Posted on 2022-10-24 by Nathan Jarvie in Industry
Part 4 of the Sysadmin-to-Pentester series discusses offensive security foundation-level certifications. While not required to get a job in the infosec industry, there is no denying that certifications help your chances of landing your first role. Luckily for you, I have done quite a few so far, and can tell you which are worth your time (and which are not).
Certifications - The good, the bad and the ugly
I love courses and exams. I don’t know why. I like to learn new skills and concepts, then achieve my certification at the end of a course and proclaim proudly “I did this thing!”. Then I put it in my folder or on my wall of ego, and do it again like some kind of junky.
Some people can just pick things up as they go along, by firing up Kali and HackTheBox and just smashing things until they break. I can’t do that; I need a reason and I need to understand the fundamentals before I start. So I use certifications as short-term goals to learn a topic or set of skills. There are over 430 IT security related certifications with 74 of those being directly related to penetration testing or exploitation, so you can always find something that will interest you and help you to develop.
A full list is provided by Paul Jerimy, and can be found here:
I have done a few IT and security related certifications and I will admit that not all of them are equal. Some are certainly held in higher regard in the industry than others, but does that mean that those certifications are a good representation of the skills required to do the job?
So which ones are worth doing? Good question! and the answer is:
There are a few factors to consider and they require you to be honest with yourself, which is surprisingly hard to do. You don’t know what you don’t know. So long as a course teaches you something new, it may be worth it. But if you are going through a whole course for one nugget of insight that you could have learned in 10 mins on YouTube, it’s probably not worth it.
I evaluate potential courses based on the following:
- What did people that completed it think of the course?
- Does it hold any value in the community and in the job market?
- Will I learn something new?
- Am I sufficiently skilled to understand the course and get value from it?
You have to be truly honest about your skills in the field and know when to pull the pin if it’s not going to plan. Understanding the fundamentals, not just in security but in general IT and networking, can help to provide context to the instruction material in advanced courses. It is important to understand that while OSCP, PNPT, eJPT, etc. are foundational exams for penetration testing, there is an assumption that the student is advanced in general IT beforehand. They will not teach you about components or basic networking. Some of them will touch on topics that may be foreign to the average computer user (like Linux CLI skills, or subnetting), but it is expected that you will research and learn these topics yourself.
So, in the following section, I will give my recommendation from Zero-to-Hero of penetration testing. I will explain why I chose each one and what you can expect to gain from it.
CompTIA A+ - Coursework only
This is one of the most popular beginner IT courses available. It covers the foundational knowledge of computers and peripherals. What they are, how they work, their internal components. There is a lot of content in this course but it is an inch-deep-mile-wide approach to IT. Consequently, the certification itself does not hold a lot of value on your CV for mid-tier roles.
Regardless, the course is incredibly valuable if you are just starting out your IT career. There are a heap of resources available for this including books and the immensely popular Professor Messer series of instructional videos.
I recommend completing the coursework and revising until you can achieve a passing grade consistently on practice exams. When you feel comfortable with the content, move on to the next level. I don’t recommend sitting the exams for the A+ though, but you can if you want to.
If you are comfortable explaining the different components of a computer to a child, you can probably skip this course.
Penetration testing involves attempting to break in to or out of restricted networks. Doing so requires more than a base level understanding of how networking works under the hood.
CompTIA’s Network+ provides a high level overview of all the components of a network and how they fit together. It will teach you to differentiate between a firewall, a router and a switch. It covers IP addressing schemes and subnetting, and will even start on the basics of network security. But most importantly, it starts to teach you about how the Internet works. After all, the Internet is just thousands of interconnected-networks. They all have to follow the same sets of rules to work together.
Similar to A+ there are hundreds of resources available, including books and videos. You can choose the method of training that works for you.
As suggested earlier in this blog series, it is recommended to build a home lab as a bit of a sandbox for you to play in. The same is true for networking. While doing the course is important, networking is best understood by doing. Put together your environment, add in a virtual router or switch and attempt to get it all to talk together nicely. Then play with VLANs and other more advanced networking concepts.
Unlike CompTIA’s A+, Network+ does have value as a certification on your CV. Sitting the exam for this one is well worth the time investment, and is a good demonstration that you understand all the previous content (A+ and Net+) before moving on to the more advanced concept of Security.
