My Journey into Cyber Security: eJPT to eCPPT to OSCP (Part I)
Way back in November 2019 I was playing professional ice hockey and needed to transition into a real job that would pay the bills. I thought to myself:
“How am I going to get a job in cyber security?”
Why cyber security? Because I like computers, I like solving problems, and it pays well. Naturally what ensued was a plethora of YouTube videos, podcasts, and blog posts from middle aged white men who were usually bald with a beard (classic computer dudes). After looking at my screen for an unhealthy amount of time, and hearing the same things repeated over and over again, I decided to go down the route of getting a Master’s degree and picking up certifications as I went. The common entry level debate in cyber security (and IT in general) is whether to get a degree or certifications to get a job. I was in the fortunate position where I could say “screw it, I’ll do both” and opted for what I dubbed the Hannah Montana approach (the best of both worlds). What ensued was a very busy 12 months from October 2020–21 where I completed my Master’s degree and obtained the eJPT, eCPPT, and OSCP (the title may have spoiled this). That 12 month period gave me the opportunity to assess, for myself, the best approach to take when trying to get an entry level job in cyber security, along with the quality of entry level penetration testing certifications on the market.
I chose to go down the penetration testing route because it’s perceived by many as the sexy thing to do in the world of cyber. It’s in the movies, it’s in the news, and all the cool kids are doing it on YouTube. I thought “I want to break into systems and get paid for it”, so, as a bright-eyed and bushy-tailed wannabe, I began my journey. My aim was to land a Junior Penetration Tester position anywhere that would have me.
To do this, I first undertook a Master’s degree. Now Master’s degrees, and especially this one, are not like a classic Bachelor’s in Computer Science. They are much more self-directed, research-based, and sink or swim. The degree I undertook was an MSc in Cyber Security Engineering and consisted of 8 modules, along with a year long Dissertation project which made up half of your overall marks. Each of the 8 modules was a week of intensive teaching (9–5), followed by 4 weeks in which you completed a project that was either technical or research focused. This project was then assessed via a viva or through the marking of an academic paper which had to be fairly lengthy with sources cited (obviously you have to pretend to be a scholarly gentleman). Being a degree program, these modules were very diverse. For instance, one module consisted of building a secure network infrastructure within a virtual environment, while another was about writing an information risk management and governance plan for a fictitious technology company. This diversity was a good introduction to the broad spectrum of fields within cyber security and helped me decide the area which I wanted to go into (kind of the whole point of degree programs). Once I had completed all the modules I could solely focus on my Dissertation project. This was all about creating a symbolic analysis tool which could aid a malware analyst in bypassing anti-analysis techniques (I can talk more about this in detail but I’d probably bore myself, let alone the fine people reading this blog article). Anyway, solely focusing on my Dissertation freed me up to do some industry certifications which I was told would “help me” land an entry level position in penetration testing.
The first cert I set my sights on was eLearnSecurity’s Junior Penetration Tester (eJPT for short). This is at the very bottom of the totem pole for penetration testing certs and is a very nice introduction to the field. The training for it was (and hopefully still is) provided completely for free by INE so you only have to pay for the cost of taking the exam! This is an awesome model which is great for getting newcomers through the door by lowering the barrier to entry for those who perhaps can’t afford the high cost of other certs (e.g. SANS). The material in this course is basic but covers many areas of IT security in a clear way with practical labs thrown in to help you practice the skills you learn. There are some topics which may seem too advanced for beginners, like programming a key logger in C, but these are not tested on the exam and are more of a “hey look at this cool thing you can do” rather than something you need to know. The exam itself is fairly easy and the course does a good job of covering everything you need to know. Overall it’s a perfect course for those who want to dip their toes in the field of penetration testing. You get the experience of popping shells and breaking into systems (albeit with decades old flaws like null sessions) without having to have a deep understanding of what is actually happening. It’s “video game hacking”: fun, easy, and provides high reward for little investment. These are not slights against the cert; it’s important to give newcomers easy wins so they come back. Just don’t expect this cert to prepare you for the real world. For that eLearnSecurity has their Certified Professional Penetration Tester (the eCPPTv2), which you do have to pay a significant amount of money for.
