
Thursday, 27 May 2010

Training courses - Nerd steroids

A few years ago, when I was trying to break free of the more mundane trappings of IT, I decided to take some certifications. I began with CompTIA and took my Network+ and Security+ exams. Imagine my surprise when these certification exams took me no more than 15 minutes apiece to ACE. They were so easy it became embarrassing to tell people that I had bothered to take them. I have considered many times going for my CCNA and CCSP but never gotten around to it. I am now in the process of taking a 10-day course from infosecinstitute. This course is actually comprised of two courses jammed together into a single bootcamp. I am doing the online version of the course, unable to get my company to buy in for the additional costs of actually attending a physical class. These courses are centered around the CEH, CPT, and CEPT certifications. I am not very far into the first week of material and I am starting to get that sinking feeling again.

I don't want to bad-mouth infosecinstitute and its training... at least not yet. However, the entire first day was essentially an introduction into using VMware and Linux. They do this because they want to be able to cater to people who might not have experience in those areas. My question is, what are such people doing taking courses on pentesting? If you don't know how to set up a VM, or how to kill a process in Linux, you've got a long way to go before you can be a pentester, and it is going to take a lot longer than two weeks. This is where the steroid analogy comes in. People seem to approach these classes as a quick fix, rather like steroids. "If I take this class, I will learn to be a 1337 h4x0r".

DarkNet has a post about training courses right now too. In it he talks about how the CEH is pathetic (I am inclined to agree so far) and then talks about a few other courses/certs. Frankly speaking, these look much the same as every other one I've looked at. They seem tantalizing at first, then you realize it's the same recap bullshit and you learn nothing new.

Let's give up on steroids, guys, and start thinking about some workout regimens. I want to see training courses out there that say outright "If you don't know what the different kinds of vulnerabilities are, or if you don't know how to find SQL injection, XSS, etc... don't take this class". Let's have some classes that start with "So you know how to find some vulnerabilities, let's talk about advanced techniques, and things you never thought to try before". Let's talk about how you maximize your extraction from a SQL injection, or what things work in Oracle or in MSSQL, or U2, or Sybase, etc. Let's talk about some advanced encoding tricks, and how to pack JavaScript to get around filters. Let's talk about writing shellcode to try and exploit in a buffer overflow.

I am tired of having to rehash the same crap over and over again. Then I read what things RSnake or someone else is up to. I stop and think "hrm, what are they doing differently than me? What do they do better than me? Why?" I want to see training courses that answer those questions. I want something that says "Okay, you're a pentester. Now let me show you how the big boys do it."

Anyways, that is my rant for the day. Stay tuned as I am going to be working on putting together a bit of a SQL Injection cheat sheet in the coming weeks. I hope to have something comparable to RSnake's XSS cheat sheet and a lot better than the other ones I've seen.