hacktricks/courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md

52 lines
7.4 KiB
Markdown
Raw Normal View History

2021-07-04 14:58:30 +00:00
# INE Courses and eLearnSecurity Certifications Reviews
2021-07-04 14:49:00 +00:00
## eLearnSecurity Mobile Application Penetration Tester \(eMAPT\) and the respective INE courses
### Course: [**Android & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/cfd5ec2b/android-mobile-app-pentesting)\*\*\*\*
2021-07-04 15:04:08 +00:00
This is the course to **prepare for the eMAPT certificate exam**. It will teach you the **basics of Android** as OS, how the **applications works**, the **most sensitive components** of the Android applications, and how to **configure and use** the main **tools** to test the applications. The goal is to **prepare you to be able to pentest Android applications in the real life**.
2021-07-04 14:49:00 +00:00
2021-07-04 15:02:00 +00:00
I found the course to be a great one for **people that don't have any experience pentesting Android** applications. However, **if** you are someone with **experience** in the topic and you have access to the course I also recommend you to **take a look to it**. That **was my case** when I did this course and even having a few years of experience pentesting Android applications **this course taught me some Android basics I didn't know and some new tricks**.
2021-07-04 14:49:00 +00:00
2021-07-04 15:04:08 +00:00
Finally, note **two more things** about this course: It has **great labs to practice** what you learn, however, it **doesn't explain every possible vulnerability** you can find in an Android application. Anyway, that's not an issue as **it teach you the basics to be able to understand other Android vulnerabilities**.
2021-07-04 14:49:00 +00:00
Besides, once you have completed the course \(or before\) you can go to the [**Hacktricks Android Applications pentesting section**](../mobile-apps-pentesting/android-app-pentesting/) and learn more tricks.
### Course: [**iOS & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/089d060b/ios-mobile-app-pentesting)\*\*\*\*
2021-07-04 15:02:00 +00:00
When I performed this course I didn't have much experience with iOS applications, and I found this **course to be a great resource to get me started quickly in the topic, so if you have the chance to perform the course don't miss the opportunity.** As the previous course, this course will teach you the **basics of iOS**, how the **iOS** **applications works**, the **most sensitive components** of the applications, and how to **configure and use** the main **tools** to test the applications.
2021-07-04 15:04:08 +00:00
However, there is a very important difference with the Android course, if you want to follow the labs, I would recommend you to **get a jailbroken iOS or pay for some good iOS emulator.**
2021-07-04 14:49:00 +00:00
As in the previous course, this course has some very useful labs to practice what you learn, but it doesn't explain every possible vulnerability of iOS applications. However, that's not an issue as **it teach you the basics to be able to understand other iOS vulnerabilities**.
Besides, once you have completed the course \(or before\) you can go to the [**Hacktricks iOS Applications pentesting section**](../mobile-apps-pentesting/ios-pentesting/) and learn more tricks.
### [eMAPT](https://elearnsecurity.com/product/emapt-certification/)
> The eLearnSecurity Mobile Application Penetration Tester \(eMAPT\) certification is issued to cyber security experts that display advanced mobile application security knowledge through a scenario-based exam.
The goal of this certificate is to **show** that you are capable of performing common **mobile applications pentests**.
2021-07-04 15:04:08 +00:00
During the exam you are **given 2 vulnerable Android applications** and you need to **create** an A**ndroid** **application** that **exploit** the vulnerabilities automatically. In order to **pass the exam**, you need to **send** the **exploit** **application** \(the apk and the code\) and it must **exploit** the **other** **apps** **vulnerabilities**.
2021-07-04 14:49:00 +00:00
2021-07-04 15:04:08 +00:00
Having done the [**INE course about Android applications pentesting**](https://my.ine.com/CyberSecurity/courses/cfd5ec2b/android-mobile-app-pentesting) **is** **more than enough** to find the vulnerabilities of the applications. What I found to be more "complicated" of the exam was to **write an Android application** that exploit vulnerabilities. However, having some experience as Java developer and looking for tutorials on the Internet about what I wanted to do **I was able to complete the exam in just some hours**. They give you 7 days to complete the exam, so if you find the vulnerabilities you will have plenty of time to develop the exploit app.
2021-07-04 14:49:00 +00:00
2021-07-04 15:04:08 +00:00
In this exam I **missed the opportunity to exploit more vulnerabilities**, however, **I lost a bit the "fear" to write Android applications to exploit a vulnerability**. So it felt just like **another part of the course to complete your knowledge in Android applications pentesting**.
2021-07-04 14:49:00 +00:00
## eLearnSecurity Web application Penetration Tester eXtreme \(eWPTXv2\) and the INE course related
### Course: [**Web Application Penetration Testing eXtreme**](https://my.ine.com/CyberSecurity/courses/630a470a/web-application-penetration-testing-extreme)\*\*\*\*
This course is the one meant to **prepare** you for the **eWPTXv2** **certificate** **exam**.
Even having been working as web pentester for several years before doing the course, it tough me several **neat hacking tricks about "weird" web vulnerabilities and ways to bypass protections**. Moreover, the course contains **pretty nice labs where you can practice what you learn**, and that is always helpful to fully understand the vulnerabilities.
2021-07-04 14:53:44 +00:00
I think this course **isn't for web hacking beginners** \(there are other INE courses for that like [**Web Application Penetration Testing**](https://my.ine.com/CyberSecurity/courses/38316560/web-application-penetration-testing)**\).** However, ****if you aren't a beginner, independently on the hacking web "level" you think you have, **I definitely recommend you to take a look to the course** because I'm sure you **will learn new things** like I did.
2021-07-04 14:49:00 +00:00
### [eWPTXv2](https://elearnsecurity.com/product/ewptxv2-certification/)
> The eLearnSecurity Web Application Penetration Tester eXtreme \(eWAPTX\) is our most advanced web application pentesting certification. The eWPTX exam requires students to perform an expert-level penetration test that is then assessed by INEs cyber security instructors. Students are expected to provide a complete report of their findings as they would in the corporate sector in order to pass.
The exam was composed of a **few web applications full of vulnerabilities**. In order to pass the exam you will need at least to **read a "flag"** inside of one of the machines hosting a web, and **gain RCE** in at least 2 different ways in another machines. However, note that that's not enough to pass the exam, you need to **send a professional pentest report detailing** all the vulnerabilities discovered, how to exploit them and how to remediate them.
**I reported more than 10 unique vulnerabilities** \(most of them high/critical and presented in different places of the webs\), including the read of the flag and 3 ways to gain RCE and I passed.
**All the vulnerabilities I reported could be found explained in the** [**Web Application Penetration Testing eXtreme course**](https://my.ine.com/CyberSecurity/courses/630a470a/web-application-penetration-testing-extreme)**.** However, order to pass this exam I think that you **don't only need to know about web vulnerabilities**, but you need to be **experienced exploiting them**. So, if you are doing the course, at least practice with the labs and potentially play with other platform where you can improve your skills exploiting web vulnerabilities.