Practical Network Penetration Tester (PNPT): Certification Review
By: Zack Branch
About Me:
My name is Zack Branch, and I am currently working in my first I.T. role as a Technical Support Analyst, where I've been for the last 3 years. I started out with absolutely no knowledge of really anything in IT. I barely knew what an IP address was at the time (didn't even know about IPv6.) I took it upon myself to take a CompTIA A+ certification course, and achieved the certification along with it. I then found the position that I'm in now which started my IT/Security career, and I immediately discovered upon working within IT that I had found a passion for Cybersecurity. I began pursuing knowledge on the matter ever since. I wanted to understand fundamentals of networking and security, so I followed the A+ up with the Network+ and Security+ certifications.
At the time, I had only ever been exposed to hacking via the news during a giant breach, and was unaware of how freely available the information to gain the skills necessary to do so was online. Being exposed to penetration testing within the Security+ exam, it piqued my interest hard. I quickly started digging into it and discovered sites such as TryHackMe and Hack The Box where I began to utilize each site daily to learn more and more about hacking.
This led to me discovering the PNPT certification. I was looking into what to achieve after getting down the fundamentals, and had come across many offensive security certifications such as the OSCP, eJPT, etc. But the PNPT stuck out to me the most, and thus is where this whole journey began!
At the time of writing, I currently hold the PNPT certification (most recent,) as well as 4 CompTIA certifications (A+, Network+, Security+, PenTest+) and an Azure certification (AZ-900, Azure Fundamentals).
I love the everlasting learning that comes with this field, and cannot wait to keep growing my knowledge and experience to help protect the world from Cyber criminals!
PNPT Overview:
The Practical Network Penetration Tester (PNPT) certification is an entry-level Offensive Security certification provided by TCM-Security for a very affordable $299 for the exam attempt only. There is also a package that includes an exam attempt plus the training courses (covered in more detail below) provided by the TCM Academy for $399.
The exam simulates a real-life penetration test against a "client's" network where you'll have 5 full days (120 hours) to perform your test with the primary objective being achieving Domain Administrator on the "client's" Domain Controller, and compromising their entire Active Directory domain. You begin the exam from an attacker's perspective and will perform Open-Source Intelligence (OSINT) to gather information about how to attack the "client's" external facing network. Once the external network is compromised, you'll leverage your knowledge to compromise the "client's" internal network where you'll get to exploit their Active Directory environment to achieve gaining Domain Administrator. Once you fully compromise the "client's" domain, you'll then have 2 days (48 hours) to write up a detailed report outlining your findings, and steps for remediation. Finally, if your report is accepted then you'll schedule a meeting with the "Client" (TCM staff) and have a 15-minute debrief over a video call where you'll present a high-level overview of your findings and remediation steps to the "client's" executives. Only after the debriefing will you find out if you passed your PNPT exam, thus achieving the PNPT Certification.
You can find the entire course syllabus and exam overview here.
At the starting time scheduled on your test start date, you are provided a Rules of Engagement document outlining your task, what's in scope, what's out of scope, a personal OVPN file and are provided the subnets for their external/internal networks. You also receive a public website that you can utilize to perform some OSINT on (though, you may not attack this or your exam will end and you'll forfeit your attempt and any future attempts if you try. Always stay in scope.) You are provided 2 environment resets throughout the entire five day window (it was very stable, I never needed to reset the environment) and you may use any tool that you'd like on the engagement.
There are three big aspects about this certification (not including the price of the certification/training being an absolute selling point) that caught my eye. The first being that this is a 100% practical, hands-on exam with zero multiple choice questions. I enjoy this because it gives you the ability to prove that you not only understand the material, but can apply it to a real-world scenario. The next aspect that sold me was the presence of Active Directory, as I don't believe AD penetration testing has been widely adopted in certification exams (I believe the OSCP just adopted AD penetration testing fairly recently in its exam) and given how prominent it is in the real-world, I felt this is a very important skill to have. Lastly, if you failed the first attempt, you get a second attempt at the exam absolutely free! And to make this bit even sweeter, if you do not achieve the exam's primary objective then you'll still write the report up until the point to where you got, and TCM will provide a hint on how to get past where you were stuck. This is a game changer in my personal opinion as every other certification I've taken had quite a hefty retake fee involved if you failed. So to see TCM offer this is such a relief because it says that they're not there to profit off you failing, and that they actually want you to pass and succeed. I'm not necessarily saying these other companies DON'T want you to pass, but they definitely profit off you failing. TCM however, does not and this was probably the biggest selling point (again, besides the price) for me.
