CEH version 7
I was excited when EC-Council announced that I was being awarded one of their 'scholarship' spots, for the Global Launch of CEH version 7. Having passed my CEH, originally, 6 or 7 years ago, I was looking forward to seeing what had changed with the training, and welcomed the opportunity to collaborate with other professionals, who would be attending the class with me. To me, the professional connections that are built, and the camaraderie that is shared among students, is often the 'icing on the cake,' when given the chance to sit in a bootcamp.
*** Note – as you read this, remember that this was a 'First run' / pilot of the class, and is designed to help work out the bugs, typos in the manuals, etc, so that as I mention some of these things, below, they were semi-expected, going in. All in all, I think EC-Council did a good job with the course materials and the instructor for our class was as prepared as he could have been, without having been given a lot of time with the materials, prior to our class. That said, I think more time could have been focused, for those who attended solely for certification, on exam prep materials, as in honesty, had I not already had experience in this realm, nor been CEH-certified in the past, I don't know that I would have felt prepared for the exam, at the end, based on the questions I had on my exam, versus what we covered in class.
Anyway, without further ado, on to the actual course / bootcamp.
The first day opened with the usual introductions, the instructor giving background about themselves, and the students doing the same. Our class was pretty small, only about 10 of us. Of those in the class, not counting myself, we had one guy (a developer) who'd previously sat for CEH v6 class, but hadn't tested at the end, another developer, some IT / security folks from medical organizations, an IT Security professional from the IRS, and a student / IT security lab worker, from a college.
(*** Author's note- Additionally, we were told that our hours for the class were 9 AM to 4 PM, with a one-hour lunch, each day, and that the labs would be open from 8 AM to 5 PM, should anyone be a little early, or want to spend some extra time in there, after class. In this case, this was a drawback, for me, from my original CEH, in that at my original bootcamp, we had access to the facilities, 24 hours-a-day, for the entire week, and the instructor also stayed late, most evenings, even throwing a “capture the flag” exercise and such in, to give us added practice with tools and techniques. While I know that original training provider was going above and beyond with that practice, there was much to be said for the experience, and so this one was a bit of a different feel, and relied, much more specifically, solely on EC-Council's books and lab.)
We cracked open the courseware, and quickly surveyed the materials. Of obvious note / mention was the fact that the course / lab manuals consist of roughly 1426 pages of slides, with exercises mixed in, followed by 84 pages of reference URLs, sorted by slide reference from the book, for the student to be able to go out and dig for further, deeper information on their own time.
Next, the instructor introduced us to the lab machines. Each student had a lab machine loaded up with Windows Server 2008, and a handful of Hyper-V virtual machines. The VMs were set up for BackTrack 4 r2, Windows XP SP1 (unpatched), Windows 7 and Windows Server 2003. All of the guests were supposed to have been minimally patched, although, as we found out in later exercises, most of them were patched current, and some of the labs (Metasploit) failed to work. More on that, later. The instructor took us through the first couple of modules - “Introduction to Ethical Hacking” and “Footprinting and Reconnaissance” - and we got part of the way through module 3, “Scanning Networks,” before we left for the day.
The second day brought us into more of the hands-on aspect of the class, as we began with the labs from module 3. The labs here worked fine, and the instructor gave some tips from his experience, as well as taking feedback from myself and others in the class, with regards to how we use some of the tools, etc. This was one thing that I think this instructor did well, in that, not only did he try to bring in his personal experiences, but he opened up the floor and we had some good discussions, with regards to each of the modules, without spending so much time on them as to take away from the flow of the course.
We proceeded into modules 4, 5, and 6 - “Enumeration”, “System Hacking” and “Trojans and Backdoors” - spending roughly 20 minutes of lab time, for each. Due to the fairly substantial number of labs for each module, there simply wasn't enough time to go through all the labs in each section, and in all honesty, I think that was a good thing, in that many of the labs were simply showing that a task could be accomplished with multiple tools. While that is valuable to know, in a real pentest, for the sake of a bootcamp environment, it isn't conducive to time management, and would've greatly slowed things down. So, typically, we'd do two or three of the five to eight exercises for each module, and everyone seemed in agreement that it was for the best.
Before the day ended, we wrapped up with module 7, “Viruses and Worms.” Here, the class kind of slowed down for the night, as things were wrapping up, and we had to spend some extra time, getting tools to work with. The instructor had copied the 5 DVDs from the courseware to the 2008 host, but many of the tools were missing from the target directories, either because they weren't actually ON the source DVDs, or because antivirus was installed, and removed them from the destination. So a few of us had to quickly track them down, put them on the class' publicly-available share, and let everyone pull from there. By this time, most of the students were ready to head out, for the evening, so some folks quickly did the labs, while others saved them for the next morning.
