ECSA review

Mike7 · December 2016

I started ECSAv9 recently. Had initially signed up for another course but switched to ECSA due to course availability issues, so here is a short review.

v9 course includes lectures, hands-on lab and what EC-C calls Pen Test Challenge.
There are no printed books unlike GIAC SANS; you are given DRM protected PDF course materials.
Neither are you given VMware images for labs. Both the labs and challenges are conducted in their iLabs environment which is accessible from internet, so you can do it during class or at home. You are given 30 days to complete the labs and challenges.

The trainer will start a lecture module, you do the corresponding labs if any and start on day's challenge at the end of the day. Labs manual have step-by-step instructions with screenshots. You get to install and use tools such as Nessus, OpenVAS, ZenMap, Metasploit, sqlmap and a couple of other tools. You do get to use Metasploit a fair bit to run the exploits and get meterpreter shells.

The challenges do make the course interesting. On Day 1, you need to do host discovery and scanning of 172.16.0.0/12 and 10.0.0.0/8 networks. Day 2 to 4 challenges require you to compromise specific windows and Linux servers and get hashes of specified files among other tasks. There are 10 servers to compromise. EC-C provides 4 VMs for your pen testing: Windows 2012, Windows 8, Kali and Kali rolling. The VMs do not have internet connectivity and you are unable to transfer files in and out of them. They do mount an ISO of different Windows tools for you to install and use.

Different points are assigned to each challenge and the final report is 14 points; you need 70 out of 100 points to pass. I have already completed the challenges and is putting finishing touches to the report. You need to upload pen test report to EC-C within 60 days. EC-C did provide a "sample" report template to help with the documentation. Once the report is marked and a passing mark is achieved, you are then allowed to take the MCQ exam.

I find some of ECSAv9 challenges interesting and enjoyable. I was using the newer Kali rolling VM most of the time as I am comfortable with Linux, but had to switch to older Kali VM at times as some programs only work in older Kali VM. I used Windows Server VM once to run a Windows tool. You get to compromise different types of systems and applications including Linux, Windows, databases, web applications and CMS.

I know ECSA is not that well recognised, but this was a good learning experience. Let me know if you have any questions.
Now back to work and eCPPT study.

636-555-3226 · December 2016

I'm curious as to the use of ZenMap over straight up nmap. I know it's easier, but nmap isn't that hard once you know the switches (or know how to Google them)

Mike7 · December 2016

636-555-3226 wrote: »

I'm curious as to the use of ZenMap over straight up nmap. I know it's easier, but nmap isn't that hard once you know the switches (or know how to Google them)

Guess they were trying to make it more user-friendly. I prefer to use nmap and did include both nmap and Zenmap screen shots in my report.

Charli · February 2017

Hi Mike,

I am currently working on the ECSA. In the beginning it was a lot of fun but it seems that none of the challenges are similar to the ones for the practice lab. Can you provide any insight? I am wondering if I am over thinking it.

Mike7 · February 2017

Yes, the challenges are not the same as your practice. You need to do some reading up and that is where the fun is. I was running tools and metasploit exploits that were not covered.

Make sure you are able to discover the servers and enumerate running services. Then run other tools such as Nessus to look for security vulnerabilities that can be exploited or weak passwords to gain access.

Good luck and have fun!

Charli · February 2017

Thanks Mike! I have found a lot of tools that weren't covered. It has been interesting.

Charli · February 2017

Hi Mike,

I am new to pen testing and still working on the ECSA report. I extended it due to its very hard. I feel like I am leaving out a step or something when I am doing the attacks. I do all of the information gathering but I am still having issues with the attacks. Any advice is greatly appreciated.

Mike7 · February 2017

Not sure where you are stuck at. I am assuming your challenge is same as mine so here are some tips without giving you the direct answer. You have been warned.

Some dead ends that I encountered. Some of the servers are not very robust in that excessive scanning or brute force attacks will kill them. Nessus scan will flag out some critical Windows vulnerabilities. However, these vulnerabilities may not have an appropriate Metasploit exploit that you can use to gain access; a DoS exploit can only crash the server and some exploits only work on 32-bit but not 64-bit Windows. As per my original review, I had to use older Kali in one instance as a Metasploit exploit does not work on Kali rolling. Also remember to configure the correct Metasploit option settings when running them.

The first challenge is very important as this is where you discover all the hosts; else you are unable to continue with the rest. Different machines require different attacks. Servers with web services are to be compromised via web vulnerabilities. One web server was a bit tricky in the sense that you need to brute-force search for a hidden directory. As for the other challenges, one of them requires Nessus scan to detect an old but infamous Windows vulnerability that you can exploit. The others require brute force password guessing; you can use Hydra or Metasploit to do it. There is one server where you can either brute force the password or exploit a vulnerable service listening on a non-standard port to gain access.

Do take note you do not need to complete all the challenges. 70 out of 100 points is enough to pass.

