eLearnSecurity’s Penetration Testing Pro (PTP) – What CEH Should Have Been
Recently the web has been abuzz with pentest training options. The CEH received new life as it was added to DoD Directive 8570 as well as revamped its courseware in version 6.0, Offensive Security rolled out their version 3.0 of “Pentesting With BackTrack,” and it seems like new training options are coming out almost every day in the field. That being said, I have been lucky enough to receive an advanced copy of the flagship course by eLearnSecurity, Penetration Testing Pro (PTP).
PTP is a three section presentation and video course authored by Armando Romeo (admin of hackerscenter.com), Brett D. Arion, Nitin Kumar, and Vipin Kumar. It has an optional certification component called the Certified Professional Penetration Tester or eCPPT for short. The target audience for the course is security engineers or penetration testers in the 0-3 year experience range. The course divides penetration testing into three categories: System Security, Network Security, and Web Application Security. Let’s take a look at each.
The Systems Security Module is arguably the most advanced section of the three. The introduction covers using Dev-Cpp, some assembly concepts, and windows driver development. Then the Systems Section drills down into:
• Cryptography and Password Cracking
• Buffer Overflows
• Malware Introduction
• Rootkit Coding
Cryptography and password cracking is the fast track to all things crypto and authentication including introductions to Hashing, SKI, PKI, Block Ciphers, Stream Ciphers, PGP, SSH, Historic Cryptography Attacks, and then ending with a full section on Windows System Authentication including covering tools like psexec, pwdump, fgdump, gsecdump, ophcrack, and nbtdump for password cracking.
The next section on “Buffer Overflows” gives a really good introduction to the stack and how memory works. It then massages you through examples of finding an overflow, triggering a stack overflow, fuzzing platforms, and then a final section for exploiting a real-world overflow in a FTP suite. This section goes from theory to code very fast and is very exciting. It also goes hand-in-hand with the “Shellcoding” section.
The next few sections I’ll cover quickly. “Shellcoding” is a crash course on writing OS specific shellcode, egg hunters, etc. There is literally a few days of material between these two sections if you follow the examples and exercises. “Malware Introduction” is a great section that covered some of my favorite topics such as malware techniques, packers, polymorphism, metamorphism, obfuscation, and vectors from which malware spread. Lastly, “Rootkit Coding” is the shortest of the systems sections but still contains a great deal of explanation of rootkit classification, how rootkits hide, and control file access. All sections here lead with example code from which to learn.
Network Security (a la network pentesting)
• Information Gathering
• Scanning and Target Detection
• Sniffing and MITM Attacks
• VA & Exploitation
The pentesting module (here called Network Security and Web Application Security) was what I was really waiting to see, since it is the material for which I am most comfortable. Using Backtrack as a common test platform, the Network Security module takes you all the way from finding targets to staying hidden.
The first section, “Information Gathering,” goes over usage of common, up-to-date tools (unlike the CEH) including lessons on Nmap, Maltego, SubDomainer, DnsMap, Cain, Arpspoof, etc. All of these give step-by-step walkthroughs of the tools and, for the most part, cover why they work and what they are doing. These mini-sections include video walkthroughs for some of the tools as well.
“Scanning and Target Detection” leads off with theory, explaining the essentials of the ports, protocols, services, and the TCP 3-way handshake. Students then delve into Nmap and an intro to SuperScan. Both scanners are covered adequately and include the types of scans you would use on an internal pentest. Where applicable eLearnSecurity seems to try and cover both the Windows and Linux versions of a given tool to get the job done. Additional sections cover techniques for using and integrating Amap, Unicornscan, and p0f with Nmap. The scanning module includes videos covering advanced Nmap topics like the Nmap scripting engine, timing options, and other Nmap related goodness.
“Enumeration” covers mostly NetBIOS and SNMP. All your favorite tools and scripts to pull down the data associated with these two services are represented. The NetBIOS sections cover finding valuable shares using net view, auditing NetBIOS using NAT, winfo, and gathering usernames using SID2USER and USER2SID. The SNMP section showcases attacks against the community strings, using MIB resources to enumerate devices and servers, brute forcing, and using a variety of tools to pull down more SNMP information.
“Network Sniffing and MITM” is a primer for wireshark, tcpdump, dsniff, windump, ettercap, macof, Dnsspoof, arpspoof, Cain, and sslstrip. This section/module is a really well put together set of guides on how MITM trickery works, how to spoof everything one would need, and how to capture all that juicy data from your client’s LAN.
“Vulnerability Assessment and Exploitation” is one of the longest sections. It guides the student through setting up a full Nessus and Metasploit install and then through the usage of each product respectively. This section is video heavy and does not feature as much ninja-ry as we’d liked, but I am assured there will be more content added soon.
Finishing off Network Security is a small section called “Anonymity” which covers proxies, SSH tunneling basics, TOR, and cleaning logs on *nix and Windows machines. This section was very informative and is often an overlooked part of testing.
