EH-Net
Show Posts
May 20, 2013, 01:54:06 AM
31
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: CREST Information
on: February 06, 2013, 05:58:03 AM
If you're new in the infosec industry, don't even attempt CRT. You need to know theory by heart, know the most common switches for several tools as well, and be able to solve a lot of problems fast. Doing PWB first is a good idea, as you learn the tools, and also to use other tools than the default ones, including a bit of scripting, and to think outside the box.
32
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: CREST Information
on: February 05, 2013, 08:13:29 PM
Update: After more and more friends have taken the exam, the picture is becoming quite clear about e.g. CRT.
For the first part, you have a lot of multiple choice questions about theory; you have 30 seconds for each question.
The next part, which most people fail, is the practical part, where you have 2 minutes for each test (total of 50 right now), in a block with 512 IPs, meaning you don't have time to scan the entire block if you want to scan all ports.
Some of these questions are e.g., there is a vulnerability on this IP, find and exploit it. You've got 2 minutes.
The best part is, these questions, both practical and theoretical, are generally not that hard. They are around OSCP level, except the practical questions are a lot easier.
In fact, multiple persons have said all of the test is noob easy, but the problem is that it's almost impossible to do in the time allocated. Let me give you a hint: 3 hours in total, and there's over 170 questions in total, 120 theoretical (1 hour) and 50 questions (2 hours).
Assume you have everything open, even Metasploit.
- Read and understand the question: 15-30 seconds
- Figure out what tool to use: 0-15 seconds
- Can't remember the flags? Read the man page: 0-120 seconds. (It's easy to lose time here.)
- Run e.g. nmap with a script scan: 30-240+ seconds
- Run nmap again because it failed or you used the wrong switch(es): 30-240+ seconds
- Perform additional work which may be included in the question: 0-240+ seconds
Does anyone else see the problem? Even an experienced pentester is not able to do all practical questions in time. It's simply almost impossible, unless you've got some sort of automation and perhaps AI on your side.
If you can remember everything, you may be able to get everything right, but you have to be fast at typing too, and know everything about everything, including exactly how long tools and scripts take to run.
When you do a real penetration test, does this matter? No, unless a tool is taking way too long to execute, or if you're doing an internal pentest and you only got 1 day, or an external vulnerability assessment and you have 1024+ IPs; then you have to plan accordingly what the best ways to scan are, and you may even use a distributed scanning network.
Can you use multiple laptops during CRT (CREST)? No.
I hope that they will make the questions harder, as a colleague of mine said anyone could do it, it's just time you need, and that if they make the questions harder, they either remove some of the questions or increase the time-limit.
Another insane thing is that if you fail CRT (1000$) or CCT (3000$), you have to pay 1000$ or 3000$ again! A lot of pentesters have a yearly budget of 5000$. Yeah, a retest for the same price as the original certification is very reasonable, not lol.
And fyi, CREST is apparently non-profit. Imagine a guy fails CCT x3? 9'000$, sure, non-profit. I can agree to the extremely unreasonable prices, which ONLY include certification; there's no course-ware whatsoever. But a re-test costing the exact same amount of money, now that's just grotesque. (i.e. super lame)
I haven't even done this exam yet, but many friends have attempted and most have failed, and I am disappointed that CREST hasn't been shut out from the industry yet or forced to improve, as there's a lot of people complaining.
CREST does not test a real penetration tester's skills. OSCE will test some of a penetration tester's skills, even though I must agree that I have yet to see any of the scenarios in real life, but it does force you to think outside the box and be creative, which is important as a pentester.
33
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: CREST Information
on: February 05, 2013, 04:05:58 PM
No problem. If you're already working in penetration testing, I suggest you aim for CRT (or CCT) as soon as possible, as it is, as you say: no CREST, no contract in a lot of places. When I had interviews over the phone for jobs in England, I was often asked for CHECK and/or CREST as if it would be normal for me to have them, despite never having been there before. (And since CREST only existed in the UK at that time afaik, why would anyone else have the cert when there's no need? Most people I've met that didn't come from England had never heard of CREST.)
There are some pentest jobs in certain countries that do require a high clearance. Well, they require it at least in Denmark and Australia for doing special types of government work, naturally.
But it wouldn't surprise me if a NATO clearance will be required soon, meaning it will be even harder for newbies to get into ethical hacking. I can understand that for certain projects (when you already have the job), e.g. here, you're getting an extensive background check.
34
EH-Net / News Items and General Discussion About EH-Net / Re: Ethical Hackers' thoughts on a general misunderstanding of "hacker"?
on: February 05, 2013, 12:53:21 AM
The reason why I used Nikola Tesla as an example of a hacker is because he was extremely clever and brilliant; he was way ahead of his time and was hacking together devices still in use today. Hacking is, as you and many others said, not confined to technology. The original meaning of a hacker was e.g. a person who was extremely good at crafting items out of wood. Of course, you don't have to share my beliefs, and generally I wouldn't consider Nikola Tesla as the general kind of hacker, but he was extremely dedicated to his work, just like any other hacker is, and he knew exactly what he was doing.
It's good to hear your friend is learning that everything is not black and white; there's (even though I don't want to say this) shades of grey in between. (Not 50 though.)
On the good side, depending on what type of role you're in, you will do almost the same as the attackers (blackhats), except you have permission to do so, and you abide by an ethical code so you won't e.g. sell the client out, blackmail them, or disclose their information, etc.
Examples of work I have done are as follows:
- Web Application Penetration Tests (often few IPs or small blocks)
- Web Service Penetration Tests
- Wireless Penetration Tests
- External Network Penetration Tests (And soon I'll be doing Internal Network Penetration Tests too.)
- External Vulnerability Assessments (of large blocks)
- Vulnerability Research (finding 0days)
- Incident Response (when a client gets hacked by the bad guys..)
- Host Security Assessments (review of OS and/or Service configuration)
- Writing Secure Configuration Standards (for clients) (And soon, I'll be writing Secure Coding Standards)
- Denial of Service Testing (i.e. stress testing servers.)
- Verifying that a site is e.g. out of a PCI Scope. (Otherwise, they have to get a PCI Assessment, which I don't do. We have a separate team for that.)
- Source Code Reviews (I have a few big projects coming up.)
- Social Engineering Penetration Test (I have this type of project coming up soon as well.)
Of course I have also done:
- Marketing Videos for Information Security Conferences (showing how an external penetration test could get Domain Access, all because of an XSS bug to start with, and a MySQL server (the latest) hosted on a Windows server. This video was made months before KingCope released his "bugs".)
- Developing and upgrading internal tools (hacking tools, reporting tools, security tools)
- Developing and upgrading internal lab environment (for demonstrations, Capture-the-Flag contest, testing environments, etc)
And of course, I have used a variety of different risk rating systems: internal, client-based, and CVSS 2.0.
Besides that I have done research in a variety of domains (most not released yet), but it spans across network attacks, web application security, etc.
The released stuff is mostly related to web application security. (This was released way before I got my job.)
35
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: CREST Information
on: February 04, 2013, 05:40:21 PM
They have indeed and somewhat unfortunately come to Australia as well. This is the reaction from most information security professionals down under: http://securityreactions.tumblr.com/post/32935107872/crest

