Practical Junior Mobile Tester + Certified Mobile Pentester (CMPen) – Android Review

December 31th, 2023 by r0secr01x

Happy Holidays everyone!

Been a bit since my last post. Took a little bit of time off for the Holidays and figured I'd put some exam vouchers to use. I recently sat for and cleared the PJMT (from TCM Security) and the CMPen - Android (from The SecOpsGroup). I wanted to share some of my experience with both. 

To level set, my background with Pentesting Mobile Applications is pretty minimal. Back in 2020, I sat in on SEC575, taught by s14 at the time. Even though I picked up GMOB after taking the class, I sat on the material, and didn't actually perform a Mobile Penetration Test until a year and a half later or so. Mobile Pentesting currently makes up a tiny percentage of my 8 to 5 grind. When I do get to do it on my shift, there's always part of me that gets stoked because it's not something I regularly do.

Couple months back, when I read about TCM Security releasing their PJMT Certification, and additionally seeing TheSecOps Group also releasing their CMPen Android Exam, I thought to myself, finally a couple hands-on keyboard exams for Mobile Pentesting are out.

Certified Mobile Pentester (CMPen) – Android

The SecOps Group is always transparent about what to expect from their exams in their Exam Syllabus. They lay out and allude to what tools and attacks you'll be performing on the exam. They've also taken it a step further with the release of their Mock Exams, where you can get practice in for an actual exam. As of today's date, The CMPen (Android) Mock Exam is currently under development.

What I enjoyed about this exam is how I walked into it with my Genymotion emulator installed with all my tools, ready to go. It's a very straight forward exam that consists of X amount of questions that appear to be close to evenly weighed. 

The questions you're asked hint at & inform you exactly what you need to do to provide the correct answer. Some questions are multiple choice, some are actual flags you'll have to collect and submit. Everything on the exam is straight forward.

My only complaint on this exam is what I feel all SecOps Group Exams suffer from. The pass rate of 60% is too low and should be upped to 70 or 75% minimum. The minimum passing score currently means an individual only needs to answer slightly more than half of the questions correctly in order to successfully pass the exam. Some of the questions on the exam are incredibly easy, or dead give aways to where 30-40% of the exam can easily be answered. This leaves 20-30% left of actually having to try to pass the exam to know you hit the minimum score. 

The questions do range in difficulty of course! One question I knew would take me awhile to solve so I put effort into solving all other questions. Knowing I had answered at least 60% of it correctly, I felt no inclination to answer the hardest question I saw because I could already taste victory.

Practical Junior Mobile Tester

What I found neat about the PJMT exam is how TCM Security literally supplies you the Attack Box. All the tools you need for the exam are installed on it, and the vulnerable Mobile App that you'll be testing comes installed and ready to go. You are also given a formal Rules of Engagement Letter that gives you clear objectives, informs you of what's out of scope, and lays out expectations for getting existing tools you want to make use of. It's all smoothly setup and configured. 

The 2 days allotted for the exam are more than enough time to complete it. I personally cleared it in 3-4 hours and that's with a little bit of overthinking the obvious. 

My only complaint on this exam is I was left feeling like something was missing. I'll avoid getting into details because I want to avoid exam spoilers. My feeling was met by the reality of it being a Junior Certification. Approaching it with that frame in mind, everything on the exam made sense. What I had a love/hate relationship with was the report. The report is what the client's ultimately paying for when you're performing a Pentest. I spent 10-12 hours on writing it vs obtaining the exam objective. Being honest though, it do be like that (most) times. The good news here is like with OffSec's Exams, you're linked out to a Report Template you're welcome to use.

--

Some honest feedback for both are:

PJMT is properly labeled Associate Level, while CMPen (Android) should be labeled as Associate - Intermediary. TCM Security is well aware of what they're missing on their exam to bring it's difficulty level up to Mid. In CMPen, you'll get to experience what that missing piece of the puzzle is.  

In my opinion the difficulty of each of these exams has been intentionally setup to pave the way for each Vendor to release more Mid or eXpert level exams in the future as natural follow ups. These 2nd level exams will cover a wider range of attack vectors, potentially have on them a sample vulnerable iOS App, in addition to the Android App, and will have more developed features as part of their exam apks, ipas, etc.

