In this post I will give you my review of the Learn Ethical Hacking From A-Z: Beginner To Expert Course from Udemy by Juan E. Galvan and Anthony Timbers.
‘Buying’ this course was again a no-brainer for me, since it was in a sale which made the course completely free. I was hesitant about whether or not the course would be worth my time, but free is free and perhaps there were some hidden gems I would uncover in the later sections. You never know!
I have tried to be constructive and have tried to remove any roasting. Apologies for any acidic comments that I have missed but as you will soon find out, I am not a fan of this course.
As stated in its name, the course focuses on beginners. It is also stated that you can get away with having basically no security or programming experience at the start of this course. Some of the basics are indeed touched upon in the first few sections, and although you will be able to get a better introduction to those subjects elsewhere they were acceptable.
If you do however have little in terms of a security background to rely on, you will likely get lost from the wireless security section on. Terms like IV and RC4 cipher stream are used, but not explained. After condensing the relevant vulnerability down to a few slides (in a very lossy format) you’ll be provided with a very basic and fleeting understanding of the underlying principle before showing off an attack that exploits it.
This approach is more-or-less what you can expect throughout the practical part of the course. You’ll be offered very little in terms of explanation, instead most of the course will function as a walk-through of well-known tools.
As an author of a ‘zero to hero’ style course such as this I would think you have two approaches available to you. You either go ‘all-out’ and assume very little knowledge (like the authors did in the first few sections) or don’t, and assume knowledge about key concepts when explaining an attack (like the authors did right after the introductory sections). It is regrettable to see that this course combines both, but understandable since this is a hard type of course to get right.
I get the impression the authors are riding on the hype of ‘becoming a hacker’ while mostly sidestepping the importance of the foundational knowledge and practice required to actually go from ‘beginner to expert’. Perhaps it is up for discussion whether or not you need a good computer science foundation before diving into security, but I firmly believe one should learn to crawl before one tries to walk [1]. You can go through my For Beginners resource section to help you check up on your fundamentals. In there you’ll come across DFIR Madness’s post about The five pillars, which also offers a few compelling arguments in favor of this approach.
Perhaps I shouldn’t be so hard on the authors, it is merely a 12h Udemy course. It is naive to believe you’ll actually “Learn how to become an elite ethical hacker and easily hack networks, computer systems, web apps and so much more…” but it really bugs me that this is exactly what they’re selling their course as. As DFIR Madness puts it: “The cert farms that tell you A+, Net+, Sec+, and CEH in 6 weeks will get you a career are stealing your money.” Those who claim to make you an elite ethical hacker in 12 hours are -in my opinion- also wasting your money.
For those who have gone through the ‘Learn Ethical Hacking From A-Z’ course, please forget everything you’ve heard in the ‘How to remain anonymous on the web’ section. You DO NOT just need to run TOR or rent a VPS/VPN to become “completely anonymous on the internet”. This is just plain false. Please do your own research!
I’ve also not heard many good things about the Certified Ethical Hacker (CEH) certificate. Depending on where you want to work (the US DoD seems to require it) you might want to look for a more foundational and well-respected certificate like the Offensive Security Certified Professional (OSCP) cert. It will make sure you’ve mastered the fundamentals of offensive security and get the credit you deserve for the heaps of work (and money) you put in.
Actually A List
The introduction to bash exposes you to an excruciatingly limited amount of bash, touching upon the basics of the basics, at best. It is of course exactly what you’d expect from a 9 minute video, but this just makes me feel like this course tried to check all of the basics on their list without actually providing their students with the resources and incentive to understand the subject. Where are the exercises? Where is the pile of external resources?
In my opinion, and I know it might be harsh, this course is pretty much only good for exactly that, a checklist of the basics. That they recommend you get a ghost writer to write your information security book for you speaks towards the quality of this course.
A Course Recommendation
The Cyber Mentor (AKA Heath Adams) released his 25h Practical Ethical Hacking course, the first 40% of which you can get for free by previewing the content. This is not an accident, he specifically allows you to just learn the basics for free and learn you will in this course. If you learned a lot in the first half of the course you should probably think about getting the second half.
I was rather disappointed by this course. Perhaps my expectations were set rather high after the Offensive Security Engineering course on Udemy (which was absolutely fantastic). I don’t understand how this course got to 4.5 stars when the Offensive Security Engineering one only got to .1 more. Perhaps I’m alone in my opinions, or perhaps I’m just wrong.
If you do not agree with any of my writing I urge you to contact me so we can discuss your arguments and fix my mistakes. Contact information is available on the bottom-left of the page, as always.
To end on a brighter note, I did take some things away from this course:
- The Python SMTP user enumeration script inspired me to start writing user enum scripts in Python.
- The statistics from the beginning of the course were an eye-opener to me.
  - Especially the fact that 43% of attacks target small business, yikes.
- I checked out a tool I didn’t know existed, an open-source alternative for Nessus: OpenVAS
- The Waterholing attack: infecting a public website which you know your target will visit in order to get to them.
[1] This way you can still crawl your way back home when the inevitable bone-break occurs from trying to walk on underdeveloped legs. Being able to fall back on a well-rounded foundation of knowledge and experience will allow you to ground yourself when dealing with the unknown, something a security expert will continually be doing through their life. Please don’t try to rush experience, you have to put in the work.