Affordable Pen Testing Courses

[confuscious1080]

Anyone know of any affordable pen testing courses I cannot afford the OSCP and think the CEH is probably irrelevant.

Was looking at some of Elearns courses specifically the EJPT but thought it may be to junior as I already have a Cisco CCNA in Cybersecurity

[digininja]

Check pentester academy and security tube, well worth the money.

[confuscious1080]

Do you get certifications and exams for these courses though or are they just courses

[digininja]

Why not go and look?

[confuscious1080]

Good Idea thank you for the replies they both look like very good websites I am also UK based myself

[elkentaro]

8 hours ago, digininja said:

Check pentester academy and security tube, well worth the money.

Yep, +1 for Security Tube, even their free mega-primers are some solid courses. 

[digip]

The goal should be training, and not so much a certification. Certs are a bonus. Once you HAVE the training and some practical hands-on training, and can do all the things (or some) then I'd say shoot for things like your OSCP, Sans, etc. Employers want people with skills first, and certs, while a great foot in the door, can come later and many employers today, may be willing to even pay for your course if you want to get your OSCP, and you can tell them this when being interviewed, about your training goals. 

I'd say, do the hard work first, self training, etc, put the time and effort in, learn everything you have an interest in (even if just introducing the concepts into your daily work), and be passionate about what you want to do. People often hit plateaus, get discouraged, or even quit because they think they can't afford it, aren't learning fast enough, but I can tell you, if you really love what you're doing, you'll find a way to pay for those courses(eventually) and that should only be for you to validate to yourself you know and understand these things, and competently do them for a living, if that is your end goal.

One thing you can also do to practice, VulnHub and Hack the Box CTF's, 2 free online resources with the ability to get hands-on experience, much like you would with the OSCP course's labs. You can self pace yourself, and use walkthroughs to help better understand some of the basics as well. Just understand, labs leave you to learn on your own, where training like Security Tube, is a learning side/book knowledge and examples, where OSCP, is both lecture, reading and video materials, and, full lab access to hack real networks(which is required to pass your exam). While OSCP might be too expensive for you now, I also wouldn't say waste your money if you aren't already at some level of experience getting shells on windows and linux machines and pivoting through them on a network. You'd be better served spending a few months getting acquainted with much of this through some of those other resources I and others listed here, and I'm sure some will offer some other alternatives too.

Good luck!!

[confuscious1080]

Thank you for your detailed response on the subject at present I am reading through the Web Application Hackers Handbook had a recent interview for a pen test company and failed the test rig scored to low with regards to XSS and SQL injections. I have also been practicing more with Mutillidae.

At present I have also just achieved a Cisco CCNA in Cyersecurity through their scholarship programme, this is where I believe that I learned the most especially with regards to network protocols and attacks ie ARP spoofing, DNS poisoning, DHCP starvation, MITM stuff on switched networks.

Looking for more experience actually pen testing think I need to run through more CTF's have a solid knowledge of all the tools and how they work its just the looking through code and finding injection points in say HTML etc that lets me down as I have zero programming knowledge though picking up HTML, CSS and Javascript quite quick would also like to learn Python.

[confuscious1080]

Also reading Hacking the Art of Exploitation by Jon Eriksson but I find that really heavy going.

[digininja]

For the real world side of this, get yourself to conventions. In the UK we have BSides {London, Leeds, Manchester}, SecuriTay, and, in my biased opinion, SteelCon. Various areas also have Defcon groups and OWASP chapters.

The social side of security is a huge one when trying to get a job, there is a lot about who you know and who you impress at the right time. That doesn't mean you have to have amazing skills to impress, just be enthusiastic and show it. Most smaller firms, when they hire, they hire on enthusiasm and if you are at a con raving about the talk you've just seen or the lab you've just built at home then it will do you a lot better than any cert will do.

[confuscious1080]

Yeah that is true I do not really have any connections at all in the real world concerning it I have a LInkedin people and also people I met on my Cisco course but I have not met any of them in real life lol

[digininja]

Get out and meet people then. Most of the people I know who change jobs, do it as a result of who they know in the new company, especially in either smaller firms or big firms with dedicated security teams.

Another option is to get a job with your current skills in a company that has a security team and then somehow slide your way across. Become the bridge between your team and theirs or put in some extra hours helping them with things. I was on site with a client a few weeks ago just as a guy was moving from basic call centre member to the security team. He had introduced himself to the head of security, told her what he wanted to do then put in hours to prove it. Was really good to see him swap his call centre ID for a security one. He was mostly self taught in a small Scottish town with very little local resources.