PNPT: All You Need To Know
The Practical Network Penetration Tester (PNPT) is an intermediate-level practical offensive security certification intended for penetration testers and issued by TCM Security. It mainly focuses on network penetration testing which includes both external and internal network penetration testing.
An external penetration test consists of assessing an organization's security from the outside. The methodology is heavily geared towards OSINT.
On the other side of the coin, an internal penetration test consists of assessing an organization's security from inside the network. Here, the methodology is heavily focused on Active Directory.
The certification costs $499 and includes one exam attempt, one free retake and lifetime access to the courses. The courses are divided into five categories:
Practical Ethical Hacking (PEH)
In this section, you start with networking, Linux and Python basics before diving deeper into Active Directory (enumeration, exploitation, post-exploitation) as well as web application attacks (SQL injection, command injection, insecure file upload, authentication attacks, XXE). Furthermore, you will learn how to build an Active Directory lab and will be given hands-on exercises to put into practice what you learned.
At the end of this course, you should:
- Be comfortable conducting an internal penetration test using various Active Directory attacks (LLMNR/NBT-NS poisoning, mitm6, passback attack, token impersonation, Kerberoasting) and tools (Impacket, CrackMapExec, Mimikatz, BloodHound, ldapdomaindump).
- Have a better understanding of common web vulnerabilities and how to exploit them.
- Understand what pivoting is, why it is important and how it works.
Open-Source Intelligence (OSINT)
In this section, you are going to learn how to leverage publicly available information on the Internet to have a better understanding of your target.
Specifically, you will learn how to search for valid emails, breached passwords, usernames, business information, physical locations and phone numbers, as well as how to use search engine operators and perform a reverse image search.
Moreover, before finishing the course, you will also have case studies where you will get your hands dirty.
Linux Privilege Escalation
As the name suggests, this course will teach you the various ways of escalating your privileges (user → root) on a Linux machine by exploiting different misconfigurations on the system, both manually and with automated tools.
For instance, you will learn how to take advantage of the SUID bit, the docker group, sudo, cron jobs, passwords and file permissions, kernel exploits, etc.
As usual, you will have a set of CTFs (challenges) to complete on platforms such as HackTheBox and TryHackMe. Therefore, a subscription will be needed.
Windows Privilege Escalation
Similar to the Linux privilege escalation section, the Windows privilege escalation course will teach you the various vectors that you can leverage to escalate your privileges on a Windows host.
Among these privilege escalation vectors, you will find unquoted service paths, DLL hijacking, token impersonation, insecure service permissions (binary path exploitation), AlwaysInstallElevated, etc.
Here again, you will put into practice what you learned through CTFs on HackTheBox and TryHackMe.
Last but not least, completing the Linux and Windows privilege escalation courses will also help you prepare for certifications such as the OSCP.
External Pentest Playbook
This section is the shortest and least practical one. Nevertheless, you should not overlook it, as it will teach you the organizational aspects (rules of engagement, client communication, report writing, client debrief, retest) that take place before and after a penetration test. In addition to that, you will also learn how to conduct a vulnerability scan using Nessus, attack login portals and bypass Multi-Factor Authentication (MFA).
This is an important part to understand because a penetration test is not only about the technical aspects but also about the organizational ones.
Below you will find a summary of all the different sections highlighted above:
Going through all these courses and hands-on labs will help you get prepared to tackle the exam. Indeed, they cover everything you will need for the exam.
Note: As you are learning, build your own methodology or pentest workflow so that you know exactly how to approach a penetration test. Furthermore, create a checklist for testing specific vulnerabilities or conducting a particular attack. For instance, here is my checklist when I find that SMB is open on a target machine:
PNPT Review
During my PNPT journey, I had good and bad days, but I learned a lot and enjoyed it. Sometimes I felt like I was making no progress, especially on the Active Directory part because it was quite new to me, which is a normal feeling. But guess what? After building my own AD lab and practicing again and again, I finally got comfortable with Active Directory. That is to say, you don't become good at something overnight; you need to feel stuck and frustrated and keep on practicing until you get better.
