So You Want To Hack For A Living?

August 10, 2006

Review of Course Offered at ChicagoCon 2009s 


When looking at the hot security topics of the day, penetration testing, AKA ethical hacking, has got to be near the top of everyone’s list. With the onslaught of compliance regulations, this self-testing process is virtually required by law. As with any technical process (even one as sexy as legal hacking for a living), there are bound to be standards, training and, of course, certifications to go along with it. This one is no different. As we all know, a certification is not the end-all, be-all in the IT world. And as most know, I am fond of saying that a certification is a baseline of knowledge and by no means meant to be an indicator of expert status. But you have to start somewhere.

OK… so I want to be a professional hacker. Where do I start? Who offers this training? As with all popular IT fields, there are a multitude of certifications. Which one do I choose? If I have no experience, how do I start? If I have IT experience, where do I jump in? Well, without causing a huge debate, a lot of companies now use the format of sending their staff to a highly regarded training facility with the end goal of attaining some type of certification. Like it or not, that is the reality. A recent US DoD report (Document 8570.01-M) states their intention to require certifications for security positions. So let’s just continue with the assumption that no matter where you end up on your road to becoming a professional penetration tester, training and a certification are likely somewhere in your plans.



I have a strong interest in security not only professionally but also personally. I find it fascinating. So much so, that I created two web sites dedicated to IT security issues. Years ago, when looking to advance my knowledge and my career in the direction of security, I actually wrote down a number of topics that interested me and certifications that I’d like to attain. As the industry matures, I try to update that list on a regular basis. On that list was (ISC)2's CISSP. Penetration testing was also high on the list. Last year, I wrote an extensive article named Luck, Career Goals and a CISSP Boot Camp detailing my trek. I had a very positive experience with The Training Camp, so when they asked if I’d like to review their Certified Ethical Hacker (CEH) course, I jumped at the chance. This article details that experience.

I was even more excited when they told me that Andrew Whitaker, author of the Cisco Press book Penetration Testing and Network Defense, would be the instructor. My enthusiasm was dashed when a last minute change was necessary. Andrew was replaced by Steve Kalman. I hadn’t heard of the name, so, as all of you should do before attending a class, I googled him. When I found out that he had written the book titled Web Security Field Guide, and had experience working with and teaching in the field of ethical hacking and forensics, I was feeling a little better. Even though I understand this is the way of the training industry, I was still a little down.

The course described in this article and other security boot camps are being offered at a discount at ChicagoCon 2009s May 4 – 9.

For anyone attempting an exam, I highly recommend not only researching the instructor, but also the certification itself, its prerequisites and the curriculum. CEH is a certification by EC-Council that deals with penetration testing. CEH has two main things going for it. First of all, the term ‘ethical hacking’ is not only another way of saying penetration testing, but it has also caught the eye of the media and IT staffers around the world. This leads to my second point. EC-Council got a huge marketing edge because of the awareness that the media attention afforded them. They in turn allowed a number of third party training outfits to offer CEH boot camps. So now, if you look at almost any advertisement for a group that offers security training, CEH is right there next to Microsoft, Cisco, CompTIA and (ISC)2. Maybe it was just a simple case of being in the right place at the right time, but, however you look at it, this cert shot to the top of many people’s wish lists. For other certs in this area, browse our Certification Section.

When researching a little deeper, we find that there’s always a little bad that goes along with the good. I searched for opinions on the Official CEH Courseware offered by EC-Council, and many commented on the horrible grammar (mostly due to English as a second language) and severe lack of organization of the material. When I received my courseware, there were two large books covering the lectures that included a bootable Knoppix CD and a bootable Auditor CD. There was also one smaller book of labs with two CDs of its own. Throw in a CEH t-shirt all nicely arranged in an EC-Council embroidered backpack, and it made for a nice package. Although the courseware has been updated to version 4.1, and most of the grammar was corrected (still enough to make a writer cringe), the organization of the material still needs some work. Don’t get me wrong, the material is clearly separated into the predetermined modules and is apparently better than it had been. But there were still certain items that seemed to be out of place and some screenshots were way off the mark. Also, there seemed to remain a strong emphasis on tools and not the actual process of performing a penetration test. This isn’t so bad, because most of what an ethical hacker does utilizes tools. But the sheer number of tools that the course tried to cover would make even the seasoned pro quiver. Additionally, there were a number of tools that either can no longer be found or are highly outdated. But at least I now clearly know what is expected of me by EC-Council.