Charli · February 2017

Everything you written is what I have been doing. I think I am over thinking it (which I am prone to doing). I appreciate your response. I wasn't going for the answers just trying to get a sense of what I am overlooking

. I think I am going to start over, clear everything out. Thanks again!!!

shank.appu · February 2017

i m struck in the first step itself. not able to gather the ip addresses. please help me.

Mike7 · February 2017

shank.appu wrote: »

i m struck in the first step itself. not able to gather the ip addresses. please help me.

Spoilers below... You have been warned.

You are to discover hosts in the private IP ranges; i.e. 172.16.0.0/12 and 10.0.0.0/8 subnet. This can be executed using Nmap host discovery. The default host discovery is not very fast as it does a lot of things besides ICMP ping. I used custom switches to execute a pure ICMP-only echo request at a faster rate and with more parallelism and was able to scan 16.7 million IPs in 10.0.0.0/8 subnet within 6 hours. You will find servers in the 172.16.0.0/12 subnet as well.
Read nmap documentation, try different switches and use WireShark to validate.

Alternatively, you can also scan for NetBIOS servers. This method is much faster but will only reveal some servers. Follow up by doing a nmap host discovery scan of the servers' (much smaller) subnet to discover more servers.

Once you have found all the IPs, run complete port and OS discovery scan on them. Nmap SMB-OS-discovery will give you computer name and OS. You can also run Nessus scan on discovered hosts to extract host info and in addition find vulnerabilities for exploitation. Or you can use OpenVAS; I prefer Nessus though. Some servers have SNMP enabled with default community string; if you are familiar with SNMP, you can extract the network subnet range among other things via SNMP queries.

So the approach is to do a rapid sweep scan, followed by host discovery of the smaller network subnet and then targetted host enumeration scans. There is more than one way to do host discovery and enumeration. Be familiar with nmap switches, try different tools and learn from the experience.

Mike7 · February 2017

Charli wrote: »

Everything you written is what I have been doing. I think I am over thinking it (which I am prone to doing). I appreciate your response. I wasn't going for the answers just trying to get a sense of what I am overlooking . I think I am going to start over, clear everything out. Thanks again!!!

Make sure you discover all the servers and do sufficient enumeration. Challenge 1 (host discovery) is very important. You should be able to identify which server subsequent challenges refer to. If you are stuck with one challenge, switch to another. There was one server where I guessed the password correctly without even using Hydra.

Mike7 · February 2017

And for those following and are still interested.

Once your pen test report is submitted, marked and passed, you are given an exam voucher with 3-month validity. I submitted my report in mid-December. As my course was conducted by a training centre, the exam must be taken at the same place, and it took them a while to find available exam time slot.

So I finally took the MCQ exam yesterday (Saturday) and passed. The exam duration is 4 hours with 150 questions and I have to log in to a website to take it. Fairly straight forward questions and answers can be found in the provided official PDF study curriculum.

nebula105 · February 2017

Mike7 wrote: »

And for those following and are still interested.

Once your pen test report is submitted, marked and passed, you are given an exam voucher with 3-month validity. I submitted my report in mid-December. As my course was conducted by a training centre, the exam must be taken at the same place, and it took them a while to find available exam time slot.

So I finally took the MCQ exam yesterday (Saturday) and passed. The exam duration is 4 hours with 150 questions and I have to log in to a website to take it. Fairly straight forward questions and answers can be found in the provided official PDF study curriculum.

Still following this thread indeed

Congrats on the pass!

shank.appu · February 2017

hi Mike,
i tried with many combinations and some scans are still in progress (nearly 20hrs) but still no results. can you help me with the nmap switch for the first challenge,
thanks

Mike7 · February 2017

shank.appu wrote: »

hi Mike,i tried with many combinations and some scans are still in progress (nearly 20hrs) but still no results. can you help me with the nmap switch for the first challenge,thanks

No. You need to figure the switches yourself.

Did you read up Nmap host discovery switches? Did you fine tune the switches for faster discovery? Can you use Wireshark to verify the nmap scanning?

Nmap is not the only way to search for hosts; there are other tools in Kali that you can use and even the Windows VM have an ISO of tools. All hosts in the network respond to ICMP pings and some have NetBIOS or HTTP ports open. You can write your own script and use ping command if this is easier.

You have 2 subnets to scan, 172.16.0.0/12 and 10.0.0.0/8. Start with the smaller subnet. Do your own research, read up, test out and learn.

PJ_Sneakers · February 2017

Mike7 wrote: »

And for those following and are still interested.

Once your pen test report is submitted, marked and passed, you are given an exam voucher with 3-month validity. I submitted my report in mid-December. As my course was conducted by a training centre, the exam must be taken at the same place, and it took them a while to find available exam time slot.

So I finally took the MCQ exam yesterday (Saturday) and passed. The exam duration is 4 hours with 150 questions and I have to log in to a website to take it. Fairly straight forward questions and answers can be found in the provided official PDF study curriculum.

I did the official class and the instructor told us that after the pentest is submitted, we would have to pay $500 for the voucher. Since I don't have $500 I put this one on the back burner. Did you experience otherwise?