Questions naturally arise:

• Would you recommend 1 over the other? Answer: I recommend doing the PJMT first and then taking the CMPen (Android). Doing the PJMT first will give you an idea of some of the setup involved to get the Mobile Pentest going smoothly. With PJMT you're provided the infrastructure needed to pass the exam. With CMPen (Android), you either need to bring your own phone, or an emulator with all your tools properly setup.
• Are both worth the cost? Answer: Yes. PJMT retails for $199 USD, though TCM Security gives some discounts couple times a year near holidays or Black Friday. If you keep up with their posts on LinkedIn and/or X, you can get your hands on a promo code. Likewise, following TheSecOps Group on X and/or LinkedIn will show you how often their exams are discounted. On occasion you will find them 75-80% off. The SecOps Group is also currently working on a Mock Exam for it. Keep your eyes peeled. The ability
• Any study recommendations to pass either? Answer: TCM Security's Mobile Application Penetration Testing course has all the content you need to walk into each exam and pass successfully.
• How do either compare and differ with SEC575? Answer: The course content in both courses are solid. My recommendation is taking a look over the SEC575 Syllabus and also look at what's covered in TCM's course.  There's course content that's in SEC575 that's not in TCM's class, and vice versa. The SEC575 content is stretched out with a bit more depth. Compare course content alone of 9 hours vs a lot of your SANS courses being around 5 days worth of content, lab-time, etc. Cost for value wise, being able to get your hands on TCM Security's Mobile Application Penetration Testing course through their Academy, or just purchasing the PJMT voucher (comes with the course), sets you up in a good enough spot where you can clear PJMT and CMPen (Android) mobile like I did, but also have your hands on some of the same content taught in SEC575. 
• How realistic are the vulnerable Exam Applications? Answer: Not incredibly realistic in terms of what we see in Mobile Applications these days, but you have to remember these apps were intentionally coded insecurely. They were written poorly in order for you to use whatever you've learned to take advantage of various flaws in them to answer various exam questions & complete exam objectives. 

Sources

Practical Junior Mobile Tester

TCM Security

TCM Security (X)

CMPen - Android

The SecOps Group (LinkedIn)

The SecOps Group (X)

Certified AppSec Pentester (CAPen) Review

May 29th, 2023 by r0secr01x

The Certified AppSec Pentester (CAPen) is an intermediate-level exam to test a candidate's knowledge on the core concepts involving application security. It's offered by The SecOps Group, who is a globally recognized IT security company having extensive and varied experience of providing cyber security consultancy and education services.

CAPen is a natural follow up to the Certified AppSec Practitioner exam. It's a 4 hour hands-on exam that entails capturing flags, answering multiple choice, and true/false questions. As of May 2023, there's 17 questions. The questions & challenges range in difficulty from easy to intermediate level and The SecOps Group is transparent about what you'll see on the exam:

Preparation wise, I'd recommend studying up on the best free resource for Web Application Security, PortSwigger Academy. I'm giving myself this advice too because I walked in a little cocky and left a couple questions unanswered Lol. I felt confident on the questions I answered and figured taking an L on the couple questions would still get me the victory.

4 hours is enough time for the exam. A tip I have to keep a good pace, is at the start of the exam, make your way through the questions and take mental notes of what's being asked for. It'll come in handy while you're mapping out the Web Applications because you'll have insight on what they're having you look for. There were a couple questions where you had to get creative to find the right solution. I really enjoyed these! There were also low hanging fruit type / softball questions. The way the questions are structured are direct and to the point on what theyll give you points for. For example, one hypothetical question would be something like: Can an IDOR vulnerability be used to successfully exploited to view other user's items in their shopping cart? Another hypothetical question could be something like, exploit the XXE Vulnerability on the Administrator Panel to successfully obtain the flag.

All around, I had a good time with the exam experience. You're given VPN Access to their environment and the environment's stable and fun. My main recommendation is switching out a couple of the true/false questions, along with 1 or 2 of the low hanging fruit questions. There were a few answers that could be found within a few seconds or within a minute or 2. This is good for making the test taker feel like their pace is good, but I wanted to work harder for an exam pitched at intermediate level intensity. The passing bar isn't set high enough at 60% in my opinion, because if 60% could be obtained by putting in some effort, (but not fully going all in having to try harder).

