eLearnSecurity opinions?

    • #5472
      eternal_security
      Participant

      I’m thinking of checking out eLearnSecurity’s on-line program.  I’ve already got my C|EH (worthless) and OSCP.  I need some opinions.

      1) Is the PTP course well organized?
      2) Could anyone who has taken training from Offensive Security and eLearnSecurity give opinions on how the two compare? (it looks like the PTP course goes a little more indepth on some topics)  Which puts the material into a better organized methodology?
      3) Is it worth the money, especially if you already have OSCP?

      I really enjoy the security aspect of my job, but since it is not the sole focus of my job, getting $$ and time allocated for training like this is not easy.  Any opinions/guidance would really be helpful.

      Thanks.

      Kind regards,
      eternal_security

    • #34607
      UNIX
      Participant

      Just in case you didn’t see it already.. there was a review posted here on EHN.

    • #34608
      Xen
      Participant

      I’m studying eLearnsecurity’s PTP course. I haven’t taken OSCP so I won’t be able to compare them. xXxKrisxXx did a nice comparison of both the above courses here  http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,5399.msg30830/#msg30830
      I think Hayabusa is also enrolled in PTP and has already attained OSCP cert. so he will also be able to provide some valuable input.

      1) Is the PTP course well organized?

      Yes. It covers 3 modules- Web application security, Network security and System security.
      Network security module covers the pentesting methodology and tools. I didn’t find anything exceptional here which isn’t already in other courses’ syllabus- and OSCP’s too.
      System security module is good, though it covers some sections extensively and just introductory stuff for others.
      Web application security module is very good. Armando has written it really well. Out of all the three, I enjoyed this module the most. His web application footprinting methodology and other stuff is really useful.

      My opinion of this course is that, it tries to cover a lot of stuff, and achieves this objective to some extent. But, as a result it also misses some useful stuff. It gives you pointers/introduction to a lot of stuff, but doesn’t cover anything in so much detail so as to make you a perfectionist (I specially found this to be a problem with the system security module).

      2) Could anyone who has taken training from Offensive Security and eLearnSecurity give opinions on how the two compare? (it looks like the PTP course goes a little more indepth on some topics)  Which puts the material into a better organized methodology?

      I can’t answer this question. However, from what I’ve gathered through other members’ posts, OSCP has lot of labs. You’ll be disappointed with PTP as far as labs go. For the few labs there are you’ll have to download the software on your machine and practice it.

      3) Is it worth the money, especially if you already have OSCP?

      Again, I can’t compare it with OSCP. I think PTP is a good beginner to medium level course. System security module just touches a lot of stuff but doesn’t go in-depth. Network security module covers a good deal of network pentest stuff but nothing exceptional. Web application portion is very good, and what it covers, it covers in detail.

      Hope it helps. Feel free to PM me or ask here if you’ve more specific questions.

    • #34609
      KrisTeason
      Participant

      Thanks for referencing my post Equix3n, I tried to compare them quickly and that’s all I had. I’m thinking about doing a full side-by-side comparison between the two and go more in depth. I also fully agree with Equix3n’s answers above to your questions eternal_security.

      (it looks like the PTP course goes a little more indepth on some topics)

      I’d say it goes more in depth mainly on the web application attack section. More topics are covered and it’s the course’s strong section but it’s a go figure on this, considering to pass the exam you have to break a web application. eLearnSecurity also has some nessus stuff and brings in more point and click tools to use during a pentest while PWB is like more focusing on getting your ninja command-line skills prepped. I’ll try to answer two of the questions just based off of my opinion.

      2) Could anyone who has taken training from Offensive Security and eLearnSecurity give opinions on how the two compare? (it looks like the PTP course goes a little more indepth on some topics)  Which puts the material into a better organized methodology?

      Comparison wise – both to earn the certification you have to provide practical skills in breaking something and you have to provide a report. I’ve heard the report’s not necessary but highly recommended for PWB v3 and is recommended for eLearnSecurity’s course. Comparing them further they both have videos in the course which demonstrates tool usage.

      3) Is it worth the money, especially if you already have OSCP?