The last in CompTIA’s CORE series of certifications is Security+. This course is about as generic as a security course can be, and once you start to study it, you will see what I mean.
IT security is not a small field. There are roles in threat response, cryptography, governance, development, architecture and design, and many more. IT Security is an industry in itself and this course helps to make that clear. It is very possible that you start this course with full intention of becoming a penetration tester, and instead find that your interests lie in security engineering instead; that is perfectly OK! Do what you find interesting!
Once again, Professor Messer comes to the rescue with his series of Sec+ videos. Along with many books and resources that are available for the course there is no shortage of training materials for this certification.
I highly recommend this course and exam to anyone interested in IT security. The high level approach to all aspects of IT security can help you discover what you are interested in and find your niche.
This certification is highly valued when hiring for mid-level IT consultants. While not specifically required for penetration testing, it does show a general understanding of IT security as a whole, and is therefore worth completing.
Ok, so you have got this far and you definitely want to be a pentester. OK, sure; now we get into the fun stuff.
TryHackMe (and recently some other platforms) have created these learning paths that will help you to work through the content in a logical and methodical way. While there is some overlap in the paths, the system keeps track of modules you have completed and will automatically mark them as done when you start the next path. Some of them are free while others require a subscription. Regardless, they are worth the cost and time investment.
Recommended learning paths:
- Complete Beginner
- Web Fundamentals
- CompTIA Pentest+
By working through these learning paths you can start to understand the concepts, methodologies and skills required to become a penetration tester. Though, for now at least, I suggest leaving the “Offensive Security” path until later. Not because I don’t think you can do it, but because it serves as great pre-exam practice.
I can honestly say that these learning paths, along with the next recommendation, had the largest impact on my journey to becoming a penetration tester. In saying that, I am fully aware that without my prior understanding of networking and security through the CompTIA certifications (and my professional experience), I would not have fully understood the concepts being taught in the learning paths and I would have struggled here. So make sure you understand your basics before heading in here.
TCM Academy - PEH Course bundle
There are many “fundamental penetration testing certifications” to choose from, that all effectively teach the same things. They will all cover enumeration of a target, using basic tools, privilege escalation, and other techniques that are required for the trade. The primary difference between each course and subsequent exam, is which of the fundamental topics they focus their energies into.
Personally, the most valuable exam I have completed to date is TCM Security’s Practical Network Penetration Tester. When purchasing the certification, you are given the option of purchasing the exam itself or a bundle with the recommended training videos. I recommend taking the training. Though much of it is available on YouTube for free through TCM’s official channels, there is some key content for those who have the courses.
The bundle includes 5 modules called:
- Practical Ethical Hacker
- Open Source Intelligence fundamentals
- External penetration testing playbook
- Windows and Linux privilege escalation modules
Working through the course will cover a lot of the content in the learning paths above, helping to reinforce this knowledge and build on it. It also provides some practical examples on more advanced topics not yet covered, such as Active Directory, PowerShell and stack-based buffer overflows. Additionally, the course covers some of the more abstract skills of penetration testing including Open-Source Intelligence (OSINT), report writing and client communications.
All the content required to pass the PNPT exam is included in the modules, and if you have amazing notes and understood everything, you should be able to sit your exam. However if you want more practice before taking that plunge, you can head back to TryHackMe.
TryHackMe (#2 - Electric Boogaloo)
Let’s put our skills into practice. You can do anything you like on TryHackMe or HackTheBox, but I recommend walking through the remaining learning path - Offensive Security - and seeing what you can do without assistance. This will help to build your confidence and if you do get stuck at any point, the explanation of how to complete the task is available to you.
Once that is complete, look into the Networks. These are fully functioning Active Directory networks that emulate a real-life scenario. You can complete these with the instructions provided or on your own. Either way, completion will give you an idea of what to expect on the PNPT (and now OSCP) exam environments. I have referred to the notes I created from these networks many times on live, real-world penetration tests and have considered even going back and doing them all again with the experience I have gained since.
- Offensive Security learning path
- Wreath Network (Free)
- Holo Network (Included with subscription)
- Throwback Network (Separate paid access)
I highly recommend these to anyone, especially those who are pre-OSCP or pre-PNPT exams.