Training Courses:
I opted to pay the $399 and take the 5 courses included in the bundle as I had really only done TryHackMe and Hack The Box Academy lessons and felt like these courses would really benefit my chances at passing the exam.
The 5 courses included in the PNPT Exam with Training bundle are:
- Practical Ethical Hacking - The Complete Course
- Open-Source Intelligence (OSINT) Fundamentals
- External Pentest Playbook
- Windows Privilege Escalation for Beginners
- Linux Privilege Escalation for Beginners
All 5 courses are led by Heath Adams, the founder and CEO of TCM Security. I personally believe that Heath did an amazing job with all of the courses, and put each aspect into a perspective that was very easy to understand as a beginner. Not only does he do a great job of putting each aspect into perspective, but he also does an amazing job of providing you with the type of mindset to have in each given scenario. Given the dynamics of the Offensive Security realm, this is key.
I would definitely say the bread and butter of the course bundle is the Practical Ethical Hacking - The Full Course as this provides everything you'll need to pass the exam. On top of the general hacking TTPs (Tactics, Techniques and Procedures) you'll cover, you'll also go over topics such as Networking Fundamentals, Basics of Linux Operation, scripting using Bash and Python and more as these all play heavily into the Penetration Testing role. I was very glad to see this content included within the course as I believe these fundamentals are crucial to know before really getting into any hacking. Otherwise, it'll be a struggle. I also absolutely loved the Active Directory portion of the course, especially the lab environment that you set up (I still use it in my Home lab today) and this in my opinion was the most fun part of the entire course.
The Open-Source Intelligence Fundamentals and External Pentest Playbook courses I thought were both great as well! The OSINT course focused more on the different tools and techniques used when performing Open-Source Intelligence, whereas the External Pentest Playbook was more geared towards the entirety of an external penetration test and covered more on when to perform OSINT (again, with the OSINT course covering more on "how" to do it,) external pentest methodologies, how to attack certain external entities, and more.
When it comes to the two privilege escalation courses, I as well thought they were both great! The one thing I did want to mention is that you'll want to have some knowledge of Web App penetration testing going into these. While these do provide great insight into escalating your privileges once your initial access to the server is achieved, you will need to know how to achieve that initial foothold to begin with prior to being able to achieve the main objectives of the course (Or it'll at least make it easier.) Each course does have a capstone of about 5 machines (varied between Hack the Box and TryHackMe) that increase in difficulty as you progress, and contains a walkthrough with Heath. However, it is encouraged to do each machine on your own before doing the walkthrough. And if you've ever done TryHackMe or Hack The Box, you'll know that the majority of machines have you gain an initial foothold by exploiting a vulnerability in a web application. So again, these two courses are great, but it would help to have some Web App testing experience under your belt.
Open-Source Intelligence (OSINT):
There isn't much I can say regarding the OSINT portion of the exam, but one thing I will say is that I was probably most anxious about this part as I really had no idea what to expect, and hadn't practiced too much on OSINT prior. Though, I was pleasantly surprised to find that the information you are looking for comes rather naturally. This actually ended up personally being the quickest part of the exam to get past and if it's something you've been nervous over, I wouldn't put too much thought into it. If you took the OSINT Fundamentals/External Pentest Playbook courses (or have had some prior OSINT experience) you'll be just fine!
External Penetration Test:
After gathering all the information from your OSINT phase, you move on to the external portion of the engagement and attempt to find assets that you can attack on their external network. Once you locate an attack point, you then get to piece the information you found from your OSINT together with attack techniques to infiltrate the external network. Once you have gained access, you will then have to enumerate to find an attack vector into their internal network.
