My roadmap to InfoSec

This topic contains 19 replies, has 8 voices, and was last updated by  Triban 7 years, 11 months ago.

  • #7200
     MrTuxracer 
    Participant

    Hello EH-Community,

    I’m new to this community, but I have read a lot of good & interesting articles in here and that’s the reason why I need your advice  🙂

    I’m currently working as a network administrator for about 4 years now (it’s my first job) and would like to go deeper into InfoSec. I spent most of my day on router, switch and firewall shells, so I’ve got quite good networking fundamentals. Beside this I am a LPI – certified Linux fanboy – well, I don’t use Windows unless there’s no other way, like in the world of Active Directory  😉 and I am a VMware enthusiast, because I love this technology and its impact.
    I’ve got coding knowledge in VB.NET, PHP/SQL and basic ASM, C++.

    Now I would like to realign my focus on InfoSec like attack and prevention mechanisms. I’m interested in InfoSec for over a year now and already have some basic fundamentals (like WebSecurity, BufferOverflows, usage of Metasploit and some other common tools) but I’m missing the in-depth details. That’s the reason why I started to blog about things but this only helps a little. Now I’ve read a lot about certifications on EH and think those courses and (practical) exams are the best way to learn the details.

    I’m currently thinking of going this way during the next 2 years:
    CEH -> eCPPT Pro -> OSCP -> OSCE
    (Taking the CEH and eCPPT Pro until summer, and the OSCP until end of 2012).

    What do you think ?

    By the way: My problem is that I have to pay most of the courses/exams out of my own pocket because my employer doesn’t want to pay them. I hope that they’ll pay at least the CEH :-

    Thanks & Regards

  • #45015
     KrisTeason 
    Participant

    Hi MrTuxracer,

    Welcome to the forums. Great background! Your experience in programming will help you out big time. Looks like a solid track you’ve set up for yourself, but with you having the fundamentals under your belt, I would say it’s time to go out there and have at it. VMware is great for practice! Set up some vulnerable VMs, get some vulnerable software, and hack away.

    Having taken the eCPPT Pro and OSCP courses, I can tell you’re going to learn a good amount. Plus with the practical exams versus written, after you earn the certifications, they’ll look better to employers (although I haven’t seen the eCPPT recognized yet by HR. OSCP/E is getting its recognition barely, and CEH they love to see – though the exam is written). Be sure when you sign up for the eCPPT course, you obtain the 5% voucher offered for EH-NET members, which could be redeemed here.

    There are several of us here who pay out of pocket for our training. Sounds like we’re all in the same boat in relating to getting the best training for buck. Although not initially mentioned, alternate positive resources at affordable prices are:

    Hacking Dojo

    Strategic Security – which I believe was previously LearnSecurityOnline

    SecurityTube

    I think you’ve picked a solid route to take and you’re in for a fun ride (especially by the time you get to taking Cracking the Perimeter). We’re all here to help along the way. For future references if you want to go the route of practicing in your own lab, below are a few links that will help out:

    Virtual Images of Windows XP, Vista, and 7 – Compatible with Virtual PC
    http://www.microsoft.com/download/en/details.aspx?id=11575

    VMware’s Virtual Appliance Marketplace – Containing Windows 2003 & Various Linux Distros
    http://www.vmware.com/appliances/

    Vulnerable Web Applications for Learning
    https://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/

    OldApps – Find older software to practice exploitation on
    http://www.oldapps.com/

    Vulnerable by Design – Links to tons of vulnerable VMs, Web Apps, War Games & More
    http://g0tmi1k.blogspot.com/2011/03/vulnerable-by-design.html

  • #45016
     Seen 
    Participant

    Honestly, I would take the eCPPT first, and strongly read these forums in regards to the CEH.  It looks good on a resume, but from what I hear you don’t get a lot of knowledge from the CEH.  The eCPPT, on the other hand is a great entry-level cert, and way cheaper than the CEH unless you don’t have to take the class.

  • #45017
     MrTuxracer 
    Participant

    Thanks xXxKrisxXx & Seen for your answers!

    @xXxKrisxXx:
    I thought about the SMFE course made by SecurityTube too, but it’s quite too new and more specific. If there is more feedback on the SMFE available, I think it’s good to take it after the eCPPT and before the OSCP/E. Have you planned to take it ?

    Thanks for the list of resources, I already know some of them, especially oldapps.com. I used them to rebuild a buffer overflow exploit by myself…well an easy one, but at least it worked like a charm  🙂
    And the last one is really nice!

