Monday, 3 September 2012

CEH vs OSCP vs GPEN

Hey guys,

It's been an interesting few months for me, I moved to Manila, attended BlackHat 2012 in Vegas and I've completed my CEH, OSCP and GPEN certs. Time just seems to have flown by.

Anyhow, today I wanted to compare and contrast the CEH, OSCP and GPEN certifications. Hopefully it might provide some guidance to those folks who are interested in qualifications but don't know what to go for, what content is covered by each and whether it's ultimately worth doing or not.


So first up Certified Ethical Hacker (version 7) by EC-Council: http://www.eccouncil.org/courses/certified_ethical_hacker.aspx

I completed this back in May and from what I remember it was heavily theory based (and at times not even the most relevant theory). The cert quite often focused on the basics, for example, what is DNS, what is a virus/worm/rootkit, the ins and outs of WPA/WEP, symmetric vs asymmetric encryption and key lengths and block sizes. Now while this is all excellent information I couldn't help but wonder how useful this would actually be for most people on a day to day basis. So good information that's worth knowing, but maybe not all that relevant. And the one big thing missing from the CEH is some decent hands-on activities. They do give you a disc with some crappy Windows tools and some simple exercises but it would be better just to have some exercises using the more powerful (and more relevant) tools in BackTrack.

For someone starting out in security this is a great introduction; they cover the basics as well as the most commonly used attack vectors. For me personally though, I found the material too dated, too high level and without good quality practical exercises, and at times I found myself bored and unmotivated.

Cost: $500 for exam only ($1000+ for course materials)
Rating: 6/10



Next up is the Offensive Security Certified Professional course offered by Offensive Security (the makers of BackTrack). http://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/

Wow, what a course. I started this back in October 2011 and after months of reviewing the material and working through the lab, I finally passed the exam in May 2012. This course is not for the faint-hearted! There are two components, the study materials (videos/pdf textbook) and the lab. The course materials are very practical, every concept and activity is accompanied and demonstrated by a real example. And you are given exercises to complete for each section. The course covers what you actually need to be a certified ethical hacker (unlike the CEH!). It follows the usual attack methodology, recon/scanning/exploitation/persistence/pivoting and for each step you're guided through the theory, which tools to use and how to use the information you gain.

The lab is where the OSCP really shines. You are thrown into a virtual lab environment with 50 machines situated on different networks all with various vulnerabilities and hidden surprises. Your challenge is to hack your way through to the admin machines deep in the network. Putting theory into practice was such a great learning experience and I learnt that knowing theory and putting theory into practice are two very different things. A lot of what you need for the lab is not covered in the course material and you are forced to do background reading and research. It's this which separates the OSCP from other certifications. The OSCP motto - "Try Harder".

The exam is the icing on the cake. Instead of the usual multiple choice exam bullshit, you are challenged to hack a series of machines within 24 hours. It's pretty crazy but a hell of a lot of fun. Oh and you are required to submit a real life pentest report of all your activities in the lab!

Cost: ~$1500 (I extended my lab time a few times)
Rating: 10/10 



And last but not least, SANS 560 - Network Penetration Testing and Ethical Hacking (GPEN): http://www.sans.org/course/network-penetration-testing-ethical-hacking

I completed the multiple choice exam for this last week and after the OSCP I felt a little let down by this course. The material was decent, I completed the OnDemand version which was a series of PowerPoint slides with narration by Ed Skoudis. Ed was really entertaining and did a great job of keeping the material interesting and relevant. My issue with this course was the depth. Whilst the content they covered was spot on, I felt they could have gone into more detail, in fact I wanted them to go into more detail. It's a shame that the material is written to fit in with the 6 day course because they ultimately have to compromise on the quality of the course. Ed, if you're reading this, why not offer an online version that is twice as long and covers everything?

My favorite aspect of the course was the emphasis on providing business value. Logistically what is the best way to perform a penetration test? There's a lot to consider and Ed does a great job of breaking the tasks down and showing you how to effectively structure a full penetration test. He gives plenty of useful tips as well, for example, for large networks only scanning a subset of representative machines or obtaining firewall rules to reduce the time/cost of the test. And he gives a great overview of how to write an awesome final report.

Perhaps the biggest issue with this course is the price. For the course and exam it costs just under $5000 which for a set of online videos (only valid for 3 months) and a pile of books is a little overpriced to say the least.

Cost: ~$5000
Rating: 8/10


Summary

Certs are cool, it's great to learn new things and brush up on the old. (And it's cool to have some new letters after my name.) Employers like certs, it shows that you know stuff and they will be more likely to choose you over someone with no certs. I learnt a lot doing all three certs, the OSCP was my favorite by far but it really is a baptism of fire and you need to be dedicated to it. The others were useful but more as a CV filler.

It was interesting at BlackHat and Defcon how a lot of people frowned on certs and tbh I do agree with them. For example both the CEH and GPEN used relatively easy 150 question multiple choice exams and the GPEN was open book. Realistically they aren't that hard to pass. So should you employ someone with these certs? Yes of course! Should you expect them to be super 1337? No. But how else can you judge if someone knows their shit? Experience alone?

I think what people don't like is these certs and others (I'm looking at you CISSP) are a convenient way for non-security and even non-IT folks to get into IT security when they have no real experience. More people working in security is great but inexperienced people deploying security in Fortune 500 companies is probably not a good idea.

OSCPs (and OSCEs) are the exception to the rule. If you ever meet one of this rare breed, give them a pat on the back, they earned it.

This is pwndizzle, over and out.

30 comments:

  1. Great review. I was initially going for CEH, but now I have to think things over because my worries seem to be true. It's too much talk.

  2. Agreed with "unknown" above. I was studying material for CEH but in regards to your comments here and based off Instructors from my InfoSec B.A recommending the same thing, I will definitely shift my purpose over to OSCP! Thanks!

  3. Hi,

    I was planning on starting OSCP.... Can you please tell me how much the exact OSCP exam fee is?

  4. The OSCP exam is included when you buy the course. More information on fees can be found on the official page: http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/

    Thanks for all the comments!

  5. I kinda have to agree with your comments on CEH. It's one of the most over-hyped certifications in my country. They're just cashing in on the brand at the moment. The syllabus is horribly outdated. I wasted my time and money on CEH. Now it's on to OSCP!

  6. Thanks for the writeup. I was originally thinking of going for the CEH, but the OSCP looks to be a better fit. I have my Sec+, CASP, and just passed the CISSP. Thanks for your help.

  7. Great article... To summarize:
    CEH - Theory
    OSCP - Practical

  8. Granted this article was written in 2012, have there been updates to how CEH is now being taught?

    It's too bad the GPEN class wasn't as hands on as you expected. From experience, SANS does try very hard to balance theory with the practical. The GCIH and GCFA (and possibly others) have end-course challenges that's verbatim Offensive Security.

    But you hit the nail on the head w/ SANS, they are still VERY expensive and many employers shy away from them unless they piss money. In SANS' defense, they really are highly regarded and the material is constantly being updated to reflect the security landscape. Also, the folks who teach it are of very high caliber. The cost, to an extent, does reflect that commitment.

    Where OSCP shines is the hands-on lab/exam. However, the applicability of the hands-on seems to have limited use (at least in the US anyways) because much of it is either illegal or very little settings of where it could be applied. So, it's more of a "fun thing." But knowing how to break-in teaches one to defend against it as well. And that's value!

  9. Great review buddy, thanx. Now I can think about what I wanna do next!

  11. Hey guys. Hmm, I'm currently doing my A-Levels, and I'm gonna sit for the exam this May 2015. I have a lot of interest in Computing. And I know some stuff about it, but they aren't going to do much in me achieving my goal. I want to become a CEH (Certified Ethical Hacker), so I picked up interest and started doing research. Only then I came across a lot of things. I understood one thing, achieving my goal isn't going to come in easy. My goal is to know everything about hacking top to bottom. And I can't find one good reason that is stopping me from achieving this goal. So, this site I came across had a lot of certifications, and once I saw every one of them, it was nothing but mere curiosity of completing all those certifications. They are OSCP, OSWP, OSWE, OSEE, OSCE. For those who know about this please reply to me, I want to complete every one of these no matter how much hard work and dedication it takes. I just want to know how I should start with achieving my goal. You can contact me through gmail. (unophragith@gmail.com)

  13. Thanks for sharing your experience and congratulations on your certifications! Sorry I didn't say that before! :-)

  14. Thanks for your comments guys. I definitely think that not all certs fit all jobs. There are a lot of different jobs out there, from security analyst, to architect, to pentester, to SOC manager and more. Each will require different expertise. While the practical skills learned from the CEH/GPEN/OSCP will help all job roles, some will definitely benefit more than others :)

  16. I thank you for this review. It was really helpful. I will appear in CEH next month. I request you to give me certain advice and guidance for the same.

  17. Very good comparison indeed. Thanks.

  18. Thanks for the review PwnDizzle! And congrats on the OSCP and all your other certs!

    And an update to the people asking about CEH more recently:
    I'm doing CEH right now and it hasn't improved much from PwnDizzle's description. Right off the bat it started pretty weak. I'm finished with all the video series and don't feel like the "master hacker" EC-Council makes it out to be. A lot of it is theoretical so most of it won't really work in the real world unless the target is super vulnerable.

    Granted, the CEH is a good start for newbies, but if I could do it over I would look somewhere else for the basics.

    I'm just about to start the OSCP next. :)

  19. Anyone know if the OSCP is available in the UK? Google isn't providing me much

  20. Anyone please tell me whether OSCP is available in Mumbai.... Please provide me the info, Google doesn't provide me info

  21. Now this was a very helpful read. Thank you!

  22. Thank you my friend. I was also going for CEH in which I am totally not interested :). But we should realize the worth of certs output rather than labeling/tagging via MCQs.
    Once again thanks and wish you success in your future endeavors.

  23. I stumbled on to this blogpost precisely because I was disappointed with an overhyped certification and was looking for something hands-on. Thank you. OSCP seems like the way to go.

  24. I just completed eCPPT (eLearnSecurity). It's similar to OSCP in that the exam is practical and you have to provide a penetration report for their review.

    There are several networks that you need to pivot through (not giving away as its in the Exam outline).

    You get 7 days testing and 7 days reporting to complete it. I think this was a great jumper into the OSCP which is next on the list.

  25. I am about to do the GPEN this week in Austin. It is expensive but as has been expressed here, that should not be the determining factor for value. The fact it is a business driver (like our paychecks) makes it the most applicable for me especially when justifying to my employer.

    Excellent write-up BTW. I plan on doing a follow-up after GPEN and doing the OSCP cert but it's just for my personal satisfaction. As someone said in another comment "Where can you apply it..." It's like buying a Formula 1 race car and not being able to drive it on the main roads as it's not street legal.

    I will go for the bragging rights though....LOL

    Cheers
    Steve

  26. Hey PD,

    Amazing review, however I saw some of the members commenting against CEH.

    To be honest, I will say that yes CEH is more of a theory but the content is very powerful and efficient.

    I highly recommend to go for CEH and then OSCP, as this will provide you with very strong theory and practical knowledge.

    Replies
    1. I was thinking the same too, I would first go for CEH, and then OSCP in order to ace it :) Thanks for the advice Ashish
