
Please give me the suggestion for choosing CEH Certification


ravi2jkc

Newbie

Posts: 1

Joined: Thu Feb 09, 2012 10:48 pm

Post Thu Feb 09, 2012 10:55 pm

Please give me the suggestion for choosing CEH Certification

Hi all,

Presently I am working as a software professional, but I am very much interested in Security. I am planning to do the CEH Certification. Can you please share your thoughts on this? How will it be helpful as a fresher to the security field? Can you recommend any other security certification after CEH to become a professional in this security field?

Your suggestions are very valuable to me and my career :)

MaXe


Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Fri Feb 10, 2012 11:53 am

Re: Please give me the suggestion for choosing CEH Certification

1) What do you want to do within Information Security?
2) What do you plan on using CEH for? (Besides getting past HR screenings)

If 1 == PenTesting, Vulnerability Research, or similar more technical and practical domains, choose something that will give you more in return, such as PWB (Pentesting with BackTrack) which ends in the OSCP certification (Offensive Security Certified Professional), which is gaining more and more popularity at various companies, esp. in the UK and USA.

2) If you plan on becoming a really good hacker because of CEH, sorry to crush your dreams, but it will only give you an inch-deep but wide base, as it doesn't dive deep into Web App Sec, Malware Research, Reverse Engineering, Exploit Development (Buffer overflows, etc.)

Be aware that some of the training material for CEH, at least for CEHv6 by e.g. Skillsoft, is incorrect at some points. I was surprised to see test questions being completely wrong, as it would teach students who don't know security the wrong things.

How to prevent SQL Injections? According to Skillsoft, strong authentication and bruteforce prevention. (Wtf?)  :)

That's just my opinion, but CEH is still good to get past many HR screenings, so in that sense, it has a higher value in getting a job still.
I'm an InterN0T'er

hayabusa


Hero Member

Posts: 1695

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Feb 10, 2012 1:49 pm

Re: Please give me the suggestion for choosing CEH Certification

MaXe wrote:How to prevent SQL Injections? According to Skillsoft, strong authentication and bruteforce prevention. (Wtf?)  :)


bwahahahahaha!  (wow)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

dynamik

Recruiters

Posts: 1134

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Feb 10, 2012 1:58 pm

Re: Please give me the suggestion for choosing CEH Certification

The correct answer is clearly only supporting Internet Explorer, so sqlmap doesn't work ;)

*I was recently involved in a web app test where everything was completely IE-centric, and none of the common tools worked. Security through inaccessibility...
The day you stop learning is the day you start becoming obsolete.

MaXe


Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Fri Feb 10, 2012 2:06 pm

Re: Please give me the suggestion for choosing CEH Certification

hayabusa wrote:
MaXe wrote:How to prevent SQL Injections? According to Skillsoft, strong authentication and bruteforce prevention. (Wtf?)  :)


bwahahahahaha!  (wow)


Proof:
http://i.imgur.com/tD7w4.png

As the right answer is: Sanitize user-input in SQL queries with e.g., mysql_real_escape_string($var); in PHP (aka SDLC / Secure Development LifeCycle), but it doesn't exist in the CEHv6 courseware by Skillsoft, I had to use the possible answers the best way I could.

Explanations to the possible answers and my choices:
- Enforce the use of strong passwords and typing: It's just simply wrong
- Ensure that HTML placeholders in URLs are replaced with symbols: I read this as "encode (sanitize) user-input so < becomes &lt;". The problem is that they don't use the language anyone else uses.
- Grant user unlimited login attempts: I knew this would be wrong no matter what.
- Append all quotes sent to clients: This was a bit weird, but I read it as: "Append a backslash to quotes and apostrophes sent BY clients / users." That did make sense, even though it does not protect against SQL Injection. (Double-byte characters can bypass this.)
- Limit the allowed number of failed login attempts: I have no idea why this is right, as login attempts have nothing to do with SQL Injection. According to Skillsoft, they do.

As I know you can't have just 1 right answer in the Skillsoft tests when they're multiple-choice questions, I had to choose at least 2. (Sometimes 3)


When I read my first possible choice of answer again, a few months later, I can see that it can be interpreted as: Replace &quot; with " , and that is of course wrong.  :)


dynamik wrote:The correct answer is clearly only supporting Internet Explorer, so sqlmap doesn't work ;)

*I was recently involved in a web app test where everything was completely IE-centric, and none of the common tools worked. Security through inaccessibility...


You can change the user-agent of most tools and thereby fool websites into allowing you access anyway. I've used this quite a lot when websites say: "You cannot access this website unless you use Internet Explorer", oh yeah? *Changes user-agent* Oh yes we can!  ;D

It sounds a bit crazy about the web app test, but I have seen it on a few sites, often those that are poorly coded, or using ActiveX plugins without which the website won't work.

The funny thing is IE doesn't follow HTML coding standards anyway, so it's somewhat of a joke to make a website specially compatible with only IE, even though many users, unfortunately, still use IE.   ::)
Last edited by MaXe on Fri Feb 10, 2012 2:08 pm, edited 1 time in total.
I'm an InterN0T'er
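An added example, not from MaXe's post or from the Skillsoft courseware, showing the "right answer" above in runnable form: the same lookup written three ways, with raw string concatenation, with quote escaping, and with placeholders. It uses Python's sqlite3 instead of PHP/MySQL, so the small escaping function is a stand-in for mysql_real_escape_string (it doubles quotes, SQLite's own rule), and the users table with its two rows is constructed sample data.

```python
import sqlite3

# Constructed sample data for the demo; not from any real system.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Return an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_concat(conn, name, password):
    """Vulnerable form: user input is pasted straight into the SQL text,
    so a quote in the input changes the structure of the statement."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def find_user_escaped(conn, name, password):
    """Escaping form (the role mysql_real_escape_string plays for MySQL):
    each quote is doubled so it stays inside the string literal. This
    handles the apostrophe below, but escaping depends on the connection
    character set and must be repeated on every code path, which is why
    placeholders are the preferred fix."""
    def esc(s):
        return s.replace("'", "''")  # SQLite's quoting rule; a stand-in
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (esc(name), esc(password)))
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, name, password):
    """Hardened form: the statement is fixed text with placeholders and the
    driver passes the values separately, so input is always data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def probe(conn, name, password):
    """Run all three variants on the same input and report what happened.
    A syntax error from the concatenated form is the tell that the input
    was parsed as SQL rather than treated as a value."""
    results = {}
    for label, fn in (("concat", find_user_concat),
                      ("escaped", find_user_escaped),
                      ("param", find_user_param)):
        try:
            results[label] = fn(conn, name, password)
        except sqlite3.OperationalError as exc:
            results[label] = "SQL error: %s" % exc
    return results


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "alice", "s3cret"))  # all three variants find alice
    print(probe(db, "o'brien", "x"))     # concat breaks; the others return []
```

A plain apostrophe in a legitimate name is enough to make the concatenated query fail, which is exactly the signal a code reviewer or a web app tester looks for; the parameterised version returns an empty result and never lets the input touch the statement's grammar.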

hayabusa


Hero Member

Posts: 1695

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Feb 10, 2012 2:16 pm

Re: Please give me the suggestion for choosing CEH Certification

That screenshot........  LOL!  'nuff said.

And folks wonder why we always tell them certifications, on paper, mean nothing, if you don't continue to both:

1.) grow and expand your knowledge base

and

2.) possess the ability to demonstrate the skills in the real world.

Shame that training options leave so much out (or screw so much up...)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

dynamik

Recruiters

Posts: 1134

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Feb 10, 2012 2:38 pm

Re: Please give me the suggestion for choosing CEH Certification

MaXe wrote:It sounds a bit crazy about the web app test, but I have seen it on a few sites, often those that are poorly coded, or using ActiveX plugins that won't make the website work without.  

The funny thing is IE doesn't follow HTML coding standards anyway, so it's somewhat a joke to make a website specially compatible with only IE, even though many users, unfortunately still use IE.   ::)


It was the latter. You literally couldn't do anything without IE; it wasn't just checking the user agent or something simple like that.
The day you stop learning is the day you start becoming obsolete.

DragonGorge


Jr. Member

Posts: 89

Joined: Wed Feb 08, 2012 6:30 pm

Post Fri Feb 10, 2012 5:16 pm

Re: Please give me the suggestion for choosing CEH Certification

I took the v7 version last year and I agree with everything MaXe wrote. If you're just looking for a cert, the CEH exposes you to a lot of different hacking areas but doesn't cover any of them in-depth. And their training has an inordinate amount of bloat when it comes to tools.

One thing I'd have to caution on is the idea that it will help you with HR screenings. I think that may only be temporary. EC Council has been getting away with slipshod training/testing for (apparently) years. And I've seen the word "sham" used in conjunction with the cert. more than once (which kind of sucks given the amount of time/money I spent on getting it). I think it's just a matter of time before word gets around that the CEH cert doesn't live up to the hype.

secureyour.it

Newbie

Posts: 1

Joined: Sat Feb 11, 2012 12:19 pm

Post Sat Feb 11, 2012 12:46 pm

Re: Please give me the suggestion for choosing CEH Certification

Hi, I am a relative newbie myself and have already taken and passed the CEH V7 and sincerely wouldn't recommend it to anyone not even for getting past HR.

The course materials, as previously stated, are full of bloat and errors, and their forum is out of date. One of the other problems for a beginner is where to start, and the CEH way is: here is an encyclopedia of hacking, get on with it, but without any particular focus or depth in any area. The exam is a multiple-choice exam and has no practical element.

Feeling let down and luckily for me having some more money in my training budget I decided to take the eLearnSecurity professional course which is also suitable for beginners.

Now, in my opinion this course is biased towards web hacking, but it did cover other areas, and overall I found it excellent and great exposure going forward.

The exam for this course is a practical exam and students are expected to conduct a pentest and submit a report. There is plenty of help and support available from the course providers also which is good for a beginner.

So for a beginner certification I can readily recommend this as a starting point.

What you could also do before parting with any cash is to work through all of the free insecure virtual machines which are available on the internet, for example:

BadStore
Damn Vulnerable Web App
Hacme Series from Foundstone
De-Ice
WebGoat

Hope that helps...