What are the extremely fair examination fees? (GST means "tax".)
- CREST Registered Tester - $1,000 + GST (GST = ~100$)
- CREST Certified Tester (Certified Web Application Tester) - $3,000 + GST (GST = ~300$)
- CREST Certified Tester (Certified Infrastructure Tester) - $3,000 + GST (GST = ~300$)
These fees only include the certification (and examination process), for this non-profit company. As they have a hand in the government, CREST may become mandatory in Australia.

Syllabus
CRT - Registered Tester:
http://www.crestaustralia.org/docs/crest-australia-notes-for-candidates-crt-v1.0.pdf
http://www.crestaustralia.org/docs/crest-australia-technical-syllabus-v1.0.pdf
CCT - Certified Web Application Tester:
http://www.crestaustralia.org/docs/crest-australia-notes-for-candidates-cct-v1.0.pdf
http://www.crestaustralia.org/docs/crest-australia-technical-syllabus-v1.0.pdf
CCT - Certified Infrastructure Tester:
http://www.crestaustralia.org/docs/crest-australia-notes-for-candidates-cct-v1.0.pdf
http://www.crestaustralia.org/docs/crest-australia-technical-syllabus-v1.0.pdf

Random facts and opinions:
- Does it expire? Yes, I think it's every 4 years or so. Wouldn't be much of a non-profit if all their, uhm, zero profits weren't recurring.
- What's up with the price? It's not really a non-profit company when you have to pay that much for a certification.
- How's the exam, technology wise? You're tested on both current AND seriously outdated information, some of which a penetration tester may never see or need to hear about.
- How hard is the exam? Almost impossible; at one point you have e.g. 50 practical questions where each often requires a hack of a custom application. (CCT Web App.)
- These practical questions, what are they? Some of them are related to e.g. Blind SQL Injection, where you have to pretty much dump an entire database, where tools such as sqlmap do not work, so you end up having to do it manually, which costs you too much, so you fail and will have to take a retest, which is around 1000$ more, plus GST.
- Is it realistic? Not really. People with 10 years of experience within information, where 5 may be penetration or even the whole 10 years, fail this certification. Despite that, I can personally vouch for their skills. Some people come from extreme hacker backgrounds, with so much knowledge you wonder if they are even human, as they have come up with amazing hacks, unreleased research, etc., yet these people fail too.
- What's the best way to prepare for this exam? Check out the syllabus (region wise), and study all topics in depth. You will definitely be tested on topics you most likely don't need in your job. (i.e. how certain protocols work; oh I forgot, this is more like a computer science exam at some points.)

