Ethical Hacking – The Courses & Certs You Need To Succeed

The purpose of a hacker is to find vulnerabilities in computer systems and exploit them. The goal of an ethical hacker entirely depends on who you work for.

In the private sector, ethical hackers are commonly employed as Penetration Testers, Pen Testers for short. The job of a Pen Tester is to identify vulnerabilities in a company's computer system to protect it from malicious attackers. Pen testing companies are hired by other companies for exactly this purpose: to identify weaknesses in their systems that could potentially compromise their data.

If the ethical hacker were working for law enforcement or government agencies, however, their objectives might be entirely different. In law enforcement, they may be tasked with accessing the computer devices of a criminal or criminal organisation, to acquire evidence. If the ethical hacker were working for the government, well… governments don't spy on each other, right?


Prerequisite Knowledge:

To be able to identify a vulnerability in a computer system, you need to know what you are looking at. The best ethical hackers don't just understand how to use hacking software, they understand the relationship between operating systems, software applications and computer networks. They understand how a software application, such as an Internet Browser on computer A interacts with a database on computer B, located on the other side of the world.

There are many individual careers within the realm of IT - system administration, database administration, network administration, programming, so on and so forth. The job of a pen-tester or hacker is to have a grasp of all of them. Once you've mastered those skills, you move on to understanding human flaws because it's often human flaws that create the opportunity for a hacker.

With that in mind, there is a baseline skill-set that any ethical hacking course will expect you to know already:

  • TCP/IP and networking
  • Cryptography and encryption mechanisms
  • Windows and Linux OS administration and their command-line interfaces
  • Python scripting is also useful but not essential for many courses

So, a career in ethical hacking is not for the faint-hearted. It must become a passion, like a professional sports player's dedication to their sport. This might sound overwhelming, but don't be discouraged. Ethical hackers don't work alone. When you make the grade, you'll be working in a team. You will all have a specialised skill and feed off each other's abilities. Once you have one or two certifications under your belt and your first job in the field, you'll find your knowledge will grow exponentially by working with other trained professionals.

Take heart from knowing that prospective employers realise that candidates with the right skills come from all walks of life. You don't need to have a degree from an Ivy League college to become an ethical hacker. You simply need to demonstrate your knowledge and ability by obtaining recognised certifications.

In any ethical hacking course, you should expect to learn the following:

  • Information gathering & enumeration
  • Identifying vulnerabilities
  • Initiating Exploits
  • Evasion Techniques
  • Recording and reporting results

Below is a list of the most respected and recognised courses available today. Unfortunately, notoriety comes at a price and these courses are not cheap. Many Ethical Hackers will look for their employers to help pay the costs of training. If that's not an option for you, at the end of this article I list a few free and cheaper resources to get you started.

#1 - Offensive Security Certified Professional

Level: Advanced

The Offensive Security Certified Professional (OSCP) and Certified Expert (OSCE) are two of the most highly recognised and sought-after certifications in the industry, and for good reason. They are also the most advanced and difficult to pass.

To obtain the OSCP, participants are required to successfully penetrate multiple machines in a lab environment over the course of 24 gruelling hours.

It is as much a test of endurance as it is a demonstration of your knowledge and ability. If you pass this course, you have the qualifications needed to be an ethical hacker.

If you’re not convinced by the difficulty of this course, watch these two videos by Jan Wilkholm who vlogged his whole experience of studying for and taking the OSCP cert. JW failed the first time he sat the test, and in this first video, you can see the exhaustion and frustration etched on his face after 24 hours. 

JW re-sat the exam a few months later *no spoilers* and discussed his thoughts on the course and the exam... 

Students who sit the OSCP exam must first complete Offensive Security’s ‘Penetration Testing with Kali Linux’ (PWK) course.

It is a *self-paced* (see price details), online course that teaches students how to identify and compromise systems using Kali Linux - a Linux operating system designed by Offensive Security for the purpose of hacking.

Upon enrolling, students will receive a 350-page course guide, 8 hours of pre-recorded video lessons and access to virtual labs to practise.

Cost: $800 USD for course, exam fee and 30 days access to labs, increasing to $1150 for 90 days access to labs. Exam retake fee is: $150.

Duration: Self-paced with time limits on access to the labs, dependent on price.

What You'll Learn

  • Passive and Active information gathering and enumeration
  • Basic scripting and recommended tools for pen testing
  • Reuse and rehash publicly available exploit code
  • How to conduct remote and client side attacks
  • How to use XSS exploits and SQL injection to compromise web applications
  • How to bypass firewalls and anti-virus software
  • Metasploit Framework

#2 - Offensive Security Certified Expert

Level: Super Advanced

Offensive Security's Expert certification ratchets up the difficulty even further. Students must pass a 48-hour exam. The requirements of the exam are ‘simple’ - identify weaknesses in multiple lab environments, execute an attack on the different systems and gain administrative privileges.

On passing the OSCE, one participant wrote, 

“This was the hardest thing I have ever done in my life both academically and professionally. This course is not for the faint of heart and requires a lot of self-discipline, perseverance and a very understanding wife.”

