Archive for the 'Penetration Testing Certifications' Category

February 6, 2017


Last weekend a security researcher publicly disclosed a zero-day vulnerability in Windows 10, Windows 8.1 and Server editions after Microsoft failed to patch it in the past three months.


The zero-day memory corruption flaw resides in the implementation of the SMB (Server Message Block) network file sharing protocol and could allow a remote, unauthenticated attacker to crash systems with a denial-of-service attack, which would then open them to further possible attacks.


According to US-CERT, the vulnerability could also be exploited to execute arbitrary code with Windows kernel privileges on vulnerable systems, but Microsoft has not confirmed this at the time of writing.


Without revealing the actual scope of the vulnerability and the kind of threat the exploit poses, Microsoft has just downplayed the severity of the issue, saying:


“Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”


However, the proof-of-concept exploit code has already been released publicly for Windows 10 by security researcher Laurent Gaffie, and it does not require targets to use a browser.


The memory corruption flaw resides in the manner in which Windows handles SMB traffic; all an attacker needs is to trick victims into connecting to a malicious SMB server, which could easily be done using clever social engineering tricks.


“In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure,” CERT said in the advisory.


“By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys.”


Since the exploit code is now publicly available to everyone and there is no official patch from Microsoft, all Windows users are left open to potential attacks at this time.


Until Microsoft patches the memory corruption flaw (most probably in the upcoming Windows update or an out-of-band patch), Windows users can temporarily mitigate the issue by blocking outbound SMB connections (TCP ports 139 and 445 and UDP ports 137 and 138) from the local network to the WAN.
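As an added illustration (not code from the original post, from the researcher or from the CERT advisory), the following Python check parses a raw SMB2 message and flags a TREE_CONNECT response whose body runs past the 16-byte response structure that MS-SMB2 defines, which is the condition CERT describes above. It is written as a passive check for a proxy or IDS; the field offsets are those of the SMB2 header and TREE_CONNECT response, and the sample messages are constructed, not captured traffic.

```python
import struct

# SMB2 header / TREE_CONNECT response layout per MS-SMB2 (little-endian fields).
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_TREE_CONNECT = 0x0003           # Command value for TREE_CONNECT
SMB2_FLAGS_SERVER_TO_REDIR = 0x1     # set on every server-to-client message
TREE_CONNECT_RESP_SIZE = 16          # StructureSize the response MUST carry


def check_tree_connect_response(msg: bytes) -> dict:
    """Inspect one SMB2 message (NetBIOS session header already stripped).

    Reports whether the message is a TREE_CONNECT response and how many bytes
    follow the 16-byte response structure, the condition CERT describes.
    """
    if len(msg) < SMB2_HEADER_LEN or msg[:4] != SMB2_MAGIC:
        return {"smb2": False}
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    next_command, = struct.unpack_from("<I", msg, 20)
    if command != SMB2_TREE_CONNECT or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return {"smb2": True, "tree_connect_response": False}
    # In a compounded reply NextCommand points at the next header, so only
    # the bytes up to it belong to this message's body.
    end = next_command if next_command else len(msg)
    body = msg[SMB2_HEADER_LEN:end]
    structure_size = struct.unpack_from("<H", body, 0)[0] if len(body) >= 2 else 0
    excess = len(body) - TREE_CONNECT_RESP_SIZE
    return {
        "smb2": True,
        "tree_connect_response": True,
        "structure_size": structure_size,
        "body_len": len(body),
        "excess_bytes": max(excess, 0),
        "suspicious": excess > 0 or structure_size != TREE_CONNECT_RESP_SIZE,
    }


def smb2_header(command: int, flags: int, next_command: int = 0) -> bytes:
    """Build a minimal 64-byte SMB2 header; fields not used here stay zero."""
    hdr = bytearray(SMB2_HEADER_LEN)
    hdr[0:4] = SMB2_MAGIC
    struct.pack_into("<H", hdr, 4, SMB2_HEADER_LEN)     # StructureSize = 64
    struct.pack_into("<H", hdr, 12, command)
    struct.pack_into("<I", hdr, 16, flags)
    struct.pack_into("<I", hdr, 20, next_command)
    return bytes(hdr)


# Constructed samples (not captured traffic): a well-formed response and one
# that carries 32 extra bytes after the 16-byte TREE_CONNECT response structure.
GOOD_RESPONSE = smb2_header(SMB2_TREE_CONNECT, SMB2_FLAGS_SERVER_TO_REDIR) + struct.pack(
    "<HBBIII", TREE_CONNECT_RESP_SIZE, 0x01, 0, 0, 0, 0x001F01FF)  # ShareType=disk
OVERSIZED_RESPONSE = GOOD_RESPONSE + b"\x00" * 32

if __name__ == "__main__":
    for name, sample in (("good", GOOD_RESPONSE), ("oversized", OVERSIZED_RESPONSE)):
        print(name, check_tree_connect_response(sample))
```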


The vulnerability has been given a Common Vulnerability Scoring System (CVSS) score of 7.8. Proof-of-concept code has been published on GitHub.


March 4, 2016



Each and every day we’re becoming increasingly connected. This has been driven by the acceleration of the Internet of Things – a highly complex network of physical devices and systems with embedded electronics and network connectivity – which enables devices to communicate and exchange data.


This rapid uptake has been largely made possible by the transition to IPv6 – the latest version of the IP networking protocol that underpins every aspect of our digital lives. This new protocol provides us with 340 Trillion Trillion available addresses, which, to give you some perspective, is 10^21 addresses per square meter on earth. This new version solved a serious problem that was inherent in its predecessor IPv4 – that there were not enough addresses available to cope with the blistering expansion of the internet.


In the future every single device that we own will be interconnected with every other – but has anybody thought about the security implications that this presents? The evidence to date suggests not. Building security into these devices appears to be an afterthought. Security has become a bolt-on addition to products following their development cycle, rather than being integrated into the product design from the ground up.


The result?

A network of interconnected and insecure devices that are publicly accessible from the internet. You may not have known, but a project exists that aims to automate the detection and cataloguing of these devices.




Shodan is a search engine much like Google; however, that’s where the similarities end. Rather than indexing web content over ports 80 (HTTP) or 443 (HTTPS) like Google, Shodan crawls the web searching for devices that respond on a host of other ports including 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 80, 443, 3389 (RDP) and 5900 (VNC). Once Shodan discovers a host that’s responding on a given port it connects to the machine and pulls down the port banner. This information is then indexed along with the device’s geolocation data.


Since launching in 2009 Shodan has discovered and indexed a wide range of internet connected devices, including webcams, traffic signalling equipment, routers, firewalls, CCTV systems, industrial control systems for nuclear power plants and electrical grids, domestic home appliances and much more. These devices have been connected to the internet without any thought for security – often without even implementing basic protections such as a strong username and password.




Searching on Shodan is simple and powerful and gives you the ability to find what you’re looking for with ease. The number of results is limited with a basic account, so you may need to upgrade if you’d like to access and make use of premium features. These include accessing the full search listings, plotting the host locations on maps and finding exploits for ports and services based upon version information.

Like any good search engine Shodan also gives you the option to search using various filters – which makes it much easier to narrow your results down and find what you’re looking for.

city: find devices in a particular city

country: find devices in a particular country

geo: you can pass it coordinates

hostname: find values that match the hostname

net: search based on an IP

os: search based on operating system

port: find particular ports that are open

before/after: find results within a timeframe


We could for example use these filters to search for apache city:"Newyork" to find Apache servers in Newyork, or even Server: "Apache" country:"US" to find all webcams in the United States.






While it’s frightening to learn how many Internet of Things devices are completely unsecured, there’s also another story behind the ones that are secured. Many of the devices that Shodan detects and indexes do have some security in place – requiring authentication, for example – but even these devices aren’t 100% safe from unauthorised access. In the ever-changing world of cyber security nothing remains static, and new exploits and vulnerabilities are being discovered and disclosed all of the time.


A significant example involves one of the largest and most well-known computer networking companies in the world – Juniper. In a recent public disclosure Juniper revealed that the firmware running on some of their devices contained a hard-coded back-door password that would allow anybody connecting to a vulnerable device to simply supply that password against a valid user account to gain full administrative access to the device over Telnet or SSH. This exploit works against a vulnerable NetScreen firewall. You can read the full disclosure here: CVE-2015-7755.


Using Shodan we can search for Juniper firewalls and browse through the list to find those that are running a vulnerable version of the ScreenOS firmware. Once we’re connected we’d be able to supply the known backdoor password with a default ScreenOS user account (system) and be able to begin remote management of those devices.




We’re talking about firewalls that are live on mission-critical networks all over the world. And how many of these potentially vulnerable NetScreen firewalls has Shodan indexed? More than 18,000. Assuming only 10% of those are vulnerable (which is an extremely conservative estimate), that’s 1,800 vulnerable Juniper firewalls that are sitting targets on the internet right now.


At DefCon 2012, independent security researcher and penetration tester Dan Tentler demonstrated how he was able to use Shodan to find control systems for evaporative coolers, pressurised water heaters and even garage doors. He was also able to find a hydroelectric plant in France, a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with the click of a button. He even found that a city’s entire traffic control system was connected to the internet and could be interrupted with some simple commands.


If these large enterprises haven’t got the resources to lock down and protect their infrastructure then what chance do we have? It’s up to manufacturers to build security into our products and services so that it removes the responsibility from ourselves.


Attacks on critical infrastructure have until now been minimal to non-existent. Unfortunately it’s only a matter of time before this changes. Attacks on networked industrial control systems are going to become a significant threat to our safety and security, given that computer systems regulate the treatment plants that deliver our drinking water, the traffic lights that allow us to drive safely, the signalling systems on our transport networks and the nuclear reactors that deliver our energy.


As consumers we need to think carefully about the smart products that we purchase and consider the security implications that come with many of these devices. As businesses we need to make sure that we have a proper risk management framework in place – and that the person or organisation that’s looking after our technology is also capable of looking after our security.


April 16, 2015

A lot of people reach out to us asking for free Penetration Testing programs. Well, we found one, signed up – and surprisingly enough – it’s really free! Whilst it certainly doesn’t come anywhere near the Offensive Security training or personal Pentesting training, it’s a great resource for those starting out in Pentesting.


Mile2 CPTE and CPTC Certifications

Author: Martin Voelk
April 4, 2015

Thank you for all your emails recently. We keep getting messages from ambitious engineers who seek a career in Penetration Testing. Quick recap: Most of our new clients ask us for either of the following prior to an engagement: CEH (Certified Ethical Hacker), LPT (Licensed Penetration Tester), OSCP (Offensive Security Certified Professional). Those 3 remain the big certs in the Pentesting industry.

Recently, U.S. customers have also started asking for or accepting Mile 2 certifications. Mile 2 offers the Certified Penetration Testing Engineer (CPTE) and the Certified Penetration Testing Consultant (CPTC). Those are good because they are recognised and endorsed by the U.S. government and earn you CPE credits as well. Two certs certainly worth keeping on the radar.

In general, there are only a handful Pentesting Certs from the following vendors:

  • EC Council
  • Offensive Security
  • Mile 2
  • GIAC
  • SANS
  • CREST (UK only, not recognised outside of the UK)

That’s pretty much it at the moment. There are a lot of funny HTML5 websites around which offer their own Penetration Testing certification programs but have no accreditation with governments, so please steer clear of those. Unless a known vendor/brand or government is backing a certification track, it’s usually not worthwhile doing.

Our advice in general: don’t spend too much time on certs. A lot of Pentesters we know don’t even have a CEH, but they are able to break into any client network during a Pentest. Nothing beats real-world experience and thinking outside the box. One or two certs are nice to have (especially if recognised worldwide or government endorsed), but rather spend your time and effort on Offensive Security, Metasploitable, Metasploit Unleashed etc. to gain real Pentesting skills.


March 18, 2015

We have done a few posts around this topic already, but as we receive a lot of questions around it we would like to share our views. If you need a Pentesting cert for your resume and recognition, then the CEH/LPT from EC Council along with Mile 2 certifications and every program that has some U.S. government endorsement or backing is a good choice.

If you are doing the certification to actually learn real hands-on Ethical Hacking and Penetration Testing, there is only one choice: Offensive Security. We are not part of them, but because their courses and exams are so good, detailed and tough, we highly recommend them. Anyone passing those exams will be a real hands-on expert. They currently offer 5 different classes associated with 5 different certifications:


The Offensive Security Certified Professional certification (OSCP) is the accompanying certification to the Pentesting with Kali Linux course and is unique in its field in that it is the only security certification in the market that requires a fully “hands on” approach, leaving no space for multiple choice questions. The student is placed in a lab network with several vulnerable machines and points are awarded if a successful hack is performed. The student must demonstrate their depth of understanding by submitting both the steps they took to penetrate the box as well as the proof.txt file.


The Offensive Security Wireless Professional (OSWP) certification demonstrates that students of the Offensive Security Wireless Attacks course possess the knowledge and skills needed to successfully attack wireless networks in varying configurations. In order to earn the OSWP certification, the student has to attack a series of wireless networks in a real deployment, requiring the student to be responsive to unexpected situations and demonstrate they know how to use the right technique for a given scenario.


Cracking the Perimeter students can opt to take the Offensive Security Certified Expert (OSCE) certification challenge. Going far beyond the material directly covered in the CTP course, the OSCE exam validates the student’s grasp of the concepts presented in the material and proves their ability to think laterally under pressure, devising creative methods to achieve the exam objectives. Due to the challenging nature of this exam, candidates are provided with 48 hours to complete it successfully.


The Offensive Security Exploitation Expert (OSEE) certification is the companion certification to the extremely demanding Advanced Windows Exploitation course. The OSEE certification thoroughly assesses not only the student’s understanding of the course content, but also their ability to think laterally and adapt to new challenges while under pressure. In this extremely challenging exam, the student is provided with 72 hours in order to develop their exploits and fully document the steps taken.


The Offensive Security Web Expert (OSWE) certification is the accompanying certification to the Advanced Web Attacks and Exploitation course. In this 24-hour exam, students are placed in an unknown exam environment where they are to demonstrate their knowledge not only of the course material, but web application vulnerabilities in general. Exam candidates are required to analyze and exploit a selection of vulnerable targets and provide comprehensive documentation detailing their attacks.

To find out more:


We have decided to make another blog post around this topic as we receive a lot of questions daily around Pentesting Certifications from students, college grads and other IT consultants. So if you want to offer Penetration Testing services, which certifications should you possess?

The answer is tricky. There is no international standard like with vendor certifications from Cisco, Juniper and the likes. The main question is, where do you want to conduct Pentests / where are your customers?

United States

The EC Council and the relevant certifications Certified Ethical Hacker (CEH) and Licensed Penetration Tester (LPT) are usually required for US engagements. We have also seen that companies recognise the value of the Offensive Security Certifications (OSCP, OSWP etc.) because those certs really show practical skills and the exams are 100% hands on. Mile 2, GIAC/GPEN are also gaining momentum in the US. As the US typically sets the benchmark for IT innovation and certification, those exams are a good starting point for Pentesters. As for exam fees, the CEH is around $500 USD for the exam, Offsec around $1200 for the training, lab access and the exam.

Rest of the world (Latin America, Africa, Asia, Oceania and Europe, except the UK)

The certifications which are typically asked for anywhere else in the world are the CEH and LPT from EC Council. Offensive Security also gets more and more attention outside North America.


United Kingdom

Unfortunately the UK runs its own country-specific certification program called CREST. The content is very similar to that of the EC Council, but it’s a UK certification only. The problem with CREST is that a lot of UK businesses require that certification for a Pentest engagement, whilst it’s completely unknown and unrecognised anywhere else in the world except for Australia. So if you are a Pentester in the UK, you have to get CREST certs for UK work and the other international ones in case you want to do engagements in mainland Europe, North America or elsewhere. We recently wanted to engage a highly skilled CREST-certified contractor from the UK for a US client with offices in Europe, but the customer did not accept CREST, so we had to swap consultants on this engagement. Also the pricing is very expensive, ranging from around $600 USD to $2500 USD per single exam.


It’s not as straightforward as with vendor certifications or internationally accepted certs like the CISSP. Like with all certifications, nothing beats real-world experience, but you need to have some certifications under the belt to give customers and employers a comfort blanket. Personally we think that the Offensive Security certifications are the best ones in the field, as they are really tough hands-on exams rather than multiple choice questions.


Penetration Testing Certifications

Author: Martin Voelk
November 27, 2014

We often get asked, what are the benchmark Penetration Testing Certifications which are either government or IT industry accredited?

Here is our take on it:


EC Council

Widely respected and known. They offer the Certified Ethical Hacker (C|EH) and Licensed Penetration Tester (L|PT) amongst other IT Security and Forensic certifications. They hold a good reputation throughout the US and other countries.


Mile2

They offer an associate and a professional Pentesting certification. Those have been recognised by the NSA/CNSS as well. Still widely unknown outside North America, but certainly interesting to keep an eye on.

Offensive Security

In our opinion the best training and the best exams. Rather than multiple choice questions like in the exams from Mile2 and EC-Council, you actually have to Pentest/hack in your exam, so you really need to show skills to pass.

Other certifications help, such as the CISSP, Cisco CCIE Security, Cisco CCNP Security and the like, but those are more vendor- and general technology-geared, whereas the 3 above are focused around Penetration Testing.

The UK has its own certification program called CREST and CHECK and UK customers often decline companies which “only” have the US Certifications. Oh well, they need their own program just like they drive on the wrong side of the road, too :-)