TCM Security - Practical Network Penetration Tester
While this certification is not yet as popular as OSCP, this is by far the most realistic exam I have taken.
You have 5 days to compromise the domain controller of a network, then 2 days to produce a professional report including vulnerability write-ups and remediation, which is followed by a 15 minute debrief with a senior penetration tester.
Not only are the time frames accurate to a real world test, but the requirements of a professional report and a debrief to complete the exam mean you cannot bluff your way through it.
It’s not often you can try-before-you-buy a new career path. But this exam is pretty close. If you get through this exam and think, “that was amazing!” then pentesting is the right path for you. If you get through it and hated every second, well…
Offensive Security Certified Professional (OSCP)
It’s no secret that OSCP is one of the most sought-after certifications to have on your CV. It is considered a gatekeeping certification for pentesting roles by many simply because of how recognisable it is. Many people in recruitment, who are not specifically in Cyber Security, still recognise that acronym as being important for a pentester.
Whether or not everyone agrees, it can be the difference between candidates when applying for roles, and as such it is a valuable certificate to have.
So how do you get it?
Offensive Security - Pentesting with Kali Linux (PWK/PEN-200) Course and Labs
The PEN-200 package includes the Pentesting with Kali Linux (PWK) course which covers all the foundational topics of pentesting and is delivered in both text and video formats. The course has a very different feel to TCM Academy’s PEH course but the content is similar. There are some different techniques and tricks that are useful to know and help you to put together more complex attack-chains.
Working through the course and exercises can be beneficial on exam day if you are willing to put in the effort as submission of the course exercises is worth 10 bonus points, and for many is the difference between a pass and a fail. The thing that is important to remember is that the PWK course does not provide you all the material required for the exam. You are expected to go above and beyond what they cover to be exam ready and there is not a lot of detail on how far you need to go.
The meat of the course really comes from the included student labs. There are multiple environments and scenarios that you need to work your way through. No walkthroughs are provided so you need to work it out yourself or hit the forums for some hints. Pay close attention to the Active Directory networks within the student labs as they are a key portion of your exam. Though if you have done PNPT, you should find these relatively straight forward.
Additionally, the student labs, while useful, are shared with other students, meaning there are times when two (or more) people are working on the same machine without knowing they are doing so. This caused issues for me more than a few times and led me to search for other training materials.
One of the best guides for practice machines is provided by TJNull. It’s a Google Docs sheet with a list of OSCP-like machines to practice on.
Offensive Security Proving Grounds
Proving Grounds is OffSec’s version of HackTheBox and somewhat ironically, contains more retired OSCP and OSCP-like machines than the PWK student labs. There is a free (Play) and a paid (Practice) version. The paid version is included with a LearnOne subscription and, unfortunately, most of the useful OSCP-like machines are hidden behind the paywall. So if you didn’t get a LearnOne subscription (I didn’t) this comes at an additional cost, but one that is worth the investment, even if only for a couple months.
Many of the machines on here are ex-Vulnhub machines and as such walkthroughs are available if you get stuck. I found the best approach was to attempt a machine on my own for a few hours until I was sufficiently frustrated, then find a walkthrough to get me to the next stage. It may sound like cheating, but I learned so much from this method that I otherwise would never have known. Walkthroughs are available in the platform itself but they are time-gated at 1 per 24 hours (Google is your friend).
You don’t know what you don’t know. There were many times where I looked at a walkthrough and thought “There is no way I would have worked that one out. But that is damn cool!” It was through this method that I discovered and documented methods and tricks that appeared on my exam. I regret nothing.
Offensive Security Certified Professional (OSCP)
There are hundreds of blogs about the OSCP exam. The short of it is that it’s not a great experience, but if you want that acronym on your CV then you have to sit through it.
You have 23 hours and 45 mins in the lab environment to obtain 70 points out of a possible 100 (remember 10 bonus points are available if you submit the student lab report and exercises), and then a further 24 hours to submit your report. The exam environment is very CTF-like and should feel reasonably familiar once you have done the student labs. The time limit on the lab environment is stressful and I know some people have run out of time. I worked out one of the challenges about 30 mins after my lab expired, while I was writing my report. But nonetheless it is doable.
The report needs to be written in such a way that a non-technical person can copypasta their way through the boxes and get the flags. i.e. an attack walkthrough. This is different from the PNPT requirements which are closer to a full pentest report.