      I’d hate to sound like I’m knocking the course but here I think it really depends. I think the OSCP course was more hands-on and I’ve learned more. I honestly haven’t gone in depth with looking at the information in the first 2 modules of eLearnSecurity’s PTP course – System Security and Network-Security. I’ve skimmed them a little bit but I’ve been mainly paying attention to the Web Application Security module simply because the exam is more focused on it.

      I think if you have your OSCP already – your knowledge goes past eLearnSecurity’s Network Security section. Their System Security section gives you a minor introduction into Cryptography and Password Cracking, Buffer Overflows, shellcode, malware and rootkit coding. Your prime interest if you hold an OSCP Certification from pwb v3 would be their web application module. I haven’t taken CEH but I’d just say eLearnSecurity because they have a practical exam and required report to earn the certification, it surpasses what a person has to do to earn their CEH certificate. Sure the CEH may cover more topics and a large amount of tools than PTP but I think penetration testing training should be focused on getting hands-on experience with tools – Getting down and dirty in a real life testing environment, being placed in scenarios and situations where you have to prove you’ve learned your material. I think PTP has this to an extent but PWB v3 has it more so.

      Long story short, if you have your OSCP  I think the course would be beneficial for upping your web application attack skills a little bit more but it’s really up to you if you want to spend the money just to get the little extra material this course covers that PWB doesn’t.

      eternal_security I know you said security isn’t the sole focus of your job, but perhaps opting for the OSCE certification would be better in this situation? Have you ever thought about taking it?

    • #34610
      impelse
      Participant

      Everything is true, for ex. the path I am taking is:

      eLearnsecurity > CEH > OSCP

      or

      CEH > eLearnsecurity > OSCP

    • #34611
      alucian
      Participant

      I just got the results today from the exam, so from now on I am an eCPPT!

      I really liked the course. It is very well structured, and a very important advantage is that you can access it any time.

      Now I am doing some checks for work and I use the course as a guide for the most important steps. I recommend following the course multiple times, because there is so much information so you can’t digest it in a single shot.

      I just wait for the new course they will produce (supposed to be an advanced one).

      I found this course to take you from the novice to an intermediate level for the web application part, and this is what I wanted. The other two modules are at an intermediate level.

    • #34612
      Xen
      Participant

      Congrats Alucian! Looks like you need to update your signature 🙂

      I’ve to submit my report by 14 November. I’m almost done, just have to perform some backend infrastructure tests though. Hopefully, I’ll be an eCPPT by the end of this month.

    • #34613
      UNIX
      Participant

      Congrats, alucian.

    • #34614
      impelse
      Participant

      Congrats

    • #34615
      MindOverMatter
      Participant

      Congratulations! Very awesome, I’m barely on the first few modules and really liking the course. 

      I can’t wait to get to the next couple of sections, but I must admit that this first section of modules of Web Applications has taught me a lot so far.

      I’ve been taking it pretty slow, going back and over the modules a time or two before continuing on.  Looking forward to get where you are!

    • #34616
      MindOverMatter
      Participant

      I was wondering if anyone who’s received their eLearnSecurity’s ePPT certificate/certification would mind sharing it with us.. Maybe block out the name if that would pose a problem…

      I’m just curious as I’ve seen all the others and wanted to know what this one looks like.. As in, is it standard frame size etc..

      P.S. I don’t know if I like the fact that CompTia started to make their certs physically smaller… They look cooler than before, but not the “standard” cert size, if one truly exists..

    • #34617
      impelse
      Participant

      Alucian  How long did you wait for your exam results?

    • #34618
      alucian
      Participant

      @MindOverMatter wrote:

      I was wondering if anyone who’s received their eLearnSecurity’s ePPT certificate/certification would mind sharing it with us.. Maybe block out the name if that would pose a problem…

      I only received a pdf that it is a diploma. I don’t know if I’ll receive a printed one.

      @impelse wrote:

      Alucian  How long did you wait for your exam results?

      I waited a month until I had an answer. Initially they asked me to redo the report, because it didn’t look so good (I made it in one day so..). Also, I had put the wrong names for some vulnerabilities, plus I went a little further than the scope of the test, so I had to remove a find.
      These comments made me think that he really looked very carefully at my report.

      So, I had a week to redo the formatting of the report, not to redo the test. If my refined report wasn’t good enough in terms of findings I would have had to redo the test, but it was good enough to receive the certification.
      I really appreciated this, and I am sure that Armando is extremely busy.

