EH-Net

During the beginning of this / last week (depending on when you read this), I travelled to the Kryterion authorized test facilities and took the GPEN exam. After 2 hours and 20 minutes, I was done and had passed with 87,33%.

What a nice feeling, and it certainly made me more aware of other topics I didn't have much focus on before.

I look very much forward to the day my certificate arrives ;D

Congrats MaXe!
You'll be impressed with the certificate when it arrives :)

Thanks Data_Raid!  :)

I searched for it on Google and saw how it looked like, damn it looks awesome  ;D (Hence the reason I can't wait! hehe)

Gratz MaXe, that's awesome! :)

Congratz MaXe. How did you find it? I found that it complemented the OSCP quite well.

Thanks lorddicranius!


It forced me into some nice theory, about topics I hadn't read much about, until I had to prepare for the exam  :)

Congrats MaXe! impressive score for sure ;D any new developments/plans yet?

Maxe,

Congrats. I am giving some serious thought to taking it. I presume you self-studied? Can you provide info on referenced material/books?

n1p

Congrats Maxe!! I was also wondering how it compared to the OSCE exam.  A lot of people here seem to have the GPEN so it must be very informative and a good certification to have.

Thanks j0rDy! If I had trusted my own opinions more, (I was thinking in "GIAC terms" on occasion), I probably would've scored a little bit higher. But it was a nice score that I found acceptable  :) Nothing new currently, well, besides a few projects, etc. but that is not related to this certification  ;D


Thanks n1p! If you want the easiest way I'd go with a self-study course of SANS SEC560, but the OSCP course with perhaps OSWP, general knowledge, laws in e.g., UK, USA, Japan, Singapore, Germany and perhaps a few other countries will do much good. (Don't forget ethics, terminology, how a report is written, and other topics like these.)

It is possible to pass without any knowledge of laws, but it will probably be right on the edge. If you read The Penetration Testers Open Source Toolkit vol. 2, NIST SP800-42, skim through ISSAF, know about OSSTMM, have a good idea of the ethics and terminology of a penetration test, and have a good base knowledge within Web Application Security, Post-Exploitation, Buffer Overflows, commands in linux and windows (post-exploitation), reconnaissance, information gathering, exploits in general, password attacks, and wireless attacks, then you're good to go.

I wrote a few more things here as well:
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,7071.msg38351/#msg38351

In short: "Jack of all Trades" (no speciality), or "Know most of the common attacks, defenses and information / technology related to these, this is your baseline for passing GPEN.

Without having studied (at all), I got a score of 77% during a practice test. (enough to pass.)
I failed primarily on laws, because they were not related to neither Denmark nor Sweden at all. Some of the terminology was a bit rusty on my part as well, but all it took was some dedication  :)



Thanks Agoonie! Oh it can't be compared to OSCE at all! GPEN is a good baseline certificate, but it does not give you the hardcore hands-on experience that OSCE or for that sake even OSCP does.

I haven't taken CEH yet, but I think it may be somewhat related to GPEN. Another certificate I've seen from GIAC was GSEC, it looks similar to CISSP. (I haven't done these either.)

It was nice in many ways, to obtain my second certification though  :)

Congrats, MaXe!

Went ahead and took my freebie (from both CEH v7 and OSCP in the last year) GPEN exam, this morning, and passed, too.  Just under 2 hours (1:54), with an 85%.  So now there's 2 of us, in the past week!   ;)

Edit - BTW, without giving the questions out / away...  Did you have a couple that you felt were ALL incorrect answers?  I had one, and because I felt they were ALL wrong, I intentionally just picked the MOST incorrect one, anyway...  I actually, supposedly, got that one right...  Needless to say, I commented in the survey, afterward, about that one, and a couple of others.

Congrats to you also, hayabusa!  Pretty awesome knowing the knowledge level of the user-base here (and willingness to share experience and help out).  I finally have a place to go to search/ask my questions!

