
[Article]-Course Review: eLearnSecurity Penetration Testing

<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Fri Jun 21, 2013 12:38 pm

This is a blog post. To read the original post, please click here »

Shrinking budgets and geographical diversity are pushing educational trends out of the classroom and into online learning opportunities. But, hands-on training and skills evaluation is a trickier problem to solve in that paradigm. Information Security training is no exception. Yet, many students seeking training in Information Security face barriers of entry involving their prior knowledge, and how to get it. Many offerings assume a level of proficiency above what a beginner may have, especially one who has not already worked in Information Security. To add to the beginner’s frustration, most training organizations don’t offer the background learning necessary to get to that level. Enter the eLearnSecurity (eLS) Penetration Testing Student course.

The eLearnSecurity Penetration Testing Student v2 course addresses the need for online, hands-on education for the beginner. The flexible and self-paced, browser-accessible online course teaches basic foundational concepts for students who wish to enter the field of penetration testing while allowing hands-on application through the Hera Student Lab and, optionally, the Coliseum Web Application Testing Framework. The course provides an ordered and appropriately broad basic introduction into foundational concepts for the beginner. While this course alone will not produce a qualified penetration tester, it provides a guided hands-on opportunity to become familiar with some of the basic concepts. It is effective for those who are exploring the possibility of penetration testing as a career path, or for those who simply want to know more about what penetration testers are capable of doing.


Overview of eLearnSecurity Penetration Testing Student v2
Few assumptions are made about the knowledge that students are required to have before engaging in this class, but a basic grasp of the Linux command line and an understanding of binary will be helpful. Understanding how to run a script, change a directory, and do some basic troubleshooting will be very useful to students. Even students who lack these basic skills will find plenty of support available. Additionally, exposure to the concept of programming is not required but will make the introduction to Python and C++ more familiar. The curriculum is split into foundational concepts and penetration testing concepts which may be explored or skipped at the discretion of the student.

The section on foundational concepts covers the introduction of terms like vulnerability assessment and penetration testing including a walk-through of penetration test phases. It also covers the crucial difference between vulnerability assessment and penetration testing, a simple concept for those in the industry that most newcomers lack. This section continues with coverage of network and web application basics. It also includes adequate C++ and Python primers with exercises that include the creation of several practical scripts.

The Penetration Testing section goes into more detail about each of the phases of a penetration test. Along the way, it introduces in-depth tool specifics including Metasploit, sqlninja, dirbuster, and netcat. It also covers topics such as backdoors, open source information gathering, password cracking, null session exploitation, SQL injection, XSS, and other exploitation topics — all good foundational information for penetration testers. The course includes plenty of great references for independent and supplemental learning. The full course syllabus is available online.

The course is sold with lifetime access rights to the material with free minor updates and a fee for major updates. Lab access is offered with flexible purchasing options including on-demand usage. Lab time may be used by the minute or through a flat unlimited plan, where labs are available for 30, 60, or 90 days. This course focuses on the content available in the Hera Lab, eLearning's live penetration testing environment. Accessed through a VPN, Hera offers a hands-on environment to support the course material. The registration for the course also offers the option to add on access to Coliseum, eLS’s more advanced web application security training framework. Other than these time restraints, students are free to pursue the content at their own pace and even their own choice of order, as some modules provide a clickable navigation panel with access to the different concepts. Of additional interest, eLS offers a payment plan where the course can be purchased with a monthly fee instead of a lump sum. This flexibility raises its appeal to self-funded students.

The Experience
Students access eLS’s student website to access documentation and code samples for the class, the courseware itself, account management, and lab management. All of these functions are very intuitive and easy to navigate. It’s advisable for students to completely run through the courseware before digging into the Hera lab, as access in the lab may be time limited depending on the subscription choice.

The web interface enables students to stop, start, and reset the Hera lab. Getting into Hera may be a little confusing for absolute beginners. There is a guide that describes how to connect to the lab using both Windows and Linux, so the choice is available to the student. Then, walk-through videos describe how to download and install Nessus, for example. But, some of the labs require Linux tools, and the videos appear to use BackTrack for tools demos. Students will want to be prepared to confront the possibility that they may need to create and run a Linux virtual machine if they choose a Windows platform.