      Good luck and be patient.

    • #34619
      impelse
      Participant

      One month??????, I sent mine last Sunday :P, this waiting is killing me.

    • #34621
      impelse
      Participant

      I have to admit, it is a real penetration, for the first time
      I learnt how to make a report

    • #34622
      MindOverMatter
      Participant

      Hey thanks Armando, for posting the certification, it’s actually really nice, I like it!  I’m gonna frame it and put it next to my others when achieved.

      I look forward to getting mine soon as the course is very engrossing, makes you want to keep going and going, although I like to go back and refresh the previous before continuing.

      One of the things I really like about the course (that at first I wasn’t sure about) are the slides.. It’s very clear, sharp-looking fonts that are easy to read and not too much info is on each slide, so you don’t get bored or overwhelmed.  It’s a very efficient learning technique I think, especially for anyone with short attention spans.

    • #34623
      MindOverMatter
      Participant

      I also gotta say, learning aside that the logo and color scheme for eLearnSecurity is pretty awesome.  Whoever came up with it is a darn good social engineer / marketeer.

    • #34624
      SephStorm
      Participant

      Nice certificate, oh god, if Paris Hilton was a pentester…. well, I guess there’s nothing to fear.

      If you guys haven’t already, you might want to consider printed certificates and a nice card, professionals like to have a little card to show off. They’ve been begging for them over at the EC-Council forums every now and again.

    • #34625
      eternal_security
      Participant

      @alucian wrote:

      I just got the results today from the exam, so from now on I am an eCPPT!

      I really liked the course. It is very well structured, and a very important advantage is that you can access it any time.

      Now I am doing some checks for work and I use the course as a guide for the most important steps. I recommend following the course multiple times, because there is so much information so you can’t digest it in a single shot.

      I just wait for the new course they will produce (supposed to be an advanced one).

      I found this course to take you from the novice to an intermediate level for the web application part, and this is what I wanted. The other two modules are at an intermediate level.

      Congrats!  And thanks for your feedback!

      eternal_security

    • #34626
      caissyd
      Participant

      Congrats alucian!

      I found this course to take you from the novice to an intermediate level for the web application part

      To who would you recommend this course? Novice?

    • #34627
      alucian
      Participant

      @H1t M0nk3y wrote:

      To who would you recommend this course? Novice?

      I would definitely recommend the web part for the novice students (as I was). The course is taking you from the beginning and it teaches you a lot. Each chapter contains theory and then the tools that help you automate the attacks.
      The videos of the tools are very useful, too.
      This course opened a new world for me, in an easy way. I will try to continue the exploration by myself, but it is always easier when you have a “master” that points you on the good direction.

    • #34628
      Solinus
      Participant

      Thanks for the original post and the responses. This is the information I had been looking for myself. I have been excited about this course from the day I read the review on EH.

    • #34629
      pentestnoob
      Participant

      I just have to add my $.02 after reading these posts. I purchased this course from eLearnsecurity and, being a beginner pentester, I find that it is MUCH more challenging to actually do this stuff than first thought. In my duties and speaking to many of the folks in the business, we spend the bulk of our time searching for vulnerabilities. This course “does” teach that, but it also attempts to focus on exploiting the vulnerabilities. In a typical engagement, I have not been asked to attempt to exploit a production system.

      That being said, I have found that I was better off mentoring with a senior pentester than what I got from the slideshow that is this course. I never could get any of the exploits to work and honestly did not feel that I got much help, nor did I feel that it was worth $600 bucks for slides. Use your best judgment – it’s especially tough with not too much on the market of this type of on-line training.

      Good luck!

    • #34631
      SephStorm
      Participant

      He may be referring to vulnerability scanning. Many companies perform scanning, but do not allow full on penetration testing.

    • #34632
      MaXe
      Participant

      @pentestnoob wrote:

      I just have to add my $.02 after reading these posts. I purchased this course from eLearnsecurity and, being a beginner pentester, I find that it is MUCH more challenging to actually do this stuff than first thought. In my duties and speaking to many of the folks in the business, we spend the bulk of our time searching for vulnerabilities. This course “does” teach that, but it also attempts to focus on exploiting the vulnerabilities. In a typical engagement, I have not been asked to attempt to exploit a production system.

