EH-Net
Author Topic: eLearnSecurity opinions?  (Read 29153 times)
impelse
« Reply #15 on: November 12, 2010, 10:39:30 AM »

I have to admit, it is a real penetration, for the first time I learnt how to make a report

CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
MindOverMatter
« Reply #16 on: November 12, 2010, 03:30:33 PM »

Hey thanks Armando, for posting the certification, it's actually really nice, I like it!  I'm gonna frame it and put it next to my others when achieved.

I look forward to getting mine soon as the course is very engrossing, makes you want to keep going and going, although I like to go back and refresh the previous before continuing.

One of the things I really like about the course (that at first I wasn't sure about) are the slides. It's very clear, sharp-looking fonts that are easy to read and not too much info is on each slide, so you don't get bored or overwhelmed.  It's a very efficient learning technique I think, especially for anyone with short attention spans.

A+, Network+, Security+, CIW Associate, CCNA, C|EH
MindOverMatter
« Reply #17 on: November 12, 2010, 03:33:43 PM »

I also gotta say, learning aside, that the logo and color scheme for eLearnSecurity is pretty awesome.  Whoever came up with it is a darn good social engineer / marketeer.

A+, Network+, Security+, CIW Associate, CCNA, C|EH
SephStorm
« Reply #18 on: November 12, 2010, 06:56:56 PM »

Nice certificate, oh god, if Paris Hilton was a pentester.... well, I guess there's nothing to fear.

If you guys haven't already, you might want to consider printed certificates and a nice card, professionals like to have a little card to show off. They've been begging for them over at the EC-Council forums every now and again.
« Last Edit: November 12, 2010, 07:06:47 PM by SephStorm »

eternal_security
« Reply #19 on: November 15, 2010, 09:52:36 AM »

I just got the results today from the exam, so from now on I am an eCPPT!

I really liked the course. It is very well structured, and a very important advantage is that you can access it any time.

Now I am doing some checks for work and I use the course as a guide for the most important steps. I recommend following the course multiple times, because there is so much information so you can't digest it in a single shot.

I just wait for the new course they will produce (supposed to be an advanced one).

I found this course to take you from the novice to an intermediate level for the web application part, and this is what I wanted. The other two modules are at an intermediate level.

Congrats!  And thanks for your feedback!

eternal_security
H1t M0nk3y
« Reply #20 on: November 15, 2010, 10:36:59 AM »

Congrats alucian!

Quote
I found this course to take you from the novice to an intermediate level for the web application part
To who would you recommend this course? Novice?

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
alucian
« Reply #21 on: November 15, 2010, 02:31:35 PM »


Quote
To who would you recommend this course? Novice?

I would definitely recommend the web part for the novice students (as I was). The course is taking you from the beginning and it teaches you a lot. Each chapter contains theory and then the tools that help you automate the attacks.
The videos of the tools are very useful, too.
This course opened a new world for me, in an easy way. I will try to continue the exploration by myself, but it is always easier when you have a “master” that points you on the good direction.

CISSP ISSAP, CISM/A, GWAPT, GCIH, eCPPT, OSWP
Solinus
« Reply #22 on: December 02, 2010, 07:29:33 AM »

Thanks for the original post and the responses. This is the information I had been looking for myself. I have been excited about this course from the day I read the review on EH.

Kerry
MCITP:EA | MCTS(x5) | MCSA+ | MCSE+ | Security + | CCNA | WCSP |
DSCE | PCT |CIW Security Analyst | CSSA
pentestnoob
« Reply #23 on: December 19, 2010, 02:51:47 PM »

I just have to add my $.02 after reading these posts. I purchased this course from eLearnsecurity and, being a beginner pentester, I find that it is MUCH more challenging to actually do this stuff than first thought. In my duties and speaking to many of the folks in the business, we spend the bulk of our time searching for vulnerabilities. This course "does" teach that, but it also attempts to focus on exploiting the vulnerabilities. In a typical engagement, I have not been asked to attempt to exploit a production system.

That being said, I have found that I was better off mentoring with a senior pentester than what I got from the slideshow that is this course. I never could get any of the exploits to work and honestly did not feel that I got much help, nor did I feel that it was worth $600 bucks for slides. Use your best judgment - it's especially tough with not too much on the market of this type of on-line training.

Good luck!
Armando
Founder of eLearnSecurity
« Reply #24 on: December 19, 2010, 03:07:11 PM »

Funny
In your "pentesting" engagements you are not asked to exploit vulnerabilities.
Curious.
You talk about mentoring...we provide FREE support from our instructors. Maybe we should advertise this better.
Please log in to our community forum where you will find me and the other instructors there to help you.

Interesting.
This was your first post.

Founder and Lead Author of eLearnSecurity
Training for Penetration Testers
http://www.elearnsecurity.com

Founder of HACK.ME Free community based web app security virtual labs
https://hack.me
SephStorm
« Reply #25 on: December 19, 2010, 08:13:46 PM »

He may be referring to vulnerability scanning. Many companies perform scanning, but do not allow full on penetration testing.

