Disclaimer: eLearnSecurity is a sponsor of the IoT Village, an ISE-run organization. I received the course and exam for free due to this relationship. eLearnSecurity had an opportunity to review the contents of this article before it was published but it nonetheless represents my genuine opinion.

This post first appeared on the ISE Blog

I recently took the eLearnSecurity Penetration Testing Professional (PTP) course and passed the associated eLearnSecurity Certified Professional Penetration Tester (eCPPTv2) exam. As a security professional I’m always on the lookout for new opportunities to improve my skillset and learn new techniques for attacking and defending networks, so I was excited to see what the course had to offer. I already have a few certifications including the Offensive Security Certified Professional (OSCP) and Expert (OSCE), so I have a pretty good background in the topics covered in the course, which include:

  • Fundamentals of buffer overflow exploits
  • Cryptography and password cracking
  • Fundamentals of network security including reconnaissance, spoofing attacks, post-exploitation, and social engineering
  • Linux and Windows exploitation and privilege escalation
  • Basics of web application security including reconnaissance, cross-site scripting, and SQL injection
  • Wi-Fi security and attacks

Additionally, buyers of the “extreme” edition of the course also get access to material covering PowerShell and Ruby scripting for pentesters including use of tools like Metasploit and Empire.

About the Course

The material is broken into chapters containing a series of modules delivered in the form of video lectures and PDF slideshows with other files such as tools attached where relevant. The videos combine lecture slides with live demonstrations, and I found the video lecturer easy to follow. The PDFs were useful for review and to skim around to find the information I needed. The material was mostly up-to-date and covered relatively recent versions of the software involved. The only glaring exception is that the exploration of spoofing attacks includes usage of Cain and Abel, which is an ancient tool for performing ARP spoofing and password cracking that’s been supplanted by more modern tools such as Responder, Ettercap, and Hashcat. Also, the explanation of buffer overflows focuses on exploitation under extremely favorable circumstances that don’t often occur in modern software and operating systems — namely, exploiting buffer overflows in software with zero exploit mitigations such as W^X or ASLR. However, knowing how to perform a buffer overflow attack in such an environment is kind of a requirement for more advanced techniques like bypassing ASLR with ROP, so it gets a pass from me on that front.[1]

Personally, I already knew perhaps 80 percent of the content due to both my general background as a security professional and specifically due to the certifications I have already achieved. The content new to me mostly consisted of the Ruby and PowerShell modules; I had a working knowledge of both but hadn’t ever taken the time to really learn how to use them. I enjoyed following the material to manually write a Metasploit module in Ruby and playing with the PowerShell post-exploitation tools it covered.

Labs

Many of the modules have labs associated with them, which take the form of virtual environments containing various hosts intended to provide hands-on practice with the module contents. When you start a lab, the environment is spun up on eLearnSecurity’s “Hera” servers and you are issued OpenVPN credentials which put you on the lab network. Unlike the OSCP, lab networks are dedicated to you, so you never have to worry about someone crashing the box you’re trying to exploit or (as happened to me several times during my OSCP labs) finding what you think is the intended way of getting access to a machine only to realize that it was a backdoor left by another student so they could continue where they left off. The labs also come with manuals containing general directions outlining the goal and general intended exploitation path, some hints, and then a full solution manual. This is both a great strength and weakness of the course: unlike the OSCP (whose lab environment is just a bunch of boxes in one big network with no hints or solution manual), the PTP labs felt very targeted and purposeful since each lab was designed to illustrate a specific concept or technique. It even included a few “blind pentest” labs that drop you in a network with little information and tell you to go nuts à la OSCP. However, those labs were on the small side and I think having a few more boxes and requiring more pivoting steps wouldn’t have been amiss, since it’s rare in a real pentest for you to attain your goal going through only one or two machines.

Overall I found the labs to be the best part of the course and they made an excellent practice ground for me to both learn new techniques and refresh my knowledge of older ones before taking on the exam.

The Exam

The eCPPTv2 exam is a 7-day exam that can be started whenever you want (no scheduling in advance like OffSec’s) simply by clicking a button in the eLearnSecurity members area. You immediately receive VPN access and a PDF containing your instructions. The exam emulates a real penetration test: you are given a rough network map, a rough goal (called out as “necessary but not sufficient” to pass), and told to pwn all the things. After you’re done, you have to write a “professional quality” report detailing your steps to reconnoiter and exploit each host along with all applicable security issues you’ve found (even ones that weren’t directly exploitable or that just made it easier for you to exploit other weaknesses). The report will be reviewed by eLearn’s staff and then you’ll either pass or fail; if you fail, you’ll receive comments and then have another 7 days of exam time to log back into the lab and try again, correcting any issues in your report or exploiting hosts you missed in the first round.

