EH-Net

Hello ehackers,
I've become quite interested in Pen Testing lately.

I've got a couple of questions on the topic. Any advice greatly appreciated:

- I hold no GIAC certification at present, would you say going straight for GPEN is
  an adequate/realistic choice?
  I appreciate that taking GSEC/GCIH first would be very helpful.

- Is there any sort of an alternative to the official SANS GPEN SelfStudy material
  (books, ebooks, tutorials ) ?
  Something to get me started until I source funding for a SANS boot-camp.

Thank you.

I think your current experience/skills/knowledge is much more important than whether or not you have other GIAC certifications.

The candidate bulletin covers what will be on the exam. http://www.giac.org/certbulletin/gpen.php

That's pretty high-level, but you also get two practice exams when you sign up for a challenge, and those can provide additional guidance for what you need to delve further into.

The CEH and OSCP material helped a lot, as well as various books on pen testing and ethical hacking. Hacking Exposed, Open Source Penetration Testers Toolkit, Professional Penetration Testing (haven't read it myself, but it's gotten good reviews), etc.

Regarding the other GIAC certs, the GPEN will be more technical than either of those, so you should have that knowledge (not necessarily the actual certifications) under your belt prior to taking a shot at it.

Welcome to the forums :)

Bit of a difficult question without knowing your background skill sets and ability :-) Have you got an current IT certifications or have/do you worked in a security based role?

As a more generic  answer:

If you rate your general network, OS and IT security skills and abilities are good, then go for the GPEN. It assumes you know how to use Windows, Linux and how networks are put together in order to attack them. It's a fast paced course, with lots to absorb and plenty of hands on practice.

As some other suggested reading, Ed Skoudis'  Counter Hack Reloaded is a great starting point, as is reading offensive security's Metasploit unleashed http://www.offensive-security.com/metasploit-unleashed/


However, if you're missing any of those core skills then look at doing the GSEC first to cover all those bases.  It covers a massive amount of security knowledge, tools and skills.

Hope that is of some help.

GPEN is not for the faint of heart.  It is super technical.  My co-worker and brother have taken the course and they both were both dumb founded by the amount of technical information.  They are both well experienced and certified individuals, and are not stupid in any way.

As a holder of two GIAC certs and one on the way, with one self study and two courses, I can safely state without any previous experience it may be near impossible to pass without having the SANS course ware.

With that being said, there are a lot of options when going for a SANS course.  You can do OnDemand, Self Study, life training, and even work study at live training (where you work at the conference, get the training, materials, and certification attempt for around $800).  I think if you are starting off with no experience, then it would take all of your being to do self-study to bring you up to a level where you would be lucky if you drowned in the level of technical details the course offers.

I do not know your experience or commitment level, but you could probably do well to self-study and do the GPEN course.  If you are looking for a more long term and lower budget option, you may want to go the self-study route for Security+ to lay the security foundation > CEH to lay the pen testing foundation with methodology and tools > GPEN.

I would also recommend Counter Hack, because it is a good read, and it not only gives you a lot of the hacker tools and methodology, but it also gives you insight on how to defend these tools.  You would also do well to start learning some of the tools like NMAP, Wireshark, Metasploit, and Cain and Able.  Heck, just start playing with anything on http://sectools.org/. :)

Good luck!

Thank you much for the valuable comments.

As for my experience, I've been administering linux servers for the past couple of years plus windows/mac support.

No specific Information Security experience however, apart from generic linux rookit/firewall auditing.

I find GPEN and GIAC material in general, extremely interesting.
Definitely going to get involved.

Veselin