Edoardo Ottavianelli

Security Researcher and Open Source Developer. Passionate about Computing, Nature and cooking.

Contact me

eJPT - Certified Junior Penetration Tester

Author: Edoardo Ottavianelli

TL;DR: Notes I took while preparing for eJPT certification

Hi everybody! Such a long time since I don't post here. I'm fine btw, just wanted to write a bit! Yesterday I took the eJPT exam and this will be the main topic of this blog post. First of all: what is eJPT? It's an acronym that stands for "eLearnSecurity Junior Penetration Tester"; eLearnSecurity is a company owned by INE. Why this certification? Tbh idk :) I have to say that 99% of the things/topics/techniques/hacks/tools used and taught during the course I already knew, but I think it's good to follow a path! I hope I will try the eWPT (Web Pentester) in some months, so as a starting point I took the eJPT (as almost anyone does as far as I can understand). You can learn more about the certification here.
ejpt edoardottt elearnsecurity certification

eJPT Preparation
Do you need preparation? In my honest opinion... 'IT DEPENDS' as always šŸ„². I'm following (2 exams left at the time of writing) a Master Degree in Cybersecurity and so I think I didn't need too much training, I think I could do it without preparation, but not knowing the exam and since I don't like wasting money I thought it was a good thing to follow the course. Yes, there is a course and it's free:
  1. Sign up on https://my.ine.com/
  2. Search the course "Penetration Testing Student"
How is the course? In my opinion, it's well done; there is plenty of videos, laboratories, slides and so on that can help you learn the basics. There are four sections: Penetration Testing Prerequisites, Preliminary Skills & Programming, Penetration Testing Basics and eJPT Exam Preparation. They explain the basics of some topics like information gathering, recon, web security, routing and networking, and vulnerability exploitation.
N.B: The course is free!

  1. Take notes during the course.
  2. Try each lab they propose to you.
  3. Take notes during the course.
  4. If you don't understand something, don't skip it! Google the topic and read about it.
  5. Take notes during the course.
  6. If you're lazy, these are the notes I took

The exam
Since I can't spoil you anything about the exam, I just want to give you some advice regarding it. Be aware that this isn't a CTF (or Capture The Flag), this wants to be a real scenario, so don't search for stupid CTF-like methods to leak info, instead heavily focus on information gathering and recon. You have 3 days to complete the exam, I started at 8:50 AM and submitted it at 3 PM (Rome timezone). Honestly, I think I already finished it like before lunch (1 pm) but I wanted to be sure to have completed all the questions (Got 19 correct answers out of 20). Another piece of advice on the exam: take notes (a lot of notes!) also during the exam, because they can help you and also answer the questions during the test, not all at the end. Then, a lot of people will tell you that you need a Virtual Machine to do the exam, but I think it's way easier to use your principal OS. I have an ubuntu machine as the main OS with all the necessary tools (Nessus, Metasploit, all recon and info gathering tools...). The connection part is very easy:
  1. Download the OVPN file with your credentials
  2. Execute "sudo openvpn file.ovpn"
  3. Enter the credentials
  4. Once you see "Initialization Sequence Completed" you're effectively connected
  5. Type CTRL+Z
  6. Execute "bg"
  7. Ping a machine inside the internal network to test your connection
Another useful piece of advice: there is a rar archive to be downloaded, read the PDF file very carefully! Trust me. Read it twice.

Paths to follow
In the end, once certified, I have to say it was not such a big step ahead, but I hope it will help me for other certs in the future. I'm focusing on network and web targets, so I hope I will be able to take eWPT or another equivalent cert.
If you have any doubt or just want to ask me something, ping me here.