Advice for a colleague who wants to learn about hacking

Hi,

My colleague has the support from our organisation to fund some courses and training into hacking. They did pay for CEH

- something I would not have recommended.

Unfortunately my colleague did not pass the exam although was not far off and has learnt a ton from reading and practicing by himself. So he's making good progress.

What courses would you recommend?
What certifications?
Not just OSCP, or pen testing, but general stuff?

I was thinking scripting, linux, eJPT,
SEC401: Security Essentials Bootcamp Style (GSEC)
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling (GCIH)

The sans courses are only if there is the budget for it - not sure they'd stretch that far but worth a try.

My own belief is you can achieve more by self-learning and hacking away, trying things at home. But they want formal training and a "training roadmap"

Any thoughts?

ADDITIONALLY - I should have said in the original post that:

We both work in law enforcement. None of this is about how attractive the certifications would be to employers, it's about the knowledge. It's good to have a formal qualification from the learning though, as that goes onto a training/personal record.

Also, he is not trying to become "a hacker", it's more about wanting to learn more about that area, about offensive security, pen testing, about exploitation, etc...

Find more posts tagged with

Comments

MrsWilliams

CyberCop123 said:

Hi,

My colleague has the support from our organisation to fund some courses and training into hacking. They did pay for CEH - something I would not have recommended.

Unfortunately my colleague did not pass the exam although was not far off and has learnt a ton from reading and practicing by himself. So he's making good progress.

What courses would you recommend?
What certifications?
Not just OSCP, or pen testing, but general stuff?

I was thinking scripting, linux, eJPT,
SEC401: Security Essentials Bootcamp Style (GSEC)
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling (GCIH)

The sans courses are only if there is the budget for it - not sure they'd stretch that far but worth a try.

My own belief is you can achieve more by self-learning and hacking away, trying things at home. But they want formal training and a "training roadmap"

Any thoughts?

See here lies the comedy. ..

People have a lot of negativity to say about the CEH...but people are failing the exam. I personally don't tell anyone if I fail an exam. I keep that to myself

SEC401 is not going to teach you how to be a hacker. Trust me on that.

SEC 504 is not going to teach you how to be a hacker. Trust me on that. It has some useful information in it, but I wouldn't say that it's devoted to how to be a hacker nor would I suggest anyone who wants to be a hacker to take it...if that's all that want to know how to do.

I personally wouldn't recommend any higher level SANS course 500/600 if he/she can't even pass CEH.......................

What some of the SANS courses will teach you is techniques. Your colleague failed what most people call, an entry level "hacking" cert if you shall call it that. When I took the exam years ago, it went through a lot of output and commands and some fundamental information. I personally think it was useful fundamental information for someone who wants to be a ...hacker as they call them.

Personally, I think he/she needs to revisit the material and understand it, so that they can pass the CEH exam. I think besides for the CEH, every other certification only gets harder from here on out. I wouldn't recommend someone going to advanced level courses if they can't pass the most basic one, Certified Ethical Hacker.

I have never taken the EJPT exam. So, I can't comment on that. BUT it only got me 3 hits on indeed just now in America, I didn't input a city to state. Any certification exam that gets me 3 hits on the job board, I am personally not going to waste time and money, especially time to pursue it. BUT it's a lot of good reviews about it on this site and some other sites, who are probably the same users from this site under different names.

I agree, nothing in any paid course that's online is going to teach you something that you couldn't have found with a google search. We both can agree on that.
Good Luck to you both.

JDMurray

I think the CompTIA PenTest+ certification is worth looking at by anyone who wants to know what an application pentester must know. It has been official for about a year and there a few study guides for it now.

tedjames

MrsWilliams said:

I have never taken the EJPT exam. So, I can't comment on that. BUT it only got me 3 hits on indeed just now in America, I didn't input a city to state. Any certification exam that gets me 3 hits on the job board, I am personally not going to waste time and money, especially time to pursue it. BUT it's a lot of good reviews about it on this site and some other sites, who are probably the same users from this site under different names.

eJPT is very much an entry level penetration testing certification. I have it, and I love what I went through to get it. Earning it helped me to go beyond the theory and actually do the work. Earning eJPT will likely not get you a job. However, I like to think of it as a "gateway" certification. Get started and then use that knowledge to earn a higher level certification that employers are looking for.

