Key Points

Release Date: September 2020.

Date Reviewed: June 2024.

Author/Creator: Josh Mason, Alexis Ahmed.

Subject(s): Network and Web Penetration Testing, Vulnerability Scanning.

Prerequisite(s): Basic IT Knowledge, Intermediate Networking Knowledge, Familiarity with the Windows and Linux Command Line

Medium: Video Courses, Hands on Exercises.

Length: 148 Hours Training + 48 Hour Exam.

Price: INE Fundamentals Plan for Training Path: $39 A Month + Exam Voucher: $200

Link: https://ine.com/ (Not Affiliated)

Review Disclaimer

My goal is to provide honest and consistent reviews that can help others decide if an educational resource is right for them. Due to this, reviews are not influenced by discounts given, affiliate marketing, or if a product is given for free. However, it is admitted that these benefits influence if a resource will be reviewed and that I only engage in partnerships with companies who provide quality products. If you decide a resource is right for you, using any noted affiliate links is very much appreciated, as this will help Cybersec.Reviews produce more content to further help students make informed decisions on their education.

Review

The Penetration Testing Student learning path begins with the “Assessment Methodologies: Information Gathering” section by Alexis Ahmed. Alexis is a fantastic instructor and provides very clear guidance as well as explanations for why a particular technique or command is used. The section is an introduction to information gathering with passive and active concepts like scanning. 

The next section continues on the subject of information gathering by covering “footprinting and scanning”. This section delves deeper into active scanning with nmap and covers more advanced topics, like OS detection and bypassing intrusion detection systems (IDS).

Most video instructions are paired with a hands-on lab. The exercises were largely a repetition of what the instructor demonstrates in the previous video, leaving little problem solving to be done by the student. The labs were useful to get actual “hands on keyboard” experience, but the lack of problem solving from the exercises missed an opportunity for the student to partake in discovery-based learning. I experienced frequent crashes from the labs and on one occasion, a brute forcing exercise would crash the lab itself.

The next two sections are enumeration and vulnerability assessment, which included a different instructor, Josh Mason. This began one of the main issues of the eJPT training, as Josh’s teaching lacks clarity and is very hard to follow. Topics are not expanded upon; the “what” is explained but the “how” is not, in a “watch me do this” teaching method. Unfortunately, the enumeration phase of a penetration test is one of the most important in my opinion, leaving the student not set up for success due to the subpar lessons that require the student to memorize commands but have no clue what they do.

Now the most content-heavy section begins and covers exploitation. Fortunately for the student, Alexis is the main instructor for most of it. This section covers topics such as the Metasploit framework, privilege escalation, credential dumping, and pivoting. I found the order of the videos to be confusing, as in one instance I was learning about exploiting the EternalBlue vulnerability and the next I was learning about Remote Desktop. This lack of structure made the course feel all over the place and sometimes very repetitive. This leads me to believe that the astounding course length of 148 hours could be reduced down.

The course rounded out with a presentation on social engineering and lessons on web application penetration testing. The addition of social engineering is a nice thought; however, the execution is almost useless, with an attempt at explaining how to use GoPhish. There are no actual instructions on how to conduct a phishing assessment other than a half-baked explanation of what phishing is. The lack of instruction continued into the web application section, with showcases of X tool does Y thing but no explanations included.

Overall, the course left me feeling unprepared for the exam and that I wasted a lot of time watching repeating videos, and I had fear of missing out (FOMO) on the other, better courses that I could have studied.

The Exam

The exam lasts 48 hours and includes an environment with several machines the student must exploit to answer 35 multiple choice questions. The multiple choice question format had its pros and cons. A pro being the questions act as a rough guide for the student, allowing them to get a sense if they are on the right track. The major con is this is very unrealistic and misses a big opportunity to teach the most valuable skill in cybersecurity - report writing.

I started my exam in the morning and after about 5 hours I got to the point where I believed I answered enough questions correctly to pass. After taking a break, I continued with the exam for the fun of it. I will say, I very much enjoyed the exam, but this is due to my interest in CTFs/hacking rather than the experience itself.

At this point, the exam environment unfortunately crashed, causing me to panic and believe all of my hard work was lost. I did lose some progress, which was frustrating, but luckily I kept track of my answers and was able to fill them out again. In the end, the exam was a nice experience which I would compare in difficulty to the very easy and easy challenges on Hack The Box.

eJPTv2 Exam Tips

  • Be patient when executing payloads, sometimes it can take up to 30 seconds to get a connection.
  • Focus on learning pivoting, discovery, and enumeration.
  • Remember to set a higher thread count when running scans to speed up the process.
  • Be patient when running scans during pivoting.
  • Watch a few short IppSec videos to get an idea of methodology.

Conclusion

Although the exam was enjoyable and the eJPTv2 learning path covered a very wide range of topics, I ended the experience feeling like I could have invested my time in a better training program. The knowledge gained has helped me in my day-to-day job, such as being able to think more like an attacker by knowing the basics of exploitation and discovery. The price at $39 a month for access to the learning path and $200 for the exam may seem to be on the “cheaper” end of penetration testing certifications. But with 6 months of studying, a student may be paying $400 plus in the end.

The biggest drawback to the eJPT is that it does not respect the student’s time. Videos are unnecessarily long and topics seem to repeat themselves in circles. I would recommend the eJPTv2 to anyone who is relatively new to cybersecurity and penetration testing. But for anyone who is looking to learn penetration testing skills rather than just being aware of them, there might be better alternatives.

CSR Score

Quality: 2/5

+No major video quality issues 

+No major audio issues 

-Exam crashed (lost answers but I had them noted down) 

-Labs unstable

-Brute forcing lab crashes itself 

-Not organized at all and gets confusing, sections repeat themselves 

-Phone video quality is terrible 

Education: 2/5

+Decent primer that covers the basics of several topics 

+Alexis Ahmed is a fantastic instructor

+Alexis’s sections were clearly explained

+Covers a very wide range of topics

-No Active Directory

-No report writing content

-Josh Mason sections were lacking

-The enumeration and discovery (most important) is taught by Mason 

-Wish it showed things manually instead of just tools. Explained the “what” more 

-Lab environment had issues even for the instructor 

-Unnecessary repetition 

-Instructor doesn’t explain things in depth, such as why certain switches in commands are used in a “just watch me do this” fashion

-Web application section was very lacking 

-Social Engineering section provided little value

Value for price: 3/5

+Some industry recognition 

+One of the less expensive certifications 

-The value for training is lacking 

Value for time: 1/5

-Very repetitive sections 

-Some videos felt unnecessary

-Extremely long course that could be cut down 

Verdict

Total Score: 8/20 “Not worth your time or money”  

(See scoring guide here http://cybersec.reviews/aboutme/#scoring)