Mike7 · February 2017

PJ_Sneakers wrote: »

I did the official class and the instructor told us that after the pentest is submitted, we would have to pay $500 for the voucher. Since I don't have $500 I put this one on the back burner. Did you experience otherwise?

This is bad. Have you submitted your report?

You should get a confirmation mail after uploading your report to Aspen web site from [email protected].

Congratulations! Our team has received the ECSA report you submitted in the Aspen ECSA dashboard. Within the next 7 days, we will review your entire report and grade it against our rigorous grading rubric. If you achieve a passing score, you will be granted eligibility to move onto part two of this process and challenge the ECSA Exam. As soon as we mark your report with a passing score, you will receive an email with your ECSA Exam voucher code and instructions on how to schedule your test.

If you require any assistance with this part of the process, please write to [email protected] and we will be happy to assist you.

Thank You.
EC-Council

Once the report is marked and passed, you should receive a mail with voucher code from [email protected]

We are happy to inform you that your ECSA report has been approved.

Your ECC exam voucher code is 9ECXXXXXXXXXXX, and is valid for 90 days from the date of this notice.

Please refer to the guide for further instructions.

Should you require any assistance, please write to [email protected]

Thank you.
EC-COUNCIL

My course was taken at New Horizons in Singapore.

PJ_Sneakers · February 2017

Mine was at a New Horzons too, thanks for the info Mike!

I have not done the pen test yet. My class consisted of the instructor talking about everything in the CEH curriculum. We did not go over anything that would help in the practical.

Mike7 · February 2017

Hmm.. this is different.

On the first day, we logged in to https://aspen.eccouncil.org/ to activate and download ECSA DRM protected curriculum PDF and pen test report template. The instructor was talking from ECSA curriculum.

We also activated our iLabs account at https://ilabs.eccouncil.org/. The environment was provided by https://labondemand.com. ISACA's CSX Practitioner is using the same vendor with a lab test link at https://labondemand.com/Launch/122B02AA. We started the tutorial labs on day 1. There are 19 lab modules; 14 tutorial modules that correspond to the curriculum chapters and 5 classroom challenge modules for each day. The classroom challenge modules are exactly the same environment; you can do all your challenges on one challenge module.

Your instructor is probably new. Ask your instructor if this is his first ECSAv9 class.

PJ_Sneakers · February 2017

We had no iLabs. In fact, he said that there were no ECSA v9 labs at all. So he called corporate and had them give us access to the CEH labs.

Mike7 · February 2017

PJ_Sneakers wrote: »

We had no iLabs. In fact, he said that there were no ECSA v9 labs at all. So he called corporate and had them give us access to the CEH labs.

This is very fishy. Does he have ESCAv9 training materials?
My DRM protected PDF have the words "EC-Council Certified Security Analyst v9" on it.

You could be doing ECSAv8. When I started my course, the instructor claimed that the training center is among the few in our region offering v9 and other centers are still on v8. Seems that training centers must go through a certification process in order to offer ECSAv9. Is v9 stated anywhere in your invoice? You may want to contact EC Council.

PJ_Sneakers · February 2017

All of my courseware is V9. I have a book that says V9. We got access codes for the practicals. Maybe that is my iLabs access, but there were no learning materials other than a thick ass book of the PDF.

To be honest, I have never been impressed with any of the EC-Council instructors at New Horizons.

I'm not sure I'm going to pursue this cert at this time.

Mike7 · February 2017

Do you get ECSA in your Aspen access? Cos you are supposed to upload your report there. This feels like someone printed out his CEHv9 PDF to conduct a CEH class and call it ECSA.

Suggest you contact ECCouncil about this. The course include practical and exam. This is clearly stated at https://www.eccouncil.org/programs/certified-security-analyst-ecsa/

PJ_Sneakers · February 2017

I know it's real, it's in my Aspen account and I have official courseware. I'm not going to contact ECC because they are a hot mess when it comes to emails.

Charli · February 2017

Yep that is what I have been doing. Did you have issues with the hydra tool not working properly? I appreciate your comments and feedback.

Mike7 · February 2017

Charli wrote: »

Yep that is what I have been doing. Did you have issues with the hydra tool not working properly? I appreciate your comments and feedback.

I will PM you.

shank.appu · March 2017

hi Mike,

how to compromise the ubuntu and centos machine, challenge 2. i tried many exploits but session is not getting created. pls help.

Thanks.

twe · March 2017

I did this course last year and was more impressed than CEH v9 - Passed both.
With the scanning of the networks I noticed that I had to scan through 2 different subnets to find some of the others.
Also with the report you don't need to finish all the fluff. How you got to completing the challenge with screenshots as evidence was enough as I was running out of time to finish the report and still passed.

twe · March 2017

Oh and I was given a book but it literally was a print out of all the PDF's in black & white.

su.jin · March 2017

Sounds fun to u. I hope i could enjoy lik u do.
Can u give some advice. I did CEH training and planning to get certified ECSA. How long does it take and is it hard?

Thnx

ECSA review

Comments