By the time you get to questions that require a higher level of effort, those could be skipped and the test taker could still end up passing with the passing score being set at 60%. The point values for each question aren't equally weighed (which I found good), but I was also anticipating a lower score for intentionally skipping 2 questions that required more effort than other questions. I recommend a median range average be taken and the passing score be upped/set over time. This is similar to how we've seen GIAC switch up their passing scores here and there over the years. Passing with Merit should be for folks who score 85% or 90% in my opinion.

Sources

https://secops.group/product/certified-appsec-pentester/

The SecOps Group (LinkedIn)

The SecOps Group (X)

OSWA Review

May 8th, 2023 by r0secr01x

Back in December 2022, OffSec was offering $500 off of their LearnOne Subscription. If you're not familiar with OffSec's LearnOne Subscription, it currently costs $2499 and grants you 1 year access to a course of your choice from OffSec's Content Curriculum (Figure A). You also get 2 exam attempts for the course you pick out. Gone are the days enrolling in OffSec courses and purchasing 30 or 60 Days lab access at a time. The 90 day option still exists though, thankfully! The 90 day option is good if you want to get straight into the material and hit it hard + knock the exam out.

Figure A: OffSec Courses as of May 2023

The LearnOne Subscription's price model's a bit pricier compared to how OffSec sold courses in the past. OffSec attempts to balance out the price hike by additionally including access to their Level 100 courses, also called Fundamental Learning Paths, with the course you purchase. Their Level 100 courses are great and most of them have an associated assessment exam with it that could earn you a Credential.com Badge. See their Essentials Badges here.

Couple of my favorite modules in the course were the Introduction to SQL, SQL Injection, and SSTI. I enjoyed the SSTI module because it has coverage of templating engines I hadn't seen attacked before. All of the attacks in the course are broken out into 2 Steps, Identification and Exploitation. What I enjoyed about the SQL modules is there's no database bias. You're literally taught how to query and attack MySQL, Oracle, SQL Server, and PostgreSQL fairly and equally. The Introduction to SQL Module may feel tedious because you're taught how to attack each DB and it has a lot of exercises of completing the same task across them.

The course is all about taking a Black Box approach with pentesting web apps. With black box pentesting in the context of web, you're supplied with a target URL and told, "goodluck". With WEB-200, you'll learn quick that half of the battle is getting that discovery/identification piece going in the form of mapping out the application, fuzzing it and observing how it reacts, and tuning your proof-of-concepts to get successful exploitation.

My other favorite portion of OffSec's classes is the last section where you put it all together. It really shows off the attacker's mindset, and l personally use it to mentally compare in my head what l would do if I was in the instructor's situation demoing the walkthrough. OffSec also gives you 5 sample machines to own from start to finish as final preparation before walking into your OSWA Exam. It's fantastic preparation and a close assessment of what you might be facing on the exam.

My recommendation for passing the exam is watching the video content, keeping the various proof-of-concepts provided throughout the course close by in your notes, and take notes on various tool & flag usage. I personally use Obsidian for my notes.

Prepare to become intimately familiar with Daniel Miessler's SecList's Repository as well as the Payload all the Things Repository.

Exam Time

As laid out in the OSWA Exam Guide, the minimum passing score is 70%. There's local.txt and proof.txt submissions that are valued at 10 points each.

The OSWA is somewhat of a unique OffSec exam experience. I'm used to OffSec not allowing for any vulnerability scanners or automatic exploitation tools, but surprisingly Burp Suite Professional and SQLMap are allowed. These tools are not required to pass the exam. 

Tips

You probably see this recommended everywhere else, but I highly recommend scripting all the things. As you're working your way throughout the course content and labs, whenever you see an opportunity for automating the same boring process, or repeated usage of fuzzing, scanning, etc, I recommend scripting it out.

The exam is about 24 hours and there's a lot of flags to get. If you could whip up bare bones scripts, such as automating your relevant nmap scans, with relevant nmap scripts ;), and getting creative with scripting your favorite fuzzer, and wordlists, you will be ahead of the game.

Be sure to take breaks if you end up getting stuck. Keep your notes and relevant urls from the course material handy just incase you have to go back and study content during the exam. 

OSWA vs GWAPT vs eWPT?

Having successfully completed all 3 exams, if I had to go back and pick 1 course to learn Web Application Pentesting from, it'd be WEB-200. Sure, it's the more recently rolled out/refined of the 3 certifications, it's also priced in the middle of INE's eWPT and SANS SEC542. I personally enjoyed going through the content and exam. You're literally tested on all of the attacks covered in the course, be sure to have it down! Plus, any exam OffSec rolls out, you're going to see job posts already looking for the accompanying certification. If you're in doubt, plug OSWA into your favorite job board.

If you already have the eWPT or the GWAPT, it's somewhat overkill going through and doing the course, but it's still fun. 

Sources

• https://github.com/swisskyrepo/PayloadsAllTheThings
• https://github.com/danielmiessler/SecLists
• https://www.credential.net/issuer/81055/credentials?page_size=20&page=0
• https://help.offsec.com/hc/en-us/articles/4410105650964-OSWA-Exam-Guide#exam-restrictions

CNPen Dropped!

May 5th, 2023 by r0secr01x

If you follow The SecOps Group on X or LinkedIn, you are likely aware they've dropped their latest exam, the Certified Network Penetration Tester. Speaking to the format of their exam,

"CNPen is an intense 4 hour long practical exam. It requires attendees to solve a number of challenges, identify and exploit various vulnerabilities and obtain flags. The exam can be taken online, anytime (on-demand) and from anywhere. Attendees will need to connect to the exam VPN server to access the infrastructure set up for the exam."

The exam syllabus looks like you're tested on quite a bit in a 4 hour period:
The SecOps Group has an offer right now on the CNPen: if you purchase it before 5/31/2023 and you pass the exam with a 90% or higher, they'll refund you 100% on the exam fee. I don't know another Company out there in this space with that kind of offer. It's hard to pass up! I was able to get my hands on an exam voucher. I need some time to study up! I plan on taking it within the next couple months. Will return back and report on my experience with the exam!

Tags: CNPen The SecOps Group

---

Sources

• Certified Network Pentester
• https://X.com/TheSecOpsGroup
• https://www.linkedin.com/company/secops-group/

PenTest+ Review

February 28th, 2023 by r0secr01x

I cleared the PenTest+ exam back on February 18th. I wanted to share my study experience & recommendations on what I did to pass. Just a quick disclaimer: I've never taken an exam for CompTIA before. Back in High School, I did take Computer Hardware & Networking. They were ROP classes offered where we all got access to the A+ and Network+ Material via Testout, however I actually never ended up sitting for the exams back then. My recommended first step is buying an exam voucher and setting a testing date. Purchasing a voucher and setting your exam date is the equivalent of setting your intention. Do everything to stick to your intention & gear your study plan for being ready for that exam date.

The couple folks I know studying for this exam are using the PenTest+ Path offered at TryHackMe. While this is a good route to go down to study, I personally studied by viewing the following courses on Pluralsight:

• Tools & Code Analysis for PenTest+
• Network and Application Attacks for CompTIA Pentest+
• Specialized Attacks and Post Exploitation for CompTIA Pentest+
• Exam Review and Tips for CompTIA Pentest+
• Information Gathering and Vulnerability Scanning for CompTIA Pentest+

In addition to using Pluralsight, I feel blessed my employer provides an O'Reilly subscription that I leveraged to go through and study Ethical Hacking and CompTIA PenTest+ Exam Prep (PT0-002).

Validate you're ready to test with these Practice Tests from uDemy: https://www.udemy.com/course/comptia-pentest-exams-002/. I recommend taking all 6 just to get a feel for all of the questions in the practice test bank. The author often does 80%+ off of the practice tests on uDemy. If it's not on Sale at the time you're reading this, I advise checking back in a day or a few while continuing your studying. There's a reason why these Practice Tests are rated as high as they are. They're right up the alley to questions you'd see on the actual exam. The author of these tests sets a 90% minimum in order to pass you. Just keeping it 💯, I didn't score the minimum on any of the 6 practice tests, however was still able to pull out a Victory on the exam. Don't be discouraged if you don't hit the minimum bar set by Jason. I suggest reviewing every question you got wrong and correlating it back to the objectives you need to study up on more to come out on top.