So now I have the background information I need in order to start preparing. Remember, a boot camp is more like a review that prepares you for an exam. If you go into any boot camp expecting to learn everything there is to know about a subject with no prior study or experience, you’re sorely mistaken. I won’t say it can’t be done, but it surely is a recipe for failure.

As I always do when prepping for an exam, I go back to my trusty Recommended Study Method that we have posted on the Book Smarts Section of the Certified Security Professional Online Magazine. This has helped many with a number of different exams, so why stop now? As always, try to bring experience and desire to your studies, and remember it is vastly important to use more than one source of study materials. Sometimes the way one person explains a concept, for whatever reason, just doesn’t stick with you. Plus, the more a given subject is studied, the greater the chance of retention. I’ll tweak the Method for this specific exam, but the overall steps remain mostly the same:

  1. Know What You’re Getting Yourself Into – Go to EC-Council’s web site and thoroughly read the details of the modules contained in the CEH Course Description as mentioned above. The CramSession Free Study Guide can be a great help during this step as well.

  2. Read, Read and Then Read Some More – Start off by reading some general books on the topic of penetration testing. A great place to begin is Hacking for Dummies (Look for a new edition of this book later in 2006). Be sure to get more detailed with each book you choose. My recommendation is to read Ed Skoudis’ Counter Hack Reloaded next. His humor and accessibility of the content will stick with you long after you’ve passed the exam. Then concentrate on the specific exam to drill down more into each module with CEH: Exam Prep 2 and/or EC-Council’s own study materials. The last book should be published by the organization giving the exam. Although not always the most well written material, it at least gets you accustomed to their terminology and ways of thinking. After all, they also wrote the exam, so those little buzz phrases are easier to pick out.

  3. Computer Based Training (CBTs) – We are big fans of CBT Nuggets (See full review of their CEH Course), but we also like the Career Academy videos as the instructor covers both CEH and CPTS. Both video series also cover version 4 of the CEH Courseware. CBTs become especially important if you cannot comply with step #4, instructor-led training. As an alternative, you may also want to consider something in between the classroom and computer based approaches with Learn Security Online, web-based training videos and labs with an available mentor.

  4. Boot Camp – If you can afford it (or get your company to pay), attend classroom style training. This article covers The Training Camp.

  5. Use the IT Community – Utilize the EH-Net Community Forums on Ethical Hacking (and any other security forums for that matter) to review problem areas or specific exam experiences. We also host a CEH specific board as well as an Official Course Modules v4.1 board. Those who are currently studying or have already taken that exam will be willing to share their thoughts.

  6. Practice Exams – Use the practice exams either provided by your boot camp or a third party vendor. Go through every single one taking notes on questions/topics for which you did not know the correct answer immediately. Go back through all of your material and brush up on just those topics. Although we like PrepLogic materials for certain subjects, we have found that the practice exams for CEH will confuse you more than help you.

  7. Rest – Get plenty of sleep before your exam. A groggy head loses focus.

  8. Be Prompt – In fact, showing up early to the testing site will drastically reduce stress levels.

  9. Review – Once on site, do a quick scan of your CramSession Free Study Guide and your review questions. This gives your brain a running start into the testing room.

  10. PASS THE EXAM!!

One additional step I would add to this list specifically for the CEH exam is to create your own virtual lab. There are many reasons for this. First of all, the CEH exam is tool heavy. Hands-on usage of the tools will truly help you on the exam as well as in your job. Secondly, if you attend a boot camp, you will most likely be using a system with a virtual lab, so this practice with virtualization will enable you to utilize your time in the classroom wisely. Lastly, and most importantly, you do not want to ‘learn’ on a production network. That could be very bad.

