CCNA for penetration testers?

[read bold only if you are lazy]

First of all, hello to everyone.
I am browsing this forum since a few months and it is really amazing

My goal is to learn and pass certs to find a job in network pentesting or web apps pentesting and I am abit confused right now about the certifications I would like to get

To make it simple I don't know if CCNA is really worth it if your goal is penetration testing, even if it is network penetration testing.

I am currently working full-time in backend development.
I am enrolled in eJPT (will take the exam next week) and eCPPT.
I plan to do OSCP after these two, soon or later.
However I wonder which of these two options is the best:

1) pass those certs along with CCENT and CCNA R&S, in which case I would do
eJPT -> CCENT -> eCPPT -> CCNA R&S -> OSCP
which I evaluate would take me around 18 more months, with my full-time work

2) grab the networking knowledge that I need along the way without passing any networking cert, in which case I would just do
eJPT -> eCPPT -> OSCP (-> ...?)
which I evaluate would take me around 10-12 more months to complete

Of course passing CCNA would be a + on my pentester wannabe resume but it is a matter of time : if I can have my OSCP sooner I can eventually pursue my pentesting training (with CTFs or web apps pentesting) and focus more on penetration testing than if I pass networking certs along the way, even if in this case I would have a better overal networking knowledge!

Find more posts tagged with

Comments

JDMurray

The CompTIA pentest+ cert not in your list?

NetworkNewb

I don't think a CCNA would be that beneficial... I would just work on your pentesting certs and also do CTFs and bug bounties. The CTFs and bug bounties will look just as good, if not better, than most of those certs as well. If you can show you do well at them that is.

NavyMooseCCNA

JDMurray wrote: »

The CompTIA pentest+ cert not in your list?

This will be a better exam than the CEH. Hopefully it will be accepted by the DOD and civilian employers.

thedudeabides

I personally think everyone in IT should get a CCNA R&S, but not many people agree with me. It's just such good foundational knowledge, even though some of it is Cisco-specific. I worked as a pentester for a few months before I figured out it wasn't for me. I'm glad I had the networking background as it helps one think logically about what's happening across a wire.

SlickRick

@thedudeabides..... May I ask why pentesting wasn't for you? I'm curious if it was something different than to what you were expecting. Hope I'm not intruding.

awitt11

I would think that CCENT or Net+ would be valuable. Really, you need to look at the test objectives and see if you are familiar with the topics.

Plotkine

Thank you for your replies.

The thing is that I am afraid to not have enough experience when applying for a junior pentester position and without networking or sysadmin experience I wonder if CCNA would be a good move to counter that lack of experience (tbh I enjoy alot learning the eJPT cert but studying networking books like Todd Lammle or Wendell Odom can be abit bedan for me...)

@JDMurray : I really don't know this new cert, should make researches to know what people who tested it think ; is it an advanced cert or..? Where would you place it in the eJPT -> eCPPT -> OSCP path? (Note that I live in Europe (Belgium) and that I think compTIA is less recognized here)

joelsfood

Everything runs on the network, and most of your penetration is done via the network. While the certification itself may not be directly beneficial to you, the knowledge will absolutely be useful. I don't think you can go wrong learning that information, whether you take the test or notp

NetworkNewb

thedudeabides wrote: »

I personally think everyone in IT should get a CCNA R&S, but not many people agree with me. It's just such good foundational knowledge, even though some of it is Cisco-specific. I worked as a pentester for a few months before I figured out it wasn't for me. I'm glad I had the networking background as it helps one think logically about what's happening across a wire.

I think it just goes way more indepth into setting up Cisco equipment than anyone who is not in networking will ever need to use. It just wouldn't be a good use of time in my eyes.

To me, just the CCENT would definitely be good enough for someone just wanting a good foundation on how a network is setup. But really don't think a networking cert is needed at all if he wants to go into pentesting. Can't imagine studying for a cert I don't plan on using anytime soon personally... Getting the CCNA if he decided afterward he wanted to try networking is something I would recommend though.

Just looked at few pentesting job ads in my area and none ask for the CCNA. (I'm sure there are some that someone can find... so not saying they aren't out there) I would go for the CEH, PenTest+, and OSCP personally. Also do CTFs and try Bug Bounties.

If people are gonna start recommending getting a CCNA, might as well throw in MCSA and RHCSA too. As it is all good knowledge to have.

Plotkine

I kinda agree with NetworkNewb. The thing is that I don’t want to study too much useless cisco networking details (considering my goal ofc).

I guess I will start applying at junior pentester positions after OSCP and see what happens.

Concerning CEH, it is too expensive for me as I don’t have the required 2 years of experience in the infosec industry needed to pay less. However I just read on the EC-Council site that instead of those 2 years of experience an OSCP cert allows you to avoid those additional fees; so I could go for CEH after OSCP if I need more recognition

Danielm7

100% agree with NetworkNewb, everyone always jumps right to the CCNA, but if you don't need to configure Cisco gear, then the 2nd half of the cert isn't going to be useful to you other than name dropping and hoping a pentest company even cares.

Also, pay special attention to the part about "I looked at job ads" that will tell you what some employers are looking for in your area, too many people ignore that step.

Ertaz

joelsfood wrote: »

Everything runs on the network, and most of your penetration is done via the network. While the certification itself may not be directly beneficial to you, the knowledge will absolutely be useful. I don't think you can go wrong learning that information, whether you take the test or not

+1, It won't help you to get your foot in the door as a Pen-Tester. It will help you have an excellent understanding of infrastructure to make you a better Pen-Tester though.

paul78

Plotkine wrote: »

The thing is that I am afraid to not have enough experience when applying for a junior pentester position and without networking or sysadmin experience I wonder if CCNA would be a good move to counter that lack of experience

Generally speaking - any knowledge is valuable to be a good pen tester. If you like a structured approach to gaining knowledge by studying for a certification, any cert on topics you don't already know would be helpful to be a better pen tester.

The attack surface of a typical target is usually going to be a heck of lot more than just their network infrastructure. So I would suggest just picking a handful of areas and get started.

I can't speak for others, but for me - the only certification on a resume that I care about is OSCP.

I hope you enjoy your quest to be a pen tester. If you have dedication and passion, that's probably the most important ingredient.

NetworkNewb

paul78 wrote: »

the only certification on a resume that I care about is OSCP.

I was told the exact same thing from a manager of a PenTesting firm when I was at a SANS event.

Info_Sec_Wannabe

SlickRick wrote: »

@thedudeabides..... May I ask why pentesting wasn't for you? I'm curious if it was something different than to what you were expecting. Hope I'm not intruding.

Same here!

Just curious as I'm planning to take the pentesting path as well (really excited about it except for the documentation part)...

joelsfood wrote: »

Everything runs on the network, and most of your penetration is done via the network. While the certification itself may not be directly beneficial to you, the knowledge will absolutely be useful. I don't think you can go wrong learning that information, whether you take the test or notp

Definitely agree. Was told by our Red Team Lead to invest in networking knowledge as part of my foundational skills if I am to pursue pentesting!

thedudeabides

SlickRick wrote: »

@thedudeabides..... May I ask why pentesting wasn't for you? I'm curious if it was something different than to what you were expecting. Hope I'm not intruding.

I don't think I can properly articulate it except to say I just had little interest in it. I've always wanted to learn networks. Before I ever took a security job, my goal was networking. The only reason I got on the security path was because a friend opened a door for a job.

Plotkine

Thank you everybody, I am now convinced to not take the ICND1 nor ICND2 exams; I am reading networking books as I do for other subjects like linux or javascript or ..., so that's it