      That being said, I have found that I was better off mentoring with a senior pentester than what I got from the slideshow that is this course. I never could get any of the exploits to work and honestly did not feel that I got much help, nor did I feel that it was worth $600 bucks for slides. Use your best judgment – it’s especially tough with not too much on the market of this type of on-line training.

      Good luck!

      Realistic penetration testing, includes exploitation of the target but usually on a cloned network or not mission critical equipment / production equipment. (It wouldn’t be good, if the server crashes while people are working.)

      If you don’t perform any actual attacks, it’s rather a vulnerability assessment, because if you can only “guess”, based on version banners and heuristics, that a target may be vulnerable, then you’re just guessing and assuming the version banners are right, which can be easily spoofed / changed. (Security by obscurity, fools some people.)

      Guessing that a target is safe, is not equivalent to that it really is. In some pentests, I did them after work hours to evade problems in case the server(s) shut down by accident (it can happen, even if you’re very careful). In others it was possible for me to replicate parts of their services locally and then pentest those (hunt for bugs), and in case I found a bug (especially in web apps), it would be possible to confirm the bug and report it.

    • #34633
      sil
      Participant

      @MaXe wrote:

      Realistic penetration testing, includes exploitation of the target but usually on a cloned network or not mission critical equipment / production equipment. (It wouldn’t be good, if the server crashes while people are working.)

      Sorry I have to disagree with this MaXe and ultimately it all boils down to your SOW between you and your client. Trying to mimic a target is a bad move since you will unlikely be able to obtain an exact replica, patch revisions, installed software, system configurations.

      In the last 4 years that I remember with clarity, I’ve performed to the tune of 50+ active zero knowledge tests with the vast majority of those having the go-ahead to perform full exploits. Want to know how many services I crashed? None. This is because of me testing parameters in labs time and time again. Prior to going on a client’s machine blindly, I know which tools are noisy, which tools consume a lot of resources (HP Webinspect anyone?) and when to use them.

      From my point of view: “You wouldn’t use a sledgehammer to drive a nail would you?” It boils down to understanding what tools do what, which are good alternative tools to use, how to attack your target.

      The whole: “you may crash the server” is a moot point and it needs to be understood by the client: “Do you think an attacker from China (Advanced Persistent Annoyance) is going to worry about crashing your server?” A good tester from my POV will illustrate the risk of NOT being allowed to perform a REAL test. A good tester will also know what works and what doesn’t. What offsets to use (timing variables, iffy exploits, etc.)

      Most of the exploits one can find or write on their own will often contain information about the exploit and whether or not USING the exploit will leave a service unusable. It’s up to the tester to weed out those exploits and NOT use ones that will crash services. This is my two cents.

      Long ago it was a common popular belief that: “well if I clone their W2K, NT4 machine, run this exploit in my lab… It should run on their machine… Autopwnage!” This would be inconsistent with reality. You could never know what say Windows Updates a server has on it, what’s in their IIS/ASP/C# pages to mimic a machine to exactness. What you’d be doing is selling them a pentest of YOUR server under the theory that: “if it affects mine, it can affect yours”

    • #34634
      MaXe
      Participant

      @sil wrote:

      Long ago it was a common popular belief that: “well if I clone their W2K, NT4 machine, run this exploit in my lab… It should run on their machine… Autopwnage!” This would be inconsistent with reality. You could never know what say Windows Updates a server has on it, what’s in their IIS/ASP/C# pages to mimic a machine to exactness. What you’d be doing is selling them a pentest of YOUR server under the theory that: “if it affects mine, it can affect yours”

      If they’re using a Web Application which is freely available for download or purchase and you find a 0day in that, allowing you to get within the corporation from the outside world, the chance of that it works on the target network is high if there isn’t any IPS’s and / or WAF’s imho 🙂 Of course, in some cases, configurations of the webserver, PHP, MySQL has to be taken into consideration, such as safe_mode, but even that can be broken in some versions.

      But you’re right that it’s impossible to get exact replicas of machines really, since it doesn’t stop at software level, it goes all the way down to the hardware and network equipment including configurations used.