What do I think? I think it's bs; it's certifications like these that make the infosec industry a joke, especially if it becomes mandatory. CRT and CCT don't make you a penetration tester or a true hacker; it's hard, yes, just like CHECK Team Leader, but it does not prove your true skill. True skill is proven by what you have specialised in, and what you do with that skill. If you're able to think outside the box, perform advanced hacks and understand the entire process, then you've got the right skills.

Who are the leaders in courses and certifications?
- Offensive Security
- Corelan
- SANS & GIAC (SOME of their advanced courses, not all of them.)
- Immunity Inc
- SensePost (I have heard they're pretty good, not 100% sure about their courses but their name pops up all the time.)
- Some BlackHat courses (I know that these are different vendors offering courses here.)
- And probably a few others I forgot to mention.

Let's take a look at the syllabus.
First I wonder, why aren't these mentioned:
- Cross-Site Request Forgery (This doesn't seem to be mentioned, or is it under the XSS category? If so, major fail, it has nothing to do with XSS even though it can be used with XSS.)
- Local and Remote File Inclusion (Any web app pentester must know about these. And no, they are NOT named code injection in case CREST named them that.)
- DNS Classes (INternet, CHaos, etc.)
- Advanced Cross-Site Scripting (As this certification is aimed at "experts" it seems, it should have at least a basic module about what's possible with XSS, e.g. http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/ )

Now here comes my "WHY GOD WHY" section:
- Token ring (When was the last time you pentested this? I know how it works, but seriously, this isn't a computer science exam.)
- Generating ICMP packets (LOL? Yes, you can use Scapy, hping3, or for that sake "ping"; all of them can generate ICMP packets for you, some of them can generate one (ping), while some can be used to generate virtually all (hping3, and Scapy). But why? Why do you need to be able to prove this?)
- rusers (When was the last time you were able to execute this command? 10, 20 years ago?)
- rwho (When was the last time you were able to execute this command? 10, 20 years ago?)
- finger (When was the last time you were able to execute this command? 10, 20 years ago?)
- Berkeley r* services? (When was the last time, or how often have you seen these enabled? I have seen some once or twice over the last year or so, but were they listening on the Internet? No.)
- CRLF Attacks? (LOL, seriously? Call it header injection ffs.)

As I haven't taken the exam yet, but friends have, and even right now some colleagues are taking the certification, the picture I have had drawn out by them doesn't seem pretty.
39
EH-Net / News Items and General Discussion About EH-Net / Re: Hacking: Is it good or bad?
on: February 03, 2013, 07:24:51 PM
The general public have a view such as your friend's. This is because they do not understand that there are professional / ethical hackers like us on the "good side"; to many people, this type of job is surrealistic and incomprehensible, something that only exists in the movies, while this type of community on the good side is in fact quite large.
Obviously your friend is biased and somewhat newb, as he is only thinking about the script kiddies and black hats, and not thinking about the fact that it was a hacker who invented SSL (HTTPS), and another form of hacker, who was named Nikola Tesla, that invented a lot of other cool things.
It's a shame the general public have this view about hackers, that they are all bad, while a lot of us dedicate a lot of our time to learning in a safe and non-harmful way, while increasing the security locally or globally, often completely free. If increasing the security on a local or global scale is bad, then your friend may want to reconsider what is good or bad. (I know this is not what he said, but I am assuming his perception of the hacker world and the security aspect of technology is very limited.)
PS: Yes, it was hackers that invented the Internet.
44
EH-Net / Ethical Hacktivism / Re: EH perception of Anonymous
on: January 23, 2013, 04:03:04 AM
They give us jobs as they create a lot of paranoia. While in theory, the general population shouldn't be afraid of Anonymous, they should be afraid of the blackhats they have probably never heard of.
45
Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Web App Fuzzer
on: January 21, 2013, 06:50:50 PM
Acunetix and Burp Suite Pro (the pro version makes quite a difference). As Grendel said in this post, but also countless other times, don't rely on one single tool; use multiple. Acunetix has its issues, but mostly it's better than most other automated scanners. PS: I don't consider Burp an automated scanner, even though it has one, but the amount of "tools" it includes is amazing, meaning I use it primarily for manual attacks, while using its scanner too.