What is the PNPT you might ask?
The PNPT or Practical Network Penetration Tester certification is a relatively new certification offered by the team at TCM Security, the brain-child of Heath Adams (@thecybermentor). TCM Security aims to make cyber security certifications available to the wider community at an affordable price.
The below is from the TCM Security site ( https://certifications.tcm-sec.com/pnpt/ ):
My Decision to take the PNPT
Why did I take the Practical Network Penetration Tester exam and certification?
I have worked in the IT field for over 20 years and have had an active interest in Cyber-security for several years. Along with this I have been participating in other online hacking training sites like TryHackMe, HackTheBox, etc, and I have been wanting to get certification in the field.
The price point of many of the other current certifications out there was making it more of a financial stretch for me to be able to obtain them, especially with the exchange rate for me living in Australia. When Heath and the TCM Team said they were offering this certification at the price they did it was a no-brainer for me to take it.
You have two options available to you if you want to get the PNPT certification.
The standalone certification exam for only US$299 (AUD$400), or
The certification exam with training for US$399 (AUD$540).
These prices are discounted 20% for veterans (current and former military) as well as first responders (Police, EMTs, Firefighters, Nurses, Doctors, etc.), regardless of country. They also extend this discount to students.
For details on these offerings and related FAQ please refer to the official TCM Security PNPT certification page.
PNPT Training Courses
The quality of the training material is of a high standard and the instructors present the material in an easy to follow manner which helps in understanding course content and concepts covered. Along with the courses they each have a discord channel or group where you can ask any questions you have about the material.
One thing that I can’t stress more is the need to take good notes while taking any training course. Good notes will help you to no end during the exam or in any other engagement.
I ended up purchasing the standalone certification exam as I had been fortunate enough to get the training material for a cheaper price from one of the many discounts that Heath and the TCM Security team offer for their courses, and every couple of months or so the TCM Team offer their Practical Ethical Hacker course for free.
With these discounts I was able to get the suggested courses (Practical Ethical Hacking, Linux Privilege Escalation for Beginners, Windows Privilege Escalation for Beginners, Open Source Intelligence [OSINT] Fundamentals, External Pentest Playbook) along with the Movement, Pivoting and Persistence course.
While you don’t need all these courses to complete the PNPT certification exam they all offer great material and other insights or attack paths you could use for the exam or other everyday pentester needs, and learning new things can’t hurt, right?
PNPT Certification Exam
When you think you are ready to take the PNPT exam you can book your exam with the certifications team. They will provide you a link to a calendar with meeting times where you can choose a day and time to start your exam. The calendar will show you 15 minute intervals to choose from. This time will be when the certifications team will send you out the connection and exam details and spin up the exam environment.
The exam itself has been set up to be like a real penetration testing engagement, where you receive a rules of engagement document from the client along with the scope of what the engagement involves. Once you receive your engagement email you will have 5 days (120 hours) to complete the exam with the end goal of complete domain controller compromise.
On top of this you have an additional 2 days (48 hours) to prepare a professional report on your findings that is to be submitted to the certification team.
If your report is detailed enough and shows how you compromised the network you will receive an email from the certifications team to book your 15 minute client debrief with a member of the TCM Security Team. This will be a link to another calendar where you can choose a day and time that would suit you best that falls in line with the availability of the Certification Team.
My Exam Experience
I booked my exam to start on a Sunday morning, as I had booked the following week off from work and due to being in Covid lockdown I didn’t really have anywhere to go.
At around 8:30am I received my email with the Rules of Engagement document along with the VPN file to connect to the exam environment. From here, I connected to the VPN to make sure that everything was working and I could get an initial response from the network, and run some base scans while performing OSINT on the company provided in the RoE document.
I hadn’t done much in the way of OSINT previously and it was good to have some time to explore it, to try and see what information I could find about the business and their online presence and make note of anything that could be useful to help in exploring their network once access was gained.
