Tag Archives: security

Incoming Newsletter

Hello Everyone!

I’ve started working on getting an easy to use newsletter system up and running! There’s still a little work to do in order to make it work exactly how I want it, but I added in a quick sign up widget in the meantime! While I won’t be sending out newsletter updates very often, it will help provide a base of users that I can reach for feedback and content updates. By enrolling, you won’t be submitting yourself to spam or anything along those lines. I’ll be sending out a newsletter once every two weeks or so.

What can you expect in a newsletter? Pretty much anything that is not really worth writing a formal write up or post. I’m attempting to keep this site as static and relevant as possible. I don’t want to start posting about news or anything that will become quickly outdated. The newsletter, however, can have some news discussion, project updates, and any other information that would ideally be as helpful as possible.

Here’s a couple examples of content you can expect:

To subscribe, simply enter in your email in the bar to the right! I don’t ask for any personal information, just your email.

Hopefully, this will grow into something worthwhile. As always if there’s anything you would like to see in the email updates or on the site in general, send me an email! I started this blog primarily to help out a couple friends who were either new to the security industry or wanted to know how to get into it. I try to be as helpful as possible! I’m always up for new ideas and suggestions.

Staying Current with Cyber Security News

You’ll be hard pressed to find a single day where there is nothing noteworthy in cyber security news. For some, news exposure occurs only when watching a standard cable news channel or hearing stories from coworkers, friends, and family. If you are in the professional security world (or are aspiring to be one), you’ll need to get another news source to stay current, to keep your thumb on the pulse on all that is happening in the security world.

My preferred method is using an RSS feed to keep up with all the articles and website updates I follow. My RSS feed is comprised solely of cyber security related sites such as personal blogs, vendor blogs, and official notification sites, i.e. US-CERT.  Currently, I have 45 sites on my feed.  I read articles days or even weeks before my coworkers or infosec friends thanks to my feed. RSS feeds are not my only source of information, however, I find it most helpful out of all the various methods of obtaining news.

I’ve written a quick, easy guide on how to get started and provided my file of news sources to import. The end result is a fully customized news feed using Feedly on your browser or on your phone. Take a look and feel free to provide feedback! RSS-Tutorial

Path to Pentesting: OSCP Preparations

Having taken the eJPT, I’ve been deciding which route to go down. Do I go for the eCPPT (Certified Professional Penetration Tester) by eLearnSecurity or the OSCP (Offensive Security Certified Professional) by Offensive Security?

For my situation, I decided to tackle the OSCP. Given that I bought lab time back in 2015 (while taking 18 credit hours in college), the 90 day lab time will only cost 600 USD vs the 1200 USD the eCPPT Elite plan costs. From a career perspective, the OSCP is also much more well known by HR departments, and since I can really only pick one (for now), I’ll go for the more marketable certification. OSCP here I come…..only…..

I’ve been incredibly intimidated by the reviews I’ve read of the OSCP. The course seems grueling, especially with the recent changes to the scoring. I’ve decided to give myself some homework to pass before I sign up and plunge into the content. If you have any suggestions to add to the list, feel free to let me know!

  • Complete and document all exercises on pentesterlab.com. I’ll use these notes to compile a small book for different techniques will examples of the exploits and indicators to compromise. I’ll combine these notes with my notes from the eJPT. Hopefully, this will give me a good head start in documentation and will add a couple tricks into my toolkit before starting the OSCP exercises and subsequent labs.
  • Complete and document three more vulnhub capture the flags.
  • Configure a fully updated version of Kali with the MATE desktop. This will decrease the overhead of running Gnome on my laptop (Solus) and virtualizing another Linux distribution running Gnome.
  • Find/modify/write any helpful reconnaissance scripts. I want to be able to VPN into their lab environment the moment I get the credentials and start scans to run overnight.

I’d like to get this list done in a month or two. Between work and an impending vacation, I think it’s doable. Really, the documentation will take the most amount of time. Then I’ll try my hand on the OSCP labs and exercises!

A main factor I’ve noticed in all the reviews is the sheer amount of time most people spent on the OSCP labs, easily 200+ hours over the course of 3 months. I’ve decided to give myself a realistic goal, one that I can easily hit and surpass without burning out. At the very least, I want to put in 20-25 hours per week, which will equal out to 240+ hours. Will this be enough to pass the exam? Maybe, maybe not. I would like to think that this will be enough time for me to comfortably go through and document the labs and at least 75% of the lab boxes. I do plan on tracking my time as I go through the labs and exam itself, so I guess we’ll see!

In the meantime, I won’t be posting much more about the OSCP or certifications until I pass the OSCP and give a review similar in structure to my eJPT review. I’ll be uploading write ups for my checklist above, so I expect quite a bit more content in the next two months followed by three months of silence while I go through the OSCP.

As always, feel free to let me know if you have any suggestions or comments!

Path to Pentesting: eJPT

I passed the eJPT! Here’s my review of this pentesting course and certification test.

Plan Overview

When going onto the course page, you’ll see three tiers for the program at various pricing. First, you’ll see the barebones plan, which isn’t purchasable. You can easily get a voucher for this plan for free. I got mine by following the /r/netsecstudents subreddit. It may take some time, but the elearn staff frequently post links to keys on this sub. Alternatively, you could always send them an email and hope for the best. This plan gives you access to the slides and (more importantly) a 100 dollar discount on the full and elite plans.