Figure 1 – eLearnSecurity Penetration Testing Student v2 Screenshots

The courseware itself launches from the same web interface and runs in the browser, providing a clean and professionally done graphical interface. The guided introduction to the course material is supplemented by periodic hands-on labs and quizzes as well as demo videos. Additionally, a discussion area is available for students to collaborate or get help with issues from course support staff. Navigation within the course itself is very simple. A navigation control panel at the bottom allows you to move forward and backwards through the lesson, one slide at a time. The same navigation bar keeps track of the currently viewed slide. Audio sometimes supplements the text, and the graphics used to support the material are very well done and appropriate to the information at hand.

Once inside Hera, the experience is exactly as it should be for a penetration tester connected onto a client network. The Hera labs provide a good place to do the hands-on exercises provided in the course, but it is not advertised as a free-form environment where a burgeoning penetration tester might experiment very freely with newly learned skills. Lab exercises are specifically targeted towards the use of the tools according to the examples provided in the lesson. There are other hosts accessible within the lab, but there is no guidance within the courseware that suggests further exploitation should be considered beyond the scope of the exercises.

Content
The course covers web application penetration testing concepts in depth. One demo video in particular stands out as a crystal clear and exemplary explanation of the mechanics of Cross Site Scripting. But don’t fret that it will quickly get overwhelming, as network concepts are hardly unmentioned. In addition to a thorough exploration of Burp Suite, the course covers Wireshark in interactive detail, both with labs and exquisitely detailed walk-throughs within the slides. There are lessons defining how buffer overflow attacks work, what role malware plays in the exploitation process, and various server and client exploitation methodologies. Social Engineering and Physical Pentesting even receive their nod during the Information Gathering lessons. There are two videos that cover Metasploit, but no exploitation labs using it, and its capabilities are only explored at the very surface. eLS’s Professional Course covers these more advanced topics, but students who are expecting a detailed walk-through of network penetration testing will not find it in this class.

Figure 2 – eLearnSecurity Penetration Testing Student v2 Introduction to Python

The course’s strength is in the foundational information it provides. Beginners with no grasp of what a network port or an IP address is will get the introduction they need to properly contextualize these lessons. For example, a very detailed examination of how networks work begins with the simple and non-assuming explanation of what a network is. The lesson progresses naturally, building upon each layer of information to explain Firewalls, IDS and IPS, and Web Application concepts and, perhaps most importantly, their role in defending against, or failing to defend against, attacks. For beginners who have no exposure to security concepts or who have yet to explore them in an offensive frame of mind, these foundational lessons are truly essential.

Far from death by PowerPoint, the course not only allows students to choose their own order and take their own time to process the material, but the slides are interspersed with demo videos, lab exercises, and self-test quizzes. Students are free to explore Burp before Metasploit, or vice versa, to explore foundational concepts, or only the penetration testing concepts. Students may leave and come back to the content at their leisure due to the lifetime access granted by the license.

Quizzes enable students to test their own progress and decide how best to use the resources for ongoing study provided at the end of each lesson. The quizzes follow a multiple choice format for the most part. But, occasionally, a drag-and-drop question is thrown into the mix. These aren’t always obvious, and have confused some students, so keep an eye out for it. For the most part, they do a good job of reflecting the course content without being verbatim repetitions of the lessons. However, the logical leaps some of the questions make require a bit of thinking and practical application of the subject. The option to review incorrect answers will help solidify the learning in the cases where this trips up an unsuspecting student.

Areas for Improvement
Overall, the course is very well done and establishes a good, broad base of knowledge about penetration testing. Again, the course alone is not enough to produce a qualified penetration tester, but, as an introduction to concepts and tools, the class succeeds. Only a handful of items stood out as possible issues for students, and most of these were relatively minor. In general, the course navigation is sometimes inconvenient, and the grammar and audio are occasionally awkward. There are also notable inaccuracies in some of the technical details about networking. None of these should interfere with a penetration test, and the course authors have been very receptive to fixing any issues found.