MaXe
I've just upgraded myself to a cyborg muahahaa!!1
« Reply #26 on: December 20, 2010, 04:27:44 AM »

Quote
I just have to add my $.02 after reading these posts. I purchased this course from eLearnsecurity and, being a beginner pentester, I find that it is MUCH more challenging to actually do this stuff than first thought. In my duties and speaking to many of the folks in the business, we spend the bulk of our time searching for vulnerabilities. This course "does" teach that, but it also attempts to focus on exploiting the vulnerabilities. In a typical engagement, I have not been asked to attempt to exploit a production system.

That being said, I have found that I was better off mentoring with a senior pentester than what I got from the slideshow that is this course. I never could get any of the exploits to work and honestly did not feel that I got much help, nor did I feel that it was worth $600 bucks for slides. Use your best judgment - it's especially tough with not too much on the market of this type of on-line training.

Good luck!

Realistic penetration testing, includes exploitation of the target but usually on a cloned network or not mission critical equipment / production equipment. (It wouldn't be good, if the server crashes while people are working.)

If you don't perform any actual attacks, it's rather a vulnerability assessment, because if you can only "guess", based on version banners and heuristics, that a target may be vulnerable, then you're just guessing and assuming the version banners are right, which can be easily spoofed / changed. (Security by obscurity, fools some people.)

Guessing that a target is safe, is not equivalent to that it really is. In some pentests, I did them after work hours to evade problems in case the server(s) shut down by accident (it can happen, even if you're very careful). In others it was possible for me to replicate parts of their services locally and then pentest those (hunt for bugs), and in case I found a bug (especially in web apps), it would be possible to confirm the bug and report it.

I'm an InterN0T'er
sil
« Reply #27 on: December 20, 2010, 09:07:10 AM »

Quote
Realistic penetration testing, includes exploitation of the target but usually on a cloned network or not mission critical equipment / production equipment. (It wouldn't be good, if the server crashes while people are working.)

Sorry I have to disagree with this MaXe and ultimately it all boils down to your SOW between you and your client. Trying to mimic a target is a bad move since you will unlikely be able to obtain an exact replica, patch revisions, installed software, system configurations.

In the last 4 years that I remember with clarity, I've performed to the tune of 50+ active zero knowledge tests with the vast majority of those having the go-ahead to perform full exploits. Want to know how many services I crashed? None. This is because of me testing parameters in labs time and time again. Prior to going on a client's machine blindly, I know which tools are noisy, which tools consume a lot of resources (HP Webinspect anyone?) and when to use them.

From my point of view: "You wouldn't use a sledgehammer to drive a nail would you?" It boils down to understanding what tools do what, which are good alternative tools to use, how to attack your target.

The whole: "you may crash the server" is a moot point and it needs to be understood by the client: "Do you think an attacker from China (Advanced Persistent Annoyance) is going to worry about crashing your server?" A good tester from my POV will illustrate the risk of NOT being allowed to perform a REAL test. A good tester will also know what works and what doesn't. What offsets to use (timing variables, iffy exploits, etc.)

Most of the exploits one can find or write on their own will often contain information about the exploit and whether or not USING the exploit will leave a service unusable. It's up to the tester to weed out those exploits and NOT use ones that will crash services. This is my two cents.

Long ago it was a common popular belief that: "well if I clone their W2K, NT4 machine, run this exploit in my lab... It should run on their machine... Autopwnage!" This would be inconsistent with reality. You could never know what say Windows Updates a server has on it, what's in their IIS/ASP/C# pages to mimic a machine to exactness. What you'd be doing is selling them a pentest of YOUR server under the theory that: "if it affects mine, it can affect yours"

MaXe
I've just upgraded myself to a cyborg muahahaa!!1
« Reply #28 on: December 20, 2010, 09:16:42 AM »

Quote
Long ago it was a common popular belief that: "well if I clone their W2K, NT4 machine, run this exploit in my lab... It should run on their machine... Autopwnage!" This would be inconsistent with reality. You could never know what say Windows Updates a server has on it, what's in their IIS/ASP/C# pages to mimic a machine to exactness. What you'd be doing is selling them a pentest of YOUR server under the theory that: "if it affects mine, it can affect yours"

If they're using a Web Application which is freely available for download or purchase and you find a 0day in that, allowing you to get within the corporation from the outside world, the chance that it works on the target network is high if there aren't any IPSs and / or WAFs imho :-) Of course, in some cases, configurations of the webserver, PHP, MySQL have to be taken into consideration, such as safe_mode, but even that can be broken in some versions.

But you're right that it's impossible to get exact replicas of machines really, since it doesn't stop at software level, it goes all the way down to the hardware and network equipment including configurations used.

Sorry for being unclear on my opinions, I didn't want to write an overly long reply where I might be misunderstood ;D
« Last Edit: December 20, 2010, 09:18:29 AM by MaXe »

I'm an InterN0T'er
H1t M0nk3y
« Reply #29 on: December 20, 2010, 10:28:03 AM »

Hey,

I agree with both of you. I generally test web applications in a dev environment. I would normally find quite a few vulnerabilities. Once the developers are done fixing them, I check again in dev before giving my "ok". Then, once in production, I test the application again in order to check the "production" problems and validate the whole package.

Being not experienced like sil, I was glad twice so far that I was working in dev... ;D

But on the other hand, I always found something in prod after (mainly configuration issues).

So for me, test a clone/copy image first (if you have this luxury) then validate in prod.

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP