CEH CPT (Certified Penetration Tester) Review

Reposted from EH.net

Hello all.

If I remember correctly I made some comments when Michael Heinzl wrote his InfoSec Institute CEH/CPT review(on eh.net). My comment was that his review was pretty much the same things I would have written and another review was unnecessary. However, having (hopefully) completed both the CEH and the CPT, I would like to give that review.

As Mr. Heinzl stated, the CEH/CPT is a combination course offered by InfoSec Institute. These are the people who bought out (i believe) the well likes Intense School training company. If this class is any example, they have not lost a beat. When you purchase the ISI CEH/CPT course you receive A student Handbook, a Lab Manual, A Certified Ethical Hacker V6 Review Guide a guide for the lab setup, CPT and CEH voucher . I want to note a few things here:

The student handbook includes dvd with tools and vm's (clearly marked so you dont hose your production pc. I had an issue where one of the VM's did not work or was corrupted. I contacted ISI, and the issue was quicly resolved by receiving access to an online host that had the vm for download. My only issue with this arrangement, was that it seemed the issue was known, and perhaps steps had not been taken to fix it?

CEH voucher is reserved for you but is not included until you ask for it, so you don't have to worry about a strict time limit on your learning.

Some packages may include software (i.e Immunity Canvas), make sure you receive this, I am still working on this.

The course:
The course is divided up into several modules. The suggested method is to read the student guide and then to watch the corresponding video hosted online, in a prerecorded session, followed by the lab video. I found that pleasantly, the book contained more information than the slides, which helps you understand the material, and is good for preparing you for your lab work. My suggestion here would be to include some of that info in the lab (i.e, have the person try different switches with explanations). The labs were generally good, though at some times there were differences between what the instructor may have been doing and you, the student. (The instructor was using a XP host OS, and had some differences, as well as different names on one of the VM's, so you were thinking for a second "did I forget something?! Am I missing a vista vm?!" The instructor: James Conrad was generally fairly entertaining, if not a little dry at times, but I couldn't get away from his references to oh-days(it's zero!!!) lol. The modules are good, but of course, many of the attacks are dated, and you may not find out until you see it mentioned elsewhere or try it against your pcs. MS03-26 has to be the most abused exploit...

Overall, entertaining and enlightening. I learned a few things, but I couldn't help but know that I would have preferred to take this class live. My biggest complaint was that 1. the videos were not downloadable, and therefore had to be redownloaded if you had to leave, or couldn't finish one. 2. Many of the labs required you to create a situation (i.e create accounts with passwords, and then you cracked them), which is nice for the lab, but is a completely different experience vs attacking a system (like you might in the CPT) where you have no idea who the users or passwords are. 3. It may have been a good idea to group some of the modules and by default, the labs together. That way you get a real feel of the process, rather than practice, stop, practice, stop. review 1. practice, stop. review 2 and 3....

I Think I gave a decent review of the CEH, but ill just highlight, in my opinion, the best thing for preparing for the CEH will be some prior security knowledge and experience with the main tools of hacking, their options and output,

Onto the CPT. The CPT is composed of two parts, a written online, multiple choice exam, and a practical, composed of two vms set up on your network. I really liked the CPT written. The answers were realistic, and I felt good taking it I knew I knew the material, and I was interested in each question. My only issue was with two of the questions. The good news is that you can submit feedback after the exam. Then it.s practical time. You have 30 days from the start of your written to complete the practical and the corresponding report.

The difficulty of the CPT will depend on your experience, and your time constraints. I think it is a decent challenge for new pentesters. first and foremost, I had never really penetrated a linux machine before. (I completed de-ice 1, but that was different. After what seems a lifetime of point and click owning ala metasploit (even via the cli), linux was a challenge. Attempting to use your newfound methodology and apply it to an attack was a rewarding experience. For sure I had to ask for advice along the way. And boy, I swear that I had stepped into an OffSec class, I could swear I heard someone whispering "Try Harder". My advice during this portion would be to keep your books close by, and to feel free to research. Many times I found myself looking at the student manual, then reading about the subject in Hacking Exposed, then off to youtube, then a developer website. Try it, fail, and off to the message board. "try harder", give up and try 1 more time, got it and move on.

overall, I highly recommend this course for those just starting out who want to get their hands wet, you might get a little soaked.
Sign In or Register to comment.