Once I had completed the eJPT (in around a month), I bought a year’s membership to INE so I could begin my eCPPTv2 journey. To be fair, the INE yearly membership is not obscenely priced and you do get a lot of content for your subscription. Unfortunately some of the content is old/dated and there are much cheaper/better resources that come at a fraction of the price (e.g. TryHackMe). The eCPPTv2 course begins with a lengthy module on system security, or “learning about buffer overflows through a million PowerPoint slides”. This module may scare off newcomers because it is very technical and requires somewhat of a programming background to fully understand. However, once you get through this the course content becomes considerably easier to digest. The course has a strong emphasis on teaching you the technical details of how and why many of the hacking techniques it teaches work. For instance, it will talk about the SMB service used in Windows environments, then how this is secured, then move on to discussing the infamous MS17-010 (EternalBlue) and how this can be used to circumvent the authentication. Finally it will let you try this exploit out for yourself in a lab environment using Metasploit (the point-and-click shooter of the hacking world). I liked this approach because it gave you a “what is happening under-the-hood” perspective, but it can be tiresome to go through a hundred slides just to see how one exploit works. For me, this wasn’t a big deal because I had plenty of time to study for this certification, yet for someone working full-time it certainly lengthens the time it takes to go through the course material. This is especially true if you don’t come from a technical background and would have to do additional research to understand the topics the course material assumes you have knowledge of.
The assumption of underlying technical knowledge is characteristic of both the eCPPT and the OSCP certifications. These certifications assume the person undertaking the training has somewhat of an understanding of networks, programming/scripting, system administration, and operating systems. A basic knowledge of these topics is needed to understand how and why hacking techniques work. A good example of this is a reverse shell. Reverse shells are small computer programs that can execute shell (system) commands on another computer across a network by calling back to the attacker’s machine. Now there are several questions which could arise from this definition: “what are shell (system) commands and how does this computer program get them to run?”, “how does it communicate back across a network?”, or even “what is a network?”. These questions traverse multiple domains of computing and don’t even go into how or why you’d want to get a reverse shell on a target’s system. Penetration testing requires the practitioner to have both the technical knowledge of what they are doing and how things work, as well as the tactical knowledge about why to do something and what problem a tool/technique could be used to solve. Much of the technical knowledge is pre-assumed by certifications because covering what TCP/IP is, what a for loop is, or how to navigate the file system on Linux, would take too long and would detract from what the certification is designed to teach you. This is why penetration testing is not an entry level field in cyber security (and perhaps cyber security is not an entry level field in IT, but that is getting too much like Inception).
Instead, penetration testing requires prerequisite knowledge of several computing topics. By no means do you need to be a network engineer or have 10 years of system administration experience, but you do need to have a basic grasp of fundamental IT topics. I was able to build up this prerequisite knowledge through school/University and, like most young men, through a higher power — the Internet. That’s not to say this is the only path. You could undertake entry level IT certifications like those offered by CompTIA, or self-study your way to success and build out a home lab with an accompanying blog to demonstrate your knowledge. Either way, you can’t skip the fundamentals and be proficient at penetration testing. If you want your pudding you’ve got to eat your vegetables.
Anyhow, back to the eCPPT. Once you complete the course material on INE you can move on to taking your exam. The exam is nicely spread out over a 7 day period and you have to complete a full penetration test on the target’s network, submitting flags as you go. When you capture the final flag you can begin writing your report, which you have another 7 days to submit (eLearnSecurity is very generous with their time requirements). The exam probably won’t take you more than a few days to complete and then maybe a couple of days to write up a good report with lots of screenshots. You want to make sure you document everything (especially any buffer overflows you may or may not be doing). The coolest part of the exam is the pivoting aspect. Jumping from network to network through SOCKS proxies and port forwards is fun and mimics what real threat actors do, albeit before the invention of modern Command and Control frameworks (C2s). That said, the course material lacks great coverage of pivoting techniques and I’d recommend looking at other learning resources to get good at this. I found TryHackMe to be an exceptional resource. Then you can begin chisel-ing away (if you know, you know).
The exploits and privilege escalations in the exam are not too difficult and overall it is relatively easy to capture all the flags. The reporting aspect is the element which eLearnSecurity focuses on, and I commend this. Being able to write a good report is perhaps the greatest skill in the whole of IT! You need to communicate to the person that pays you what they are paying you for. My only gripe with the eCPPTv2 exam is the time it took eLearnSecurity to mark my report and get my results back to me. It took almost 30 days for them to get back to me and say I’d passed! I can only assume they had to translate the report into braille for a blind French man to read, who then diligently translated it to Spanish, and finally it was translated back into English for me. Surely in this day and age this is the only reason a multi-national corporation like eLearnSecurity could take 30 days to read a 10 page report (excluding screenshots). Nevertheless, I received confirmation that I had passed and I was on to the OSCP.
In the second part of this blog post I will go into my experience with the OSCP, how I landed my first job, and what I’d do differently if I could do it all over again. Stay tuned!