CEH Master, An Honest Review

This post is meant to be an honest review of the CEH Master, if you're unhappy with my review, I'm sorry.

Published on Aug 10, 2020

Reading time: 3 minutes.


Certified Ethical Hacker | Master

The CEH Master offered by EC-Council, claims to be a real-world, hands-on approach to everyday life as an ethical hacker:

/uploads/cehrev.png

In the above photo, what stood out the most to me was, “We test your abilities with real-world challenges in a real-world environment, and a time limit, just as you would find in your job.”

The CEH Master is a combination of the CEH Exam and the CEH Practical. You have to pass both to achieve CEH | Master

Background

Several years ago, I had high hopes of becoming a Penetration Tester. The first step in that equation appeared to be the Certified Ethical Hacker Certification.

Unfortunately, the CEH Exam is but the tip of an ever-winding road. I had read horror stories about people who had failed the CEH Examination 3+ times, struggling to pass it, even claiming to have studied for “two full years.” Here’s my hot take on the situation:

If you’ve studied for the CEH Examination for TWO FULL years, you may want to rethink your career as a hacker. I understand everyone has a different level of ability and expertise. However, it’s beyond basic. You can expect questions covering syntax for scanning tools, banner grabbing, cracking hashes, hacker theory, etc. Passing this exam will not make you a hacker at all; it will show that you’re interested enough in hacking to learn some basic syntax and lingo.

The Examinations

Part 1: CEH Exam
Multiple Choice Exam, 125 Questions
4 Hour Time Limit

As stated previously, I took part 1 of the exam years ago. However, I can tell you this:

If you can read course material and memorize basic hacking tool syntax, definitions, and port numbers, you can pass the exam.

Part 2: CEH Practical
20 Practical Challenges
6 Hour Time Limit

I had the opportunity to take the practical exam through an EC-Council scholarship. However, being that I had been hacking for a couple of years already, it was a joke to me. I mean seriously - a joke. The material was dated, and besides a specific type of Web Application attack, everything was basic.

The examination feels like a CTF, find ‘x’ or figure out ‘y’. It was ironic that the claim is a real-world representation of Penetration Testing because this exam is FAR from that. I have never performed a Penetration Test where all of the information was neatly gathered for me and discovered in the reconnaissance phase, however, this exam requires minimal realistic exploitation methodology. Additionally, you don’t even have to shell a system, escalate privileges, etc.

The type of hacking that is practiced on the CEH Practical is not realistic, and while you may use some of the skills from the exam in the real world, you would have to be critically lucky to exploit systems using the methodology tested on the CEH Practical exam. However, you would still have to know what to do with the information gathered and how to exploit it - which is something EC-Council does not teach their “World Class Hackers”. Trust me, I have the OSCP and CEH Master. It’s a night and day difference.

For instance, if you have been hacking for years and take the OSCP, there’s a good chance you may still fail. Compare that to the CEH Practical: where hacking for a few years and attempting the exam is like showing up to a 1st-grade class and taking an English exam.

I felt so cruel taking this exam; this was me:

/uploads/lol.png

Summary

  1. Is the CEH Examination worth it? No.
  2. Is the CEH Practical worth it? No.
  3. Will I learn how to be a Penetration Tester after taking the course/these exams? No again.
  4. Are there any better certifications for close to the same amount of money? Yes! Probably any of the Penetration Testing Courses offered by eLearnSecurity.
  5. Should I pursue this certification? If you have the means to, and it’s not a financial struggle - go for it. However, if money is an object, I recommend avoiding it.
  6. Does anyone care about this certification? Yes and no. It shows you have the drive and willingness to step into the Hacking Arena. It also looks good for basic security roles for HR purposes. It does not prove that you know how to hack. It will be exceedingly difficult to become a Penetration Tester off of this certification alone. You have to take the time to prove that hacking is much more than coursework, and show some solid skills and methodology.