My review of the eCPPT course and the exam
So it has been a little over two weeks of being a 'Certified Professional Penetration Tester' from the INE course and I decided to spend a little bit of downtime with family before collecting my thoughts and writing out this review in hopes that you may gain some insight and understanding of the course as well as even some motivation to get it done yourself if you are following the path into pentesting!
- Architecture Fundamentals (Stack Frames and Security Implementation)
- Assembler Debuggers and Tool Arsenal (ASM, NASM, Compilers, Immunity Debugger)
- Buffer Overflows
- Shellcoding (Encoding and Debugging)
- Cryptography and Password Cracking (Cryptographic attacks, PrettyGoodPrivacy and Pitfalls)
- Information Gathering
- Scanning & Evasion
- Service Enumeration
- Sniffing & MiTM Attacks (Sniffing, Poisoning, ICMP Direct)
- Exploitation (Nessus, Bruteforcing, Metasploit, Client Side Exploitation, Remote Exploitation, Relay Attacks)
- Post Exploitation (Privilege Escalation, Persistence, Evasion and Bypassing Firewalls & AV, Pivoting)
- Social Engineering
PowerShell for Exploitation
- Recon and Info Gathering
- Empire & C2 setups
- UAC Bypass
- Leveraging WMI and Persistence
- Leveraging PowerShell for Exploitation, Post Exploitation and Lateral Movement
- Remote & Local enumeration
- Remote Exploitation (various methods such as web, SMB, Java)
- Post Exploitation & Lateral Movement
- Privilege Escalation
Web App Security
- Same Origin, HTTP/s, Cookies
- Tools such as Burp Suite, ZAP and advanced methods
- Fingerprinting & Enumeration
- Local/Remote File Inclusion
- SQL Injections (various databases)
- Session Hijacking and Fixation
- Wireless Standards & Networks
- Traffic Analysis
- WEP cracking
- WPA Capture Attacks
- Rogue Access Points
Metasploit & Ruby
- Control Structures
- Methods, Variables, Scope
- Classes, Modules, Exceptions
- Packet Sniffing
- Exploitation with Ruby
- Write Custom Metasploit Modules
Before we dive into recommendations for the course, let's first tackle the background that may be required:
I will list the background I came from, but I don't believe it was necessary, as the course is fairly self-sufficient, albeit practice is required. Prior to eCPPT, I was eJPT certified and had roughly 4 or so minor certifications through TryHackMe indicating course completion: Jr Penetration Tester, Offensive Pentesting, CompTIA Pentest+ and Web Fundamentals.
Prior to sitting the eCPPT, I went through those courses; however, I would say that the eCPPT course materials and labs themselves were very much on par and sufficient for the exam. I do not believe the additional courses I completed would be necessary for someone prior to starting eCPPT, but I do believe that practice of the topics is recommended, and unfortunately there are external places that provide better practice and teaching materials on certain topics, which I will discuss below.
The exam is a 7-day test where you are engaged by a fictional company to perform a penetration test on its external and internal network, containing numerous hosts with varying degrees of internal communication. The engagement was a black box engagement whereby you only know what a real threat would know (in this case, you don't know the network layout, only the public-facing IP address). Through reconnaissance and technical enumeration & exploitation, the fictional company wants to see what a simulated threat can uncover, the security risk involved for the company, and the remediation steps needed in order to patch & improve their security.
The exam was great. I had a great time while sitting the exam and exploring various methods to break it apart. The benefit of the eCPPT exam structure is that there was sufficient time to have a really in-depth look into the network that was provided to you and then to actively look for various vulnerabilities, data leakage, and various exploits. The exam required you to uncover the network(s) yourself through discovery and to simulate the potential of a real threat actor.
The exam is not a capture-the-flag goal whereby you complete the task by finding a text file through some exploit and then know you are finished with the objective. This was a little different, as you needed to break the same network machines multiple times to provide a comprehensive report to a fictional client.
This report is required to communicate to at least two different levels of personnel:
- The executive level, to understand the risks involved to which business processes and why your findings are important due to the impacts/costs;
- The technical managers, to understand the exact issues so they can replicate your results and devise fixes that actually work.
Furthermore, the report required not only all vulnerabilities discovered but also recommended remediation steps for each, which requires you to understand the vulnerability and how to fix it.
The exam felt real, like an investigation, which made it exciting. The time crunch was there, but it was there to signal an end to the engagement and not to trip you up.
What I liked about this setup was that the simulation and the exam itself were geared towards how a smaller enterprise would realistically be set up. The exploits themselves were not a needle-in-the-haystack hunt but what you could expect for a company where security is second or third to functionality and ease-of-use. This type of exam reminded me of my own experiences within a corporation and colleagues who actively want to make their jobs easier while the security mindset is in the background or completely absent.
The exam was fun and it had its scary moments, but I learned a great deal from sitting this test. You will also find great benefit in this course as it really encouraged me to develop my methodology as well as my report writing; not the most fun things in comparison, however the report is the reason you are consulted, so it needs to be carefully curated and useful to the client.