Days 3 and 4
The third and fourth days took the class from module 8, through the middle of module 14 - “Sniffers,” “Social Engineering” (which he only briefly touched on in class,) “Denial-of-Service,” “Session Hijacking,” “Hacking Web Servers,” “Hacking Web Applications” and “SQL Injection.”
The material was good, however, one residual note (agreed upon by all in the class) was that there could've been more written information, rather than just slides. While the slides held a lot of data, there were so many of them that we often had to skip sections, or touch them so quickly that the information didn't sink in, as it could have, had there been more information provided to us. So along with other feedback, we asked our instructor to provide that to EC-Council, too.
Again, there were some lab issues here, specifically for missing tools on the host, a patched server not allowing the lab exploit to work for Metasploit, and some missing configurations of SQL and IIS on the host 2008 server, which stopped the SQL injection lab in its tracks. I quickly pointed out, for the sake of 'seeing Metasploit in action' (which was the goal of one exercise,) that the XP VM wasn't patched, and the class could hit it with the always handy DCOM exploit, and the students came back to do that, after the class moved on to the next module, to keep the class progressing. The IRS guy and I then went about finding and fixing the misconfigurations, and the two of us were able to successfully complete the labs, with some of the students watching, so they could see / understand the concepts.
We closed out the day with a very brief discussion about module 15, “Hacking Wireless Networks,” and carried the discussion into Day 5.
Day 5 began with a brief synopsis from the end of the previous day, and we quickly went into the final 4 modules (16 – 19) - “Evading IDS, Firewalls and Honeypots,” “Buffer Overflows,” “Cryptography” and “Penetration Testing.” While all of the information in the slides for these was useful, it became clear that we were going to fly through with high-level overviews on most of the day's information, as the exam was scheduled for those who wanted to take it, from 1 PM onward. The exam is 4 hours in duration, if you need the entire time, so they wanted to ensure, for those commuting or traveling home, that they'd have ample time and opportunity to test for the certification by the end of the day.
The exercises, which we had time to look at, were OK, for most of these modules. However, those of us who already understood the concept and usage of Buffer Overflows were a bit underwhelmed by the exercise for that module. While it gave a very brief look at how the overflow worked, by pointing out the return address, clearly, from the compiled source code, it wasn't as realistic, as the program literally was designed to run the given module (for instance /bin/sh) that was passed from the command line, rather than showing that it could be run, simply by overflowing a buffer and changing EIP, etc, to point to your code. So again, while it did demonstrate a very basic overflow, it was highly unrealistic, and really didn't serve to show how it might work, in real-life. So I think that's one exercise that might be worth an extra revision / rewrite, or if it stands as is, over time, will require the student to do much more self-study on, after the class.
The final module, “Penetration Testing,” was an overall follow-up and piecing together of information from days one through five. It explained, once again, the differences between the types of pentests (White Box, Grey Box, Black Box,) differences between vulnerability assessments and pentests, and legalities, etc. It went back through the phases of a pentest, as defined by CEH, and how to progress through them. And it emphasized the need for pentesting, the ROI involved, and the value of having properly trained folks doing the work.
Finally, before lunch (and the exam, for those who stayed to take it,) the instructor discussed Frankenstein, EC-Council's new tool and data repository for CEH's, to be able to find tools and other useful information from a 'trusted source,' rather than taking a chance and finding someone else's 'weaponized' tools, out on the public internet.
All in all, for those wanting to begin a career in pentesting, the CEH is a good starting point. While it focuses more on methodology and legalities, it dabbles enough into tools to help someone begin to understand the concepts necessary to 'continue' to learn, and to know what they need to study, further, should they want to progress as a professional pentester. The material in version 7 showed many more tools, and gave a lot more references to back them up, but the overall experience wasn't as nice, IMHO, as my original CEH, due to less ability to exercise and practice in the labs, as well as, again, the focus on slides on the books, and less actual 'description' to back them up.
So my penultimate review – for beginning security folks, 8 of 10 stars. By itself, it won't make you a pentester, but it will certainly guide you, as you begin, and would be a worthwhile beginning to launch your career. For seasoned vets, if you're looking for the certification, or to renew it, and have the experience, already, it'll suffice to pass and earn the cert. But if you're looking for something groundbreaking, or that will challenge your thinking and show you a lot of new material, I don't think it'll give you much of a rise.
"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'
OSCE, OSCP, GPEN, C|EH