As you can tell, preparation is the number one key to success when attending a boot camp. This is great for not only your time in the classroom but also for your fellow students. It’s bad enough when a single student holds back the entire class from true progress, because they either don’t belong there in the first place or are not as prepared as they should be. It’s even worse if that person is YOU!

As if we didn’t give you enough to do before the boot camp even starts, The Training Camp also sends you an online welcome kit after enrollment. The one item in their pre-class assignments that you should consider is their Flash presentation on determining the type of student you are. If you’ve never done such an exercise, it’s quite helpful. It confirmed what I had assumed all along. I need to sit in the front of the class or else I will get sidetracked. The pressure of having the instructor in my face is all I need to focus on the material presented rather than my own agenda. The kit also includes a number of PDF documents and small videos to make sure that the basics of ethical hacking are covered. There’s good information contained in them, but, honestly, I would put this lower on your priority list. If you have the time, by all means go through the material. But given the above Recommended Study Method, you should be covered. Being the good student that I am (wink wink – nod nod), I did review them all before heading off to class for the week.

When I arrived at the hotel on a hot Sunday afternoon in June, I was disappointed once again by the lack of a Sunday evening ‘Meet the Instructor’ session. I thought this was extremely helpful the last time, as The Training Camp’s CISSP instructor handed out the syllabus and got us prepared for what was to come. Without a CEH Welcome Meeting, I had to create my own expectations. I felt that I had covered an adequate amount of material, and I had followed my Recommended Study Method as closely as I could, considering all of the obligations we professionals must endure. But was the material in the course going to be up to par? How would the last minute replacement instructor be? Would I get stuck in a classroom of newbies whose career aspirations are not tied to this knowledge? Needless to say, I had mixed emotions on what to expect from the class, the instructor and the material.

But as soon as I unpacked and settled into my room, I slowly began to put my doubts aside and started getting into the flow of things. The Training Camp has a method that they refer to as total immersion. Like most of you, I have a full time job and a family, so, even though I live only about 15 minutes away from the training facility, I chose to stay in the hotel with the rest of the students. Away from the distractions of everyday life, I began reviewing some of the material I had covered in the weeks prior. It’s amazing how much more can be accomplished without the incessant office phone, cell phone and email notifications, not to mention the responsibilities of a father with only 2 years’ experience. I really tried to take advantage of my wife’s generosity in taking over the familial duties for an entire week by herself. I dedicated my time from the 2:00 PM check-in until midnight to playing with the virtual lab I created on my laptop. This allowed me to truly immerse myself and focus on the goal at hand.

So what is the goal? Of course knowledge is the correct answer when looking at the issue from a 30,000 foot view. But remember, we’re about to take a class specifically for CEH, using EC-Council’s materials with an exam as the final step of the week. So, without starting an argument, our immediate goal is to pass the exam. Keep this in mind as we continue.

Seeing as how I know of my need to sit in the front of the class, I arrived extra early on Monday morning to reserve the seat of my choice. After claiming my turf, I had plenty of time to observe the room. Observing the room, being the first to log on to the systems and watching the final preparation of the 15 stations for the students gives one an edge during a hacking class. It also gave me the opportunity to meet the instructor and ask a few questions about him, his teaching process and the course. It never hurts to get a jump on the competition, and in a hacking course, your classmates are your competition.

As the other students rolled into the class, an alarming thought ran through my mind. It’s quite amazing how much the image of a hacker has changed. We had a few younger gentlemen in the class, but for the most part, this hacking class was filled with seasoned professionals who were married with families. This image has yet to hit the general public though. I would venture to guess that if you asked someone on the street to describe a hacker, it would be either a punked out juvenile delinquent or some ultra-nerdy guy with taped glasses and pocket protectors. The only stereotype that still fits is that this field is dominated by men, and our class was no different. There are some very talented women in this field, but I truly think it would benefit the community at large if there were a more diverse crowd.

What did hold true was that the class was filled with a number of highly intelligent people. As we moved around the room introducing ourselves, the diversity of the room became apparent with members from the private, public and military sectors. I would say that 90% of the class came with extensive experience in some security field and were very prepared to hit the ground running. For those of you who have never attended a boot camp style course, some of the most educational and entertaining sessions happen during the breaks and lunch while socializing with your classmates. It is not so much the case when attending an entry level course, but the upper level courses inevitably have a higher caliber of student. This not only alleviated one of my fears going into the class, but it also made for an awesome environment in which to share experiences.

