Thursday, September 22, 2022

Practical Network Penetration Tester (PNPT) Course and Exam Review

Blog posts have been sparse this past month due to my preoccupation with the Practical Network Penetration Tester (PNPT) courses/exam from TCM Sec. Luckily as of this post, I've successfully completed the certification and thought I would share my experience and thoughts for others who may be looking to take this exam. For those unfamiliar with the PNPT exam or TCM Security, here's a quick rundown of the exam, course, and company.

TCM Security

TCM Security is a security company that offers security assessments, penetration tests, and security related training/certifications. Heath, also known as The Cyber Mentor, is the founder of the company. TCM launched their own training platform as well as penetration testing certification within the past two years in order to compete with many of the other training providers out there. TCM's main claim to fame is their extreme desire to keep the cost of cyber security training as affordable as humanly possible. The group offers many free seminars/live events as well as frequent discounts on their many courses. Earlier this month they ran an insane sale in which many courses were as little as 1 dollar for lifetime access! The dollar sales aren't an uncommon thing either. TCM really is out for the betterment of the profession rather than making an insane profit off information that's readily available for free on the Internet.

Practical Network Penetration Tester

The PNPT, at the time of this writing, is TCM's only certification. I certainly hope they come out with more but this article will be about the PNPT. According to TCM's site: "The PNPT exam is a one-of-a-kind ethical hacking certification exam that assesses a student’s ability to perform a network penetration test at a professional level." The exam is a three part exam, which is definitely a first in the cybersecurity world. The exam has a training course known as Practical Ethical Hacking. The course is stated to cover all the necessary aspects required to be successful on the PNPT exam. There is a course multi-pack that is also suggested as a more thorough training collection for folks who may be brand new to penetration testing called PNPT Exam Attempt with Training. This course collection is quite literally a ground-zero collection of training for people new to the field. The collection includes five courses and an exam attempt with a free retake for the price of $399 at the time of this writing (TCM also offers discounts for military, EMS, and students). Even without the discount, the $399 price is unheard of in the ethical hacking training/certification space; it's REALLY low for the quality of what you get!

I opted for the training bundle as my mantra is you can never over-prepare for an exam. The training bundle provides five courses: Practical Ethical Hacking, Open-Source Intelligence methods, Windows privilege escalation, Linux privilege escalation, and External Pentest Playbook. I have many years of background in the materials but it never hurts to review materials. Worst case it's a good refresher and provides some insights into what the exam might be like and best case the training materials teach some new techniques to add to one's arsenal. I also worried about the Active Directory (AD) aspects of the PNPT since my day-to-day work often doesn't involve AD. So taking the time to go through the PEH course and associated labs to learn some AD skills was beneficial.

Exam Preparation

Exam preparation is one of the most common questions for any certification exam. While there's no one path for everyone, below is the process I used. Since I bought the whole training bundle, I made sure to go through PEH, OSINT, and External Pentest Playbook. PEH is stated to be the only thing you need for the exam but I had heard from numerous reviews that OSINT was crucial to the exam. After going through the courses, I went back and did the mid-course capstone boxes from the PEH course, which I had originally skipped. These boxes were decent but I was still worried about the Active Directory part of the exam so I went to TryHackMe to partake in a number of Active Directory related rooms there to supplement PEH. The rooms I'd recommend are as follows:

----- THM Resources ----
-- No requirements --
Post-Exploitation Basics
Attacktive Directory
Raz0rblack
VulnNet Roasted
VulnNet Active
Enterprise

-- 7 day streak req --
Breaching Active Directory
Enumerating Active Directory

The PNPT Exam

The PNPT exam consists of three components. The first component is the actual hands-on exam where the student is expected to use the skills learned from the materials to successfully compromise an administrative account on the exam client's domain. Upon completion of the first part of the exam, the second part is the creation of a professional penetration test report to be reviewed by testers with TCM's organization. If the student's report is satisfactory, the student is then invited to the third part of the exam which is a live debrief with a "member" of the fictitious company to present the results of the penetration test. The third portion of the exam is unique to the PNPT among all of the penetration testing certifications at the time of this writing!

Exam Phase One

This part of the exam started off like many of the other practical penetration testing exams. The student picks an exam time and once that time arrives, the student receives VPN credentials and a letter of engagement to begin the test. The PNPT provides 5 full days to perform the actual technical part of the exam. The practical part covers most of the topics of the PEH course well. I was a bit worried about the OSINT portion as I had heard from many reviews that it would be a deal breaker if the student wasn't good at OSINT methods. While I agree that the OSINT part is important, it was honestly extremely trivial in the grand scheme of the exam. On top of the OSINT part, I would also suggest PNPT prospects make sure that they focus on privilege escalation techniques, lateral movement and pivoting, as well as system pillaging.

I really enjoyed this portion of the exam. One of the best aspects of this exam was how stable the exam environment was during the exam! Windows machines are often the bane of many practical pentesting exams as the machines often aren't stable, connections to RDP are flaky at best, and boxes tend to be unstable when trying to pivot through or interact with them, but the PNPT exam environment was honestly the most stable environment I've experienced thus far with penetration testing certs. The machines themselves were far more realistic than the vanilla Windows boxes seen in other exams. There were a number of other things that the PNPT implemented in the exam environment that I felt patched holes that existed in other exams I've done but I can't say more since it might provide answers to other exams. The goal of this part of the exam is to gain administrative access to the client's domain controller. Upon successful and persistent access to the domain controller, it is safe to start phase two of the exam.

Exam Phase Two

This portion of the exam is relatively easy compared to phase one and students are given 2 days to write the report after the five days for phase one end. The report writing is simply a matter of proper documentation of the vulnerabilities and methods used to continue gaining access into the client's network. TCM provides both a report template that can be used as well as a video on how to write a professional report. The report writing was arguably the longest part of the exam for me as I wanted to make sure my notes accurately reflected how I moved through the environment. As I went back through my notes, I also wanted to make sure that adequate screenshots were available to help drive home critical points in the report. All in all I'd say the phase one part took about 25 hours due to some oversights on my part in a few areas and then the actual report writing and analysis was maybe another 30-35 hours. All said and done I was able to complete the report and send it in on the final day of Phase 1. Shockingly I heard back from TCM within 4 hours of my submission and was happy to hear that I would be proceeding on to the final stage of the exam.

Exam Phase Three

The final phase of the exam is a live debrief with a member of TCM Sec. I'm not sure if Heath (The Cyber Mentor) does all of the debriefs or not but I was excited to get to meet him and present my findings. TCM provides students with a large number of options for partaking in the debrief so scheduling was very easy. The student is given no more than 15 minutes to present their report in any fashion they desire.

Final Thoughts

All said and done, the PNPT was a great experience and I appreciate the thoroughness of the exam. The test, report, and debrief are all great experiences. The real topping to the cake was getting to actually meet Heath during the debrief! He's doing great things for the industry and it was a pleasure to get to meet him. The cert and training TCM-Sec has developed are a great starting place for beginners and useful skills development for seasoned individuals alike. The price point is great as well, especially compared to the more expensive and toxic training providers out there.