Exam Day: It's go time!

I hadn't tested with Pearson Vue in a minute, but remote proctoring always consists of these same steps in a nut shell:

• Have a quiet space with no distractions
• Clear off your desk
• Have your phone off or on airplane and put away. I usually put mine in the other room. Out of sight, out of mind.
• Have your ID ready
• If you have more than 1 monitor, be ready to show they're not connected to your machine

Exam experience wise, I was unfortunately underwhelmed. It could of been all of the practice tests I took on uDemy that had me feeling ready. I ended up getting 67 questions and had 8 or so flagged questions for review. By the time I made it through all the questions, I still had time to spare, so I spent time going back over each question & answer to solidify selections made. The Pass Rate for this test is higher than GIAC's minimum requirements. You really want to make sure you feel confident with your answers.

Main curveball thrown my way, besides the one I did I threw myself forgetting to plug back in (haha), was be ready to come across identifying attacks and having recommendations on hand to remediate them. Don't be surprised if not every question you run into consists of multiple choice response 😃

Sources

CompTIA PenTest+ Practice Exams

CompTIA Exam Voucher Discounts

Certified AppSec Practitioner (CAP) Review

February 28th, 2023 by r0secr01x

The Certified AppSec Practitioner Certification is an entry-level exam to test attendees knowledge on the core concepts of application security. It's offered by The SecOps Group, who is a globally recognized IT security company having extensive and varied experience of providing cyber security consultancy and education services.
According to their site, the CAP Certification is intended to be taken by application security engineers, application developers, SOC analysts, penetration testers, red and blue team members and any appsec enthusiast, who wants to evaluate and advance their knowledge.

I've been following The SecOps Group on LinkedIn for a few months. They have been around less than 2 years and were founded by industry veterans. The SecOps Group offers Pentesting & Education services and also hosts a free platform to learn Pentesting at http://www.vulnmachines.com/. I looked up their Leadership Team on LinkedIn (most of us would, right?), and their combined experience is over 60 years. Scouting their profiles, they're a tight knit team that's successfully built out businesses before.
Back in December 2022, they were giving out free exam vouchers for their Certified AppSec Practitioner and Certified Blockchain Practitioner exams. These exam vouchers are given in the form of a coupon code that can be applied and redeemed during checkout. The exam's entry level and consists of 40 multiple choice questions. I've read a handful of reviews on LinkedIn from folks that have cleared the exam. The average amount of time I'm seeing is around 18-20 minutes. If I had to compare it to a past exam I've taken, it somewhat reminded me of an easier version of the GWAPT exam.

Testing is done remotely and it's really easy to setup & schedule. I highly recommend giving these guys a follow and turning notifications on when they post. TheSecOps Group seems to be regularly giving out free exam vouchers once a month or so for their CAP Certification and it's been paying off for them. It's getting them more exposure on LinkedIn - where people are posting reviews of their experience with the certification, along with their results. It's also getting their name out there more and serves as a way to entice you to pay for one of their Professional Level Certifications:

• Certified AppSec Pentester (CAPen)
• Certified Network Pentester (CNPen)
• BlackHat Certified Pentester (BCPen)

The perks of their Professional Level exams is they're hands-on, and not multiple multiple choice based like Essentials exams. The SecOps Group is really spot on with their Certification Syllabus of what's covered on the exam. Expect to see questions involving a majority of what they've listed in the syllabus. Overall, I'm excited to see what comes out of The SecOps Group joining in as an independent Security Company offering Certifications. There's no accompanying courses to help prepare for their exams, but this is what I feel makes them somewhat unique in this space.
With sarcasm and honesty, I asked myself:

Is a new certification born in this field daily?

This one's straight from their LinkedIn from about 16-17 hours ago:
For the next 48 hours please use the code CNSP-100 for a 100% discount on Certified Network Security Practitioner (CNSP) exam.

Sources

https://secops.group/product/certified-application-security-practitioner/

The SecOps Group (LinkedIn)

The SecOps Group (X)