So I've finally booked my OSCP exam for the end of this month which leaves me a few weeks to revise what I have learnt. Even with the extension I was not able to compromise every machine in the lab but I got a large chunk of them!
With the benefit of hindsight I think I should have approached the course differently. While it was certainly helpful to have the two weeks off to concentrate solely on the course you can't think of it like a normal 09:30 - 17:00 five day course at a training centre. Although my evening time is limited it would have been helpful to use the time between study weeks to kick off large port scans, brute force password checking etc. This would have saved quite a bit of the "quality" time I had dedicated to my training.
Anyway the course has certainly been extremely useful and it has definitely accelerated my learning. The only area I still feel a bit weak on though is web application attack vectors. This is covered at the end of PWB and therefore I did not have as much time to spend in the labs with this as I would have liked. I also think that this is such a vast topic that it would require a course all to itself. I am going to try and fill some of the gaps in my knowledge before the exam.
My pen tester contact had mentioned to me previously that a good source of information on web application attacks is the OWASP project (www.owasp.org). The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Browsing through their site they have a project called WebGoat which is designed to teach people how to test for and exploit typical web vulnerabilities. I'm going to install it and see what it's like. If I get the time I will try and post up the installation procedure and usage.