I can’t go into any great detail on the specifics of the exam as it would give away too much of the whole experience and fun to be had. But I will say that one thing that got me a couple of times was that I was overthinking certain aspects of the environment and had unfortunately slipped into a Capture the Flag (CTF) mindset, which caused me to spend the better part of a day trying and testing things that weren’t necessary to progress in the exam.
There were also a couple of points in the exam where I saw certain things on a machine or two and I thought “aah crap, this is going to be a pain” but I was relieved that it wasn’t. The creators of the exam environment did a great job and left odds and ends throughout the exam to give you a laugh and make light of certain other exams that were all in jest. These lighter moments helped break up the times where I got so focused and stuck on things that it made me realize I had plenty of time to do the exam and reminded me to take a break and rethink things.
Overall it took me the better part of 3 and a half days to get through the practical part of the exam and get to my final goal of compromising the Domain Controller. My next step was to prepare a report on my findings along with remediation to those findings. I planned to use the remaining day and a half of exam lab access reviewing my process and steps taken and make sure that I had all the screenshots and proofs that were needed to validate my steps.
One thing that happened while I was writing my report was that one of the machines broke domain trust and was playing up with my access to it. The IT Support Professional in me couldn’t leave it that way. Thankfully I had my persistence access to the machine and I was able to remove and re-join it to the domain making everything happy again.
In the end it took me a little under 5 days to complete the exam and report fully and I submitted my report on Thursday Evening.
I received the acceptance of my report and scheduling of my debrief within 3 hours of submitting it. Talk about a quick turn-around. With the acceptance of my report I received a link where I could schedule my 15 minute debrief where I would need to present my findings and remediations. With the time difference with being in Australia the soonest I could book a reasonable time for the debrief was on Tuesday morning at 7am. This gave me plenty of time to worry about how best to do my debrief. I ended up creating a slideshow to use to give a high level overview of my attack path and associated remediation steps.
First thing Tuesday morning I made sure I was ready and had all my ID and notes ready for the debrief. I was fortunate and lucky enough to have Heath for my debrief which was great and scary at the same time. After the verification of ID was done I went to start my debrief and presentation, but as luck would have it I couldn’t share my screen for some reason, so my slide show went by the wayside (maybe it was a blessing in disguise for Heath to not have to sit through another death by slide show, who knows). Heath was very accommodating with the issues I had and I ended up just talking through my findings and ways to remediate them with him.
Once my debrief was done I received an email with my certification details within a matter of minutes.
I think the Practical Network Penetration Tester course and exam is well worth taking. It is one of a very small few that offers great educational material and training at an affordable price. The material is easy to go through and the support of the community on the TCM discord server is always willing to help with understanding the course material if you get stuck.
One thing that you won’t get on the discord server, and rightfully so, is help when you are doing the exam. Anything relating to details of the exam is dealt with swiftly and removed.
A mantra you will see on Discord if you get stuck with anything in the exam is “everything you need to know to pass the exam is covered in the course material”. This holds true, and with the generous amount of time you have on the exam there is ample time to take breaks and go over your notes or re-watch any course videos you might need.
Another thing that will also help you if you plan to take the exam is to try and keep in mind that the exam environment is set up like a small business network. If you spend a lot of time on Hack The Box or TryHackMe you tend to get into a CTF mindset of having to get root or admin on everything. The exam, like many real Penetration Tests, may or may not require you to “root all the boxes” to get to your final goal. Also try and not overthink things. Parts of the exam aren’t as difficult as they seem and if you do get stuck, take a break, get a drink, take your dog for a walk and come back to the exam refreshed and ready to attack it again.
If you do fail your exam, don’t stress. Still go through the steps to write up a report and submit it and usually the certifications team will provide a pointer on what to improve on or check over. Take their comments and recommendations on board and use that when you are ready to do your FREE RETAKE of the exam.
The PNPT is an awesome course and certification provided by a great group of people who have the well-being and growth of the cyber-security community at heart. If you are thinking about taking the certification I highly recommend it. You won’t regret it.
If you have made it this far in my post I thank you for spending your time with me and sharing my Pathway to PNPT.
Good Luck on your own Cyber-security adventure.