Web Application Security
• Information Gathering
• Vulnerability Assessment
• SQL Injection Attacks
• Advanced Web Attacks
One area that impressed me very much was the Web Application Module. Probably related to his HackersCenter.org experience, Armando covers these topics very well. The “Introduction” and most sections thereafter cover their topics eloquently, making web hacking easy to learn.
“Information Gathering” rehashes some ideas from the network side but still manages to get some very valuable ideas across like Fingerprinting Frameworks and Applications, Harvesting Usernames using Burp, and some Google Hacking basics. “Vulnerability Assessment” was the only section we found a bit lacking as we would have liked to see Grendel Scan, W3af, NetsparkerCE, etc, covered instead of just Nessus with Web Checks and Nikto. We contacted Armando, and he told us that there will be a completely stand-alone Web Application course on its way containing much more web hacking fu. In the meantime he is working on adding w3af into the VA section.
“XSS” goes through all of the types of XSS (persistent, DOM, reflective), how to attack them, stealing cookies, and using BeEF for further infiltrating the browser. “SQL Injection Attacks” covers some really good injection examples, and gets into some very advanced database fu. After introducing you to the manual way, Armando shows the students how to do the techniques using Absinthe, BSQL Hacker, Pagolin, and SQLmap. This section was very well represented. The last section, “Advanced Web Attacks,” covers session stealing via predictability, cross site request forgery, local and remote file inclusion, and an intro to Web 2.0 (AJAX) auditing.
Just when you thought you were done, Armando and his course authors added some great extras to the package! This consists of a set of forms to keep track of your scanning and enumeration results, and a 24-page guide on reporting. This guide goes through a full pentest report and potentially what should be in each section. It is one of the best put together documents I have seen for this purpose and is extremely impressive. Also included is a document on mapping your project via mindmaps (one of my personal favorite techniques) using FreeMind.
Technical Content: 8/10
I kept thinking “this is what the CEH/LPT should have been,” and I am delighted to say that if students can master the topics and techniques in eLearnSecurity’s Penetration Testing Pro, they should be well on their way to being an accomplished pentester. eLearnSecurity’s course is easy to follow the whole way through with appropriate breaks for video and sprinkled exercises at every turn. I enjoyed each section and could have taken much more time to review them as the course houses 1600 slides of information and 4 hours of video. If you think 1600 slides is too much, let us assure you it never felt disjointed. All the way through the course eLearnSecurity doesn’t just throw the tools in your face, attendees also get the technical foundation and theory to back it up using the attack tools. As for interaction, I emailed Armando many times, and he was very helpful getting us set up and fixing any content related issues. He assured us he will be just as vigilant with every student and has a forum set up for all such issues and suggestions. The extras, including the reporting guide, were great additions at the end of the 3 main sections. I am very impressed by the product as a whole and congratulate Armando and Team in an exceptional first run of the course.
Areas for Improvement
Although eLearnSecurity was a great course, there were a few things I would have liked to have seen or have covered deeper in the course.
Firstly, starting with a client side/social engineering section (maybe including tools like SET, JetMetric, Phishme). I also didn’t notice any Pcap Analysis coverage in the “MITM” Section using tools to pull out relevant data after gathering some traffic. In the “VA and Exploitation” Section there was no Metasploit Scripting or Nmap/Nessus integration w/ Fastrack/DBautopwn. In large networks making the most of these features often will save a lot of time. Even coverage of some of the more popular NBE parsing utilities/scripts would be great. I would have liked more Metasploit fu, such as the newer getsystem functions, using resource files, using multi-handler, etc, but there are other places I can go for that if needed (MSU). There was also no Pass the Hash coverage which was disappointing due to the great attack vector it opens up.
As I said, this is the first run of the course, and it is a stellar curriculum that has some great people behind the wheel. We are confident that any ideas or contributions that better the course will be added by the eLearnSecurity team as fast as possible.
So in closing, here’s my offering for a soundbite world:
eLearnSecurity’s Penetration Testing Pro: the CEH killer =)
Jason Haddix, VP of Trust and Security at Bugcrowd, Inc.
I am passionate about information security. Not only is security my career focus but it’s my hobby. I absolutely love my job.
In my previous role as Director of Penetration Testing I led efforts on matters of information security consulting. The gamut stretched from developing test plans for Fortune 100 companies to competing in “bake-offs” to win business against other top tier consulting vendors.
In my current role I serve as the Director of our Application Security Engineers and Technical Operations. This means I am an extension of (and advisor to) over 300+ security programs across many industry verticals. Under my direction, my team has triaged over 15,000 vulnerabilities this year alone. We also strive to keep the relationship between vulnerability researcher and customer a good one.
While I never call myself a “master” of anything, I do have a very particular set of skills; skills I have acquired over a very long career. These skills make me adept at getting business, finding security vulnerabilities, and eventually leading a customer to a better security posture.
Jason is a regular columnist for EH-Net. See all articles by Jason Haddix.Tags: course review elearnsecurity haddix pentest ptp webapp