ECSA review
I started ECSAv9 recently. Had initially signed up for another course but switched to ECSA due to course availability issues, so here is a short review.
v9 course includes lectures, hands-on lab and what EC-C calls Pen Test Challenge.
There are no printed books unlike GIAC SANS; you are given DRM protected PDF course materials.
Neither are you given VMware images for labs. Both the labs and challenges are conducted in their iLabs environment which is accessible from the internet, so you can do it during class or at home. You are given 30 days to complete the labs and challenges.
The trainer will start a lecture module, you do the corresponding labs if any and start on the day's challenge at the end of the day. The lab manual has step-by-step instructions with screenshots. You get to install and use tools such as Nessus, OpenVAS, ZenMap, Metasploit, sqlmap and a couple of other tools. You do get to use Metasploit a fair bit to run the exploits and get meterpreter shells.
The challenges do make the course interesting. On Day 1, you need to do host discovery and scanning of 172.16.0.0/12 and 10.0.0.0/8 networks. Day 2 to 4 challenges require you to compromise specific Windows and Linux servers and get hashes of specified files among other tasks. There are 10 servers to compromise. EC-C provides 4 VMs for your pen testing: Windows 2012, Windows 8, Kali and Kali rolling. The VMs do not have internet connectivity and you are unable to transfer files in and out of them. They do mount an ISO of different Windows tools for you to install and use.
Different points are assigned to each challenge and the final report is 14 points; you need 70 out of 100 points to pass. I have already completed the challenges and am putting finishing touches to the report. You need to upload the pen test report to EC-C within 60 days. EC-C did provide a "sample" report template to help with the documentation. Once the report is marked and a passing mark is achieved, you are then allowed to take the MCQ exam.
I find some of ECSAv9 challenges interesting and enjoyable. I was using the newer Kali rolling VM most of the time as I am comfortable with Linux, but had to switch to older Kali VM at times as some programs only work in older Kali VM. I used Windows Server VM once to run a Windows tool. You get to compromise different types of systems and applications including Linux, Windows, databases, web applications and CMS.
I know ECSA is not that well recognised, but this was a good learning experience. Let me know if you have any questions.
Now back to work and eCPPT study.

Comments
I am currently working on the ECSA. In the beginning it was a lot of fun but it seems that none of the challenges are similar to the ones for the practice lab. Can you provide any insight? I am wondering if I am over thinking it.
Make sure you are able to discover the servers and enumerate running services. Then run other tools such as Nessus to look for security vulnerabilities that can be exploited or weak passwords to gain access.
Good luck and have fun!
I am new to pen testing and still working on the ECSA report. I extended it because it is very hard. I feel like I am leaving out a step or something when I am doing the attacks. I do all of the information gathering but I am still having issues with the attacks. Any advice is greatly appreciated.
Some dead ends that I encountered: some of the servers are not very robust in that excessive scanning or brute force attacks will kill them. A Nessus scan will flag some critical Windows vulnerabilities. However, these vulnerabilities may not have an appropriate Metasploit exploit that you can use to gain access; a DoS exploit can only crash the server and some exploits only work on 32-bit but not 64-bit Windows. As per my original review, I had to use the older Kali in one instance as a Metasploit exploit does not work on Kali rolling. Also remember to configure the correct Metasploit option settings when running them.
The first challenge is very important as this is where you discover all the hosts; else you are unable to continue with the rest. Different machines require different attacks. Servers with web services are to be compromised via web vulnerabilities. One web server was a bit tricky in the sense that you need to brute-force search for a hidden directory. As for the other challenges, one of them requires Nessus scan to detect an old but infamous Windows vulnerability that you can exploit. The others require brute force password guessing; you can use Hydra or Metasploit to do it. There is one server where you can either brute force the password or exploit a vulnerable service listening on a non-standard port to gain access.
Do take note you do not need to complete all the challenges. 70 out of 100 points is enough to pass.
You are to discover hosts in the private IP ranges; i.e. 172.16.0.0/12 and 10.0.0.0/8 subnet. This can be executed using Nmap host discovery. The default host discovery is not very fast as it does a lot of things besides ICMP ping. I used custom switches to execute a pure ICMP-only echo request at a faster rate and with more parallelism and was able to scan 16.7 million IPs in 10.0.0.0/8 subnet within 6 hours. You will find servers in the 172.16.0.0/12 subnet as well.
Read nmap documentation, try different switches and use WireShark to validate.