I found the exam to be reasonably challenging and a lot of fun. It mapped very well onto the course material; the optional sections (Ruby and PowerShell) weren’t tested directly but are definitely helpful to know. A notable difference in the eCPPTv2 exam versus the OSCP exam is that you’re expressly permitted to use any tools you want, including automated tools like sqlmap or Metasploit, which better emulates a real penetration test scenario and is frankly just a lot less frustrating than trying to get years-old code off exploit-db to compile. I was done with all the objectives in about 2.5 days, but I can see someone who wasn’t as experienced as me taking another couple days to manage it. I thoroughly enjoyed the experience for sure!

Reporting

Reporting is a big deal on this exam. You’re expected not just to gain access to all the machines, but take good notes and produce a good quality report, including details like an executive summary and a breakdown of discovered issues. It’s a good idea to take notes as you go using tools like OneNote or CherryTree, including screenshots of steps, commands used, and any issues you discover. I also recommend building a network diagram as you go, including information like open ports (both inbound and outbound)—it’s helpful during the exam to keep track of where you need to pivot to/from and you can include it in the report to flesh it out. eLearn’s reporting guide is somewhat hard to find (it’s located here, for reference), but it’s very good at walking you through necessary elements of a report. I used a modified version of the template ISE uses when reporting our real engagements to clients, but you can find plenty of examples online, such as this one.

eCPPTv2 vs OSCP

This is the million dollar question: how does the eCPPTv2 compare to the OSCP? OSCP is currently one of the more recognized certifications in the industry while eCPPTv2 is still gaining traction, although it’s definitely getting there — many of my contacts at different companies have either heard of their courses or have taken them individually or through a corporate subscription. I found OSCP’s exam to be more challenging than eCPPTv2’s, though much of that was due to OSCP’s 24-hour time limit, which honestly strikes me as artificial difficulty. One other major difference between the two in terms of the exam is eCPPT’s explicit permission to use automated tools versus OSCP’s ban on them. There’s definitely value in knowing how the automated tools work, but in a real world scenario (which both certifications claim to emulate) there’s zero chance of me doing anything manually if I can avoid it. The other big difference between the two exams is that the eCPPTv2 exam emulates a realistic network requiring you to pivot and figure out how to get through restrictive firewalls both on ingress and egress, something OSCP doesn’t require.

In terms of content, the two courses are roughly the same; the main difference is that PTP covers WiFi attacks and PowerShell/Ruby, while the updated OSCP has better coverage of Active Directory attacks. I’ve already covered the differences in labs except that I also want to mention that I found the PTP labs to be way faster than the OSCP/E ones. I have a fast internet connection at home but my connection to the OSCP labs was always really high latency and low throughput, while the PTP labs were much snappier. That might be related to my physical location as much as anything on their ends, but it’s definitely worth mentioning since it can get pretty painful uploading exploit binaries at speeds measured in tens of kilobits per second.

So which one should you take?

The easy answer is both—the two certifications differ enough in covered material and exam style that it makes them almost more complementary than competing. PTP is definitely a lot friendlier with its lab walkthroughs and more lenient exam structure and policy, and it’s also a better emulation of a realistic pentest scenario than OSCP. OSCP is a little harder, covers Active Directory better, and is more widely recognized—you can see examples of general opinion between the two on Google and on charts like this security certification roadmap. That chart is of course just one person’s opinion and hardly ‘official’, but it does pretty well illustrate the difference in general status between the two. They’re also about the same price, though again the actual format of the PTP course is much more generous and user friendly. If I had to pick one, I’d say that someone who was entirely new at security would probably have a better time with the PTP course unless they were really itching for a challenge or wanted to get the most recognized certification they possibly can, while the OSCP would be a little better for people with some existing experience. I’d also say that you might be well served trying for both, or for doing PTP followed by the newly-updated Penetration Testing eXtreme course, which covers all the material missing from PTP on Active Directory and much more. It’s the one I’ll be taking next once I have the time.

It’s worth noting, as an aside, that you can take the eCPPTv2 exam without purchasing the course. If you’re an experienced pentester and already have the OSCP you might want to consider that since the exam on its own is about 1/3 the price of the course+exam.

Conclusion

Overall I’d consider the PTP course and the eCPPTv2 exam to be worth the $1,300 asking price as an entry level certification. For holders of existing certifications like the OSCP, the exam experience is certainly worth it but the material itself may not be worth the asking price. I thoroughly enjoyed the experience and look forward to trying the PTX course and its associated exam.

  1. By the way, if you want to learn how to take on challenges like bypassing W^X and ASLR, the Corelan Exploit Tutorials are really excellent and also free. I also enjoy the MicroCorruption embedded security CTF, whose later levels cover those techniques in an embedded environment.