The eLearnSecurity Penetration Testing eXtreme or PTX is the most advanced offensive course offered by eLearnSecurity. You can find the official course page here.
Let me clarify this first: I haven't completed the course yet (I'm at about 60%), so my opinion on this MAY change over the next few months.
The PTX course is about advanced exploitation concepts in modern environments like (and only?) Active Directory. The ideal audience is composed of seasoned penetration testers who may want to shift to more modern approaches, or hard-core defenders who may want to understand a little bit better what the enemy is doing.
The course is split into three modules:
- Advanced Social Engineering
  - In this module you will learn about some interesting topics like phishing (SPF, DKIM, DMARC) and payload creation and delivery.
  - Some techniques are very good and realistic; in fact, after studying the course material I read a lot about APT groups that used similar approaches to attack real people (succeeding).
  - You'll have the chance to learn about VBA, PowerShell and some C#.
- Advanced AD Reconnaissance and Enumeration
  - In this module you will learn about the next logical step after compromising a user: figuring out where you are and what you have to do.
  - You will heavily rely on PowerShell for most of your activities, and your primary focus will be identifying various attack paths and high value targets like administrative users.
  - You'll learn a lot about PowerView and in general more about Active Directory and its inner parts like Kerberos, LDAP and so on.
- Red Teaming of critical domain infrastructure
  - In this big module you will learn about the actual attack techniques that you will need to move laterally and increase your privileges inside the AD.
  - You will learn about Responder, SMB Relay, Kerberoasting, Golden/Silver tickets, DCSync, Pass-the-Ticket and much more.
  - You'll attack various components of a Windows network like Exchange, MSSQL and WSUS.
  - By far my favourite section, here you'll find the juicy stuff!
This course is not beginner friendly and during this review you'll understand why.
Overall the course is very advanced; currently I don't think there is a comparable offer on the market.
I really liked the fact that they covered modern and relevant techniques that are employed in red teaming. Even if you're not going to be a full red teamer at the end of the course, the skills and knowledge that you'll learn will help you in every aspect of penetration testing. I think that having skills in Windows networks and AD is a must for everyone who calls himself a penetration tester.
You're not going to exploit MS08-067, don't worry. The attacks you'll encounter will be applicable to environments with Windows Server 2012 and 2016, the workstations will be at LEAST Windows 7 (probably patched for EternalBlue). The majority of them will be Windows 10.
Will you be the BEST red teamer on the market at the end of the course? Well, not really, but the important thing is that you'll understand the process behind a targeted attack: the phases, the methodology and the tools (and how not to rely on them).
And by the way, those techniques will help you even in more white-box assessments like AD configuration review and so on.
Some may complain that you could find all the information in this course for free in blog posts. Well, it's true! You can learn a lot reading blog posts from SpecterOps and adsecurity (just to give an example), BUT how much time and effort will it take you to:
- Find everything that you need to learn?
- For each topic, find the most relevant resources?
- For each topic, find somewhere to practice?
The eLS founder Armando Romeo once said that you don't actually NEED eLS courses to become a pentester, but they will speed up the process for sure. The only question is: how much do you value your time?
...but not that bad!
Every rose has its thorns, right?
In this section I'll discuss some of the things that I didn't like and other things that I'd like to see in the next version, as well as some considerations to make sure that you appreciate this course to the fullest.
Let's start with the labs: with the course you'll have access to four labs that will prepare you for the final exam. Honestly, I was used to the PTP labs, where you have 20+ practice environments in which you can isolate the single skill you want to practice and eventually get better at it. In the PTX course you don't have the chance to do this, simply because the lab scenarios are very complex and intricate (which is not a bad thing per se).
For example, in one lab you'll have to elevate your privileges by dumping LSASS with ProcDump and extracting the hashes with Mimikatz (no spoiler, it's in the lab guide). Now, I know for sure that there are more ways of doing it, because that's the eLearnSecurity style, but in that lab I practiced just 1% of the techniques that are taught in the course.