Alternatively, you can also scan for NetBIOS servers. This method is much faster but will only reveal some servers. Follow up by doing a nmap host discovery scan of the servers' (much smaller) subnet to discover more servers.
Once you have found all the IPs, run complete port and OS discovery scan on them. Nmap SMB-OS-discovery will give you computer name and OS. You can also run Nessus scan on discovered hosts to extract host info and in addition find vulnerabilities for exploitation. Or you can use OpenVAS; I prefer Nessus though. Some servers have SNMP enabled with default community string; if you are familiar with SNMP, you can extract the network subnet range among other things via SNMP queries.
So the approach is to do a rapid sweep scan, followed by host discovery of the smaller network subnet and then targeted host enumeration scans. There is more than one way to do host discovery and enumeration. Be familiar with nmap switches, try different tools and learn from the experience.
Make sure you discover all the servers and do sufficient enumeration. Challenge 1 (host discovery) is very important. You should be able to identify which server subsequent challenges refer to. If you are stuck with one challenge, switch to another. There was one server where I guessed the password correctly without even using Hydra.
Once your pen test report is submitted, marked and passed, you are given an exam voucher with 3-month validity. I submitted my report in mid-December. As my course was conducted by a training centre, the exam must be taken at the same place, and it took them a while to find available exam time slot.
So I finally took the MCQ exam yesterday (Saturday) and passed. The exam duration is 4 hours with 150 questions and I had to log in to a website to take it. Fairly straightforward questions, and the answers can be found in the provided official PDF study curriculum.
Still following this thread indeed
I tried many combinations and some scans are still in progress (nearly 20 hrs) but still no results. Can you help me with the nmap switch for the first challenge?
Thanks
No. You need to figure the switches yourself.
Did you read up Nmap host discovery switches? Did you fine tune the switches for faster discovery? Can you use Wireshark to verify the nmap scanning?
Nmap is not the only way to search for hosts; there are other tools in Kali that you can use and even the Windows VM has an ISO of tools. All hosts in the network respond to ICMP pings and some have NetBIOS or HTTP ports open. You can write your own script and use the ping command if this is easier.
You have 2 subnets to scan, 172.16.0.0/12 and 10.0.0.0/8. Start with the smaller subnet. Do your own research, read up, test out and learn.
You should get a confirmation mail after uploading your report to Aspen web site from [email protected]. Once the report is marked and passed, you should receive a mail with voucher code from [email protected]
My course was taken at New Horizons in Singapore.
I have not done the pen test yet. My class consisted of the instructor talking about everything in the CEH curriculum. We did not go over anything that would help in the practical.
On the first day, we logged in to https://aspen.eccouncil.org/ to activate and download ECSA DRM protected curriculum PDF and pen test report template. The instructor was talking from ECSA curriculum.
We also activated our iLabs account at https://ilabs.eccouncil.org/. The environment was provided by https://labondemand.com. ISACA's CSX Practitioner is using the same vendor with a lab test link at https://labondemand.com/Launch/122B02AA. We started the tutorial labs on day 1. There are 19 lab modules; 14 tutorial modules that correspond to the curriculum chapters and 5 classroom challenge modules for each day. The classroom challenge modules are exactly the same environment; you can do all your challenges on one challenge module.
Your instructor is probably new. Ask your instructor if this is his first ECSAv9 class.
My DRM protected PDF has the words "EC-Council Certified Security Analyst v9" on it.
You could be doing ECSAv8. When I started my course, the instructor claimed that the training center is among the few in our region offering v9 and other centers are still on v8. Seems that training centers must go through a certification process in order to offer ECSAv9. Is v9 stated anywhere in your invoice? You may want to contact EC Council.
To be honest, I have never been impressed with any of the EC-Council instructors at New Horizons.
I'm not sure I'm going to pursue this cert at this time.
Suggest you contact ECCouncil about this. The course includes the practical and the exam. This is clearly stated at https://www.eccouncil.org/programs/certified-security-analyst-ecsa/
How do I compromise the Ubuntu and CentOS machines in challenge 2? I tried many exploits but a session is not getting created. Please help.
Thanks.
With the scanning of the networks I noticed that I had to scan through 2 different subnets to find some of the others.
Also with the report you don't need to finish all the fluff. How you got to completing the challenge with screenshots as evidence was enough as I was running out of time to finish the report and still passed.
Can you give some advice? I did the CEH training and am planning to get ECSA certified. How long does it take and is it hard?
Thanks