eLearnSecurity Junior Penetration Tester (eJPT)

In April 2020, I took the eJPT exam from eLearnSecurity. As the “Junior” part of the name suggests, this is an entry-level exam, and I think it acts as a good stepping stone towards the eCPPT or the OSCP.

All of eLearnSecurity’s certifications are good for life, as opposed to Cisco/CompTIA certifications which have to be renewed every 3 years; however, they update the syllabus every so often, so eJPTv2 has now replaced the original eJPT (which I did).

This was my third penetration testing exam, and it took an interesting approach. PenTest+ is a traditional theory-based exam, where you answer multiple choice questions and then a computer instantly gives you the result when you finish. OSWP is a practical exam, where I had to submit a written report and wait for a human to review it. In the eJPT exam, you are given VPN access to a network, and then you have to answer multiple choice questions based on that network. For instance, they might ask you “How many Windows services are configured for automatic startup on SERVER1?” The only way to find out is to gain access to that server, i.e. you have to actually use the skills that you’ve learnt rather than regurgitating trivia points from memory. I think this approach gives the best of both worlds, i.e. a practical test with instant results, although reports are an important skill for real-life penetration tests.

Overview

PTS (Penetration Testing Student) is the course which leads to the eJPT exam.

In 2020, I paid $299 for the PTS course and the eJPT exam. I started out with the “barebones” version of the course (free of charge) which just included online access to the slides. I then got a voucher for $100 off the full version (i.e. $199 was reduced to $99), which included videos and 30 hours of lab time. I also paid $200 for the eJPT exam itself.

INE (the training provider) have now moved to a subscription model: the Fundamentals Annual plan also costs $299, which includes all of their introductory learning paths, unlimited lab time, and the eJPT/ICCA exams. (If you pay for the exams separately, the eJPT voucher costs $200 and the ICCA voucher costs $99.)

NB At the time of writing, INE’s “start here” page has better prices:

  • Fundamentals Annual costs $249 (reduced from $299) until 2023-03-31.
  • Fundamentals Quarterly + eJPT costs $249, then $117 per quarter.

Also, be aware that INE often have “Black Friday” discounts in late November. Just make sure that you remember to cancel any ongoing subscriptions when you’re finished with them!

There are no formal prerequisites for the PTS course, but you should have some general IT experience. I would recommend CompTIA’s “core skills” (A+, Network+, Security+) to everyone who works in IT; you need that knowledge, even if the certifications have lapsed. For instance, if you’re going to do a ping sweep or a port scan then you need to understand how IP addresses work.

You will also need to run Kali Linux, either as a physical or virtual machine: you connect your computer to their network via a VPN (for the labs and the exam), then you run various tools locally on your computer. I.e. they don’t (or at least they didn’t) provide a “jump box” like the OSWP exam. I’d previously configured Kali on my laptop for the OSWP course (using VMware Workstation), so I used the same VM again. If you’ve never used Kali Linux before then it’s worth doing the PEN-103 course (free of charge). Similarly, you will need to use Metasploit, so it might help to do Metasploit Unleashed (free course, but they request a donation to charity).

In my case, it took me about 3 weeks to get through the training material (studying in evenings/weekends), including the various lab exercises. I paused the labs whenever I wasn’t actively using them, because I was conscious of the 30-hour time limit. However, I needn’t have worried; I averaged about 1 hour per module for 16 modules. Now that the lab time is unlimited, that won’t be an issue for new students.

Course

I did the old course (on the eLearnSecurity website). In brief, I’d say that it was good but not great. Some of the issues were just cosmetic:

  • There were typos, e.g. “vunlerability” instead of “vulnerability”.
  • The regional formatting matched Eastern Europe rather than the US/UK. That’s not inherently wrong, but it can be confusing.
    • Quotes were done as ,,foo” rather than “foo”
    • Numbers were written as 1.234,59 rather than 1,234.59
  • I suspect that they hired a professional voice actor to narrate the videos (rather than an IT professional). On the whole, it was fine, because he spoke clearly. However, there were a few words which he pronounced in an unusual way, e.g. he said popen as “pope-un” (rather than “pee-open”), and meterpreter as “meeter-preeter” (rather than rhyming with “interpreter”). There were other words which were just flat-out wrong, e.g. “tree view” became “three view”, and “DBMS” (Database Management System) became “DMBS”.

Although I did the PTSv4 course, some of the videos were from PTSv3, and they were out of date with the (then) current versions of tools. I appreciate that software is always being updated, so it’s a moving target, and this is an issue you’ll encounter in the real world (e.g. if you look at an old blog post or YouTube video). However, as an example, one of the Metasploit videos used Nmap 6.47 (released in 2014), with a particular script (smb-check-vulns) which was removed in Nmap 6.49 (released in 2015). The course was updated in 2019, so this information was 4 years out of date at the time of release.

As a related issue, I used Kali Linux 2020.1 for my VM. The big change in this release was Non-Root by default. I.e. you log in as “kali” and then use the “sudo” command when necessary, rather than logging in as “root” and running all commands with root privileges. However, the PTS documentation was written for an older release of Kali, so some of the example commands needed to be adjusted.

My biggest concern is that they didn’t have a clear target audience, particularly when it comes to C++ programming. You don’t need to know this for the exam, and the training material won’t actually prepare you to do the labs. So, you either have to rely on prior knowledge, do independent research, or “cheat” by looking at the answers. My advice is to treat this as a stretch goal, i.e. come back to it after you’ve covered the rest of the material.

