eCPPTv2 - Certified Professional Penetration Tester
The eCPPTv2 (Certified Professional Penetration Tester v2) is a 100% practical and highly respected Ethical Hacking and Penetration Testing Professional certification.
Last updated
The eCPPTv2 (Certified Professional Penetration Tester v2) is a 100% practical and highly respected Ethical Hacking and Penetration Testing Professional certification.
Last updated
See my credential here:
The eCPPTv2 involves in-depth penetration testing that simulates a real world scenario, requires you to prove your analytical skills with a thorough security write-up, and is hand-graded by a security professional. This intermediate-level certification proves to employers and superiors alike that you have the knowledge necessary to run point on a host of penetration testing engagements.
None -> (3 years after 2024, with eCPPTv3)
14 days in total, 7 days with access to labs, plus 7 days to do the professional report. Just completing the lab is not enough. A professional and well-made report needs to be submitted and approved.
Network and Web Application Testing: Techniques for identifying and exploiting vulnerabilities in networks and web applications, including SQL injection and XSS.
Pivoting and internal network assessment: Assessment and exploitation of enterprise networks. Knowledge of using a compromised system to attack other systems within the same network to gain deeper access.
Buffer Overflow (BoF): Exploiting vulnerabilities by writing more data to a buffer than it can hold, causing data to overflow into adjacent memory and potentially allowing arbitrary code execution.
Post-Exploitation and Reporting: Maintaining access, data and credential exfiltration, and detailed report writing with remediation recommendations.
(4 - 18 March, 2024)
I studied for about one-two month, which was a good amount of time. I already had professional experience, as well as HackTheBox and TryHackMe platform experience. Even so, it was so much challenging, specially the buffer overflow part. For the pivoting, i had done the THM room "Wreath", and it was so good to understand and try some pivoting tools. For the BoF, i did not prepare especially, but in the real exam, i faced it very slowly and meticulously until i overcame it. For the exam, I was very focused and worked hard day and night, especially loooong nights, to pass the exam, not stopping until I succeeded. Besides that, i rested well and made sure to go for a run or walk sometimes in between, to freshen my head.
When i started it, i had VPN issues, had to change some ciphers in client side, so i started not so well. Like 15+ or 30 minutes of troubleshooting :( . With that done, i could finnaly connect and start the exam.
For the first part, do not overlook to do like a professional pentest and try to find the maximum vulnerabilities you can find. After compromising the first machine, you gain a foothold on the network, and pivoting is your friend. You should start moving and engaging in the network like a real pentester would. Here, i recommend the good old friend Metasploit, since it makes the hard things easy.
Look for ways of compromising the other machines, and remember to take note of all credentials and interesting files - the so called loot. It can be useful later.After compromising machines, do not forget about post-exploitation, since its an essential step! Here, Metasploit is again a very good tool.
For BoF, read the articles listed here and look for guides and THM walkthroughs like "Gatekeeper". It will help you. Go calm and easy, make sure you understand everything, and then when you feel ready, exploit it. You will have 3 lab resets each day if you mess things up.
Finally, you should be entering the last steps, and it should be straightforward. Very easy if you are a HTB made hacker like me. Look and enum, read, and then privesc.
If you get here, the minimum criteria is now achieved! Congratz! 🎉
But its the minimum criteria, not the decisive criteria. So start elaborating the report and make sure you make it professional, its a must! After that, submit it!
Here is a snapshot of the cover of my awesome report: 😎 (i worked really hard for it!)
Almost after 3 weeks of waiting, I finally received feedback! I had passed the certification! 😁😎
INE course - Penetration Testing Professional
Bonus - new and remodelled version of 2024 to study to eCPPTv3:
Report template (from TCM Security)
This certification its definitely worth it!
This is an awesome and challenging mid to top-level certification. It requires a lot of studying and experience. Some concepts have to be well understood, like pivoting, proxies and tunnelling, network pentesting, information gathering and reconnaissance, post-exploitation and metasploit, as well as buffer overflow and exploit development. I believe its a very good and strong foundation for the OSCP, which I'm pursuing after.
You have to demonstrate maturity in various foundational concepts and make you apply pivoting techniques, which you are not used in platforms like HTB, so this is a good way to mature on that.
The downside is the lab stability, it will make you suffer a bit. For comparison status, its worse than a open box of HTB. Since it's a paid certification lab, it should not be that unstable.
Downsides apart, im curious about the new one, with Active Directory, since it was a thing that this old one was lacking.
Definitely a good one, i recommend it!
Hope you like it, DM me or reference this if it has helped you!
