After gaining the CCNA Cyber Ops and Security+ certifications, I wanted to start focusing on how best to start my journey on becoming a penetration tester. I was looking for a course that can give me the solid foundations of penetration testing before moving on to more advanced certs, like eCPPT or OSCP.
This is when I came across the eLearnSecurity Penetration Testing Student (PTS) course that when passed, rewards you with the eLearnSecurity Junior Penetration Tester (eJPT) certification.
This review is for PTSv3, but it still applies to everything that wasnt added to the PTSv4 course!
Course Pricing Plan:
I bought the PTS Full plan which provided me with:
- 30 hours of HERA lab time
- Training videos - HTML5
- The eJPT certification exam with one free retake (taken within 180 days)
Looking back, I'm glad I didn't pay for the Elite plan because even for a complete beginner to penetration testing like myself at the time, I had plenty of lab time left over and still felt comfortable in the exam to not warrant the extra 30 hours worth of lab time, although the Elite plan is is the only plan that gives you the training material in PDF format and the eJPT exam comes with up to three retakes.
The course syllabus gives you an overview of what is going to be covered in the course - https://www.elearnsecurity.com/course/penetration_testing_student/
The introduction modules are a great taster and overview of the topics to come when the penetration testing part of the course kicks in, as a network engineer I did find the networking introduction chapter as more of a refresher but the web app and penetration testing chapters were a high level overview of the basics.
There is also a programming section which was an introduction into C++ and Python. With the course being suited more for beginners, The module didn't really go too deep into the subjects, which I found a little disappointing, but I cant remember needing to use anything from the programming section to pass the exam anyway.
Penetration Testing Modules:
The penetration testing part of the course is what most people bought the course for, and it did not disappoint! The layout of the modules was as follows:
- Information Gathering
- Footprinting and Scanning
- Vulnerability Assessment
- Web Application Attacks
- System Attacks
- Network Attacks
The slide contents was to the point, easy to understand and with little to no 'fluff' At the end of most chapters, there are also videos that cover the practical elements of the theory from the slides, sometimes including extra concepts you can use to complete the tasks. You will also be introduced to resources outside of the course that can be used to further research topics, and you'll also learn about the tools that are used in a pentest along with how the work and why they are used etc. I found this to be extremely useful for when it came to the labs and the exam.
You also get given access to 12 HERA labs. The HERA labs are worth the $400 cost for the course alone, The labs are all based on specific topics from the course, this helps reinforce the topics covered by trying out concepts/commands for the given tasks. Every lab comes with a lab solution guide, which if you are stuck at any point in a lab, you can reference back to it whenever you need it, this is also good for the exam if you are struggling with a certain vulnerability/method/command.
When you first start your exam, you are given a rules of engagement letter which details the exam scenario and a IP scope to work from and you are given 3 days to answer a series of questions.
The exam format is well thought out, especially as it is aimed at the more beginner penetration testers because as you are given the multiple choice answers, if you are stuck, you can reference the questions and work out a rough idea of where you need to look, tool to use etc or if you need to enumerate more, say you find 5 hosts, but one of the multiple choice answers isn't 5.. you know you still have work to do..
I spent around 8 hours in the actual exam environment which considering when you are given 3 days to complete the exam, it shows that there is no reason to worry about the time constraints at all, there is plenty of time to get the answers to the questions! Once you submit your exam, you are given a pass/fail answer straight away.. I passed with 95%
Exam Tips and Techniques:
- Have a solid penetration testing methodology.. info gathering > scanning > etc
- Enumerate, enumerate... enumerate! - nmap, gobuster, sqlmap etc
- Get comfortable with using password cracking and brute forcing tools
- Make sure you know how to pivot between networks
- Remember the exam does not restrict certain tools you can use, like SQLmap or Metasploit
I thoroughly recommend the PTS course/eJPT exam to anyone looking to get more knowledge with the foundations of penetration testing. The HERA labs are awesome, dedicated to you, with specific topics to practice on each lab made it a joy to learn and explore!
The exam was so much fun, it was practical, you have to know your methodology, concepts, commands, tools.. it isn't a multiple choice exam like other certs!
Being in the UK, eLearnSecurity isn't as well known as it is elsewhere so if you are looking for HR filter certs, this probably isn't the one for you, but if you just want to learn and gain useful knowledge of penetration testing, you wont find a better course/exam to take.