Path to Pentesting: eJPT

I passed the eJPT! Here’s my review of this pentesting course and certification test.


Plan Overview

When going onto the course page, you’ll see three tiers for the program at various pricing. First, you’ll see the barebones plan, which isn’t purchasable. You can easily get a voucher for this plan for free. I got mine by following the /r/netsecstudents subreddit. It may take some time, but the eLearn staff frequently post links to keys on this sub. Alternatively, you could always send them an email and hope for the best. This plan gives you access to the slides and (more importantly) a 100 dollar discount on the full and elite plans.

Next is the “Full” plan, which is the one I selected. This is the plan I’d recommend to anyone. I finished the labs with over 20 hours of my lab time remaining. Unless you literally have never done a CTF or familiarized yourself with Kali, pick the full plan. You could always go print out your shiny eJPT certificate at a local paper store.

Next is the “Elite” plan, which is essentially the full plan with more lab time, more free retakes, and a physical certification. Chances are you won’t need more than one retake, but if you think you’d need the extra lab time or retakes then this would be a perfectly valid option. The price is still good, especially with the barebones discount.

Course Content

This course has three major components: the slides, videos, and the labs. While the slides are good, they’re nothing you can’t get from a basic book or reading tutorials on the internet. The videos are well done and complement the labs nicely. I thought the narrator did a good job overall; however, he pronounced some terms oddly. For example, he pronounced the word “meterpreter” (usually pronounced like interpreter) as meter-preter. Minor complaint aside, I thought the videos were a great resource to show the basics.

The labs are the best part of this certification. You VPN into their environment and learn the topics and techniques talked about in the slides and videos completely hands-on. Check out the specific lab topics on the course page. By the time you finish the labs, you’ll be ready for the test, and more importantly, be ready to take the eCPPT, OSCP, or dive into some online CTFs.

The Test

The test itself functions just like a lab with an added questionnaire component. Essentially you VPN into the environment, pull up the 20 questions on which you are graded, and go at it. You get three days’ access to the environment, which will be more than enough if you prepared. From start to finish, it took me around 4 1/2 hours including breaks and some food. A passing grade is 75%, so you have a good margin for error if you get stuck on a couple questions. If something goes wrong and you get a failing grade, you get a free retake with the full plan and several retakes with the elite.

Without revealing too much, the test is not a “get root and you win” capture the flag. The questions do a great job of making sure you have an understanding of the course objectives and test your critical thinking. While this is still a rudimentary penetration testing cert, I personally hold it higher than passing the Sec+ or CEH (even if HR departments do not).

When you submit the question answers, you’ll get an instant confirmation of your grade. I got a downloadable certification immediately upon passing (and a warm fuzzy feeling). Unfortunately, you aren’t able to see what you got wrong. Ideally, I would have liked to see at least the category of the question that I missed. Good news is, even after the test, you’ll still have access to your allotted lab time for review.

My Experience

I got a barebones plan quite some time ago. At first, I was going to just read the slides and go take the eCPPT, which financially I couldn’t manage to swing. In the meantime, I decided to just knock out the eJPT. It helped me check out eLearn’s learning methodology and view how they structure their content to see if it was for me. Having the barebones package, the course and certification ran me 200 USD.

I purchased the content on week one and read through the slides and watched all the videos. Once I got through the media, I went into the labs. For each lab, I wrote down notes for methodology, syntax, alternative programs, switch explanations, etc. I occasionally had to go back and re-watch a video to take additional notes. In retrospect, I should have taken notes on the videos as I went along.

This took me roughly two weeks, taking one day on my weekend per week to go through the labs. So really, if I sat down and consecutively worked on the labs and my notes, it may have taken me two or three days. For reference, I still have 24 hours and 44 minutes remaining from my original 30 hours of lab time. I went into this course with previous knowledge of the majority of techniques and tools used, so take that information with a grain of salt. I’d expect someone with no previous experience to use maybe an extra 10 hours figuring it all out and experimenting.

As mentioned earlier, I sat down with a cup of coffee and took the test. I’ll refrain from mentioning specifics but my overall impressions are incredibly positive. I wasn’t able to pass this by memorizing terms and definitions like I did with the Sec+. At some points, I had to sit back and think about a question or roadblock I ran into. I may have walked into the cert with a wrong attitude, thinking it’d be a cake walk the whole way. Pleasantly surprised, I finished the cert feeling adequately challenged and accomplished with the experience.

Conclusion

Great content. Great test. Great introduction to penetration testing. I highly recommend it. The real question is, is it worth two hundred dollars? Some may look down at the price tag. Some may learn just as much if not more from online resources, books such as “Penetration Testing: A Hands-On Introduction to Hacking” by Georgia Weidman, and OverTheWire and VulnHub CTF challenges. I’m not going to try to discredit that route; it was initially the path I went down. I’ve read all the books, practiced and beat my head against VulnHub VMs, and explored the vast amount of online resources available. I do believe I’m better off for that knowledge; however, there is something to be said about structured learning.

Having learning resources via a course makes learning much more time efficient. I was able to knock this out in my free time with a set mental time table of how to accomplish what needed to get done. This is the main selling point for me, and anyone on the fence about this cert should take this into consideration. Sure, you could go ahead and spend a hundred or so on some books, set up a lab environment (assuming you have the resources to do so), and learn way more than you can in this cert. However, you’ll spend an incredible amount of time doing so. For some people, the saved time taking the eJPT (or the eCPPT for those already familiar with penetration testing) is well worth the price tag.

Bottom line? Time is money, and the value of this cert will be reflective of that on an individual level. The eJPT will definitely be for some people, while skipping it in lieu of free resources will be for others.

As always, feel free to contact me with any feedback or questions!