A couple weeks ago, I finally accomplished a goal I had for a long time; I completed my EC Council Licensed Penetration Tester, Master -- a.k.a. LPT (Master) -- certification. The LPT (Master) certification is the culmination of EC Council’s penetration testing track, following Certified Ethical Hacker (CEH) and EC Council Certified Security Analyst (ECSA). The LPT (Master) exam is hands-on only. There is no course or written exam to take prior to this hands-on exam. The LPT (Master) simulates a real penetration test, complete with a follow-up report to the customer.
Several months back, I passed the Offensive Security Certified Professional (OSCP) certification examination. I had originally hoped to get the certification within three or four months of starting, but it took me a total of eight months to finally complete it. I had to take a break in the middle to teach several classes and focus on work, so I could not devote my full attention to the labs.
Before taking the LPT (Master) examination, I searched around the internet to find anyone who had taken both the OSCP and the LPT (Master) and written up a comparison. Many people asked the question, “How do the two courses compare?”, but no one seemed to have an answer. Since I could not find a comparison, I thought I would write one up.
Both certifications are challenging, but they differ greatly in what they attempt to teach and to measure. The OSCP is a very advanced course which is focused primarily on what I call “hard-core hacking skills.” These include skills such as:
- Web, Application, Configuration, and Operating System Exploitation
- Client-Side Attacks
- Buffer Overflow Exploit Writing
- Privilege Escalation
- Post Exploitation
- Manual Exploitation using Exploit-DB and Other Custom-Written Exploits
- Self-Guided Research
- “Out-of-the-Box” Thinking
Although EC Council’s Penetration Testing Track does teach some of the same exploitation skills, the LPT (Master) examination’s primary focus is to accurately simulate a real penetration test engagement, teaching the following skills:
- The ECSA/LPT Penetration Testing Methodology
- Using a Wide Array of Penetration Testing Tools
- Achieving Repeatability of Results
- Achieving Specific Objectives
- Producing an Accurate Penetration Test Report, Complete with Effective Remediation Recommendations
The OSCP’s lab or “cyber-range” environment is quite extensive and elaborate. Students are dropped into a multi-network laboratory of approximately 60 Virtual Machines (VMs) that encourages “free-range exploration.” Students attack the VMs in whatever order they like. Some VMs contain “Easter egg” clues that can lead students to other VMs in the lab. These clues encourage students to spend considerable time in Post Exploitation activities, trying to find “goodies” or “loot.” Students must pivot off certain machines to get into other networks that are not exposed directly to their attacking VM. To get all the machines, students must spend a significant amount of time researching exploits, since the course material does not cover all the different exploits. Some students feel that certain lab (and test) machines are very “trollish” or unrealistic examples of what one would find on a real penetration test. Some of the machines are very straightforward to exploit, while others feel more like honeypots or Capture the Flag puzzles. Regardless, the students will come out of the lab with some serious hacking skills! There are two primary downsides to the OSCP labs. Students are not allowed to do any Man-in-the-Middle attacks or Denial of Service (DoS)-type attacks against any targets. Also, lab environments are shared with other students. There is nothing more frustrating than almost getting an exploit you’ve been working on for days, only to have another student reset the VM!
Although the LPT (Master) certification does not have its own lab for students to practice skills, the CEH and ECSA courses do come with time in EC Council’s iLabs environment. Depending on how it was purchased, an official CEH course often comes with six months of iLabs time. ECSA comes with 30 days. Students can spend that time exploring the iLabs environment. Although it does not have as many computers as the OSCP lab, iLabs has a web-based interface. Students can access iLabs from anywhere that has internet access and a browser… it even works on a Chromebook! There are labs that are assigned to the CEH and ECSA students, with step-by-step guidance on how to do the labs. However, it is also possible to go “free-range” in the iLabs and experiment with the hundreds of tools that EC Council makes available to the students. Students also get to conduct Man-in-the-Middle attacks, DoS attacks, and even play with malware makers!
The two exams are quite different as well. The OSCP is an extremely grueling 48-hour exam, with 23.75 hours for exploiting up to five computers, followed by another 24 hours to submit the “penetration test” report. The exam VMs seem to be set up intentionally to make the students waste time (and it is very easy to do so). The tools that the students may use are very limited: no automated tools such as Burp Pro, ZAP, or sqlmap may be used at all. Metasploit Framework may be used on a single computer, and once it is chosen, Metasploit may not be used on another. The machines are all very tricky, especially with the short time allowed for the test. Personally, I found it very difficult to concentrate after hour 17 or 18.
The LPT (Master) exam was (by comparison) a quite leisurely five-day exam, followed by up to 25 days more to complete and submit the realistic penetration test report. I felt one of the biggest advantages of the LPT (Master) exam over the OSCP exam was SLEEP! I have yet to work on a real penetration test where we had to work for 23.75 hours and not sleep! Additionally, the LPT (Master) exam environment was a much more realistic representation of a genuine penetration test than the OSCP exam (the OSCP lab environment was more like a corporate network than the OSCP exam machines were). The LPT (Master) also had an advantage in that you had all the tools that you learned in CEH and ECSA available to you for use on the exam, whether Windows or Kali Linux tools. The objectives were more flexible (and realistic), in that you had to complete the objective in whatever way you could find. On the OSCP, you were only allowed to complete the objective by obtaining shell access to the target computer first. The LPT (Master) exam target machines also had much less “trolling” going on. If a machine looked vulnerable to an exploit, it probably really was. I did find one example where a computer should have been vulnerable to an exploit, based on the enumeration I did. However, if it had been, it would have been too easy. Finally, there was one challenge that I can’t go into much detail about, to avoid giving it away. I must say it was the most interesting (and even fun) challenge I’ve seen on any penetration testing course or exam! It was quite unique, and I only stumbled across the answer while looking for something else. Overall, the LPT (Master) exam, like the OSCP, required some research and out-of-the-box thinking to complete, while more accurately simulating the network, the objectives, and the final report of a penetration test.
I am very happy to have achieved both the OSCP and the LPT (Master) certification programs. I think both are worthwhile, because they have different focuses. The OSCP certification is great for individuals with several years of experience in system administration, networking, or software development, who wish to learn “elite hacking skills.” The LPT (Master) is great for those who want to pursue penetration testing as a career and who are looking for a certification that demonstrates that they can complete a realistic penetration test simulation on their own.
Daniel "Doc" Sewell works as a Lead Cybersecurity Engineer and Trainer for Alpine Security. He currently holds many security-related certifications, including EC-Council Certified Security Analyst (ECSA), Licensed Penetration Tester (Master), Offensive Security Certified Professional (OSCP), Certified Information Systems Security Professional (CISSP) and Certified Secure Software Lifecycle Professional (CSSLP). Doc has many years of experience in software development, working on web interfaces, database applications, thick-client GUIs, battlefield simulation software, automated aircraft scheduling systems, embedded systems, and multi-threaded CPU and GPU applications. Doc's cybersecurity experience includes penetration testing a fighter jet embedded system, penetration testing medical lab devices, creating phishing emails and fake web sites for social engineering engagements, and teaching security courses to world-renowned organizations such as Lockheed Martin and the Hong Kong Police Department. Doc's hobbies and interests include home networking, operating systems, computer gaming, reading, movie watching, and traveling.