My Journey to Pass eJPT (eLearnsecurity)
On the afternoon of Sunday 06/12 at 17:00 I passed the eJPT exam (eLearnsecurity Junior Penetration Testing) a very nice certification that I recommend to everyone.
The eJPT certification was made for those who are starting in the PenTest area or want to start a PenTest trail in eLearnsecurity itself. And as I already do some PenTest and always wanted to reach ePTX, I started with eJPT to understand how the exam method that eLearnSec uses in its certifications works.
And I say I don’t regret it! It is a very challenging certification, I will give a review on what I found of the course and the test.
Course Review
First of all, I bought the certification without purchasing the course, because as INE bought eLearnsecurity, some changes were made, so I started my study journey only with the PTSv4 menu as it was at CEH Practical where I took only what falls in the exam and I studied over. However, I was lucky that eLearnsecurity released PTSv4 to us on the INE platform, although I noticed that I had the free PTSv4 course in a promotion that they had done, but without the labs. But as eLearn released INE, I also obtained laboratories that were essential.
In general the course is very good, for those who are starting it, the slides and videos are sensational, I am sincere to say that I didn’t watch all the classes and I didn’t even see all the slides, only the fundamentals regarding Computer networks and other modules I found interesting like Buffer Overflow. But otherwise, I focused a lot on the labs and practiced a lot.
But not everything is wonderful, unfortunately some things of the course left something to be desired at the time of the exam, but I will leave it in the review of the exam.
In general the grade for the course is 8.5 / 10 it is a sensational course, I highly recommend it, do not expect something at OSCP and CEH level that are different footprints, I will explain now
Exam Review
The Exam is sensational, thinking outside the box is essential to do it, this is where I noticed the footprint of eLearnsecurity:
- First you access the VPN they provide, in this case an OpenVPN;
- You will receive an exam guide with some details and necessary files;
- You will log into the environment and will already be inside the laboratory, I recommend that you have a Kali or Parrot well updated and a stable environment to perform the test;
- You will have 3 days to complete and you need to solve at least 15 questions, these 3 days are enough, the test will give you questions, for example: What is the password for user X: How many subnets do you have? and etc;
- I recommend that you practice CTF if you want to go on such a journey, especially Vulnhub, TryHackMe and Hackthebox, as they have machines and learning methods that help a lot during the test, try playing with my machine: https://www.vulnhub.com/entry/bizarre-adventure-mrr3b0t,561/;
- Enumerate, enumerate and enumerate, because I tell you that the exam consists of 75% recognition and enumeration and 25% exploitation of vulnerabilities;
- The exam guide will give you all the necessary scope to act, see it as a proposal from a client to which you will make an Internal PenTest of the Black Box type, to which you only have the VPN and the first range of IP;
- Certainly Pivoting falls, but it is not as big a thing as SSH tunneling, for example. Just know the command IP route add <destination network> via <source network>;
- Learn simple CMD commands (search directories, use diskpart and even read files);
- Continuing the question of enumeration, I recommend that you write down the information regarding ports, services and IPs in a spreadsheet or use Dradis, Faraday or even notepad to store the information;
What I used in the test
Information Collection and Enumeration:
Nmap
hfping
Nessus
enum4linux
smbclient
nmblookup
Pivoting and IP Routing:
Ip route add <destination network> via <outgoing network>
Meterpreter> run autoroute -s “destination network>
portfwd
Web Exploitation:
Dirb
Dirbuster
Burp Suite
SQLMap
Xss Manual
Nikto
Brute Force:
ncrack
Hydra
John
Auxiliary Scripts Metasploit
Network Exploitation:
Metasploit-framework
Searchsploit
Wireshark
eJPT vs CEH Practical
I did CEH Practical and I say that the challenges are similar, both have 20 questions that need to be answered, however the eJPT is a little more try harder, as it is a 90% Black Box environment and if you don’t have enumeration, understand how the network protocols work, where to look and etc … You will not be able to go far.
Both certifications are cool and I recommend you take both, as it will develop your skills a lot, certainly the eJPT course does not reach the level of CEH that details like no other, the main vectors of attacks and methods of exploitation, especially this version 11 of CEH, is sensational !!
In summary, if you want something to start, I recommend CEH Practical, then eJPT is a challenge that will complement you, as you will be faced with a new way to perform PenTest and for those who want to start and seek to get an OSCP a eJPT is sensational.
I particularly have a trail, I will now look for eCPPT and OSCP, and then go deeper into bigger challenges like ePTX for example.
And so as not to leave without giving anything to you, I will provide my favorites that I used in the eJPT test to search and some links that I saved that can help you.
Just import it in your browser: https://drive.google.com/file/d/1hQtKxq31oM8ePmg_K7Eu_dnQQm7TKwui/view?usp=sharing
Special thanks
https://www.linkedin.com/in/sureshitsec/
https://www.linkedin.com/in/jo%C3%A3o-paulo-de-andrade-filho/
https://www.linkedin.com/school/acaditi---academia-inovadora-de-ti/
And to everyone who enjoys my work and is always supporting me, especially those who know me personally and know on the other side, let’s go!
My LinkedIn: https://www.linkedin.com/in/joas-antonio-dos-santos/