Moving on to one of my other fears… As if our instructor had a prepared statement, he immediately dealt with the elephant in the room – the outdated content in the EC-Council CEH curriculum. He seemed to handle the topic adeptly, explaining that the intention of the course was to teach the concepts. Steve continued by saying that the concepts don’t change over the years no matter how many new exploits, tools or operating systems come and go. This meant that we would have to learn tools that you can barely find on the net today, while impressive, up-and-coming tools such as Metasploit were nowhere to be found. Although I couldn’t help but think that this was a little preemptive damage control, I nonetheless could accept the logic of his argument. So, I made a conscious decision to put that fear aside and have fun with the class.

Steve continued with a generalized course syllabus and the schedule we would attempt to maintain. His approach was to start Monday with a heavy load of lectures and a few labs with a gradual progression that would flip that ratio by Thursday. Friday would be left for reviews and testing. We also voted as a group to skip the dinner break between the regularly scheduled daily and evening sessions. Instead, we agreed to work through the break and not waste time or energy leaving and returning to the training facility. Once we left for the day, we were free to have dinner and study on our own time frames.

I appreciated the honesty and flexibility with which Steve taught the class. He had mentioned that, although the course was based on the EC-Council course materials, The Training Camp had painstakingly filtered the courseware down to the essentials needed for the exam while still covering the lion’s share of the material. For this reason, the modules were done in a more logical fashion than in the EC-Council books, and a number of the slides were omitted. Good or bad, remember our goal is to pass the exam. Examining the volumes of material, the sheer number of tools covered by EC-Council, lectures, labs and late night study sessions, I greatly appreciated any shortcuts that were offered.

One of the other benefits of The Training Camp’s CEH Boot Camp was the experience Steve had in instructing this exact course. Combined with having taken the exam himself multiple times throughout its existence (passing every time, I might add), Steve brought a unique and subtle approach to letting us know what information required extra attention from the students. I caught on to this pattern quite quickly, and began to dedicate a special section of my notebook to Steve’s Exam Hints. He never gave out an exact answer to a question or flat out stated content in the exam, but his facial expression, albeit muffled, spoke volumes. Steve in turn eventually caught on to my special notes section. So after a certain topic was covered and the facial expression appeared, he began to look over at me and ask directly if I had written that down. I can only assume by the polite laughter in the classroom that most of the other students had caught on to the pattern as well.

Don’t get me wrong, Steve did bring a breadth of knowledge of the security field with him into the classroom beyond what was required by the exam. He was adept at throwing into the mix many real world stories from his years of experience. So much so that I often thought we would never get through the material with enough time to cover the lab work. Steve’s flexibility and easy going manner seemed to be weighing us down. But he kept assuring us that he was confident in his ability to cover the material and get all students prepared for the exam.

This would normally have been my downfall. As the instructor began to go off on tangents, I began to focus on my own agenda. But this was a hacking class, and that actually helped immensely. It gave me time to play with all of those tools on the preset workstations. Each of our machines was set up with identical images with Windows 2000, both VMware and MS Virtual PC and a CEH themed Knoppix distro in ISO format. Learning your own machine meant that you knew your neighbors’ machines. This was dangerous and fun as we started hacking each other’s systems. Simultaneously, we were practicing counter hack methods. We installed malware, downloaded password hashes and cracked them, escalated privileges, defaced web pages, created FTP access for ourselves, opened remote shells… all the while trying to prevent the other students from doing the same to our own machines. Even better was the ability to talk to the attackers in the room about how they thwarted your defensive moves and the information exchange on their tools of choice. So instead of being my downfall, this actually turned into the best experience of the entire class.

