Passed eJPT
Pseudonymous
Member Posts: 78 ■■■□□□□□□□
I've never had so much fun taking an exam before. I have no pentesting experience outside of this exam so I was pretty nervous about taking it. It took me a little over 11 hours to finish. The main problem for me was trying the same thing over and over and expecting different results. There were situations where something I was doing should've worked, but it kept failing. I really had to think outside the box because there's usually multiple ways to exploit and achieve something. Although I did all of the training material (multiple times), there was one lab that I didn't fully understand, but I figured it wouldn't be a big deal... that was a mistake lol. Overall, I'm glad I passed and I can't wait to get a pentesting job so I can apply it. Being a Penetration Tester/ Ethical Hacker has been my dream job for as long as I can remember.
What I used during the exam (that most people probably didn't):
- draw.io - used it to create a networking diagram of all the hosts, routers, etc that I could find during the exam. This was a HUGE help for me.
- OneNote - I used OneNote to keep documentation on pretty much everything as I worked through the exam. Steps, things I tried, things to try, stuff I found, etc.
- VirtualBox - I did all of the training course and the exam using Virtualbox (specifically pfSense and ParrotOS).
- ParrotOS - To each his own, but I don't like Kali Linux. I've loved ParrotOS since the first time I used it and I used ParrotOS exclusively throughout my entire eJPT journey.
What's next?
Not sure. I'd love to study for eCPPT or OSCP, but both are pretty expensive and my job no longer pays for my certifications. I can't take CEH til next year (I only have 1 year of Security experience). I think for the month of April I'm just going to learn a little Python and then figure out where to go from there. I could do PenTest+, but my Security+ doesn't expire until October 2020 so I'm not in a rush to take PenTest+ yet. I think it's still new as well so I'd like to wait until there is more study material to choose from.
Certifications: A+, N+, S+, CCNA: CyberOps, eJPT, ITIL, etc.
Comments
-
PC509 Member Posts: 804 ■■■■■■□□□□
Congratulations! It was definitely the most fun I've had during an exam as well. I think the "There's more than one way to skin a cat" saying is pretty big with this and all of pentesting. I kept doing the same thing expecting different results and then finally moving on to something else and then having that AH-HA! moment, going back and knocking it out.
It's a great learning experience! Congrats again!
-
k4ppla Registered Users Posts: 16 ■■■□□□□□□□
Hi,
Congrats on the pass.
For how many years are you in the industry? Tell us more about your background
-
tedjames Member Posts: 1,182 ■■■■■■■■□□
Congrats! I was also really nervous about taking it. Good point about taking notes. Keeping good documentation is an important step in any penetration test. Excellent idea about creating the network diagram.
-
Pseudonymous Member Posts: 78 ■■■□□□□□□□
k4ppla said:
Hi,
Congrats on the pass.
For how many years are you in the industry? Tell us more about your background
Certifications: A+, N+, S+, CCNA: CyberOps, eJPT, ITIL, etc.
-
JDMurray Admin Posts: 13,090 Admin
Congratz and thanks for the tip on ParrotOS. I'm looking into buying a beefy Chromebook and I need a (non-Kali) Linux OS to run in a VM on it.
-
beads Member Posts: 1,533 ■■■■■■■■■□
Thanks for the ParrotOS tip. Something I have to look at, as a side benefit I live with a dozen parrots and have done so for decades. Seems to be a custom fit. InfoSec and parrots. Too funny!
- b/eads
-
Cuse0311 Member Posts: 53 ■■■□□□□□□□
+1 for ParrotOS. I have been using it for a while myself. It's a solid OS with lots of built in security features and tools. BlackArch is another one I have experimented with and liked. Just my .2 cents for what it's worth.
-
Blucodex Member Posts: 430 ■■■■□□□□□□
Don't waste your time and money on CEH unless it's a checkbox for a job.
-
PC509 Member Posts: 804 ■■■■■■□□□□
Blucodex said:
Don't waste your time and money on CEH unless it's a checkbox for a job.
It's a good one for the DoD, if someone else is paying for it, or you need it for a job. Otherwise, it is a waste of time and money for sure. I know there are several people on the forum that really can't stand the CEH (or EC|Council in general). If I can help it, I won't renew it ever.
-
Infosec_Sam Admin Posts: 527 Admin
PC509 said:
Blucodex said:
Don't waste your time and money on CEH unless it's a checkbox for a job.
It's a good one for the DoD, if someone else is paying for it, or you need it for a job. Otherwise, it is a waste of time and money for sure. I know there are several people on the forum that really can't stand the CEH (or EC|Council in general). If I can help it, I won't renew it ever.
-
PC509 Member Posts: 804 ■■■■■■□□□□
Infosec_Sam said:
PC509 said:
Blucodex said:
Don't waste your time and money on CEH unless it's a checkbox for a job.
It's a good one for the DoD, if someone else is paying for it, or you need it for a job. Otherwise, it is a waste of time and money for sure. I know there are several people on the forum that really can't stand the CEH (or EC|Council in general). If I can help it, I won't renew it ever.
It's a foundation certification with an advanced price tag.
-
Infosec_Sam Admin Posts: 527 Admin
Interesting - thanks for your insight! I guess I hadn't really sat down and compared the CEH price tag to some others in the industry. Speaking of price tag though, @Pseudonymous we're currently running a $1000 off promo on our CEH boot camp! Now it's entirely up to you as to whether or not that makes the cert worthwhile, but I figured I should mention it since we just announced the price drop. We're hoping that brings the price more in line with the actual value of the cert.
-
chrisone Member Posts: 2,278 ■■■■■■■■■□
Congrats on the pass! Keep in mind, if you are short on money, you don't need a full-blown course/certification to study. Look at some books from nostarch, packtpub, etc. They usually have VM labs you can download and you can continue to work on those.
Here is a quick few:
The Hacker Playbook 3 - Red team edition has a full blown lab you can download. Highly recommended.
The Web Applications Hackers Handbook 2nd Edition - learn web application hacking (can practice using OWASP BWA)
Kali Linux Web Penetration Testing Cookbook - Second Edition - This is a good book on web applications that uses the virtual images of OWASP BWA and bWapp bee-box to work on learning web app pentesting concepts. Sleeper book! (I am sure you can continue to use Parrot OS with this book.)
https://www.bugcrowd.com/ (sign up for bugcrowd and learn some web app pentesting)
https://portswigger.net/web-security (sign up for burpsuite web app pentesting)
Practical Malware Analysis
BlackHatPython
IDA Pro Book, 2nd Edition
Penetration Testing
These books range from $20-$50 at most. You may find them cheaper during some deals. Any one of these books should keep you busy for a couple months.
Good luck!
edit: also don't forget the plethora of VMs on vulnhub.
oscp like vulnhub vms
https://www.abatchy.com/2017/02/oscp-like-vulnhub-vms
OSCP like vms
https://medium.com/@andr3w_hilton/oscp-training-vms-hosted-on-vulnhub-com-22fa061bf6a1
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
-
securitychops Member Posts: 52 ■■■□□□□□□□
Congratulations on the pass!
If you don't like using Kali then the OSCP should be an interesting time (if you go for it) since it is quite literally "Penetration Testing with Kali Linux", but that being said I would still recommend it.
In addition to what @chrisone mentioned I would also recommend checking out hackthebox and hacker1 as well. Working on bug bounties is a wicked fun way to practice while also being able to make some actual cash in the process too
Current Certs : OSCE, OSCP, CISSP, Pentest+, Security+, SLAE, SLAE64
Goals for 2019 : OSEE
Goals for 2020 : OSWE