I definitely hit a wall for a brief period during this portion of the exam as I had come across something I hadn't encountered before. It definitely ate at my confidence because I wasn't expecting to hit a wall so early on in the exam. However, after a couple breathers and digging through some documentation, I was able to find exactly what I needed to overcome my obstacle and the confidence returned! So if you get stuck, don't give up!
Internal Penetration Test:
Once you find your vector into their internal network, the real fun begins! This is where you'll get to utilize your Active Directory exploitation techniques as you pivot through their internal network, and eventually end up obtaining access as the Domain Admin on the company's Domain Controller. While you do have to perform a ton of enumeration to plan your next steps at each point, there is a path that you can (enumerate, enumerate, enumerate and take notes) map out throughout this portion of the exam which helps guide you with the right information available. Enumeration is key :)
The biggest piece of advice I can give here (which technically applies throughout the entire exam) is to keep it simple, and do NOT treat the exam like a CTF. I cannot stress that enough. I found myself having this mindset a few times within this portion of the exam, and had to actively tell myself to not do so and to treat this as a real-world engagement. It definitely took a bit of a mental adjustment to get myself out of that mindset since CTF style hacking is all I had really done up to this point, but I would say it was one of the most helpful tips I was provided. Also, watch for a few rabbit holes ;)
This was personally my favorite part of the exam, and I had an absolute blast as I traversed their internal network. Though, I would definitely say it was also the hardest part of the exam (and partly why it was my favorite portion since I love a good challenge,) and having the CTF mindset at times definitely presented some brick walls. But, with patience and change of mindset came the glorious moment of obtaining the exam's primary objective of gaining access as Domain Admin!
Findings Report:
As most penetration testing jobs require a written report detailing the findings during the assessment, this added a very realistic touch to the exam. Once you have fully compromised the domain, you are allotted 48 hours to write a detailed report and send it back in for review.
You are given a template that you can use, or you can create/use your own. I opted to use the template provided, and modified it to make it a little more personal to my situation/exam. With each finding that you present, you are to provide some remediation recommendations, and I also provided resources with each finding that would back up my statements.
My report ended up being about 36 pages after all was said and done, and I was able to finish it within an afternoon. I think the 48 hours is plenty of time to construct and present a professional report, and having to write this report gives you a great idea of what an average portion of the field would entail beyond the excitement of legally hacking devices.
Debrief:
The debrief portion is the final step in the exam. You've compromised their domain, and have sent in your findings and remediation recommendations within a detailed report where the TCM staff will review your report and decide whether or not you move on to the final step. If your report is approved, they will provide you with a meeting invite where you can schedule a date/time to do the debrief.
During the debrief, you have 15 minutes to present your findings and remediation recommendations over a live video call with the "client's executives."
For this portion, I chose to create a PowerPoint presentation and share my screen during the debrief. I was greeted by the TCM staff who laid out how the debrief was going to go down, verified my identity, and then gave the floor to me. The presentation was about 7 slides long, and I finished the debrief in a little over 11 minutes where I was then followed with a passing score to the exam.
Concluding Thoughts:
Overall, this was the best certification exam experience I have taken to date, and I would highly recommend it to anyone interested in Cybersecurity. Even if you don't plan on becoming a Penetration Tester or Offensive Security Engineer, I believe knowing how an attack works, and what tools & techniques are used when an attack is played out is crucial for understanding how to stop said attack. So the information and experience gained with this certification can be applied in more than just the red team.
The TCM Staff was amazing throughout the entire experience, and I have zero complaints to make about any part of the exam/training. The exam was just the right amount of challenge, and I learned a vast amount from the moment I decided to embark on the journey to the PNPT certification. And for the price at $399 for the exam and training AND a free retake, you just can't beat that.
Thank you again to Heath, and all of the TCM staff for such an amazing journey, and the challenge brought upon by taking on the Practical Network Penetration Tester exam. I am proud to say I'm PNPT certified, and am very much looking forward to future certifications released by this company.