eCPTX Review - By Yash Bharadwaj
Introduction
The Certified Penetration Testing Extreme (eCPTX) is one of the most practical & advanced certifications offered by eLearnSecurity. The course is advanced & arms you with various offensive techniques; it gives you the ability to think like a threat actor and can widely broaden your pentesting skills.
The exam was so challenging that it kicked my ass on the first attempt, but at the same time it taught me how to really think out of the box and perform offensive actions in a stealthy manner. It really does require a solid background in pentesting (especially network pentesting) and an understanding of advanced Active Directory concepts & attacks. However, if you are on the way to learning these things, the course covers a ton of information.
The purpose of this blog is to post a review of the eCPTX course designed by Dimitrios & team at eLearnSecurity. The course is really capable of upgrading the following skills:
- Advanced penetration testing processes and methodologies
- Advanced Exploitation using Metasploit and Empire
- Network/traffic manipulation
- Pivoting
- Advanced Lateral Movement (WMI, PS Remoting, DCOM, etc.)
- Advanced Active Directory Information Gathering, Enumeration and Reconnaissance
- Custom Attack Vector Development
- Deep knowledge of Active Directory and Windows internals
- Knowledge of Windows authentication weaknesses
- Web application manual exploitation
- Stealthy Scanning and Profiling the target
- Advanced Persistence / Backdooring
- Privilege escalation
If you are good at scripting languages like PowerShell & bash, it will be a bonus for you; otherwise, you can start practicing them beforehand.
Courseware
As the course covers a modern Active Directory environment, I strongly recommend diving deep into the inner workings of Active Directory & its protocols. The course has 6 modules in total, which give loads of information, starting from Advanced Social Engineering and going up to Windows Server Update Services exploitation.
I recommend following the below flow path of the Red Team attack cycle while planning and exploiting environments. The quote
"While preparing for a battle, I have always found that plans are useless but planning is indispensable"
by Mr. Dwight might make sense here :)
Let me walk you through modules & some labs present in the course:
Module 1: Advanced Social Engineering
From my point of view, this module is a separate course in itself; it covers various techniques employed by APT groups while targeting organizations and dives deep into crafting custom attack vectors plus payloads. This module deals with the first two phases of the above attack path cycle, Recon & Initial Compromise.
Module 2: Advanced AD Recon & Enumeration
Once the attacker is inside the organization's infrastructure, performing enumeration activities in a stealthy manner is necessary. You will learn how to identify & profile a target while making minimum noise to avoid raising any alarms. Personally, I have learned a lot about enumerating a domain environment from a Linux machine, as the course does not start just by running tools or giving you access to a beachhead machine. You will be required to write custom enumeration scripts based on the environment.
Module 3: Red Teaming Active Directory
This module starts with the fundamentals of Active Directory & the in-depth working of its protocols. I would like to add: start building your own AD lab locally. My lab structure looks as follows, & I was able to mimic in this architecture almost all the attacks demonstrated in the module.
I recommend you build an attack path scenario which covers misconfigured constrained & unconstrained delegation, unintended ACL paths, Silver & Golden Tickets, the DCSync attack and abuse of cross-forest trusts, & understand in depth the concepts of the Kerberos protocol.
Before scheduling my examination, I had thoroughly practiced close to all possible attack vectors in the following local environment.
Fig: My Local Domain Environment
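As an added example (not the author's lab code and not part of the course), here is the PowerShell audit I would run against such a lab to confirm that the delegation, DCSync and Golden Ticket related misconfigurations exist only where you intended them. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the domain; it only reads, nothing is changed.

```powershell
# Added example: read-only audit of a lab domain for the misconfigurations
# named above. Assumes the RSAT ActiveDirectory module and a domain-joined host.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$dcNames  = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

# 1. Unconstrained delegation (userAccountControl TRUSTED_FOR_DELEGATION = 0x80000).
#    Domain controllers have this flag legitimately, so they are excluded.
Write-Host "== Unconstrained delegation (non-DC accounts) =="
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' |
    Where-Object { $dcNames -notcontains $_.Name } |
    Select-Object Name, ObjectClass

# 2. Constrained delegation: accounts allowed to delegate to specific SPNs, and
#    whether protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000) is set.
Write-Host "== Constrained delegation =="
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
             -Properties msDS-AllowedToDelegateTo, userAccountControl |
    ForEach-Object {
        [pscustomobject]@{
            Name               = $_.Name
            Targets            = ($_.'msDS-AllowedToDelegateTo' -join ', ')
            ProtocolTransition = [bool]($_.userAccountControl -band 16777216)
        }
    }

# 3. DCSync exposure: principals holding the replication extended rights on the
#    domain root. Expect only Domain Controllers, Enterprise DCs, Administrators.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
Write-Host "== Replication rights on $domainDN =="
(Get-Acl "AD:\$domainDN").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'ExtendedRight' -and
                   $replRights.ContainsKey($_.ObjectType.ToString()) } |
    Select-Object IdentityReference,
                  @{ n = 'Right'; e = { $replRights[$_.ObjectType.ToString()] } }

# 4. Golden Ticket hygiene: an old krbtgt password keeps forged TGTs valid.
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
$age    = [int](New-TimeSpan -Start $krbtgt.PasswordLastSet).TotalDays
Write-Host "== krbtgt password last set: $($krbtgt.PasswordLastSet) ($age days ago) =="
```

Anything listed under sections 1 to 3 that you did not deliberately plant in the lab is a finding worth understanding before you move on to the attacks.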
The module also covers active PowerShell defenses in depth, along with their bypasses. I had a hard time trying to implement & bypass Constrained Language Mode (CLM) & AppLocker policies deployed locally. The course was launched in 2017, & some of the bypasses discussed might get picked up nowadays due to signature/code updates of AVs; I strongly recommend actively looking for blogs online & Twitter threads discussing bypasses of the latest defenses. During preparation, I made custom scripts in PowerShell & C# which bypass AMSI in memory and Defender too.
The videos that come along with this particular module are just awesome. I have gained a lot from them by implementing everything & getting my hands dirty in the local environment.
Module 4: Red Teaming MS SQL Server
This module is very well organized, as it covers attacking critical infrastructure from every user perspective. You will be targeting various components of SQL Server stealthily & learn methods to backdoor a SQL Server. As said before, before attacking you should focus more on understanding the concepts & SQL Server internals. You will find lab setups & detailed info about SQL Server internals & workings on Scott's NetSPI blog.
The lab of this module is really mind-blowing, as you compromise the whole environment just by identifying a SQL injection vulnerability in the target network.
Module 5: Red Teaming Exchange Server
You will see how to compromise an organization over the internet by targeting its Exchange infrastructure. Sadly, there is no lab in this module, but the module gives a brief of the ins & outs of Exchange Server internals, all the specific protocols & how they can be abused.
The video is awesome, as it covers gaining initial access to the target infrastructure plus stealthily backdooring it. One of the many things I like about eLearn is the scenario-specific problems, as they teach you to think out of the box & to see the multiple ways to act in that particular scenario.
Module 6: Red Teaming WSUS
WSUS servers are deployed on-premises in an organization for updating systems regularly. This module will teach you to expand the compromise through Windows Server Update Services: the network which was previously inaccessible from our point of compromise can now be reached by abusing WSUS capabilities.
Positives
The course contains in-depth topics & external links to some awesome blogs for learning & exploitation. There are 4 labs, but trust me, they require intermediate to expert level knowledge to understand & achieve the complex tasks. You will not be throwing exploits; the most important thing you will learn is the time required to understand the workings & figure out ways to compromise the target in the most hidden ways. The main focus is on functionality abuse & leveraging misconfigurations to laterally move along our path to full domain compromise.
Always try to keep in mind that achieving the highest privileges like Domain or Enterprise Admin in the environment is not the only goal; identifying critical assets & exfiltrating them in a stealthy manner must be the goal. One of the things I learned is cleaning footprints on the compromised machine, as leaving a PowerShell or cmd process open is not a good habit. Living off the Land or fileless techniques must be followed while performing assessments.
Negatives
Personally, I do not feel anything is bad in this course, because I focused more on gaining & implementing knowledge. Yes, people say that there is a shortage of labs & that all the information in the course can easily be found on blogs online.
Since the primary driving force for most new inventions is a need, if there is a shortage of labs, one can always spend some time figuring out how to build an AD lab locally (just like I did), which can set up a more thorough learning path. Also, you will be in a position to figure out for yourself how to defend against such attacks, because you have set up the whole lab :)
The course is known for its beautifully organized structure; there is a lot more information in online blogs & threads than is present in the course, but it is structured in such a way that you will not get confused on your learning path & will understand the tactics needed to think like a real threat actor.
Thank You <3
Find me here:
Twitter: @flopyash
LinkedIn: https://www.dhirubhai.net/in/bharadwaj-yash/
Comments:
COO at Incode Group // Business Advisor at MLPCo (1 year ago): Great read!
VP, IT Security Training Services at Hack The Box (4 years ago): Thank you for your review! Feedback noted and will be addressed. All the best in your career...
Cybersecurity (OSCP, OSEP, OSWE) - Master's degree x 3 (M.Eng, LLM, MSc) - Bachelor's degree x 2 (B.Eng, LLB) (4 years ago): Congrats!