My Experience with eJPTv2

My experience preparing for and passing the exam for eJPTv2 - Junior Penetration Testing certification

Introduction

Hi there! I’m Niccolò, and I recently passed my eJPT. This certification is a significant step for anyone looking to advance in the cybersecurity field. In this article, I’ll share my journey, study tips, experiences with the exam and resources to help future test-takers or anyone interested in this path.

Preparing for the Certification

Research and Resources 🔍

To kick off my preparation, I dove deep into a variety of resources. Here are some that stood out:

  • INE eJPT Course: Together with the voucher to take the exam, INE includes a course of about 140 hours. This course is very comprehensive, covering everything you need to know to tackle the exam labs effectively. It delves into critical topics such as Enumeration, Metasploit, and both host and network exploitation.

  • Websites: Sites like TryHackMe and HackTheBox are perfect for training your skills in a challenging environment.

  • Communities: Joining forums and communities such as Reddit’s r/eLearnSecurity or r/netsec, and Discord groups like TryHackMe or, for fellow Italians, Offensive Security Italia, offered support and advice from other learners and people who had already passed the exam.

Study Plan

With the bundle, I got 3 months of access to the course, but I mostly studied for 1 month:

  • Structured Schedule: I dedicated time every day in the afternoon (and after dinner when I was free) to watch lectures and practice.

  • Hands-On Practice: I believe practice was the most important part of learning. The labs in the INE course are straightforward and demonstrate how to work with specific topics from the lectures. However, the confidence gained from solving boxes on TryHackMe is what truly makes a difference on exam day.

Tools and Techniques 🛠️

Mastering the right tools and techniques is essential:

  • Tools: Many tools presented in the course are necessary to pass the exam, but the most important are:

    • Metasploit: It simplifies the exploitation process, making it easier to identify and exploit vulnerabilities.
    • Nmap: A crucial tool for network scanning and enumeration. It helps you discover hosts and services on a computer network, laying the groundwork for further penetration testing activities.
    • Hydra: Used for brute-force attacks on login pages and various protocols.
    • Dirb: A web content scanner that helps in directory and file brute-forcing. It’s important for discovering hidden files and directories on a web server.
    • Searchsploit: A command-line tool for searching the Exploit Database. It helps quickly find relevant exploits for known vulnerabilities, streamlining the exploitation process.
  • Techniques:

    • Host Discovery: Identifying live hosts within a network using tools like Nmap to map out the environment and understand the network’s structure.
    • Enumeration: Gathering detailed information about the discovered hosts, including open ports and running services.
    • Finding the Right Exploit: Using tools like Searchsploit and Metasploit to locate and match known vulnerabilities with appropriate exploits.
    • Pivoting: A technique used to move from one compromised system to other systems within the same network to gain deeper access.

Study Tips and Recommendations

Study Habits

Finding your own way to study is important because the lessons are numerous and sometimes very repetitive.

  • Time Management: I personally got bored after a few consecutive lessons, and doing boxes and challenges on TryHackMe at those times helped me progress quickly without losing the motivation to study.

  • Note-Taking: Having good notes makes all the difference during the exam, and taking them during the lessons helps you to better understand what you are doing. That said, I used notes found online, which I will leave at the end of the article.

Practice and Simulation

Practical experience is key in penetration testing. I recommend:

  • Labs: Platforms like Hack The Box and TryHackMe for hands-on practice. I will list some resources at the end of the article for the best boxes suited for exam preparation.

Exam Experience

Preparation on Exam Day

I prepared for the exam by reading the letter of engagement and the explanations about the exam available on the INE website. Reading and understanding the evaluation criteria is very important for a successful examination.

Evaluation Criteria

From the image, you can see the actions evaluated during your exam. Since it’s not always clear where they collect this information from, I suggest going through all of it multiple times, on different machines and in different situations inside the lab.

Exam Structure and Content

Understanding the exam structure helped me prepare better:

  • Format: The exam consisted of 35 random questions (multiple-choice, flags, passwords, etc.) that you can answer only by going through the practical labs.

  • Content of the Lab: The exam is a black-box penetration test, so I cannot say much about it. The basic idea is that you will be inside a network where there are several machines to enumerate and exploit in order to answer questions.

As I explained, answering all questions is not enough to pass the exam!

Challenges and Strategies

I faced several challenges during the exam. Here’s how I tackled them:

  • Enumeration is Key: One of the most critical strategies was to meticulously enumerate everything at all times. Collecting as much data, versions, and other relevant information from every service was vital. This comprehensive approach to gathering information helped me understand the environment better, identify potential vulnerabilities more effectively, and find ways to exploit services when I was stuck.

  • Embrace Brute Force: Another crucial strategy was not to shy away from brute-forcing. When faced with tough situations, employing brute-force techniques on login pages and other access points proved to be effective.

  • Read All the Questions: Reading the questions at the start of the exam is important to have an overview of what you will find in the lab, and it also gives you some nice hints when you are stuck.

  • Take Notes: Take notes of everything you find, as it can always be useful in the future, or in case you have to reset the machine.

Conclusion

Obtaining the penetration testing certification has been an immensely rewarding experience. The journey of studying for the exam taught me a great deal and significantly enhanced my skills in various aspects of cybersecurity. The certification itself is well-structured and provides a comprehensive understanding of the essential tools and techniques required in the field.

Final Thoughts and Encouragement

The exam is not overly difficult, especially if you have some familiarity with solving boxes on platforms like TryHackMe. This hands-on experience is invaluable and prepares you well for the types of challenges you’ll face during the certification process. Overall, I highly recommend this certification for anyone looking to deepen their knowledge and advance their career in penetration testing.

Good luck to all future test-takers! 🎉

Resources

Here are some valuable resources that helped me during my preparation:

  • eJPT Cheatsheet: My favorite notes for the exam.
  • Study Plan Guide: A nice list with boxes and challenges related to the different chapters of the course.
  • Notes: Other nice notes on GitHub.
  • Reddit’s r/eLearnSecurity: A subreddit dedicated to eLearnSecurity certifications, including eJPT.
  • Reddit’s r/netsec: A subreddit focused on network security, where professionals and enthusiasts share news, resources, and advice.
  • Offensive Security Italia: A Discord community for Italian speakers interested in offensive security with a section dedicated to eJPT.
  • TryHackMe: An online platform that offers a wide range of cybersecurity challenges and learning paths.
  • Hack The Box: A platform that provides a variety of penetration testing labs and challenges.

These resources were instrumental in my journey to achieving the eJPT certification, and I hope you find them just as useful. Happy studying! 📚