The navigation, as mentioned, is very basic. But, progression from slide to slide is not always sequential. When students choose from lesson menus, slide counts jump, sometimes by the hundreds. Getting back to the menus may require navigating slide by slide back to the menu. Also, while the course is supposed to bookmark student progress between sessions, this does not always work as expected. As a browser-based platform, the student computer settings have an impact on the experience. Workarounds for these issues have been provided by the course administrators on the student discussion boards.

The grammar on the slides and the audio are occasionally awkward enough to impact the student experience. In the best cases, misuse of common jargon like “arp” or “syn” in favor of “A-R-P” or “S-Y-N”, for example, might make a beginner seem strange to peers in InfoSec. In the worst cases, the meaning of learning points may be lost behind confusing wording with unclear intentions. However, as these oddities are not always present, and the bulk of the content is clear, this is not something that should discourage a student from the course.

Conclusion
While the web application information and the tools usage are spot on and very useful, some of the other complex concepts on network penetration testing have been oversimplified for the purpose of introducing them to beginners. These minor errors would not actually affect someone while conducting a real penetration test, so it is acceptable for its intended audience. As mentioned, the course authors have been receptive to improving their course and fixing any errors that are reported. So in conclusion, minor issues in the courseware are heavily outweighed by the clear content, clean presentation and excellent support, making it easy to recommend eLearnSecurity Penetration Testing Student v2 to beginners in InfoSec or experienced IT professionals looking to get into the exciting field of ethical hacking.



Heather Pilkington has almost fifteen years of experience in Information Security, including Incident Response, Change Management, and Vulnerability Management. Certified both as an OSCP and as a CISSP, she has also previously held GCIH and GSEC certifications. Outside her primary professional work, Heather acts as the BeEF project blogmistress and operates as a freelance technical editor.
CISSP, MCSE, CSTA, Security+ SME
<<

azmatt

Full Member

Posts: 103

Joined: Sun Jul 29, 2012 2:11 pm

Post Fri Jun 21, 2013 8:04 pm

Thank you for the great review Heather. I'm planning on taking this and the professional version later this year to help me prepare for the OSCP and I've got a much better idea of what to expect now. Two quick questions.

1: Are you going to review the pro version too??? ;)

2: If you have taken the pro version, how do you feel they would help prepare someone for the pwb/oscp experience?
GCFA, GCIH, GCIA, GWAPT, CISSP, CEH, GSEC
<<

Armando

Jr. Member

Posts: 93

Joined: Sun Sep 13, 2009 11:15 am

Location: Italy

Post Sat Jun 22, 2013 2:34 am

A1: The Professional training course has already been reviewed on EH:
https://www.ethicalhacker.net/features/root/course-review-penetration-testing-professional-v2-by-elearnsecurity

A2: PTPv2 doesn't prepare for other courses.
The PTPv2 prepares you for real world jobs.
If you can pass our eCPPT Gold certification you are someone ready to do a professional penetration test as a freelancer or within your organization.
Founder and Lead Author of eLearnSecurity
Training for Penetration Testers
http://www.elearnsecurity.com

Founder of HACK.ME Free community based web app security virtual labs
https://hack.me
<<

azmatt

Full Member

Posts: 103

Joined: Sun Jul 29, 2012 2:11 pm

Post Sat Jun 22, 2013 8:05 am

Thank you for the link and thoughts Armando. I'm very much looking forward to your courses as soon as I finish up a few other things.
GCFA, GCIH, GCIA, GWAPT, CISSP, CEH, GSEC
<<

Armando

Jr. Member

Posts: 93

Joined: Sun Sep 13, 2009 11:15 am

Location: Italy

Post Sat Jun 22, 2013 2:52 pm

And we are looking forward to welcoming you in our community :)
Founder and Lead Author of eLearnSecurity
Training for Penetration Testers
http://www.elearnsecurity.com