Before sitting the exam, participants are required to complete the Cracking The Perimeter (CTP) course.

This course teaches an array of techniques used to compromise computer systems that are designed to prevent access to internal networks and computers. These boxes sit on the perimeter of networks acting as barriers to block everything except authorised access.

Students receive a 350-page course guide, access to 3.5 hours of video lessons and access to virtual lab environments for practising. There is also a forum where you can ask questions and work through problems with fellow students.

Cost: Starts at $1200 USD, for the course, exam and 30-day access to the labs or $1500 for 60-day access to the labs. Retaking the exam costs $150 and you can also pay for extended lab use.

Duration: Self-paced with time limits on access to the labs, dependent on price.

What You'll Learn

  • Cross Site Scripting Attacks
  • Creating backdoors using Windows PE files
  • Using zero-day exploits
  • How to bypass Cisco Access Lists
  • How to compromise router configurations
  • How to use GRE - Generic Routing Encapsulation - to pass through routers 

Prerequisite Skills & Knowledge:

  • Prior knowledge of Windows exploits
  • Experience using OllyDbg 
  • Familiarity with Linux, scripting and the Metasploit Framework

Other Offensive Security Certifications:

There are 3 other certifications offered by Offensive Security, all specialising in certain areas of hacking.  

Web Expert - a 48-hour exam aimed at testing a participant's knowledge of web applications and how to exploit them.

Wireless Professional - a 4-hour exam testing the participant's ability to identify weaknesses in 802.11 and gain access to secure WiFi networks.

Exploitation Expert - a 72-hour exam where participants are required to reverse engineer Windows kernel drivers to identify vulnerabilities in the code, develop an exploit and reassemble the code to gain access to several Windows servers.


#3 - GIAC Certified Pen Tester - GPEN

Level: Intermediate

The Global Information Assurance Certification (GIAC) is another industry recognised certifier. Their examinations are renowned for being challenging, which gives greater credibility to the certification and those who pass it. GIAC offer certifications in all areas of IT Security. It was established by the SANS Institute as a means of crediting students who take SANS’ training courses.

A word of warning, SANS courses and associated GIAC certs are expensive. Many participants will look for their employer to either pay or subsidise the costs.

GPEN is the GIAC Certified Penetration Tester certification. To be GPEN certified, participants must complete 82 to 115 questions in 3 hours, achieving a score of 74% or higher. The exam is, however, all question-based. You are not required to demonstrate your ability on a test system, as you are with the Offensive Security certs. Candidates are given two practice attempts at the exam included in the cost.

Cost: $1899 USD or $769 if purchased with SANS training as a ‘bundle’. Candidates have 120 days from the purchase date to sit the exam.

The GPEN is closely allied to the SANS Institute’s SEC560 ‘Network Penetration Testing and Ethical Hacking' training course.

Although not compulsory, SEC560 is the associated course to take for anyone considering the GPEN certification. It is the flagship penetration testing course offered by SANS. The course is available in several formats. Instructor-led classes are held throughout the year at multiple venues around the world. Alternatively, there are instructor-led online courses, where participants can remote into live classes; or there is a self-study option.

What You'll Learn:

  • Understanding of the Metasploit framework
  • Reconnaissance and enumeration
  • Knowledge of Windows command line and PowerShell 
  • Ability to compromise a computer, exfiltrate data and use pivot techniques to target other hosts on the same network 
  • A thorough understanding of password attacks
  • Ability to conduct injection, XSS and CSRF attacks  

On enrolling in the course students receive:

  • Access to virtual lab tutorials with 30 different scenarios
  • A copy of SANS’ own Linux distro called Slingshot, with tools and software pre-loaded that you’ll use during the course
  • Audio lessons and PDF guides for using Metasploit, Netcat and other apps

Cost: $6610 USD for the self-paced, online course (the exam is extra - see above).


#4 - CompTIA Pentest+ (PT0-001)

Level: Beginner

PenTest+ is more affordable than the SANS/GIAC option and easier than OSCP and OSCE, making it ideal if you’re just starting out.

Similar to Offensive Security certs, CompTIA’s Pentest+ certification requires candidates to demonstrate their knowledge of ethical hacking by answering scenario or ‘performance-based’ questions. Unlike multiple choice questions, PBQs require candidates to execute commands in a simulated environment. There is more information and a sample exam question here.

Students receive a maximum of 85 questions, which must be answered within 165 minutes. Questions are a mix of multiple choice and PBQs. The pass mark is 84%.

The exam requires the student to demonstrate their knowledge in the following areas:

  • Planning and scoping
  • Passive and active reconnaissance
  • Identify vulnerabilities
  • Access networks & perform exploits
  • Post exploit clean-up
  • Recording and reporting results

All the information for passing the exam is provided in the accompanying study-guide ebook, which students can purchase separately. Alternatively, there is a choice of study options - in-class tuition, live online classes, and a self-paced e-learning course.