Below is a list of content that I utilise myself and have found enormously useful for my own development. Not all of it is required for eCPPT alone; however, I would recommend these sources as part of your own development beyond eCPPT.
As mentioned, there are some external resources that either explain or provide better practice for topics than the course does.
For that reason, the following would be my recommendations for eCPPT specifically:
- Finish the eJPT course & labs (eLearning Junior Penetration Tester)
- The eCPPT course work & labs
- Optional: The eWAPT course (eLearning Web Application Penetration tester)
- THM Buffer Overflows: practice all of them! The context within the eCPPT course is great for getting a taste of stacks and assembly language; however, the teaching of how to tackle buffer overflows is severely lacking, and therefore from my experience THM was king in this regard.
- THM Internal and Relevant by TheMayor: these have been great practice rooms that encourage your methodology when you uncover interesting information. These rooms definitely helped with the mindset of "that's odd, let's google it".
- THM Wreath by MuirlandOracle: the entire practice room is great, but the main reason for this recommendation is pivoting! Various pivoting tools & techniques are important to understand, and they are very important for the eCPPT exam.
Note: While I did not do the eWAPT course prior to eCPPT myself, I am currently going over this course while I am waiting for my OSCP to begin, and from the course material so far I would recommend completing eWAPT prior to eCPPT if possible, due to the content being great but also because the guide to report writing is within this course. (I wish I had looked into this content before I did eCPPT myself, as the report was difficult without prior experience at it.)
I found the following content incredibly helpful for improving in my journey:
- The unofficial INE/eLearning discord: Having people on the same path as you is great and being able to ask questions and discuss topics will go a long way to improving your own ability.
- Red Team streamer Alh4zr3d: A wealth of information for introductory and advanced topics. Streams on a set schedule and goes through various activities, speaks on industry topics and discusses exploits and engagements.
- TryHackMe learning paths: Web Fundamentals, CompTIA Pentest+, Jr Penetration Tester, Offensive Pentesting
- TryHackMe Premium subscription with access to various challenges, walkthroughs and up to date exploitation guides.
- Alternatively: HackTheBox Premium subscription with the ability to tackle retired challenges as well.
- IppSec Walkthroughs: Used in conjunction with HackTheBox retired challenges by watching and then repeating the exploitation methods. It's a great method to start with; eventually you progress to doing the exploitation yourself first and then watching for different methods afterwards.
- Tib3rius Privilege Escalation Courses for both Linux & Windows: These courses are great to supplement and improve your methodology. The content is similar to the TryHackMe courses; however, there are a few additional topics that really help. This is also really important for OSCP if that will be a future exam you sit.
A few tips to help with your journey. Nothing discussed within this review gives away content that hasn't been previously provided by eLearning themselves, but these tips may prove useful to you when you decide to sit your exam.
- You have 7 days: This is more than enough time so take a breather and go for a walk or a shower when you are stuck.
- Not a CTF: Each host in the internal network will not signal to you that you are done. Spend time discovering each host and understand the role that host plays. What is it being used for? What kind of content might you find on there?
- It may be staring you in the face: The fictional security issues are not 'needle-in-a-haystack' problems that rarely show up in the real world. Explore each machine and you will likely find something interesting that may cause you to think "odd..", so dive a little deeper, and move on if there is nothing.
- Privilege Escalation: It is always important, as you require Root/System on all hosts, so doing Linux/Windows priv esc practice will benefit you in the long run. I do recommend the Tib3rius Privilege Escalation Courses for both Linux & Windows, but they are optional.
- Report professionally: This is a mock vulnerability engagement and the 'client' expects a professional report. If you don't deliver a professional report on your findings, then unfortunately you will not pass. This is important, as reaching the objective is not enough to pass; your report must contain the security risks & how to remediate them.
- Pivoting and Enumeration: It should be self-explanatory, but you are pentesting a fictional company; as such, you most likely will be dealing with pivoting and need to know how to extract or find information or explore further after the fact. If pivoting is a weak point, then I recommend that you place emphasis on understanding this topic as well as the course material on what to do after you have gained footholds.
- Have a comprehensive cheat sheet or notes: You can't memorise or retain all the info within this industry. Having your own notes is vital, and if you have them set up in your own words then you will be able to spend more brainpower on problem solving and less on trying to remember obscure things. Be verbose with your notes and type them as if you need to explain them to yourself in a few months' time; this I cannot stress enough, because knowing the subtext of what you are trying to record now does not mean you will remember those finer details in a couple of weeks. Verbose!
That's all folks! The exam was great and has set up a great outlook on what I am going to be doing next. From doing the course work and sitting the exam, my personal notes have expanded and improved immeasurably. With each topic we can know a little more than we did yesterday. Onward to the next big thing, and hopefully this may have inspired you to tackle this certification yourself, as the course is fairly complete in its content, so you will know what you need to practice and improve upon!