Thoughts on the CREST CRT

Continuing my thoughts-on-exams series (see CISSP & CPSA), here are some notes on the CREST CRT. These are notes to help you prep, not the answers – CREST have a robust NDA and I have no intention of breaking it!

Pre-Reqs

You will need to have sat and passed the CPSA MCQ at a Pearson Vue test centre first. You book this direct with Pearson Vue using a credit card.

Once that’s done, book the CRT direct with CREST by filling out the form at https://www.crest-approved.org/wp-content/uploads/UK-Exam-Booking-Form.pdf and emailing it to them. Nominate a month you want to do the exam and CREST will come back to you with some dates and morning/afternoon session availability.

You’ll need to travel to Slough – the test centre is 5 minutes’ walk from the station. Although there are several car parks, I really struggled to find spaces so the train might be your best bet, especially if you have a long drive.

CREST were really helpful and friendly during the booking process so don’t be shy about dropping them a line if you have any questions.

Your laptop

You’ll need to take in your own laptop, but remember that CREST will want to wipe the hard drive on it afterwards. They didn’t seem too concerned about the swish M.2 SSD I had in mine, but if your drive is non-standard, drop them a line. Either clone your existing drive or build fresh onto a new disk, as they’ll be hanging onto the one in the machine for a few days and you’ll be without a working machine otherwise.

Kali should get you through the majority of the test, but you’ll need a vulnerability scanner too so license up a copy of Nessus or OpenVAS. Similarly a web proxy tool like Burp will be helpful for the webby bits. If you’re sitting this exam then these will all be tools you use daily anyway. Maybe.

Make sure you’re comfortable with configuring networking on your laptop and any VMs you have. If you do use VMs, I’d recommend bridging rather than NATing. You can take in a subnet crib sheet to help, or install ipcalc. As the candidate notes point out, there are 10 marks up for grabs just for getting connected.
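To make the subnet crib sheet concrete, here is an added example (not from the original post) that does what ipcalc does for the address you are handed, says which targets are on-link versus behind the gateway, and emits the iproute2 commands to get a Kali laptop connected. The address, gateway, targets and the eth0 interface name are constructed placeholders, not exam values.

```python
import ipaddress

# Constructed sample values (not from the exam or the post): the address handed
# to the candidate, the gateway, and a few target hosts from the question paper.
CANDIDATE_CIDR = "10.20.30.45/27"
GATEWAY = "10.20.30.33"
TARGETS = ["10.20.30.50", "10.20.30.70", "192.168.5.10"]


def subnet_facts(cidr):
    """Return the crib-sheet numbers ipcalc would print for an address/prefix."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    hosts = list(net.hosts())
    return {
        "address": str(iface.ip),
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
    }


def classify_targets(cidr, targets):
    """Say whether each target is on-link (ARP-reachable) or needs the gateway."""
    net = ipaddress.ip_interface(cidr).network
    return {t: ("on-link" if ipaddress.ip_address(t) in net else "via gateway")
            for t in targets}


def linux_setup_commands(cidr, gateway, dev="eth0"):
    """The iproute2 commands to bring the interface up on the exam subnet.

    Assumes a Linux (Kali) laptop; 'eth0' is a placeholder interface name.
    A gateway outside the subnet is the classic reason 'getting connected'
    fails, so it is rejected here rather than silently emitted."""
    net = ipaddress.ip_interface(cidr).network
    if ipaddress.ip_address(gateway) not in net:
        raise ValueError(f"gateway {gateway} is not inside {net}")
    return [
        f"ip addr flush dev {dev}",
        f"ip addr add {cidr} dev {dev}",
        f"ip link set {dev} up",
        f"ip route add default via {gateway} dev {dev}",
    ]


if __name__ == "__main__":
    for k, v in subnet_facts(CANDIDATE_CIDR).items():
        print(f"{k:>13}: {v}")
    for t, how in classify_targets(CANDIDATE_CIDR, TARGETS).items():
        print(f"{t:>15}: {how}")
    print("\n".join(linux_setup_commands(CANDIDATE_CIDR, GATEWAY)))
```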

Read through the syllabus and write down the relevant tools and switches you’ll need for each section – some of them don’t come as standard on Kali and you’ll need to install them beforehand.

General strategy

Time will run away from you, even if it doesn’t usually in these kinds of tests. Be organised! It’s an open book exam so take in tool notes and crib sheets, you do not want to be scrabbling around trying to figure out the syntax for things. I found https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/ to be really helpful, so save a copy of that offline somewhere.

The test network is not internet-connected, although there is a machine in the corner of the room that you can use to Google, but frankly, if you’ve gone there then move on as it’s just a time suck.

Read through the question paper first. It’s a series of MCQs, but some questions are weighted more than others, so plan your time so that you don’t miss out on some of these more valuable ones. It’s not negatively-marked, so if you get to the last 5 minutes then just guess, don’t leave answers blank.

None of this is anything the invigilators won’t tell you at the start!

Good luck!