Again, having a very specific lab scenario isn't a bad thing, but when you have only 4 of them you may end up finishing the course material without enough practice.
The opposite was the PTP, where you actually were guided through most of the steps in single-purpose scenarios. I know a lot of people who complained about that approach (although I really liked it), so I understand the move made by eLearnSecurity of putting together hard labs that simulate complex environments, BUT I totally suffered from the absence of environments where I could practice various techniques without limitations (think of it as a whitebox test). You'll surely need to install your own AD and play with the tools; more on this in the final recommendations.
And by the way, a virtual machine with MS Office/Visual Studio would be very much appreciated!
The course material
The quality of the eLearnSecurity's material is always high, the explanations are clear and all, but you have to realise that PTX is very different from other eLS courses.
In PTX don't expect to be spoon-fed at all: you'll be presented with a lot of techniques and you have to dig into the official MS docs on your own. This may irritate some people who expect to have everything served on a silver platter, which after buying a 2k€ course I can understand (even though I have a different opinion).
You'll have to put in a lot of effort to understand the explained concepts (unless you're a seasoned AD administrator).
Is this course for me?
I don't know!
I'm genuinely enjoying this course, but I understand that it's not for everyone. If you're new to the world of cyber security, don't fall into the trap of a new cool topic (yes, it's cool) and spend 2k€ on something that you're probably not going to understand.
But if you are comfortable with the classic way of pentesting, this course can be really interesting. It's quite unique and the effort that has been made to put together a structured path is remarkable.
Do I need additional material to get started?
Well, probably yes!
Maybe the course material is enough for obtaining the certification, but studying from different resources is always useful for a different point of view.
Plus, don't forget to study from the external suggested resources that you'll find in the slides!
A book that I personally used multiple times for references is Active Directory: Designing, Deploying, and Running Active Directory
You could also use this GitHub reference for additional topics: https://github.com/yeyintminthuhtut/Awesome-Red-Teaming
And obviously the free course made by the creator of Cobalt Strike: https://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
Did you like this course? Would you recommend it?
I'm really enjoying this course, even though I'd like to see some improvements in the labs, but that's a known issue and the eLS team should address it sooner or later.
If you have the money, why not? This course can be a great addition to your collection.
How much of this stuff will I use in my day to day activities?
Well, that totally depends on what you do! If your job consists of doing Nessus scans all day and you're happy with it, you're probably not going to benefit a lot from this course.
Do you get paid for these reviews?
How does this course compare to <whatever>?
- OSCE: Since the PTP and the OSCP are often compared, and since the PTX and the OSCE represent their respective advanced versions, it could be natural to compare them. However, the OSCE has nothing to do with the PTX course: the OSCE (actually OSCE is the certification and not the course, which is called Cracking The Perimeter) is about classical exploitation with memory corruption and so on. Clearly PTX is NOT about fuzzing and finding 0-days, but about finding common misconfigurations in modern environments and abusing them to reach your goal.
- SpecterOps Adversary Tactics: I never took the SpecterOps course (sadly), however I know for sure that the people working there are amongst the best in the world on the subject, so I have no doubt that that course is top-notch and constantly up to date. However, it's not fair to compare the PTX with Adversary Tactics: one is an online self-paced course that you pay a little less than 2k€ for, and the other one is a 5-day full-immersion course that costs about 5k€.
This is just a personal opinion, but I greatly value the possibility to consume the course material at your own pace and practice whenever you want. In my life I have mentored penetration testing courses that lasted 5 days each (much easier content than this! I'm not a boss!) and what I realised is that in 5 days people are not going to learn a lot; they will probably remember 20-40% of the stuff you teach them (it also depends on how good the teacher is). What I found to be very beneficial is previous exposure to the subject, so it would be optimal to study your PTX material and then, when you reach a decent level, attend the SpecterOps course!