CyberCop123

MrsWilliams said:

People have a lot of negativity to say about the CEH...but people are failing the exam. I personally don't tell anyone if I fail an exam. I keep that to myself

SEC401 is not going to teach you how to be a hacker. Trust me on that.

SEC 504 is not going to teach you how to be a hacker. Trust me on that. It has some useful information in it, but I wouldn't say that it's devoted to how to be a hacker nor would I suggest anyone who wants to be a hacker to take it...if that's all that want to know how to do.

I personally wouldn't recommend any higher level SANS course 500/600 if he/she can't even pass CEH.......................

What some of the SANS courses will teach you is techniques. Your colleague failed what most people call, an entry level "hacking" cert if you shall call it that. When I took the exam years ago, it went through a lot of output and commands and some fundamental information. I personally think it was useful fundamental information for someone who wants to be a ...hacker as they call them.

Personally, I think he/she needs to revisit the material and understand it, so that they can pass the CEH exam. I think besides for the CEH, every other certification only gets harder from here on out. I wouldn't recommend someone going to advanced level courses if they can't pass the most basic one, Certified Ethical Hacker.

I have never taken the EJPT exam. So, I can't comment on that. BUT it only got me 3 hits on indeed just now in America, I didn't input a city to state. Any certification exam that gets me 3 hits on the job board, I am personally not going to waste time and money, especially time to pursue it. BUT it's a lot of good reviews about it on this site and some other sites, who are probably the same users from this site under different names.

I agree, nothing in any paid course that's online is going to teach you something that you couldn't have found with a google search. We both can agree on that.
Good Luck to you both.

Thanks for your response.

He is not trying to become "a hacker" necessarily, in the same way people study for a CCNA but do not necessarily want to be a network engineer. We both work in law enforcement and he is not planning on a second career, or moving jobs. The value of the courses or the certifications is the knowledge it brings.

I don't value CEH for my own personal reasons, and I feel the title of the course is hugely misleading as I know many people who claim to be "qualified hackers" after completing it. I also can not believe how much EC-Council charge for the exam.

My colleague is re-doing the CEH exam as there is a special re-take fee which is very low. They just want an idea of further avenues of learning.

In terms of how many hits you got on a job site - that is not relevant to him.

JDMurray said:

I think the CompTIA PenTest+ certification is worth looking at by anyone who wants to know what an application pentester must know. It has been official for about a year and there a few study guides for it now.

Ah yes, that is a great suggestion. Completely forgot about the CompTIA ones, maybe also network+ and security+ too.

Thanks!

tedjames said:

MrsWilliams said:

I have never taken the EJPT exam. So, I can't comment on that. BUT it only got me 3 hits on indeed just now in America, I didn't input a city to state. Any certification exam that gets me 3 hits on the job board, I am personally not going to waste time and money, especially time to pursue it. BUT it's a lot of good reviews about it on this site and some other sites, who are probably the same users from this site under different names.

eJPT is very much an entry level penetration testing certification. I have it, and I love what I went through to get it. Earning it helped me to go beyond the theory and actually do the work. Earning eJPT will likely not get you a job. However, I like to think of it as a "gateway" certification. Get started and then use that knowledge to earn a higher level certification that employers are looking for.

Thanks.... I should have said in my post that this is nothing to do with employment opportunities or what certifications are most sought after. We both work in law enforcement and for him it's not about job prospects or moving careers.

Good summary of eJPT - thanks for your views on it

yoba222

I recommend the eJPT because from a learning value perspective it's excellent. As far as failing the CEH exam, a good amount of criticism of CEH being poor quality lies with both the course content and the exam.

PenTest+ would be good, but it's not a course really so that's all on your coworker to develop his or her own curriculum and stick to it and also figure out how to lab. eJPT includes the lab.

There's cheaper stuff out there too:
https://www.root-me.org
https://www.virtualhackinglabs.com/