Cost: Individually, the exam costs $349 USD, but it can also be bought as part of a ‘bundle’. For example, the exam, plus study-guide eBook and one exam re-take voucher costs $549. Alternatively, the exam, plus one resit voucher and the self-paced eLearning course is $949 USD. 

Learn for PenTest+ is the associated online ‘eLearning’ course for the PenTest+ exam. CompTIA’s website is short on actual syllabus information, except to say you will learn what is required in the exam (see above).

The PenTest+ e-learning course is self-paced and completely online, although you must complete the course within 12 months. It provides over 40 hours of pre-recorded online tutorials, separated into 10 lessons. There are quizzes, flashcards and 100 questions throughout the course to test your knowledge.

A final assessment simulates the actual exam, giving you an idea of what to expect. CompTIA do not have their own Linux distribution, but the course will demonstrate the use of various tools plus basic scripting in Bash, Python, Ruby and PowerShell.

PenTest+ and CEH v10 (discussed next) are the only two courses in this list to cover wireless and RF-based exploits. SANS and Offensive Security require you to take separate courses with separate certifications for this field of study.

Cost: The PenTest+ eLearning course is $549 USD when purchased on its own or $949 when purchased with the exam and one voucher for a re-sit, should you need it.

The cheapest option is to buy the study guide ebook. The ebook costs $159 individually, or $549 when bundled with the exam and a re-take voucher.


#5 - Certified Ethical Hacker - EC Council

Level: Beginner/Intermediate

EC-Council’s Certified Ethical Hacker is one of the most established hacking certifications on the market. It was originally released in 2003 and is now in its tenth iteration, as CEH V10.

The EC-Council have three certifications aligned to ethical hacking: the Certified Ethical Hacker, Ethical Hacker (Practical), and the Ethical Hacker (Master). After completing these, EC-Council also offer more advanced certs - Security Analyst and Licensed PenTester.

The Certified Ethical Hacker Master is the only certification of the three CEH certs not to require its own exam. Students are awarded the Master certificate for passing both the CEH and CEH(Practical) exams.

Both CEH and CEH (Practical) can be taken without having to take an EC-Council course. However, to sit the CEH exam without enrolling in a course, you will need to apply and prove you have the required experience. This means either completing a previous version of the CEH or having two years of experience working in IT Security. There is a $100 application fee, which is non-refundable.

If you don’t have the necessary experience, then the Certified Ethical Hacker course is recommended for both the CEH and CEH (Practical) certifications.

Cost: Sitting the CEH without taking a course is $950 USD and $550 for the CEH (Practical) exam.

Exam Format: For the CEH, candidates are required to answer 125 multiple choice questions in 4 hours. The CEH (Practical) exam is 6 hours, requiring candidates to demonstrate their knowledge in 20 practical lab environments.

The course is recommended for those wishing to take the CEH and CEH(Practical) exams. It can be taken in various formats - self-study, live-online classes and in-person training.

The cheapest bundle, which includes training and an exam voucher, is to buy the self-study course.

Cost: The self-study course costs $1899 USD. For this you get 1-year access to pre-recorded lessons, 1-year access to an electronic version of the e-Courseware training manuals, 6 months access to iLabs test environment and the exam voucher. 

The pre-recorded lessons and courseware are designed to teach you everything you need to pass the exams, while the iLab test environment has 107 different exercises to test your knowledge on virtual machines. Here’s an example of the iLabs practice environment.

In addition to the usual syllabus entries the CEH also covers:

  • Social Engineering
  • Hacking Wireless Networks
  • Hacking Mobile Platforms
  • IoT Hacking
  • Cloud Computing

The next step up from the self-study route is to join an online, instructor-led class (iWeek). The syllabus is the same, the only difference is the cost.

Cost: The week-long tuition costs $2899. You also receive a copy of the e-courseware training manuals, 6 months iLab access and an exam voucher.

Many comments on Reddit have expressed the benefits of instructor-led classes over self-study. Most people who commented also recommended the following study-guides over the e-courseware:


#6 - The Freemium Route

Taking any of the courses listed above requires a substantial financial investment.

If you're just starting out and short on cash, the cheapest certificate and a good foundation is CompTIA's PenTest+, which costs $349 for the exam.

Rather than taking the official course, you can look at alternatives like this course offered by Udemy - CompTIA Pentest+ Course and Test Exam. Udemy courses are often heavily discounted, so look to get it during one of their many sales events.

The Kali Linux operating system, created by the Offensive Security team, is free to use and comes with numerous hacking tools pre-installed. Many courses will expect you to know Kali Linux so the sooner you get familiar with using it, the better off you'll be.

This course - Kali Linux Hacking Lab for Beginners - will show you how to download and install Kali Linux and create your own virtual hacking environment.

Once you have a grasp of Kali Linux and you've set up your virtual environment, you can test your knowledge using sites like Vulnhub.

Vulnhub provides free virtual machines created with specific vulnerabilities that you can use to prove your hacking skills. Each VM comes with a scenario and a capture-the-flag type challenge. If you get stuck, you can find walk-throughs by searching YouTube and Google.

If you can recommend any certifications, courses or free resources, be sure to leave a comment below. Best of luck!