      Sorry for being unclear on my opinions, I didn’t want to write an overly long reply where I might be misunderstood  ;D

    • #34635
      caissyd
      Participant

      Hey,

      I agree with both of you. I generally test web applications in a dev environment. I would normally find quite a few vulnerabilities. Once the developers are done fixing them, I check again in dev before giving my “ok”. Then, once in production, I test the application again in order to check the “production” problems and validate the whole package.

      Being not experienced like sil, I was glad twice so far that I was working in dev…  ;D

      But on the other end, I always found something in prod after (mainly configuration issues).

      So for me, test a clone/copy image first (if you have this luxury) then validate in prod.

    • #34636
      rabray
      Participant

      I have an opinion about this thread.  I’m currently working on this cert.

      I have found that for me this course is one that personally I could afford, spent my staff training budget I think on CEH. But wanted more, so for the first time in my career I put my hand in my own pocket for a course.

      So far I can honestly say I don’t feel anyway disappointed.

      The course is a real challenge instead of a walkthrough for a change, been on many a course over the years and a few other cert, this course encourages me to think, research, test and learn.

      I like the fact that vulnerability assessment tools don’t make it easy, I expect that manual testing and proper understanding and willingness to research etc is what a tester needs to be.

      I can also say that so far commitments that have been made to learners to continue to improve the value have been met and I don’t foresee any changes to that.

      I have received support to broaden my understanding from the tutors, the forum is the main method at the moment, but like someone else pointed out there is a need to be patient which I can understand.

      I don’t know if it is best to do perhaps ceh, sec+ before you go for this one but I would at least suggest anyone thinking of signing up makes sure they allow enough time for independent research. Like I said there is no walkthrough, and it’s not like training for a mc exam.

      One more thing I will add lifetime access at the price set is also of value.

    • #34637
      SephStorm
      Participant

      Thanks for your review, let us know how it turns out for you!

    • #34638
      rabray
      Participant

      Will do. Hopefully well, my feelings about my confidence levels of passing are up and down 🙂

      But it won’t be for the lack of effort.

    • #34639
      eternal_security
      Participant

      Again, thank you all for your input.  After reading all of these posts, and seeing that PTP has been updated with additional information, I’m starting to consider taking the class again.  I can probably get the $$ allocated from work, so it’s just a matter of deciding if I really think it is worth the time and money, and getting my boss to approve it.

      Has anyone enrolled since the courseware has been updated?  If so, how much value do you think the updated information adds to the course?

      Thanks!

      Kind regards,
      eternal_security

    • #34640
      Darth Que
      Participant

      Can someone please provide the prices for the student and pro versions? Thanks.

    • #34641
      UNIX
      Participant

      Pro is $599, 5% discount here.

    • #34642
      Xen
      Participant

      Here’s the update information:

      a) The upgrade consists of an overall improvements in the language, corrections of typos and a multitude of minor bugs.

      b) We have also included a new wonderful module for you to study: SOCIAL ENGINEERING
      You will find this module, including 30 minutes of videos on Social Engineering Toolkit, in the Network Security section.

      I haven’t checked the module because my semester exams are going on, so I can’t comment on the updated content.

    • #34643
      rabray
      Participant

      With regards to the upgrade there have been a variety of improvements in terms of the readability of the slides. I have still noticed a few bugs, but as yet have not had a chance to feed these back to Armando at elearn but I am confident he will be happy to hear about these and improve further.

      The new Social engineering section is quite informative and the SET video is excellent in my opinion.

      I also believe improvements are on the way with regards to more labs and further expansion of the report writing guides.

    • #34644
      SephStorm
      Participant

      Does the Web Pentesting module have to be done first, or can the order be switched around?

    • #34645
      KrisTeason
      Participant

      This course can be gone through at your own pace in any order.

    • #34646
      SephStorm
      Participant

      hmmm. I might just have found my leave plans…  ;D

    • #34647
      Darth Que
      Participant

      Ty for the information on the pro version and the 5% discount. ;D Does anyone know the price of the student version? Does anyone know the difference in content between the student version and the pro version? Thanks…

    • #34648
      rabray
      Participant

      I am not sure about the price of the student version. I believe that this is to be set and will be public fairly soon.

      Content wise this has not been made public yet but I believe it is to lead up to the Pro version so more introducing concepts and skills that you need to get you up to speed for Pro.
