’t overcomplicate things.
  • Finally, take your time, enjoy, have fun. Remember that if you fail you have at least one other attempt depending on your course plan, so really, enjoy the experience!
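To make the buffer overflow tip concrete, here are the two helpers you end up re-implementing for that exam task: a Metasploit-style cyclic pattern with an offset lookup for the value that lands in EIP, and a function that lays out the final buffer (junk, return address, NOP sled, shellcode). This is an added example of my own, not course material or eLearnSecurity code; the register value and the return address in the usage block are placeholders, not addresses from any real target.

```python
"""Cyclic-pattern offset finding and buffer layout for a classic stack
overflow (added example; re-implements the logic of Metasploit's
pattern_create / pattern_offset in Python).

Usage in a BO exploit:
  1. send cyclic_pattern(n) as the crashing input;
  2. read the value that ended up in EIP (or RIP) in the debugger;
  3. pattern_offset(value) gives the number of bytes before the saved return
     address;
  4. build_buffer() assembles junk + return address + NOP sled + shellcode.
"""

import string
import struct

MAX_PATTERN = 26 * 26 * 10 * 3   # 20280 bytes before the triples would repeat


def cyclic_pattern(length):
    """Aa0Aa1Aa2...Ab0Ab1...: every 4-byte window is unique within MAX_PATTERN."""
    if length > MAX_PATTERN:
        raise ValueError(f"pattern longer than {MAX_PATTERN} bytes is no longer unique")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(value, width=4, length=MAX_PATTERN):
    """Offset of the crashing value inside the pattern, or None if not found.

    `value` is either the integer shown in the register (the debugger prints
    it little-endian, so it is reversed before searching) or the raw bytes
    exactly as they sit in memory.
    """
    needle = value.to_bytes(width, "little") if isinstance(value, int) else bytes(value)
    idx = cyclic_pattern(length).find(needle)
    return None if idx == -1 else idx


def build_buffer(offset, ret_addr, shellcode, nop_len=16, total_len=None, width=4):
    """junk | return address | NOP sled | shellcode | padding.

    The return address (typically a JMP ESP in a module without protections)
    is packed little-endian. total_len optionally pads the buffer so the
    request stays the same size while you swap payloads.
    """
    fmt = "<I" if width == 4 else "<Q"
    buf = b"A" * offset + struct.pack(fmt, ret_addr) + b"\x90" * nop_len + shellcode
    if total_len is not None:
        if total_len < len(buf):
            raise ValueError("sled + shellcode do not fit in total_len")
        buf += b"C" * (total_len - len(buf))
    return buf


if __name__ == "__main__":
    crashed_eip = 0x39654138            # hypothetical value read from the debugger
    off = pattern_offset(crashed_eip)   # 146
    ret = 0xDEADBEEF                    # placeholder: the JMP ESP you actually found
    payload = build_buffer(off, ret, b"\xcc" * 4, total_len=512)
    print(off, len(payload))            # 146 512
```

Two checks worth doing before trusting the offset: confirm it with a second run that puts four distinct bytes (say `BBBB`) exactly at the computed position and verify EIP reads 0x42424242, and make sure the return address contains none of the bad characters found in the previous step, or the jump will never land.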

Final thoughts

Overall, this is my favourite course so far! It is a very broad course on all aspects of a pentest, with emphasis on areas, such as reporting and post exploitation, which, despite being extremely important, are usually neglected (in full or in part) by similar courses. This course will make you confident about what to do at each stage, so that in every assessment you have a methodical and precise way to perform it. Obviously you will not know how to exploit every system you encounter (and some of them really aren’t exploitable), but having a solid working method lets you concentrate your effort on researching and developing, or adapting, an exploit for something you have not seen before, without panicking. Finally, the certification you get is shareable on LinkedIn and makes a nice impression on your CV thanks to the fully practical exam. So, is this course for you? Well, for me it has been amazing, and I cannot recommend it enough! That said, here is the course, be sure to check it out!

Extra Resources

While working through the course material, I’ve found some extra resources which might be useful to you, be sure to check them out:

  • Buffer overflow practical training (with an explanation of shellcode bad characters and how to find them): BufferOverflowPrep
  • Pivoting and double pivoting: pivoting
  • Public pentesting reports from real-world assessments to get inspiration from: reports
  • Robingoth’s pentest report template, which I used with some slight modifications: template