I am curious the hear what people think about CPT vs the other certs. Also, will it help getting through HR?

The easiest mechanism to determine the weight/validity/*sought_afterness is to see what's being sought on sites like Dice.com for example:

http://seeker.dice.com/jobsearch/servlet/JobSearch?op=302&dockey=xml/7/0/70bd6464f12b5852d249b887aee14659@endecaindex&source=19&FREE_TEXT=cpt+security&rating=99

---

Certification such as CISSP, CISM, GSEC, GIAC, CEH, CPT, PCI are strongly preferred ABITLITY TO TRAVEL The position requires up to 60% out-of-town travel to client locations.

http://seeker.dice.com/jobsearch/servlet/JobSearch?op=302&dockey=xml/7/0/700da35614c089061d4db102d1d09e3a@endecaindex&source=19&FREE_TEXT=cpt+security&rating=99

---


?Professional Certification such as CISSP, CISM, GSEC, GIAC, CEH, CPT, PCI are strongly preferred

http://seeker.dice.com/jobsearch/servlet/JobSearch?op=302&dockey=xml/2/6/2631309644952da36536ec87339e0748@endecaindex&source=19&FREE_TEXT=cpt+security&rating=99

---

<>Other Security Certifications (such as CEH, CPT, GCIH, etc.)

http://seeker.dice.com/jobsearch/servlet/JobSearch?op=302&dockey=xml/0/2/029f5e40307a2c1b58ddf142d35df6a6@endecaindex&source=19&FREE_TEXT=cpt+security&rating=99

------------------

We can see that HR departments know "OF" the CPT although most have zero idea of the differences in certifications. For example, I've seen penetration tester jobs where the requirements were a CISM or CISSP. I've seen security manager positions where the requirements were CCNA's. At the end of the day, it all boils down to presentation. How you present yourself and your capabilities. A resume is used to pass stage 1, the HR individual who has a written detail of the job duties. Normally, its the second and every interview thereafter that matter.

In 1998 I interviewed with Kroll O'Gara who had purchased Securify, who had purchased Packet Storm from Ken Williams. Back then I had zero certs but I had the experience. I was offered a job in their NYC office but turned it down the moment I was told I'd be wearing suits. (I kid you not). I prefer to be comfortable doing what I do without the suits thank you.

I can tell you from experience, certs don't always equate into offers. In fact, I had more offers before I had certs. Often for positions that were seeking CISSP's, CISA's, EnCE's, etc. While it helps to have them (certs) it all boils down to two things that trump certs at the end of the day:

1) What you know
2) Who you know

How I miss the dotcom daze

Thanks again sil (I often feel dumb when you answer my questions...  )

Yes, my goal is to pass the HR layer. Of course, it is 1) What you know and 2) Who you know. But very recently, I was giving my business card to a "CISSP" guy. He immediately looked at my certs and when he couldn't CISSP, he turned it down... Man I hate that! But on the other hand, maybe I wouldn't even want to work for a guy like that...

So yes, certs and resumes get you an interview. Then you have to be able to answer the questions!

So, just to update - I passed the CPT!

Here's a word of advice - when you get to the end of the 60 days, whether or not you completed cracking both root passwords...  Document the pentest, in detail, demonstrating that you know what you've done and what the results mean, and send that puppy in...

I too am on the last stage, I have escalated privileges on the second box but JTR is taking foooorreeeevver to crack this root password.

Im getting 7100 c/s how long should I expect it to take?
Should I be using something else? JTR is a hybrid so I would have thought it was the right tool to use.
Dont suppose anyone would like a crack at my shadow file with your huuge clusters? 


My 2c about Infosec Institute is that you CANNOT do better than them for your CPT/CEH training, unless you are lazy and dont even try its virtually impossible to fail. Excellent class, excellent instructors.

I downloaded a 46MEG wordlist file and it got through it in about 10 minutes with no luck.
I got a 400MB one im trying now but if that doesnt work...

Is brute force the only option? It could take weeks! months!?!

Also will JTR only try words in the wordlist? I thought it was a hybrid which means it would try those words + those words with special characters intermixed right?

With dictionary attacks, your success is not based solely on the size of the dictionary - its the quality of the dictionary. It doesn't matter how big your dictionary is....if the word is not in there, you will never crack it.

What you are looking for with a brute force attack in Jtr is incremental or external. Incremental is the one most often used. I would use brute forcing only as a last resort, as it is usually not successful (especially with a small set of passwords).