To elaborate on that:

  • One of the exercises asked you to write a program which would exfiltrate data using DNS queries. Looking at the forum, someone said: “Data Exfiltration is an advanced topic covered in the WAPT or WAPTX course (PTS is designed to be a beginner/introductory course for those interested in penetration testing and information security).”
    Based on that comment, it seems odd to put this exercise in a beginner course! More specifically, this should not have been in the “prerequisites” section (implying that you need to understand this to do everything else); it would have been better off in “next steps”, along with the black box labs.
  • In another section, the training material was very basic, e.g. “this is a variable”. The lab then asked you to write a keylogger, with a hint: “you might want to use the GetAsyncKeyState() function”.

There’s a separate conversation about whether you need to be a programmer in order to be a penetration tester. I think the answer depends on what you’re doing, e.g. it will certainly be helpful if you want to understand buffer overflow attacks or modify an exploit script. In my case, I had previous experience as a programmer (including C++) so I was able to figure out the course material, but that won’t be the case for everyone. I think there’s also a difference between “You’ll need to know this later” (e.g. for the eCPPT) vs. “You need to know this now” (for the eJPT).

Putting this another way, I think there are 2 valid approaches for the course to take:

  • It could tell students that there’s no prior programming experience required, and then make sure that the training material includes everything they need to know.
  • It could tell students that they need to be comfortable in language X before doing this course (and maybe offer a beginner’s guide as a separate course).

Either of those approaches would be fine, but the people in charge need to pick one and then be consistent. I suspect that this was partly a case of “too many cooks spoil the broth”, i.e. there were various modules created independently, but no overall vision.

NB The new course (on the INE website) has been updated and expanded, so hopefully these issues have all been addressed, but I haven’t done the new version so I can’t say for sure.

I realise that all sounds quite negative, but I did also learn some things from the course.

In the PenTest+, they might ask you “What type of tool is Burp Suite?”

  • A packet analyser
  • A debugger for assembly language
  • A proxy server
  • A password cracker

So, in preparation for that exam, I did my best to memorise lists of tools, many of which I’d never used. By contrast, the PTS course demonstrates exactly what Burp Suite is (a proxy server) and how to use it. This is something that will definitely be useful to you later on as a pen tester.

More generally, the course is similar to TryHackMe, in that it introduces tools and makes sure that you actually practice with them.

Exam

The exam takes (up to) 72 hours, so it has to be done remotely rather than going to a test centre. Unlike other exams, I didn’t book a slot for this in advance. Instead, I bought the exam voucher (which was valid for 180 days), then I clicked a button on the website when I was ready to start. Like the labs, the exam uses virtual machines (dedicated to each student rather than shared), and those VMs are created on demand.

Bear in mind that some tasks are very interactive, e.g. you might run a port scan against an IP address and then decide what to do next based on which ports are open. Other tasks can run in the background, e.g. using DirBuster to look for hidden directories on a web server or crunching a word list against hashed passwords. With a long exam like this, you can multi-task, e.g. set a background task running while you eat or sleep.

It’s an “open book” exam, so you can look up any command syntax that you’re not sure about rather than having to memorise all the parameters. You can also take a break to watch a YouTube video; there’s no proctor peering over your shoulder at your screen.

Personally, I started my exam at 20:30 on a Friday, after I’d finished work for the week. That way, I would have 2½ days at home (Friday evening, all day Saturday/Sunday, and Monday morning). I could have booked the Monday off work as annual leave, but I was confident that I wouldn’t need the full 3 days for this. In fact, it took me about 6 hours to answer all the questions (finishing at 02:30). I then went to bed, and left a couple of tasks running overnight. When I got up on Saturday morning, I double-checked my answers, then ended the exam. I scored 95% (19 out of 20), so I passed with a comfortable margin, and I’m happy with that.

Looking at other blogs, I think my experience is fairly typical:

  • “It took me around three and a half hours to complete it with a perfect score of 20/20, that is despite a dinner break, a high temperature and falling into a few rabbit holes with the machines.”
    (Arnav Tripathy)
  • “I took 19 hours to complete my exam [..] This time includes 6 hours and 41 minutes of sleep along with 1 dinner, 1 breakfast, few unwanted and 5 “let’s free up my mind” breaks. I think I was able to finish the exam in around 7-8 hours, which also includes the time for writing a very lengthy writeup/report I made for the pentest.”
    (Mehtab Zafar)
  • “Deciding to just give the exam a try, I purchased an exam voucher and passed in just over 3 hours.”
    (KentoSec)
  • “It took me 3 hours to “pass”, but I continued on for another 2 hours for a total of 5 hours straight. If you are not experienced, it will likely take you even longer than that, and that is OK!”
    (Casey Erdman)

This isn’t a race, and you might prefer to set aside the whole 3 days (e.g. on a bank holiday weekend) just to play it safe, but I think they’ve been quite generous with the time allocation.

If you fail the exam, you get one free attempt at a re-sit. This has to be done within 14 days; I don’t think there’s a minimum “cooling off period”, but realistically if you’ve spent the whole weekend on this then you’ll probably want to wait until the following weekend to try again.

Sadly, the eLearnSecurity certifications don’t have digital badges (e.g. at Credly). However, a few people have suggested/requested this in the forums, and it might come later.
