eLearnSecurity Mobile PenTest Course (MASPT)
NovaHax
Member Posts: 502 ■■■■□□□□□□
Just finished taking the 7-day challenge exam for the eLearn Security Mobile Application Security and Penetration Testing Course (https://www.elearnsecurity.com/course/mobile_application_security_and_penetration_testing/). Overall, I was extremely happy with this course. Here is an overview of my thoughts (both positive and negative) for both the course and exam:
Some of the course is a bit out-dated -
- Targets iOS 6 (currently on iOS 8.1) and Android 4.1.2 Jellybean (currently on Android 5.0.1 Lollipop).
- I personally don't see this as a huge concern, as this seems to be pretty common in the industry. It's pretty typical to take traditional PenTest courses that start you off attacking Windows XP with MS08-067. Along the same lines, this seems to be an effective way to introduce the fundamentals with some additional attack surface for practicing.
- The Android test environment setup uses Eclipse IDE and Android SDK. These solutions are deprecated and have since been replaced with Android Studio. Android Studio is very similar in functionality, but has a completely different GUI. So you are definitely going to have to figure some things out when getting started. Knowing the old setup is sufficient to do some searches and figure out what you need to do. Also, feedback from the admins in the forums indicates that the course should be updated soon. But as the course currently stands, it's a bit frustrating.
Course content was fantastic -
- Overall, once you get past the test environment setup, the course is REALLY good. The test apps are a lot of fun, and the content is well presented.
- The course was definitely more focused on Android than iOS (which was a plus for me, since I was already pretty comfortable with iOS testing, and not so much with Android...but this may be a negative for some).
The Challenge Exam -
- Similar to the course, the exam is only on the Android side (no iOS component). Once again, this was fine by me.
- Just like the eWPT exam, this one was VERY well engineered to be highly challenging and to require you to be able to string together multiple exploits to successfully complete the challenge.
- The concept of the exam was awesome. Rather than the traditional "do a pentest and deliver a report" routine that I've encountered with both OSCP and eWPT, this was much more creative. Rather than doing a report, you actually have to write your own malicious Android app. You are provided two related target applications, and you have to write your own app that will exploit multiple flaws on each of those to extract sensitive data. The malicious app (source code and installation package) is your only deliverable.
- You have to be proficient at both run-time exploits, reverse-engineering and writing your own Android app to be able to pass the exam.
- Although it was challenging, 7 days is definitely more than enough for the exam. I managed to complete it in 3 days, with a total of probably about 18 hours of testing.
Comments
-
JoJoCal19 Mod Posts: 2,835 Mod
Congrats and thanks for the review! I know eLearnSecurity doesn't get the recognition that OffSec does but I am impressed by their material. It's very in-depth and explains things really well.
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework -
impelse Member Posts: 1,237 ■■■■□□□□□□
Congrats
Stop RDP Brute Force Attack with our RDP Firewall : http://www.thehost1.com
It is your personal IPS to stop the attack. -
john13619 Member Posts: 10 ■□□□□□□□□□
Congrats and very good review.
Can you do the same for eWPT? Is it really worth taking, or is eWPTX better? -
NovaHax Member Posts: 502 ■■■■□□□□□□
Congrats and thanks for the review! I know eLearnSecurity doesn't get the recognition that OffSec does but I am impressed by their material. It's very in-depth and explains things really well.
As someone who has done training from both OffSec and eLearnSec, I have a great deal of respect for both organizations. And I think they supplement each other well. I think that OffSec's OSCP is still the de facto standard for general PenTesting (then again, I've never taken eLearn's general PenTest courses). But I think that eLearnSec definitely has the AppSec market more cornered.
Nonetheless, both are very hands-on in terms of both training and testing. In my opinion, still the two best training organizations out there. And I can't say that I prefer either more than the other.
SecurityTube/PenTest Academy probably comes in as a close third. I don't consider the material quite as well presented, but for the price...it's high quality. -
NovaHax Member Posts: 502 ■■■■□□□□□□
Can you do the same for eWPT? Is it really worth taking, or is eWPTX better?
I actually did make several posts back when I did eWPT:
http://www.techexams.net/forums/security-certifications/98588-elearn-security-vs-offensive-security.html
http://www.techexams.net/forums/security-certifications/97319-pwning-justin-bieber-d.html
Hope those help. -
fuz1on Member Posts: 961 ■■■■□□□□□□
Congrats!
timku.com(puter) | ProHacker.Co(nsultant) | ITaaS.Co(nstultant) | ThePenTester.net | @fuz1on
Transmosis | http://transmosis.com | LinkedIn | https://linkedin.com/in/t1mku
If evil be spoken of you and it be true, correct yourself, if it be a lie, laugh at it. - Epictetus
The only real failure in life is not to be true to the best one knows. - Buddha
If you are not willing to learn, no one can help you. If you are determined to learn, no one can stop you. - Unknown -
unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
Congrats mate, I had registered this a year back and couldn't study due to work and travel. This is next in line for me after finishing OSCP.
Cheers