eCPPTv3 Review – The Not So Good, The Bad, and the Ugly

I failed my first exam in 20 years, and I have taken many of them. Between my time in real estate and IT I have taken over 30 exams in the last several years alone. It happens, but it is very frustrating when you think you failed because you experienced issues with the exam environment AND the actual exam itself.

INE (formerly eLearn Security), the keepers of the excellent eJPT recently refreshed their eCPPT (Certified Professional Penetration Tester) exam. I observed that there were very few reviews available of version 3, and those that existed mentioned there were some issues with the exam. Therefore, I approached the exam with cautious optimism.

The exam consists of 45 questions that must be answered based on the activities you perform while “pentesting” a network in a 24-hour time period. The previous version of the exam gave you several days to do a pentest and submit a professional report. This change seems like a step in the wrong direction at a time when most certification companies are moving towards actually having you do a “realistic” pentest; the removal of the report is a mistake in my opinion. Most pentesting consists of a short time doing the actual test and a much longer period doing the report. The report IS the customer deliverable, so it is extremely important. I am not sure what INE was thinking with this change.

Here are my issues with this exam:

  • Let us start with the training – The training for the eJPT was exceptionally good. The training for this exam was not good. It will also not be enough to pass this exam. The trainer is all over the place and the videos seem like a non-linear mishmash. It is mentioned several times that we covered something previously in the series or that we would cover it in the next video, and that video was the end of the module. I do not know if they just recycled content or what, but I do not feel it was effective. Also note this: there are tools that are used by the trainer in the training that are not available during the exam.
  • Letter of engagement – There are some extremely misleading statements in the letter of engagement provided by INE, so much so that you could set yourself up for failure by listening to any of their recommendations. In fact, completely ignore most of their “advice” on what tools and wordlists to use unless you want to waste extreme amounts of time. In the interest of confidentiality that’s all I will say, but there are hashes you need to crack that you will not be able to using just those lists.
  • The exam environment – Hey INE, the 2000s called, they want their exam technology back. All kidding aside, you are required to use an in-browser instance of Kali. Come on, no one does that. TCM-Security (PJPT, PNPT), Offsec (OSCP+), and even EC-Council (C|PENT) all allow you to use your own tools over VPN. It is fine for the entry-level eJPT, but for your professional-level cert there should be a professional-level environment. The exam environment itself was sluggish, and I had to reset mine twice.
  • Internet access – Even worse than an in-browser instance of Kali is an in-browser instance of Kali with no Internet access. I had issues (explained more below), and not having Internet access made fixing those issues or getting alternative tools impossible.
  • Things just not working – One tool they recommend using in the letter of engagement is evil-winrm. Well, that tool was critical at a point in the exam, and it was throwing an OpenSSL Digest error no matter what I did. I emailed support and they graciously autoreplied with, “we’ll get back to you in 2-3 business days and BTW we’re off on Monday” …great. There were also hashes that I could not crack no matter what list I used. Pretty difficult when they ask for the clear-text password in a question for that hash. There were questions that just did not make sense, and I spent time trying to decipher what INE wanted. Also note: hashcat did not work in the exam environment either (another error thrown); not as big of a deal, but still very annoying. If you want me to use your environment, everything should work. I should not have to use hashcat on my machine.

I am thankful I got this exam package for half price during their holiday sale at the end of the year, because I would be irritated if I paid full price for this. I have a free retake, but I am going to sit this out for a few months until they work the bugs out, if they even do (they may believe everything is peachy keen). I did find a potential fix for the evil-winrm issue, but alas it was too late for me; at that point I had already submitted the exam.

I am not taking any exams moving forward that use this terrible model of in-browser Kali instances. That is ridiculous and nothing like a real penetration test would be. I therefore cannot recommend this exam. If you do plan to take it, or if you paid for it already, you may want to check with INE regarding what their plan is to address the issues with it before you click the “start exam” button.

UPDATE: INE got back to me finally and expressed their sympathies for my issues, but apparently their exam is perfect. Well, it’s up to you all if you believe them or the many reviews on the Interwebz that say otherwise (I have found several that are very recent, including folks who passed the exam and still advise people to stay away)…so don’t expect any changes. Honestly, after I use my free retake (and either pass or fail) I am pretty much done with INE moving forward. I truly feel like they try to make their exam harder through trickery when this stuff is hard enough. INE is heading in completely the wrong direction compared to people who are now ahead of them in their exam technology and methodology.