Thread: ECSA review

  1. Senior Member (Join Date: Jul 2015 | Location: Island on the other side of Pacific pond | Posts: 943 | Certifications: C****, C***, C**)
    #1
    ECSA review

    I started ECSAv9 recently. Had initially signed up for another course but switched to ECSA due to course availability issues, so here is a short review.

    The v9 course includes lectures, hands-on labs and what EC-C calls the Pen Test Challenge.
    There are no printed books unlike GIAC SANS; you are given DRM protected PDF course materials.
    Neither are you given VMware images for labs. Both the labs and challenges are conducted in their iLabs environment which is accessible from internet, so you can do it during class or at home. You are given 30 days to complete the labs and challenges.

    The trainer will start a lecture module, you do the corresponding labs if any and start on the day's challenge at the end of the day. The lab manuals have step-by-step instructions with screenshots. You get to install and use tools such as Nessus, OpenVAS, ZenMap, Metasploit, sqlmap and a couple of other tools. You do get to use Metasploit a fair bit to run the exploits and get meterpreter shells.

    The challenges do make the course interesting. On Day 1, you need to do host discovery and scanning of the 172.16.0.0/12 and 10.0.0.0/8 networks. Day 2 to 4 challenges require you to compromise specific Windows and Linux servers and get hashes of specified files among other tasks. There are 10 servers to compromise. EC-C provides 4 VMs for your pen testing: Windows 2012, Windows 8, Kali and Kali rolling. The VMs do not have internet connectivity and you are unable to transfer files in and out of them. They do mount an ISO of different Windows tools for you to install and use.

    Different points are assigned to each challenge and the final report is 14 points; you need 70 out of 100 points to pass. I have already completed the challenges and am putting finishing touches to the report. You need to upload the pen test report to EC-C within 60 days. EC-C did provide a "sample" report template to help with the documentation. Once the report is marked and a passing mark is achieved, you are then allowed to take the MCQ exam.

    I find some of ECSAv9 challenges interesting and enjoyable. I was using the newer Kali rolling VM most of the time as I am comfortable with Linux, but had to switch to older Kali VM at times as some programs only work in older Kali VM. I used Windows Server VM once to run a Windows tool. You get to compromise different types of systems and applications including Linux, Windows, databases, web applications and CMS.

    I know ECSA is not that well recognised, but this was a good learning experience. Let me know if you have any questions.
    Now back to work and eCPPT study.
  3. Senior Member 636-555-3226 (Join Date: Jul 2015 | Posts: 863 | Certifications: Lots of security certifications, yet the more I learn, the further I have to go...)
    #2
    I'm curious as to the use of ZenMap over straight up nmap. I know it's easier, but nmap isn't that hard once you know the switches (or know how to Google them)

  4. Senior Member (Join Date: Jul 2015 | Location: Island on the other side of Pacific pond | Posts: 943 | Certifications: C****, C***, C**)
    #3
    Quote, originally posted by 636-555-3226:
    I'm curious as to the use of ZenMap over straight up nmap. I know it's easier, but nmap isn't that hard once you know the switches (or know how to Google them)
    Guess they were trying to make it more user-friendly. I prefer to use nmap and did include both nmap and Zenmap screenshots in my report.
    Last edited by Mike7; 12-12-2016 at 11:47 AM.

  5. Junior Member, Registered Member (Join Date: Feb 2017 | Posts: 5)
    #4
    Hi Mike,

    I am currently working on the ECSA. In the beginning it was a lot of fun, but it seems that none of the challenges are similar to the ones for the practice lab. Can you provide any insight? I am wondering if I am overthinking it.

  6. Senior Member (Join Date: Jul 2015 | Location: Island on the other side of Pacific pond | Posts: 943 | Certifications: C****, C***, C**)
    #5
    Yes, the challenges are not the same as your practice. You need to do some reading up and that is where the fun is. I was running tools and Metasploit exploits that were not covered.

    Make sure you are able to discover the servers and enumerate running services. Then run other tools such as Nessus to look for security vulnerabilities that can be exploited or weak passwords to gain access.

    Good luck and have fun!

  7. Junior Member, Registered Member (Join Date: Feb 2017 | Posts: 5)
    #6
    Thanks Mike! I have found a lot of tools that weren't covered. It has been interesting.

  8. Junior Member, Registered Member (Join Date: Feb 2017 | Posts: 5)
    #7
    Hi Mike,

    I am new to pen testing and still working on the ECSA report. I extended it because it is very hard. I feel like I am leaving out a step or something when I am doing the attacks. I do all of the information gathering but I am still having issues with the attacks. Any advice is greatly appreciated.

  9. Senior Member (Join Date: Jul 2015 | Location: Island on the other side of Pacific pond | Posts: 943 | Certifications: C****, C***, C**)
    #8
    Not sure where you are stuck. I am assuming your challenge is the same as mine, so here are some tips without giving you the direct answer. You have been warned.

    Some dead ends that I encountered: some of the servers are not very robust, in that excessive scanning or brute force attacks will kill them. A Nessus scan will flag some critical Windows vulnerabilities. However, these vulnerabilities may not have an appropriate Metasploit exploit that you can use to gain access; a DoS exploit can only crash the server, and some exploits only work on 32-bit but not 64-bit Windows. As per my original review, I had to use the older Kali in one instance as a Metasploit exploit does not work on Kali rolling. Also remember to configure the correct Metasploit option settings when running them.

    The first challenge is very important as this is where you discover all the hosts; else you are unable to continue with the rest. Different machines require different attacks. Servers with web services are to be compromised via web vulnerabilities. One web server was a bit tricky in the sense that you need to brute-force search for a hidden directory. As for the other challenges, one of them requires Nessus scan to detect an old but infamous Windows vulnerability that you can exploit. The others require brute force password guessing; you can use Hydra or Metasploit to do it. There is one server where you can either brute force the password or exploit a vulnerable service listening on a non-standard port to gain access.

    Do take note that you do not need to complete all the challenges. 70 out of 100 points is enough to pass.
    Last edited by Mike7; 02-25-2017 at 03:22 PM.

  10. Junior Member, Registered Member (Join Date: Feb 2017 | Posts: 5)
    #9
    Everything you wrote is what I have been doing. I think I am overthinking it (which I am prone to doing). I appreciate your response. I wasn't going for the answers, just trying to get a sense of what I am overlooking. I think I am going to start over, clear everything out. Thanks again!!!

  11. Junior Member, Registered Member (Join Date: Oct 2011 | Posts: 3)
    #10
    I am stuck at the first step itself. Not able to gather the IP addresses. Please help me.

  12. Senior Member (Join Date: Jul 2015 | Location: Island on the other side of Pacific pond | Posts: 943 | Certifications: C****, C***, C**)
    #11
    Quote, originally posted by shank.appu:
    I am stuck at the first step itself. Not able to gather the IP addresses. Please help me.
    Spoilers below... You have been warned.

    You are to discover hosts in the private IP ranges, i.e. the 172.16.0.0/12 and 10.0.0.0/8 subnets. This can be executed using Nmap host discovery. The default host discovery is not very fast as it does a lot of things besides ICMP ping. I used custom switches to execute a pure ICMP-only echo request at a faster rate and with more parallelism and was able to scan 16.7 million IPs in the 10.0.0.0/8 subnet within 6 hours. You will find servers in the 172.16.0.0/12 subnet as well.
    Read the nmap documentation, try different switches and use Wireshark to validate.

    Alternatively, you can also scan for NetBIOS servers. This method is much faster but will only reveal some servers. Follow up by doing an nmap host discovery scan of the servers' (much smaller) subnet to discover more servers.

    Once you have found all the IPs, run a complete port and OS discovery scan on them. Nmap's smb-os-discovery script will give you the computer name and OS. You can also run a Nessus scan on discovered hosts to extract host info and in addition find vulnerabilities for exploitation. Or you can use OpenVAS; I prefer Nessus though. Some servers have SNMP enabled with the default community string; if you are familiar with SNMP, you can extract the network subnet range among other things via SNMP queries.

    So the approach is to do a rapid sweep scan, followed by host discovery of the smaller network subnet and then targeted host enumeration scans. There is more than one way to do host discovery and enumeration. Be familiar with nmap switches, try different tools and learn from the experience.
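The staged approach in the post above (rapid sweep, then host discovery on the smaller subnets that answered, then targeted enumeration) has a bookkeeping step between stages that the post leaves implicit: turning a long sweep's output into the short list of subnets worth a second pass. Below is an added example of that step, written for this thread and not code from the original post or from EC-Council's course. It assumes the sweep was saved with Nmap's grepable output option (-oG); the sample output embedded in it is constructed, not real scan data. It also turns the post's figure of 16.7 million addresses in 6 hours into the probe rate a sweep must sustain, which is the number to compare against what Wireshark shows when validating the scan.

```python
"""Stage-2 planning for a staged host-discovery sweep.

Hypothetical helper written for this thread: it reads the grepable (-oG)
output of a fast stage-1 host-discovery sweep (nmap -sn), keeps the hosts
that answered, and maps them onto the much smaller subnets that deserve a
full host-discovery and enumeration pass.  It also converts "N addresses
in T seconds" into the probe rate the sweep has to sustain.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of `nmap -sn -oG` output; these are NOT real results.
# "Down" lines normally appear only in verbose runs; one is included to
# show that the parser filters them out, as it does duplicate "Up" lines.
SAMPLE_GREPABLE = """\
# Nmap 7.40 scan initiated Sat Feb 25 10:00:00 2017 as: nmap -sn -n -oG sweep.gnmap 10.0.0.0/8 172.16.0.0/12
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.20 ()\tStatus: Up
Host: 10.0.3.7 ()\tStatus: Up
Host: 10.0.3.7 ()\tStatus: Up
Host: 10.0.0.21 ()\tStatus: Down
Host: 172.16.5.10 ()\tStatus: Up
# Nmap done at Sat Feb 25 16:00:00 2017 -- 17825792 IP addresses (4 hosts up) scanned in 21600.00 seconds
"""

# One grepable host-discovery record: "Host: <addr> (<name>)<TAB>Status: <Up|Down>"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_up_hosts(grepable: str) -> list[str]:
    """Return the distinct addresses reported as Up, in first-seen order."""
    seen: dict[str, None] = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3) == "Up":
            seen.setdefault(m.group(1), None)  # dict keeps insertion order
    return list(seen)


def hits_per_subnet(hosts: list[str], prefixlen: int = 24) -> dict[str, int]:
    """Count responders per enclosing /prefixlen network, sorted by network.

    A subnet with several responders is a stronger lead for the follow-up
    host-discovery pass than one with a single hit.
    """
    counts = Counter(
        ipaddress.ip_network(f"{h}/{prefixlen}", strict=False) for h in hosts
    )
    return {str(net): n for net, n in sorted(counts.items())}


def followup_subnets(hosts: list[str], prefixlen: int = 24) -> list[str]:
    """The stage-2 target list: one network per group of responders."""
    return list(hits_per_subnet(hosts, prefixlen))


def required_pps(cidr: str, seconds: float) -> float:
    """Probes per second needed to send one probe to every address in `seconds`."""
    if seconds <= 0:
        raise ValueError("seconds must be positive")
    return ipaddress.ip_network(cidr).num_addresses / seconds


if __name__ == "__main__":
    up = parse_up_hosts(SAMPLE_GREPABLE)
    print("hosts up:", up)
    for net, n in hits_per_subnet(up).items():
        print(f"stage-2 target {net} ({n} responder(s))")
    # The post's figure: all of 10.0.0.0/8 in 6 hours.
    print(f"10.0.0.0/8 in 6 h needs about {required_pps('10.0.0.0/8', 6 * 3600):.0f} probes/s")
```

Feed it the real `-oG` file from the sweep instead of the constructed sample and the printed networks are the targets for the second, slower host-discovery pass; the /24 grouping is a default, and a wider prefix is the right choice when responders are thinly spread.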

  13. Senior Member (Join Date: Jul 2015 | Location: Island on the other side of Pacific pond | Posts: 943 | Certifications: C****, C***, C**)
    #12
    Quote, originally posted by Charli:
    Everything you wrote is what I have been doing. I think I am overthinking it (which I am prone to doing). I appreciate your response. I wasn't going for the answers, just trying to get a sense of what I am overlooking. I think I am going to start over, clear everything out. Thanks again!!!
    Make sure you discover all the servers and do sufficient enumeration. Challenge 1 (host discovery) is very important. You should be able to identify which server subsequent challenges refer to. If you are stuck with one challenge, switch to another. There was one server where I guessed the password correctly without even using Hydra.

  14. Senior Member (Join Date: Jul 2015 | Location: Island on the other side of Pacific pond | Posts: 943 | Certifications: C****, C***, C**)
    #13
    And for those following and still interested.

    Once your pen test report is submitted, marked and passed, you are given an exam voucher with 3-month validity. I submitted my report in mid-December. As my course was conducted by a training centre, the exam must be taken at the same place, and it took them a while to find an available exam time slot.

    So I finally took the MCQ exam yesterday (Saturday) and passed. The exam duration is 4 hours with 150 questions and I had to log in to a website to take it. Fairly straightforward questions, and the answers can be found in the provided official PDF study curriculum.

  15. Member (Join Date: May 2013 | Location: Singapore | Posts: 36 | Certifications: Network+, MTA 98-349, MTA 98-365, SSCP, CHFI, eJPT)
    #14
    Quote, originally posted by Mike7:
    And for those following and still interested.

    Once your pen test report is submitted, marked and passed, you are given an exam voucher with 3-month validity. I submitted my report in mid-December. As my course was conducted by a training centre, the exam must be taken at the same place, and it took them a while to find an available exam time slot.

    So I finally took the MCQ exam yesterday (Saturday) and passed. The exam duration is 4 hours with 150 questions and I had to log in to a website to take it. Fairly straightforward questions, and the answers can be found in the provided official PDF study curriculum.

    Still following this thread indeed. Congrats on the pass!

  16. Junior Member, Registered Member (Join Date: Oct 2011 | Posts: 3)
    #15
    Hi Mike,
    I tried many combinations and some scans are still in progress (nearly 20 hrs) but still no results. Can you help me with the nmap switch for the first challenge?
    Thanks

  17. Senior Member (Join Date: Jul 2015 | Location: Island on the other side of Pacific pond | Posts: 943 | Certifications: C****, C***, C**)
    #16
    Quote, originally posted by shank.appu:
    Hi Mike, I tried many combinations and some scans are still in progress (nearly 20 hrs) but still no results. Can you help me with the nmap switch for the first challenge? Thanks
    No. You need to figure the switches yourself.

    Did you read up on the Nmap host discovery switches? Did you fine-tune the switches for faster discovery? Can you use Wireshark to verify the nmap scanning?

    Nmap is not the only way to search for hosts; there are other tools in Kali that you can use, and even the Windows VM has an ISO of tools. All hosts in the network respond to ICMP pings and some have NetBIOS or HTTP ports open. You can write your own script and use the ping command if this is easier.

    You have 2 subnets to scan, 172.16.0.0/12 and 10.0.0.0/8. Start with the smaller subnet. Do your own research, read up, test out and learn.
    Last edited by Mike7; 02-28-2017 at 01:25 AM.

  18. PJ_Sneakers, "The ceiling is glass." (Join Date: Nov 2014 | Location: 169.254.0.1 | Posts: 759 | Certifications: AccessData, Cellebrite, CompTIA, EC-Council, IACRB, (ISC)², Microsoft, MSAB)
    #17
    Quote, originally posted by Mike7:
    And for those following and still interested.

    Once your pen test report is submitted, marked and passed, you are given an exam voucher with 3-month validity. I submitted my report in mid-December. As my course was conducted by a training centre, the exam must be taken at the same place, and it took them a while to find an available exam time slot.

    So I finally took the MCQ exam yesterday (Saturday) and passed. The exam duration is 4 hours with 150 questions and I had to log in to a website to take it. Fairly straightforward questions, and the answers can be found in the provided official PDF study curriculum.
    I did the official class and the instructor told us that after the pentest is submitted, we would have to pay $500 for the voucher. Since I don't have $500 I put this one on the back burner. Did you experience otherwise?

  19. Senior Member (Join Date: Jul 2015 | Location: Island on the other side of Pacific pond | Posts: 943 | Certifications: C****, C***, C**)
    #18
    Quote, originally posted by PJ_Sneakers:
    I did the official class and the instructor told us that after the pentest is submitted, we would have to pay $500 for the voucher. Since I don't have $500 I put this one on the back burner. Did you experience otherwise?
    This is bad. Have you submitted your report?

    You should get a confirmation mail from aspen@eccouncil.org after uploading your report to the Aspen website:

        Congratulations! Our team has received the ECSA report you submitted in the Aspen ECSA dashboard. Within the next 7 days, we will review your entire report and grade it against our rigorous grading rubric. If you achieve a passing score, you will be granted eligibility to move onto part two of this process and challenge the ECSA Exam. As soon as we mark your report with a passing score, you will receive an email with your ECSA Exam voucher code and instructions on how to schedule your test.

        If you require any assistance with this part of the process, please write to ecsaexam@eccouncil.org and we will be happy to assist you.

        Thank You.
        EC-Council

    Once the report is marked and passed, you should receive a mail with a voucher code from ecsaexam@eccouncil.org:

        We are happy to inform you that your ECSA report has been approved.

        Your ECC exam voucher code is 9ECXXXXXXXXXXX, and is valid for 90 days from the date of this notice.

        Please refer to the guide for further instructions.

        Should you require any assistance, please write to certmanager@eccouncil.org

        Thank you.
        EC-COUNCIL

    My course was taken at New Horizons in Singapore.

  20. PJ_Sneakers, "The ceiling is glass." (Join Date: Nov 2014 | Location: 169.254.0.1 | Posts: 759 | Certifications: AccessData, Cellebrite, CompTIA, EC-Council, IACRB, (ISC)², Microsoft, MSAB)
    #19
    Mine was at a New Horizons too, thanks for the info Mike!

    I have not done the pen test yet. My class consisted of the instructor talking about everything in the CEH curriculum. We did not go over anything that would help in the practical.

  21. Senior Member (Join Date: Jul 2015 | Location: Island on the other side of Pacific pond | Posts: 943 | Certifications: C****, C***, C**)
    #20
    Hmm... this is different.

    On the first day, we logged in to https://aspen.eccouncil.org/ to activate and download the ECSA DRM-protected curriculum PDF and pen test report template. The instructor was teaching from the ECSA curriculum.

    We also activated our iLabs account at https://ilabs.eccouncil.org/. The environment was provided by https://labondemand.com. ISACA's CSX Practitioner is using the same vendor with a lab test link at https://labondemand.com/Launch/122B02AA. We started the tutorial labs on day 1. There are 19 lab modules; 14 tutorial modules that correspond to the curriculum chapters and 5 classroom challenge modules for each day. The classroom challenge modules are exactly the same environment; you can do all your challenges on one challenge module.

    Your instructor is probably new. Ask your instructor if this is his first ECSAv9 class.

  22. PJ_Sneakers, "The ceiling is glass." (Join Date: Nov 2014 | Location: 169.254.0.1 | Posts: 759 | Certifications: AccessData, Cellebrite, CompTIA, EC-Council, IACRB, (ISC)², Microsoft, MSAB)
    #21
    We had no iLabs. In fact, he said that there were no ECSA v9 labs at all. So he called corporate and had them give us access to the CEH labs.

  23. Senior Member (Join Date: Jul 2015 | Location: Island on the other side of Pacific pond | Posts: 943 | Certifications: C****, C***, C**)
    #22
    Quote, originally posted by PJ_Sneakers:
    We had no iLabs. In fact, he said that there were no ECSA v9 labs at all. So he called corporate and had them give us access to the CEH labs.
    This is very fishy. Does he have ECSAv9 training materials?
    My DRM-protected PDF has the words "EC-Council Certified Security Analyst v9" on it.

    You could be doing ECSAv8. When I started my course, the instructor claimed that the training center is among the few in our region offering v9 and other centers are still on v8. Seems that training centers must go through a certification process in order to offer ECSAv9. Is v9 stated anywhere in your invoice? You may want to contact EC Council.

  24. PJ_Sneakers, "The ceiling is glass." (Join Date: Nov 2014 | Location: 169.254.0.1 | Posts: 759 | Certifications: AccessData, Cellebrite, CompTIA, EC-Council, IACRB, (ISC)², Microsoft, MSAB)
    #23
    All of my courseware is V9. I have a book that says V9. We got access codes for the practicals. Maybe that is my iLabs access, but there were no learning materials other than a thick ass book of the PDF.

    To be honest, I have never been impressed with any of the EC-Council instructors at New Horizons.

    I'm not sure I'm going to pursue this cert at this time.

  25. Senior Member (Join Date: Jul 2015 | Location: Island on the other side of Pacific pond | Posts: 943 | Certifications: C****, C***, C**)
    #24
    Do you get ECSA in your Aspen access? 'Cos you are supposed to upload your report there. This feels like someone printed out his CEHv9 PDF to conduct a CEH class and called it ECSA.

    Suggest you contact EC-Council about this. The course includes a practical and an exam. This is clearly stated at https://www.eccouncil.org/programs/c...-analyst-ecsa/

  26. PJ_Sneakers, "The ceiling is glass." (Join Date: Nov 2014 | Location: 169.254.0.1 | Posts: 759 | Certifications: AccessData, Cellebrite, CompTIA, EC-Council, IACRB, (ISC)², Microsoft, MSAB)
    #25
    I know it's real, it's in my Aspen account and I have official courseware. I'm not going to contact ECC because they are a hot mess when it comes to emails.