As we moved through the week, Steve kept with his formula of increasing the amount of lab work with fewer lectures and continued tangential stories. At the end of each day, we had an extensive review of the day’s work followed by simplified questions. Although we had to spend more time than expected on Thursday with lectures, we had methodically made it through them all. At this point, we had also completed all of the labs but one, a capture the flag exercise that combined most of what we had covered during the week. We were asked to break into a server through the online banking application of a fictitious company. After a little SQL injection, our goal was to create an account on the machine, make a folder with a personalized copy of netcat and eventually find a hidden message in a file with an alternate data stream. After the test victim was brought to its knees, we ended the day before the exam with a final review and a homework assignment. Steve handed each student a workbook with a sample exam. We were asked to complete the exam that night, with a question by question review the following morning. This would be our launch into the actual exam.

At the end of the day on Wednesday, the students expressed their nervousness about the exam to Steve. He calmly and confidently stated that we were on track, and that he was certain we would feel differently by the end of Thursday. To his credit, he was correct. We had accomplished more than we had realized during the previous days, and the banking exercise was proof. So when we went back to the hotel to take the practice exam, it was relatively easy. All of the little tips, subtle hints and areas on which we were told to focus were covered on the exam. But how would this compare to the actual exam? Considering The Training Camp’s close relationship with certification organizations and their status as being officially recognized by those organizations to teach their courseware, it came as no surprise when Steve indicated that answering 80% of the questions on the practice exam correctly would roughly equal 70% (a passing mark) on the real exam.

Once again, I returned to my tried and true Recommended Study Method. For any question on the practice exam where I did not know the answer immediately, I marked it and reviewed it against third party information and my notes from class. Afterwards, I went through the entire exam again. This time I was able to answer each and every question instantly. Time to get some sleep.

Unfortunately, my health quickly deteriorated throughout the day on Thursday. A bug or something I had eaten was wreaking havoc on my system. This forced me to break Rule #7: Get Sleep Before Your Exam. But I knew that the Friday morning review of the sample exam with the combined knowledge of the instructor and other students would be invaluable. So I forced myself out of bed and stumbled into class. Good thing for me that the preparedness of the students made the review go quickly. Also, Steve’s flexibility in scheduling exam times afforded me the opportunity to take a power nap back at the hotel. If I wasn’t certain of the importance of Rule #7 before now, it was abundantly clear today. The nap made all of the difference in the world. Although not 100%, I felt rejuvenated. I went back to the classroom and followed through with Step #9: A Quick Scan Review. This got my brain geared back into the material. Since I was the last one to take the exam, the other students were all reporting passing marks, even the ones who were nervous. This boosted my confidence even more.

While sitting at the testing computer going through the 125 questions in less than half of the allotted time of 3 hours, I began to see how an official boot camp can make a world of difference. Although the practice exam and Steve’s instruction did not mirror the real exam, they adequately prepared me with the proper concepts and focus points. My head was in tune with the task at hand. As with all exams that are updated on a somewhat regular basis, there were questions that were completely unfamiliar to me. But even on questions where lengthy firewall logs were presented, I felt like Russell Crowe in A Beautiful Mind, where the answers seemed to jump right out at me.

If I had one complaint about our instructor, it would be that he was somewhat monotone. I know for me personally, hacking is exciting. When I talk with others on how to crack a password hash using a hybrid attack with rainbow tables, I can’t help but show my enthusiasm. It’s cool stuff! Plus, some extra energy is never a bad thing when sitting in the same room for hours on end over a five day span. On the other hand, I have to realize that people have different styles and varying methods of teaching.

But, I can’t argue with success. When I clicked the final button to complete my exam, the results page quickly returned an announcement that I had passed with 87%. That meant a clean sweep for Steve Kalman; all fourteen of his students had passed.

Steve was humble in giving the credit to the high quality of the students. But considering his knowledge and experience, The Training Camp’s modifications of the course and the quality of available books on the subject, I don’t think the students would have performed nearly as well without that help. It really felt like a team effort, and the entire team won because of it.

With this goal achieved, it shouldn’t end there for you or me. Continuing education and refinement of skills is what truly makes a certified ethical hacker into a valued security professional. So the only question that remains is, ‘What are you waiting for?’ Your dream job is out there waiting for you. Go get it.

Donald C. Donzal
Editor-In-Chief
The Ethical Hacker Network