    @seen:
    Yes, you’re right! I think that the CEH is only a HR relevant certificate. I don’t like multiple-choice exams, even though the VCP exam was quite hard work, but they do not say a lot about the real skill of the holder…well in times of braindumps…. they do not say anything  :-

  • #45018
     KrisTeason 
    Participant

    Hi MrTuxracer,

    The SMFE course I think is barely starting. I don’t think there are any reviews on it currently. I did hear Vivek mention in his SMFE video that he planned on rolling out a Metasploit book early 2012. It’s going to be great and accommodate the course well.

    I went for the eCPPT after OSCP, but I agree on attempting it before the OSCP course. I plan on taking CTP eventually here but to be honest, the reviews on it, and how much it is hyped up I don’t know if I’m ready for it. They make it out like you have to be an Exploitation guru and require you to pass their http://fc4.me/ challenge before even signing up. The course looks intimidating to me, filled with tons of pain, but with the cert you’re guaranteed respect by any serious InfoSec peers.

    If you replicated a buffer overflow example, you’re well on your way for Pentesting with BackTrack. I was going to mention you could either do CEH or eCPPT in any order but didn’t want to bash CEH too hard like I have been guilty for doing in the past. It’s very HR relevant, and taking it before the eCPPT may help you even more in the PTP Pro course. What I enjoyed about eLearnSecurity’s course was not only the amount of time they give you to go through all of the material in the class, but the solid material on the Web App module which will get you prepared for the eCPPT exam.

  • #45019
     MrTuxracer 
    Participant

    Hi xXxKrisxXx,

    I just enrolled for the eCPPT and started to study on it. The study material is quite good and organized and there are a lot of interesting new things in it. I do not have regrets about this purchase – looks like this gonna be much fun  🙂 It’s been the right decision to take the eCPPT before the OSCP!

    The CTP is indeed very intimidating…you really have to like pain to enroll for it…so what are you waiting for ? go for it  😉

    Well I’ll skip the CEH for now, let’s have a look how I’m doing after the eCPPT.

  • #45020
     KrisTeason 
    Participant

    Hi MrTuxracer,

    Excellent to hear you enrolled. You’re going to have a blast! If you run into a bind, don’t forget about their forum for students. Plus we’re here to help on our end. There are a few of us here who have taken either the student or pro course with eLS so never hesitate!

    Until I reach the level of masochist is the only time I’ll be fully prepped to enroll in CTP. It’s definitely on my list of, ‘To do things in 2012’. I just need to go back through the PWB material and knock out the BoF extra miles and prep on Exploit-DB before officially going in.

    Good luck on your journey, may the force be with you!  🙂

  • #45021
     vp75 
    Participant

    @mrtuxracer wrote:

    Hi xXxKrisxXx,

    I just enrolled for the eCPPT and started to study on it. The study material is quite good and organized and there are a lot of interesting new things in it. I do not have regrets about this purchase – looks like this gonna be much fun  🙂 It’s been the right decision to take the eCPPT before the OSCP!

    The CTP is indeed very intimidating…you really have to like pain to enroll for it…so what are you waiting for ? go for it  😉

    Well I’ll skip the CEH for now, let’s have a look how I’m doing after the eCPPT.

    Hi Mr.Tuxracer,
    I’m in the same course, except joined during Christmas….
    Probably might meet in community  😉 there…
    V

  • #45022
     MrTuxracer 
    Participant

    @vp75 wrote:

    Hi Mr.Tuxracer,
    I’m in the same course, except joined during Christmas….
    Probably might meet in community  😉 there…
    V

    Great one, isn’t it ?
    Nice, message me if you like  😉

  • #45023
     isgillen 
    Participant

    eCPPT is a good choice to start with, I was new to security and it takes you from a noob to having a good understanding.

    The course assumes that you have a basic knowledge of programming but I would suggest you need to have a bit more than basic if you intend to do the professional course straight away also TCP/IP.

    They do offer a student course prior to the pro but I decided to go straight in at pro and was pretty comfortable. A plus point about the eCPPT is that they offer you a whole module on scripting which is not the norm but very beneficial.

    The forums are very helpful and there is always someone there that will answer your questions.

    The only downside is that there are some grammatical errors and a few slides early on do get a little confusing because the examples they use do not exist in the real world so you can’t follow them. The staff are aware of this and are addressing it.

    The future for eCPPT looks promising and there are changes happening all the time. The best thing is that once you have paid up once you get lifetime access to both forums and course material so you can always stay up to date whatever changes they make. They also offer discounts to current members on anything new they try and listen to suggestions from the community.

