TCM CPEH Exam / Certification Review

Quick Facts:

  • Practical exam, no multiple choice
  • Use any tool you want, seriously
  • 5 days for testing, 2 days report writing
  • $299 standalone exam
  • $399 exam with training
  • Veteran and student discounts available

What is the CPEH?

Certified Practical Ethical Hacker (CPEH) is a fully practical examination which requires the student to prove their proficiency in the realistic facets of conducting a penetration test. The training and exam seek to provide students with a baseline of knowledge which is expected of a professional seeking a career in penetration testing. The goal is to perform a full front-to-back assessment of a companies assets as provided in the scoping information with the ultimate goal of compromising the exam Domain Controller. This includes Open Source Intelligence (OSINT) gathering, gaining internal network access from the external perimeter, moving laterally from within the internal network, and exploiting common attack vectors within Active Directory.

Background

Heath Adams (thecybermentor) reached out to myself and others to take the beta version of the exam. While it was in beta mode, it was essentially in it’s completed format. All he asked for was honest feedback and to let him know if any issues were encountered.

The Exam

Rules of Engagement (ROE)

Since the exam is made to replicate an actual penetration test, students are sent a Rules of Engagement (ROE) document to the email they enrolled in the course with. This Rules of Engagement document clearly outlines the purpose of the engagement, the scope of the engagement, points of contact, assessment dates, etc.

I found the Rules of Engagement document to be similar to what I’ve seen in the past in my career. Unlike eLearnSecurity’s WAPTv3 exam where I felt there was some ambiguity in the scope, CPEH scoping was very clear and concise. I knew exactly what I can attack and what is off-limits.

OSINT

Open Source Intelligence (OSINT) gathering is an important part of the exam. This is clearly stated multiple times on the TCM Security certification page as well as the ROE. This will test the student in their attention to detail, as well as drive home the importance of enumeration and gathering any and all information which may prove beneficial to compromising an in-scope asset.

External Penetration Test

Part of the exam will test the students ability to identify external perimeter assets and then find a valid attack vector to gain internal network access. Without giving out hints or answers, I can simply just say refer to everything you’ve identified thus far in the exam. Enumeration is always very important to identify the full attack surface. And taking good notes is crucial to your success.

Edit: Someone on LinkedIn asked a great question regarding the External portion of the exam. You will not scan an actual external range. You are given the “external range” in the ROE document which is only accessible via a VPN.

Internal Network Penetration Test

Again, as clearly stated, you will be tested on your internal network / active directory penetration testing skills. I found this part of the exam to be the most challenging, yet fun. To navigate your way through the internal network, you’ll be challenged with pivoting, escalating privileges, taking advantage of windows services, observing lazy user habits (definitely realistic), and gathering loot.

I will refer again to what I believe is crucial to a students success — taking good notes! If and when you get stuck, it’s important to look back at what you’ve already attempted, what information you’ve gathered thus far, and what you’ve exploited. Go back to every step and think if there is something else you could do, see if there is something you may have missed, and do some research on what you can do with the current permissions you have.

Bottom Line

The exam mimics a real penetration test from start to finish. You have 5 days to complete the assessment which is absolutely fair, and then an additional 2 days to write up a professional penetration test report to provide to the “client” along with a 15-minute debrief. At a price point of $299 for the standalone exam, I feel this is an excellent certification and exam for anyone who is looking to gain the fundamental knowledge to get into penetration testing.

As of writing this post, the certification is very new. This means it currently does not have the industry recognition among HR folks and likely most hiring managers. However, that does not mean it should be looked past. I wish this exam existed when I was starting my career as a penetration tester because it fills in the gaps of knowledge that I don’t believe other certifications are currently providing. I can say with complete confidence that the experience gained from performing this exam would have helped greatly in my interviewing when seeking that initial employment as a penetration tester.

Related Post