If you follow me on Twitter, you will have noticed that I recently achieved my first professional certification: eLearnSecurity Junior Penetration Tester (eJPT). So, I thought I should share my thoughts on my experience with the exam and with the Penetration Testing Student (PTS) course.
This blog post is a condensed version of my review video on YouTube, so if you prefer videos, then click the link below:
What is eJPT/PTS?
eJPT is a beginner-level certification for people who are just starting out in the cyber security scene and want to get into red teaming or penetration testing. The PTS course, hosted by INE, teaches you everything you need to know to pass the exam.
Firstly, the course introduces key concepts of networking like IP addresses, routing, TCP and UDP, and how to use Wireshark. It also goes over the basics of HTTP/S, cookies and sessions, and how to use Burpsuite. It then advances onto some programming with C++, Python and command line scripting, and how to use each to exploit a victim’s machine.
The final part of the course establishes the penetration tester’s methodology and teaches you how to use tools like Nmap, Nessus, and Masscan for information gathering and vulnerability analysis. It then takes covers web, system, and network attacks and finishes with three blackbox pentests.
Each section of the course contains lecture slides, videos, and labs to make sure you fully understand each concept both theoretically and practically. INE also provides solutions to each of the lab so that you can learn what the best practices are. It is obviously advised not to look at these before you attempt the lab exercises.
As I mentioned, the PTS course is provided by INE. You can get free access to all of the course materials through the Free Starter Pass. Note that this doesn’t include a voucher to sit the exam. If you want to sit the exam it will cost you $200 for a voucher. This includes one free retake which you must use within 7 days of your first attempt if you fail.
The exam itself is an internal penetration test on a fictional but very realistic corporate network. You are given a letter of engagement and some other important files which you will need during your pentest. It’s vital that you read the letter of engagement carefully as you will find a lot of key information on it. The exam consists of 20 multiple choice questions, which you are given 3 days to submit. You need 75% (15/20) to pass.
How I Studied
I started studying for eJPT on June 7th and sat and passed the exam on July 12th. I was using this schedule as a basis, which aims to complete the PTS course in just 16 days:
I obviously took a bit longer, mainly because I couldn’t manage the minimum 3 hours of studying everyday as well as keeping up work commitments.
Fortunately, I come from a technical background, so the course was mostly revision for me, although I did learn some very useful tricks (like pivoting).
My Exam Experience
The exam is very hands-on. You will have to use and combine a lot of the techniques which are covered in the course to answer the questions. There are a few modules which are not required in order to pass the exam:
- Programming prerequisites
- Buffer overflows
- Privilege escalation
Before I started the exam, I made sure I had all of my notes ready so that, if I got stuck and needed to look anything up, they were readily available. I then began the exam.
I also made sure to take note of everything I did during the exam (scans, exploits, credentials) so that I had all of the information needed to answer the questions.
The exam took me around 5 hours to complete and I scored 100% (20/20), although I was confident that I had answered more than enough to pass within the first 3–4 hours:
My Advice
Make sure you take notes!! Note down everything while your studying and even when you take the exam. This will help you establish a methodology and will make sure you don’t miss anything.
If you are new to penetration testing, take the time to learn the basic concepts. This course is a great resource to help you break into the industry, but it’s even more important that you fully understand the theory and how the concepts are applied to real-life scenarios. Also make sure that you complete all of the labs at least once, read every slide, and watch every video.
The final piece of advice I’m going to give is don’t punish yourself for not working every day. It’s very easy to slip into a bad routine where you are constantly working, but this often causes more harm than good. Make sure you give yourself enough time to relax and do other things away from the keyboard.
Overall Thoughts
In my opinion, the eJPT certification and accompanying PTS course is a great way to learn the basics of red teaming and penetration testing. The price of $200 also makes this one of the most affordable certifications on the market, so it’s perfect for you students (myself included).
The exam is also a lot of fun and very realistic. If you choose to follow this path, I’m sure you will learn a some neat tricks to help you on your way.
Questions
A lot of you have messaged me on Twitter with questions, so I’ll try to answer them here…
What topics are covered in the exam?
Everything in the PTS course is covered in the exam apart from programming, buffer overflows, and privilege escalation.
Are the blackbox pentests harder than the exam?
In my opinion, yes, the three blackbox pentests are definitely harder than the exam.
Is TryHackMe/HackTheBox useful?
Yes both platforms are very useful resources, but they are not necessary to pass the exam.
How long would it take for beginner to complete?
I would recommend spending at least two months on the course material. But, if you feel confident enough, there’s no reason why you can’t do it in a shorter time-frame.
Can you give any example questions?
I don’t want to give away the exact questions (for obvious reasons), but you may be asked questions similar to the following:
- What is the password of a specific user?
- What are the contents of a specific file?
- What is the address of a specific network/machine?
Are there any other resources you would recommend?
As I’ve said, the PTS course gives you everything you need to pass the exam. If you are looking for other resources then I would recommend:
- TryHackMe or HackTheBox
- John Hammond on YouTube
Final Comments
I hope you enjoyed this post as much as I enjoyed making it. I would really appreciate it if you check out my YouTube channel and my Twitter:
Lastly, if you have any questions or any thoughts, I would love to hear them. I reply to every message/comment on my Twitter, so don’t hesitate to ask.
Stay curious.
-v3r4x