Founder of HACK.ME Free community based web app security virtual labs
https://hack.me
<<

rockman

Full Member

Posts: 104

Joined: Sun Apr 06, 2008 12:38 pm

Post Sat Jun 22, 2013 9:31 pm

Great review! I am currently taking the eLearnSecurity Web App Pen Testing course and I am enjoying it. It's a very good course and I highly recommend it.
<<

Armando

Jr. Member

Posts: 93

Joined: Sun Sep 13, 2009 11:15 am

Location: Italy

Post Sun Jun 23, 2013 2:22 am

Thanks rockman :) I know a review is coming on WAPT course as well but maybe you can also post your views on the course in the Forums.
Founder and Lead Author of eLearnSecurity
Training for Penetration Testers
http://www.elearnsecurity.com

Founder of HACK.ME Free community based web app security virtual labs
https://hack.me
<<

SephStorm

Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Mon Jun 24, 2013 11:15 pm

Thanks for the review Heather, glad to hear about the Student course and how it gives decent primers on material like programming.
<<

JohnE

Newbie

Posts: 12

Joined: Tue Jan 31, 2012 10:09 pm

Location: Sydney, Australia

Post Sat Jun 29, 2013 7:19 pm

I'm a bit concerned about taking this course.

Over the past 48 hours, I have tried 3 times to get a demo of the student course. Entered my details, and got a webpage saying a confirmation email had been sent with a link, no emails arrived.

I clicked on the icon saying "Live Support: Online", and after typing about my attempts, it came back saying that no operator was available. So I left my email address, again no email came through.

24 hours ago, I PM'd Armando through this site, explaining all this, and including my email address. No response.

I don't want to sign up for the course, pay, and then get no response, thus having to try and get the payment cancelled by my Credit Card company. I have been burnt by an online course before, so am a bit wary.

Maybe they just don't support Australia ;) What do people think, should I just jump in and sign up and hope everything goes okay?

Cheers

John
<<

azmatt

Full Member

Posts: 103

Joined: Sun Jul 29, 2012 2:11 pm

Post Sat Jun 29, 2013 8:18 pm

That is a pain but these guys are absolutely 100% legit. No harm in waiting for the sample first but I wouldn't worry about being scammed at all. I'm in the middle of another course at the moment but their pen testing courses are high on my to-do list.

Their stuff is very well reviewed on this site.
GCFA, GCIH, GCIA, GWAPT, CISSP, CEH, GSEC
<<

El33tsamurai

Full Member

Posts: 219

Joined: Sat Feb 03, 2007 4:01 pm

Post Thu Jul 11, 2013 10:04 am

Previous post was talking about 30% OFF, do you have any coupons for money off this class?
CCENT, A+, Network+, Security+
<<

El33tsamurai

Full Member

Posts: 219

Joined: Sat Feb 03, 2007 4:01 pm

Post Thu Jul 11, 2013 10:05 am

Previous post was talking about 30% OFF, are there any discounts on this class?
CCENT, A+, Network+, Security+
<<

jjwinter

Jr. Member

Posts: 80

Joined: Mon Mar 05, 2012 10:33 pm

Post Sat Mar 29, 2014 4:42 pm

I signed up for this course a few days ago, got the discount and paid $99. I've been tinkering with Backtrack for about a year, and have loaded several distros of Linux to mess around with, but felt I needed a solid intro at the ground level to pentesting. Actually putting a little $$ into it has made me dedicate time.

I was already familiar with the basic networking concepts, but I went through the slides anyway to fill in gaps. It was helpful, and a refresher was good for me.

I began looking at some of the exploit slides, and they took quite a jump in complexity. I am a total SQL noob, and the examples about SQL injection will require me to do some foundational reading. Same with web exploits, but I know now where to focus my learning.

I successfully connected to the Hera lab, but I'm saving my time for more advanced examples later.

Other than the occasional typos and language issues, and the slide navigation oddities, I am finding it well worth my investment. I also like the lifetime membership, no time crunch is nice.

My experience so far falls in line with your excellent review. Thanks!