    Hope this helps in your decision, good luck

  • #45024
     Triban 
    Participant

    Wow, eCPPT is pretty affordable.  I actually may sign up for that this month.  I like the idea of lifetime access.  I think I will try the demo and see how I like it.  Judging by the responses here it seems to be a good prep for getting a head start in OSCP.

  • #45025
     coding_fury 
    Participant

    Hello everyone,
    I heard a lot of good things regarding eCPPT (in this thread and elsewhere). However when going to elearnsecurity website, I stumbled on this page for penetrating testing pro. Is it just me or it looks like a really bad sham-wow tv commercial ? I expected to read “but wait! if you order right now we double up the offer!” at any time. I’d like some feedback from people that actually did the course (PTP and eCPPT exam) to see if my worries are founded or not.

    Also, is it possible to spend between 20-30 hours at most per week studying /practicing and still make the exam in the 120 days ? I presume it depends a lot on where you start but I’d like an opinion.

    Thank you,

  • #45026
     KrisTeason 
    Participant

    Hello coding_fury,

    Welcome to EthicalHacker.net. After checking out that page, it mainly seems like they’re just trying to recommend/sell their course. Being a PTP alumni, I can confirm the course is legit.

    You can definitely get the exam completed if you put in that many hours per week studying. You could even start practicing on the exam prior to officially starting your time to pen-test it (meaning you’ll be given your exam target with eLS PTP credentials, and details on what needs to be done).

    Kris

  • #45027
     Gromic 
    Participant

    Hi Tuxracer!  Welcome to the forum!

    Congrats on enrolling in eCPPT… I am also planning to sign up for the course shortly. Actually I wanted to do that already in December, but since you can defer the lab time only for 90 days once you bought it… and I will be really busy till April … I haven’t done it yet…  Hopefully the next couple of weeks
    Time …time…time… it’s always the issue…

    @coding_fury
    I know the site sometimes looks like a “I make you rich quickly page”.  Next to what kris said… from what you read around here it must be a really good course…

  • #45028
     MrTuxracer 
    Participant

    Hi gromic,

    Thanks. It’s been a good investment so far, and as far as I can say now, I don’t need 120 days to complete the whole course. I think, it’s quite a good preparation for the offensive-security courses.

    @coding_fury / @3xban:
    I agree…the website is not looking very serious, but the members-area and the course pages are well-made and a great benefit for someone who’s new to the pentest topic.

  • #45029
     Gromic 
    Participant

    I finally signed up for the eCPPT today, too.  Didn’t want to wait any longer …  even though I won’t have much time for studying the next couple of weeks  -> lifetime access for the win  ;).

    Maybe we see each other on the forums there…

    Yep, I am also taking the eCPPT course to put up the “groundwork” for the OSCP, which sounds really interesting but also really scary …

  • #45030
     Triban 
    Participant

    Damn you peer pressure!!  Just enrolled.  It’s winter so might as well use any time stuck inside for something useful.  Also need a reason to keep me from wasting away in Skyrim.  Damn that game.

  • #45031
     Gromic 
    Participant

    heheh…way to go 3xban! Sorry, for putting you under peer pressure!

    I totally know what you mean on the “wasting time to gaming” part …It’s just frightening how much time (or better sleep…) one loses to such games… I just hope I will never get started with “Star Wars the old republic” … So far I have managed to stay away ^^

    Like you said, better put the time and effort into something more useful!!

  • #45032
     MrTuxracer 
    Participant

    Good to see you guys over there 🙂

    Well, but exploring the world of Skyrim is quite useful at all…much better weather, faster learning/skilling and cheaper houses to buy!!  😉

  • #45033
     Triban 
    Participant

    This is true, unless you are in the mountains and are hit with a blinding blizzard.  😀  So I was all geared up last night and decided to check out the first module of the course, just an intro and all but I like the setup of it.  I got to the end where you get to fire up Burp and realized I did not have it.  So no biggy, I’ll just download it… site is down, for most of the evening, or maybe my OpenDNS was not getting to it.  Came into work this morning and site is running fine, just in case I downloaded Burp for later.  Tomorrow is looking to be a cold and windy day so no outdoor activity planned and I will proceed with some more modules.

    I sat through the 20 min demo and enjoyed it, got a head start on the SQLi stuff which I never actually tried before.  I think I will enjoy this course.  The Mile2 course was not keeping my interest at all, I think they need to just mix in some of the “ethical” and compliance info with the material rather than dedicating the first couple hours to it.  Grabbing your audience with talk of SOX and PCI is not a way to keep them engaged the rest of the time. 
