Skip to content

Latest commit

 

History

History
178 lines (144 loc) · 17.8 KB

roadmap-and-my-experience.md

File metadata and controls

178 lines (144 loc) · 17.8 KB

🛣️ RoadMap & My Experience

The path to becoming a penetration tester is like a winding river, ever-changing and unpredictable. To navigate it, one must be adaptable, resourceful, and always willing to learn.

The journey to becoming a penetration tester is a lifelong one. It is a journey of continuous learning, discovery, and self-improvement.

I'm writing this 'review' to assist aspiring candidates in their journey towards obtaining the eCPPTv2 certification. My aim is to share the resources, insights, and tools essential for preparation, offering advice and addressing common concerns. Unlike the eJPTv2 exam, where you have a only two days to tackle everything alongside multiple-choice questions, the eCPPTv2 certification presents a different challenge. This exam grants you a generous timeframe of 7 days to compromise the entire environment and an additional 7 days to compile a comprehensive professional report detailing all identified vulnerabilities, their criticality, and proposed resolutions.

While seven days may seem ample, completing the exam in less time is entirely feasible. Personally, I managed to conquer it within four days, allowing myself one day of respite, and dedicated two days to crafting a detailed report spanning a total of 80 pages. Is it worth the effort? Undoubtedly. The eCPPTv2 certification rigorously evaluates your prowess in pivoting, buffer overflow exploits, and, most importantly, your comprehension of the pentesting process. Success hinges not on merely reaching the root but on uncovering every vulnerability within the environment. Hence, a robust methodology and thorough enumeration are indispensable. Unlike conventional CTF challenges, you won’t find user.txt or root.txt flags; instead, you’ll encounter files containing crucial information such as passwords, IPs, or network segments, facilitating your progression within the network. I recommend using a diagram/map of the entire environment since otherwise you can get very involved and it is better to work organized, for example Excalidraw.com or Draft.io.

Not having much experience in writing reports, it was not easy and I recommend practicing beforehand. I received the positive result after just 24 hours, unlike what you read online of 15/25 working days.

Here are some tips and insights to aid your preparation:

  1. Thoroughly Review the Letter of Engagement: Pay close attention to the “Letter of Engagement” document as it provides insights into the exam’s structure and requirements. This document must be included in your final report, along with a graphical representation of the compromised areas marked in red.
  2. It’s Not a CTF: Unlike traditional Capture The Flag (CTF) challenges, the eCPPTv2 exam is designed to be more approachable.
  3. Master Metasploit: Proficiency in utilizing Metasploit is paramount, as a good portion of the exam necessitates its usage.
  4. Emphasize Post-Exploitation Techniques: Effective post-exploitation strategies are crucial for gathering information and pivoting to other machines.
  5. Mind Your Nmap Switches: Be cautious when using Nmap with non-aggressive settings. Setting it to -T1 can prevent accidental resets and loss of progress during scanning or pivoting.
  6. Patience is Key: Don’t be discouraged if it takes the full 7 days to compromise the environment. Persistence pays off in the long run.
  7. Act like you’re a journalist: Take as many screens as possible during the 7 days of access to the lab, or if possible start filling out the report at the same time, because if you forgot to track something, it would be a problem.

Creating a customized homemade lab, composed of three or more network interfaces is the best training for this exam, starting with network of 2/3 interfaces and machines without vulnerabilities (direct access with SSH for example, see here), increasing the network interfaces with more vulnerable machines (including one vulnerable to BoF, such as Brainpain).

Remember that you already have an OVA machine on your VMWare/VirtualBox running on Windows 10, with ImmunityDebugger and the Mona plugin installed, to be used to test and prepare the shellcode to exploit the BoF-vulnerable software running on one of the machines on the network.

The PowerShell, Wi-Fi Security and Ruby modules are certainly important, but not mandatory for passing the exam.

Personally I didn’t follow the INE course, but I relied on the resources found online that I tried to list on my github.

Here below the path I used and which I would recommend to reach a level necessary to pass the exam. 👇

Background Information

Tooling

Web

Post Exploitation

Red Team & Active Directory (only for v3)

Reporting (only for v2)

It's a good choice use one of these source: TCM's template, Offensive Security's pentest report, the ITProTv sample report, and INE's reporting guide.

Other Resources

CheatSheet