Next is the “Full” plan, which is the one I selected. This is the plan I’d recommend to anyone. I finished the labs with over 20 hours of my lab time remaining. Unless you literally have never done a CTF or familiarized yourself with Kali, pick the full plan. You could always go print out your shiny eJPT certificate at a local paper store.

Next is the “Elite” plan, which is essentially the full plan with more lab time, more free retakes, and a physical certification. Chances are you won’t need more than one retake, but if you think you’d need the extra lab time or retakes then this would be a perfectly valid option. The price is still good, especially with the barebones discount.

Course Content

This course has three major components: the slides, videos, and the labs. While the slides are good, they’re nothing you can’t get from a basic book or reading tutorials on the internet. The videos are well done and compliment the labs nicely. I thought the narrator did a good job overall, however, he pronounced some terms oddly. For example, he pronounced the word “meterpreter” (usually pronounced like interpreter) as meter-preter. Minor complaint aside, I thought the videos were a great resource to show the basics.

The labs are the best part of this certification. You vpn into their environment and learn the topics and techniques talked about in the slides and videos completely hands on. Check out the specific lab topics  on the course page. By the time you finish the labs, you’ll be ready for the test, and more importantly, be ready to take the eCPPT, OSCP, or dive into some online CTFs.

The Test

The test itself functions just like a lab with an added questionnaire component. Essentially you VPN into the environment, pull up the 20 questions on which you are graded, and go at it. You get three days access to the environment, which will be more than enough if you prepared. From start to finish, it took me around 4 1/2 hours including breaks and some food. A passing grade is 75%, so you have a good margin for error if you get stuck on a couple questions. If something goes wrong and you get a failing grade, you get a free retake with the full plan and several retakes with the elite.

Without revealing too much, the test is not a “get root and you win” capture the flag. The questions do a great job of making sure you have understanding of course objectives and test your critical thinking. While this is still a rudimentary penetration testing cert, I personally hold it higher than passing the Sec+ or CEH (even if HR departments do not).

When you submit the question answers, you’ll get an instant confirmation of your grade. I got a downloadable certification immediately upon passing (and a warm fuzzy feeling). Unfortunately, you aren’t able to see what you got wrong. Ideally, I would have liked to see at least the category of the question that I missed. Good news is, even after the test, you’ll still have access to your allotted lab time for review.

My Experience

I got a barebones plan quite some time ago. At first, I was going to just read the slides and go take the eCPPT, which financially I couldn’t manage to swing. In the meantime, I decided to just knock out the eJPT. It helped me check out eLearn’s learning methodology and view how  they structure their content to see if it was for me. Having the barebones package, the course and certification ran me 200 USD.

I purchased the content on week one and read through the slides and watched all the videos. Once I got through the media, I went into the labs. For each lab, I wrote down notes for methodology, syntax, alternative programs, switch explanations, etc. I occasionally had to go back and and re-watch a video to take additional notes. In retrospect, I should have taken notes on the videos as I went along.

This took me roughly two weeks, taking one day on my weekend per week to go through the labs. So really I sat down and consecutively worked on the labs and my notes, it may have taken me two or three days. For reference, I still have 24 hours and 44 minutes remaining from my original 30 hours of lab time. I went into this course with previous knowledge of the majority of techniques and tools used, so take that information with a grain of salt. I’d expect someone with no previous experience to use maybe an extra 10 hours figuring it all out and experimenting.

As mentioned earlier, I sat down with a cup of coffee and took the test. I’ll refrain from mentioning specifics but my overall impressions are incredibly positive. I wasn’t able to pass this by memorizing terms and definition like I did with the Sec+. At some points, I had to sit back and think about a question or roadblock I ran into. I may have walked into the cert with a wrong attitude, thinking it’d be a cake walk the whole way. Pleasantly surprised, I finished the cert feeling adequately challenged and accomplished with the experience.


Great content. Great test. Great introduction to penetration testing. I highly recommend it. The real question is, is it worth two hundred dollars? Some may look down at the price tag. Some may learn just as much if not more from online resources, books such as “Penetration Testing: A Hands-On Introduction to Hacking” by Georgia Weidman, and over the wire and vulnhub ctf challenges. I’m not going to try to discredit that route, it was initially the path I went down. I’ve read all the books, practiced and beat my head against vulnhub vms, and explored the vast amount of online resources available. I do believe I’m better off for that knowledge, however, there is something to be said about structured learning.

Having learning resources via a course makes learning much more time efficient. I was able to knock this out in my free time with a set mental time table of how to accomplish what needed to get done. This is the main selling point for me, and anyone on the fence about this cert should take this into consideration. Sure, you could go ahead and spend a hundred or so on some books, setup a lab environment (assuming you have the resources to do so), and learn way more than you can in this cert. However, you’ll spend an incredible amount of time doing so. For some people, the saved time taking the eJPT (or the eCPPT for those already familiar with penetration testing) is well worth the price tag.

Bottom line? Time is money, and the value of this cert will be reflective of that on an individual level. The eJPT will definitely be for some people, while skipping it in lieu of free resources will be for others.

As always, feel free to contact me with any feedback or questions!