Penetration Testing Professional course (PTP) and eCPPTv2 exam (July 2020)

Tho Le
Aug 30, 2020

This article is a quick overview of the Penetration Testing Professional (PTP) course and the eCPPTv2 exam by eLearnSecurity. Its purpose is to provide some insight into this penetration testing course and to share my experience of the exam.

It contains 3 sections, as below:

  • Why did I choose PTP?
  • Overview of the PTP course
  • The eCPPTv2 exam and my walkthrough

Why did I choose PTP?

As an incident responder, I became interested in knowing more about my enemies. Specifically, I wanted to understand my adversaries’ thought process and what they need to do to achieve their goals. Some blue-team people may just advise sticking to the cyber kill chain by Lockheed Martin; however, you won’t actually understand the importance of each phase unless you put yourself in the attackers’ shoes.

Therefore, I decided to take a penetration testing course. There are quite a few choices on the market, and the three courses below were under my consideration:

  • SEC660 — Advanced Penetration Testing, Exploit Writing, and Ethical Hacking (GXPN certificate)
    SANS is famous for its high-quality courses, and I have also taken several of its digital forensics courses, which totally impressed me. Therefore, this course came first in my search. However, going through the course’s curriculum, I was not convinced that it was the right choice for me. It seems to be a theoretical course, and I am already familiar with at least 70% of the course content.
  • Penetration Testing with Kali Linux (OSCP certificate)
    This course is very practical; all you have to do is “try harder” :). With my limited hacking experience, I felt that I was not ready for OSCP yet. Hence, I looked for something in the middle that covers theoretical hacking knowledge as well as hands-on experience.
  • PTP (eCPPTv2 certificate)
    PTP is a good combination of theory and practice. On one hand, it provided me with all the necessary background knowledge to perform all hacking phases, from scanning and enumeration to exploitation and post-exploitation. Furthermore, its labs are easy to use and well suited to applying your theoretical knowledge. On the other hand, to pass this course and achieve the eCPPTv2 certificate, you must pass a 7-day hacking challenge (plus another 7 days for writing a penetration testing report) in which you have to compromise an initial foothold, perform post-exploitation and move laterally to your target. Hence, knowing all the concepts is not enough to pass this course (with a multiple-choice exam, you should be able to pass regardless of your ability to apply theoretical knowledge in practice). With all of the above reasoning, I chose PTP and am glad that it was, indeed, the right choice.

Overview of PTP

The course contains 7 modules, listed below. I spent about 3 months (part-time) understanding all the materials/references and practising the labs.

Module 1: System Security
This module provides fundamental knowledge about computer architecture, compiling, assembly, debugging, buffer overflows, and shellcode. It may sound intimidating to people who are new to those topics. However, this course only scratches the surface of them, so it is not too difficult.

Module 2: Network Security
Module 2 is the most interesting one from my point of view. It leads you through the phases of penetration testing in a Windows environment: scanning, enumerating services, man-in-the-middle, exploitation, and post-exploitation activities.

Module 3: PowerShell for Pentesters
It introduces PowerShell and several offensive frameworks (e.g. PowerSploit, Empire).

Module 4: Linux Exploitation
This module is similar to Module 2, but for Linux.

Module 5: Web Application Security
This module teaches how to conduct penetration testing against a web application. It also introduces some common attack techniques (e.g. SQL injection, XSS, CSRF, etc.).

Module 6: WiFi Security
It introduces some well-known techniques for attacking WEP and WPA.

Module 7: Ruby for Pentesters and Metasploit
Finally, the course ends by introducing the Ruby programming language and teaching you how to work with Metasploit and create customized modules.

eCPPTv2 exam

eCPPTv2 is the most extreme exam I have ever taken. It is a 2-week exam in which you have 7 days to perform penetration testing against a simulated enterprise environment and 7 days to write a commercial-grade report.

eCPPTv2 engages you in a penetration test of a simulated enterprise environment, in which you are asked to find/exploit all vulnerabilities and gain root access to the DMZ servers. It is important to note that rooting the DMZ servers is required, but is not sufficient to pass this exam (unlike OSCP). As a penetration tester, you want to find and report all exploitable vulnerabilities to your client(s).

In general, I found the exam pretty straightforward. All you need to do to prepare for the exam is to understand all the course materials and make sure that you can apply them in the labs. Then you should not see any surprises in the exam.

Below is my exam walkthrough (I have tried not to spoil anything regarding the exam):

  • Day 1:
    I started early in the morning, around 7 AM, and quickly got an initial foothold on a public-facing server. I spent several hours performing post-exploitation information gathering. After setting up pivoting via the compromised server, I left Nmap running some extremely slow scans through the pivot.
    Feeling confident about my progress, I went out for lunch and relaxed for the whole afternoon.
    I was back in the evening, and the scan results were promising: some vulnerable machines in the corporate network had been found :). After quite a few failed exploitation attempts, I finally compromised the second machine in the corporate network. Again, I performed post-exploitation information gathering, which I hoped would help me move laterally to other machines. But I had no luck, and I was tired as well. So I rooted two machines on the first day, not too bad.
  • Day 2:
    I spent the whole day without any progress. I got stuck and couldn’t find a way to move forward.
    After a good dinner, I began to read in depth about a vulnerability that I had identified on a target machine but couldn’t exploit. Once I fully understood the vulnerability, I knew what piece of information I had missed. Hence, I performed more enumeration on the two compromised machines. Bingo… I found what I needed and successfully compromised the third machine. (Feeling so happy and confident again :) after a whole day in doubt.)
  • Day 3:
    I started the day by exploiting a vulnerable application via a buffer overflow vulnerability. It was pretty easy, as I am quite familiar with this topic and with reverse engineering. After 30 minutes, I had completely exploited the BOF vulnerability in my lab environment. But dammit… no shell when I ran the crafted exploit. I was sure that the exploit worked, so it must have been a firewall or antivirus blocking my shell. After some time, I figured out a way (hint: pivoting skills shone here), and hooray, a shell was established. I rewarded myself with a good lunch and a 1-hour walk with my lovely dog.
    Perfect… the newly compromised machine showed me the route to the DMZ network. Shortly after, I got initial access to a DMZ server. The only thing left was to gain root privileges. It wasn’t difficult at all, and I rooted that DMZ server in less than 1 hour.
    And that was it: I completed the exam on the third day. I relaxed and watched movies for the rest of the day.
  • Day 4:
    I checked the report requirements and reviewed my notes to see if I had enough information to write the report. The day was pretty light; I just re-ran some exploits and took additional screenshots.
  • Day 5:
    I decided to reset the lab and re-exploit everything from the beginning to make sure that I had found all the vulnerabilities.
    Once I was sure that I had found and exploited all the weaknesses, I started on the report. Honestly, it was boring.
  • Day 6–7:
    I didn’t do much on the exam, mostly enjoyed Tom Hanks’ movies.
  • Day 8–10:
    I completed the report and submitted it. A few hours later, I received their congratulations letter :)

Tho Le

Senior Cyber Security Analyst — be better than the yesterday self