This was a stressful experience and one I would not like to repeat, but I am also glad I have it and learned a few interesting tricks in the process.
Bonus round: eLearnSecurity (INE) Web Penetration Tester (eWPT)
This course was super valuable. While there are a few things I would change about it, the overall experience was positive. To get an idea of what to expect, the course and exam were written in 2013 and have not been updated in any major way since. While this may sound like a bad thing, similar to the Web Application Hacker’s Handbook (which anyone will tell you to get a copy of), the concepts of web application security don’t really change. They get updated and new attack vectors are discovered over time, but SQL injection is still SQL injection, and Cross-Site Scripting is still Cross-Site Scripting. It is expected that you have a reasonable grasp of Linux and network penetration testing or web application development before you start this course.
The course covers all of the OWASP Top Ten (2013 version) and is relatively easy to digest. The majority of the juicy information is in the slide decks, which can feel a bit like death-by-PowerPoint. The videos complement the slide decks but are not as in-depth. While they were useful for study, I found them to be much more useful for revision pre-exam.
The best part of the course is the labs. The task-focused labs give you an opportunity to test out your new knowledge and help to cement it in your brain matter. While they were out of date, the content-relevant labs provide the most valuable learning opportunities.
I would like to see some updates to the course to remove some of the older attack vectors (I’m looking at you, Flash module), and introduce some of the newer ones in the OWASP Top Ten 2021. Also, the labs need a major revamp. They are certainly useful but they are old. As an example, the installed copy of Burp Suite is so far out of date that I had to re-learn how to use it for the purpose of the labs. OK, it wasn’t that bad, but it was very annoying.
The disconnect between INE and eLearnSecurity is also very jarring. INE is the training provider while eLearnSecurity is the exam provider. This is true until it isn’t. All support is provided by INE, but you need two separate accounts (INE for training and eLS for the exam). The eLS portal has many dead links and references that can make the process feel disjointed.
One other criticism is that the conditions for the exam are unclear. There are many stories of people missing key information while preparing for the exam, which resulted in them thinking they had more time than they did. To make it a little clearer, I will put some points below.
- You must purchase a voucher from eLearnSecurity for the specific exam you wish to take, then eventually you will receive information on how to set up your eLearnSecurity account, which includes the exam portal and your certificates. (Mine took a few days, which sucked.)
- You have 7 days of lab time to complete the exam, then a further 7 days to produce a professional level report. 14 days in total from starting the exam to end. You do not have 14 days of lab access.
- When you start your exam you are given a Rules of Engagement document. Read the whole RoE document carefully before you start attacking and scanning and stick to what it says to the letter.
- You must meet the objective provided to you upon commencement of the exam. However, this alone is insufficient to pass the exam. You need to treat it like a real-world pentest, which means finding as many vulnerabilities as you can in the time limit, not just the ones required for the attack chain.
- All information needed to pass the exam is in the course. If you are trying to do something outside the scope of the course and it isn’t working, take a step back and think about how you can utilise the course content. Don’t try to be clever until you have met the objective.
- Feedback and a free retake will be provided if the tester submits a report. If you do not meet the criteria, produce a report on what you did find and the examiner will give you a nudge for next time. You can claim your free retake even if you submit a blank report, but a failure to submit will result in a forfeited exam voucher. Retakes must take place within 30 days of receiving examiner feedback.
- Examiners will provide feedback within 30 business days (6 weeks). Personally, I got mine back within a few hours, but others have not been so lucky, having to wait the full 6 weeks.
I really enjoyed this course. I found it very valuable in developing a methodology and walking through the basics of Web App testing with enough detail that you can build on. I just wish they would update it to keep up with the times and clean up the process to make it less confusing.
One last thing to leave you with is:
Never pay full price for this package. Sign up to INE Starter Pass for free and let the spam emails flow. You will eventually get deals coming into your inbox that offer significant discounts and free exam takes.
On the next episode…
As you may have inferred from this article, I preferred the PNPT experience over OSCP as a new pentester. In the next post I will go over my reasons in a little more detail.
Next: Part Five - PNPT vs OSCP
About the author
Nathan is a certification addict; he can’t stop and it’s becoming a problem. We can’t talk to him about it directly, but consider this a call for help.