I took the CEH some time ago now, but I’ve only just got round to writing a review of the course and experience. I’ll start by saying that a lot of the reviews I had read before taking the course hadn’t been great; however, the certification is recognised in industry, and it had caught my attention a couple of times after I’d seen it listed on requirement sheets for pen test contracts. I’d been doing a lot of web application pen testing, but hardly any infrastructure testing at the time, and this was something I was trying to get more heavily involved in.

The gist of the negative reviews that I’d read had been that there was far too much focus on how many names of obscure ‘hacking tools’ amongst other irrelevant knowledge you can memorize and regurgitate on demand in multiple choice format. I set this aside, and decided I was going to take the certification anyway, simply because it was recognised and might be required in pen tests that I might want to go after in future. I remember looking at a few batches of sample questions online and deciding that I was just going to self-study for this – a lot of sample questions centered on basic TCP vs UDP, port numbering and networking type material and after checking out a couple of sources of sample questions, I estimated that I already had about 70% of the knowledge needed to pass the exam. I was surprised to see that if I chose to just buy the exam voucher, I would be penalized in terms of cost and additional fees, and would have to go through additional verification in order to get the certification as I had not been through “approved training”. I therefore decided to take the official EC-Council online training material which I studied over a period of 2 weeks before taking the exam.

Eric Reed, the instructor in the video material, was really very good, and I found it easy to absorb the material first time based on his teaching style. I was only too aware, however, that at the end of each chapter was a vast brain dump of software tools, which could have just been arbitrarily picked out from a Google search. I did pick up a good amount of knowledge along the way on interesting topics such as how an XMAS scan packet is constructed, a few nuggets on cryptography and the finer differences between a virus, worm, ‘data diddler’ and trojan(!). I have to say though, I did come to the CEH course and exam later in my career than others would have, and so I did not expect to learn an awful lot from it – it was really a case of just wanting the accreditation for me. I should stress that at the time of taking the course, I already had about 7-8 years in networking and sysadmin, and had conducted a ton of web application pen tests. Overall I enjoyed the official training material.

Once I’d finished the course videos and material, I signed up at ‘uCertify’ because I had received a free voucher to use their exam prep questions as part of my signup for the CEH live training. Upon starting, I was pretty shocked. There were all kinds of questions on material that had just not been covered. Additionally, whilst one in four of the questions was completely technically flawed, well over half made little or no grammatical sense to a native English speaker. It was apparent that these had all been written by someone who did not speak English as a first language. I was getting answers wrong to basic knowledge questions because the wording of the question just didn’t make sense and none of the presented multiple choice options were correct. At this point I was getting a bit worried and just hoping that the real CEH questions and answers hadn’t been constructed in the same way. The bottom line is that I found the uCertify test prep material really bad – this isn’t a direct criticism of the official CEH course, but they do actively recommend them, or at least did at the time.

I went and sat for the CEH exam in the test center in Gibraltar as I happened to be in Spain at the time. The exam was built to a good quality and was an accurate reflection of the material taught in the online course. The exam is a 4 hour, 150 multiple choice question test and the passing grade is 70/100. I ended up scoring a decent 84/100 and was pleased with the result.

Did I learn some interesting and helpful information along the way, and consolidate some knowledge? Yes. Did I enjoy the course? Yes. Would taking this course and exam alone provide me with the skills to put myself out with confidence as a pen tester, or ‘ethical hacker’? No, definitely not. I would recommend the course to anyone at the start of a pen testing career, coming from a decent networking background who wants to meet a prerequisite level of knowledge before going out and working to gain more hands on experience. I also think that the course would be very valuable to sysadmins and IT management looking to gain an understanding of the security arena, and some of the threats that exist.

My prep advice is to take the time to really learn the:

a) Port numbers & services

b) Networking, IP addressing, network level attacks. The TCP protocol in particular, and port scanning.

c) The parameters to the port scanners discussed

d) The crypto: asymmetric and symmetric features, differences, ciphers and key lengths.

e) The tool dumps

Overall, it was good fun and I learned a bit. I thought the tool dumps were really unhelpful; however, I found the level of networking knowledge required very reasonable. If I could change the exam and course, I’d like to see 90% of the tool dumps wiped out, i.e. everything but the most popular and useful tools gone. I would then like to see far more scenario based questions added to the exam that demonstrate a practical knowledge, for example:

“John has just conducted an nmap scan and he’s found that SNMP is running on the device. His next step would be:”

a) Testing for SQL injection and XSS attacks
b) Testing for default community strings
c) Brute forcing SNMP OIDs
d) Attempting an SNMP denial of service

Correct answer B

“John is testing a Windows 2003 SP1 server and notices that ports 139, 445 and 3389 are open. John has full exploit authorization and is under a time pressure to gain access as quickly as possible. What vulnerability would he test for first?”

a) SQL injection
b) Remote Desktop brute force
c) MS08-067
d) NetBIOS denial of service

Correct answer C

“Alice visits her Company’s web mail site and uses the HTTPS protocol. She receives a certificate warning that the certificate issuer is not trusted. The expiry date is valid and the domain name, however, matches without issue. What is most likely happening?”

a) An attacker could be performing a MITM attack
b) Their certificate authority’s certificate could have expired and should be investigated for renewal
c) A temporary misconfiguration on the Company’s web mail site; the certificate should be accepted
d) A misconfiguration on the registration authority’s site; the Company should seek a new certificate issuer

Correct answer A

“Bob has just implemented a new IDS on his corporate network and is analysing traffic from the outside. Bob receives an alert that incoming traffic matches ‘\x90\x90\x90\x90\x90\x90\x90\x90’ and violates the protocol. What is most likely taking place?”

a) A port 90 denial of service attack
b) An SNMP spoofing attack
c) A service exploit
d) An IDS/IPS disabling attack

Correct answer C
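The run of 0x90 bytes in Bob’s alert is the x86 NOP instruction, and a long run of it (a “NOP sled”) in inbound traffic is the classic sign of a service exploit attempt. The following is an added example, not code from the post or from any IDS product, of the detection logic behind that alert, run over a few constructed payloads; the eight-byte threshold and the sample traffic are assumptions for illustration.

```python
# Added illustration of the IDS scenario above: flag payloads containing a
# long run of 0x90 (x86 NOP) bytes, the NOP sled that typically precedes
# the payload of a memory-corruption service exploit. The threshold and
# the sample payloads are constructed for this example, not from a real IDS.
from typing import Optional

NOP = 0x90
SLED_THRESHOLD = 8  # assumption: eight consecutive NOPs, as in the quoted alert


def longest_nop_run(payload: bytes) -> int:
    """Return the length of the longest run of consecutive 0x90 bytes."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best


def classify(payload: bytes, threshold: int = SLED_THRESHOLD) -> Optional[str]:
    """Return an alert string if the payload looks like a NOP sled, else None."""
    run = longest_nop_run(payload)
    if run >= threshold:
        return f"possible service exploit: NOP sled of {run} bytes"
    return None


# Constructed sample traffic: a benign HTTP request, a payload with only a
# short NOP fragment, and one carrying a sled followed by placeholder bytes.
SAMPLES = {
    "http": b"GET /index.html HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "short": b"\x41\x41\x90\x90\x90\x42\x42",
    "sled": b"\x90" * 16 + b"\xcc\xcc\xcc\xcc",
}


def scan(samples: dict) -> dict:
    """Run the classifier over every sample and map name -> verdict."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(name, "->", verdict or "no alert")
```

In practice a rule this simple needs tuning: 0x90 runs also occur in legitimate binary transfers, so real signatures pair the sled match with the protocol violation the question mentions before raising the alert.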

I’m no test writer, and maybe I’m way off, but in my opinion it’s these types of question that show a far stronger understanding of the subject matter and that a pen tester can actually analyse and understand a scenario that he’s faced with. That said, I don’t believe that there is ever a substitute for a practical assessment in an area that requires a practical knowledge.