Thanks hayabusa!  :) Congratulations with the 85%, you'll receive a mail from SANS most likely as well about becoming a mentor, if you passed with that score or above, but the bummer is that you have to find students yourself I heard.  :D

With some of the questions, I felt that more than one could possibly be correct, so I got in doubt, and chose the one that I believed GIAC would think was correct. Then it appeared to be most likely the one I initially would've picked. It was mostly some of the non-technical questions that can easily be misunderstood due to there's so many different terminologies imho, but I like my passing score  :)

I commented also about the very application specific questions, informing them that not all pentesters use this particular program, some uses others as this other program may have more features, be more reliable, or simply just be more efficient and simple than the other.



I think that is one of the reasons most of us is here, the user-base  :)

Congratz Hayabusa and MaXe!!!

When I passed it last November, they were very quick at sending my emails to become a SANS mentor. But they said you need to own two SANS certification before you can become a mentor. So let me know guys if you receive an email from them...

Thanks H1t M0nk3y!  :)

They were very quick with me as well, I wonder if it's an auto-mail if you pass with 85% or above? I received 2, one in common and another for EMEA (since I live in Europe). I didn't read anything about you need two SANS or GIAC certifications, but maybe they'll reply back to me with that info not written anywhere  ;)

I'll try to remember to inform you what the reply was, so far I'm close to waiting 10 business days (which is the handling time they wrote it would take). I'm patient anyway  :D

BTW, I waited a long time before getting my certificate. They say on their web site that it normaly takes between 6 to 8 weeks, but after 3 months, I sent them an email and they said they make the certificates every quarter!

So I waited about 14 weeks to get mine...

Oh and yes, it looks very nice! No comparison with CEH...

I think GIAC has outgrown their process for shipping the certs.

I know there has been lengthy discussions about this elsewhere, and from those discussions, GIAC is looking at how to streamline the process.

They're just going through growing pains...

I will say, though, the three GIAC certs I earned came in the mail within the timeframe they promised. However, it's been a couple years since I sat for a cert with them.
 

That's a very long time! I hope I don't have to wait as long, since I might've moved address by then, or moved to another country  ;D I saw a few pictures on Google, looks very nice and professional. Do you think GSEC was hard?


Well at least you got them in time, but it's nice to know still  :) How hard was GSEC in your opinion? It covers a lot of areas, just like CISSP  :)

I have not taken my CISSP yet, so I can't really make a true comparison. However, I will say that the GSEC covers A LOT of information. I'm not sure if you've actually taken any of the SANS courses, MaXe, or just challenged exams, but the GSEC material was twice as voluminous as the GCIH or GCUX material! This does not make it more difficult per se, but it does mean that you have to know more about more topics. Also, from what I've read (remember I haven't taken the CISSP yet), you have to know greater technical detail than what the CISSP tests you on. From reading some of the study material for the CISSP, I believe this to be true.

The beauty of the GIAC exams is that they tell you pretty much everything that is going to be on the exam on their website. Its up to you, though, to determine what you need to know under each topic. If you feel pretty comfortable with a majority of the topics covered, you should do fine with some study on the remaining topics.

I found the material on cryptography and securing Windows to be the most challenging, but that's just me...I'm sure if you asked someone else, they'd claim completely different topics.

If you have specific questions that won't cause me to break my NDA, feel free to PM me.

I heard from a friend / colleague, that CISSP was a mile wide, and a foot deep. (While OSCE was a foot wide, but a mile deep.) I think in this case, GSEC is perhaps half a mile wide, and 5 foot deep. But thanks for at least informing me that it appears GSEC requires greater technical detail.  :)



I can relate to that, since I did a GWAPT practice test I had received from a friend, and without any study I scored 80%. (I flagged questions too, which I didn't do during GPEN, but I wasn't satisfied with some of the questions during GWAPT.) I think GSEC would require a very good all-around "Jack of all Trades" knowledge, in order to be passed.

What I did during GPEN, was to take a practice test, where I scored 77% and then I realized I had to study, but the results also showed which topics I failed somewhat and hard on  :) That is very nice, since you know exactly which topics in your toolbox, whether it's theoretical or technical, that should be improved. (So yeah, after studying for a week I took the exam and scored 87%, which I find acceptable  :) )


I believe that must be quite challenging, especially for a certification where you have to know almost all the topics, many techniques, methods, etc.

GCIH seemed interesting as well, I might go for that in the future, and it looks like it's gained popularity as well  :)