That said, here are the positive points I noted:
- The courses are well structured, well explained and easy to grasp. Moreover, you have lifetime access to the course material.
- The exam is practical and realistic. There are no flags to capture or multiple-choice questions to answer. You will have your rules of engagement and an environment on which you will be tasked to conduct a penetration test, and then provide a detailed report of your findings and recommendations.
- The certification's price is affordable compared to some well-known certifications.
- The exam environment is stable.
- The time allocated for the exam is enough.
- The TCM Security support team is always available.
- For those with no experience in CTFs, this can be a great start, since you will have to complete some CTFs on HackTheBox and TryHackMe in some sections of the courses.
Here are the points that can be improved:
- The PNPT focuses on Active Directory Domain Services (ADDS). Though this is a good start, it would have been great to also cover Active Directory Certificate Services (ADCS), which is as interesting as ADDS.
- Compared to some certifications, the PNPT is not yet well known among Human Resources departments. Nevertheless, we can all help give it the attention it deserves.
Exam Overview
Regarding the exam, you will have five (5) days to conduct your penetration test and two (2) additional days to write your report. Once the five days are over, you will no longer be able to access your client's information system. Therefore, make sure to take your screenshots properly during each step of your penetration test so that you do not miss any information, as that could lead to a failure.
Concerning the report template, you can find one here. However, feel free to use your own template if you have already built one. Just make sure that it is professional.
After submitting your report, you will get an email from TCM Security a few hours later (I got mine two hours after my report submission) saying that your certification attempt has been updated on the exam website.
After logging in to the website, you should see your results.
If you pass the exam, you will be provided with a link to schedule your debrief. For the debrief, you will need to bring your ID card and enable your webcam during your presentation. All in all, you will be asked to present your findings and recommendations for remediation in a 15-minute time slot. Concerning the document format, you are free to prepare a PowerPoint presentation or use your exam report directly. You just need to ensure that you do not go beyond the time allocated to you. Thus, make sure to rehearse your presentation enough before scheduling your debrief.
Notes:
- If you did not finish your pentest during the five days, you can still send your report so that TCM Security staff can give you a hint for your free retake.
- Beware that you can fail your exam if your report is not well written, even though you compromised your client's infrastructure. Remember that your goal is not only to compromise the domain controller but to bring your client as much value as you can in order to enhance their security posture by providing them with a well-written and detailed report.
Overall, if your debrief goes well, the staff member will save your information in their database and send your certification to your mailbox. Here is what the certification looks like:
Nice, right? You're next :)
Tips
Here are a few tips that may help you during your journey:
- Consistency > Intensity
It is far better to study for a few minutes or hours each day than to study 5 hours on a single day. Based on your agenda and objectives, schedule a time to learn and practice every day. On one hand, this will help you remember the information in the long run through daily repetition; on the other hand, it will keep you motivated.
- Notetaking
Taking good notes during your courses will help you summarize and organize what you learned in your note-taking application so that you can easily and quickly find any piece of information (command, mindmap, etc.) when you need it.
- Sleep enough and take breaks
Every so often, when an attack fails or doesn't provide the desired output, we get frustrated and try the same or similar attacks over and over until we realize that we made a minor error, such as omitting a command option or specifying the wrong target. This is where taking breaks and getting enough sleep can be game changers. Sometimes we just need to get some fresh air or have a good rest to come back with new and better ideas.
- Read the Rules of Engagement (RoE) carefully and make sure to do exactly what your client asked you to do. Do not target systems that are out of scope, as this will lead to failure at the exam.
- The exam is not a CTF, it is a real-world scenario, so treat it as if you were hired by a real company to perform a penetration test on their infrastructure. Put yourself in the shoes of a user without any security awareness. Ask yourself what such a user would do, then conduct your penetration test accordingly.
- I found this hint from Heath very helpful
- Acquiring practical knowledge > getting a new certification
Passing the PNPT is good, but learning new skills and growing as a penetration tester is much better. You should not forget that you are learning these skills to help make companies more secure, not just to obtain a sheet of paper.
- Success is not final, failure is not fatal: it is the courage to continue that counts — Winston Churchill
When I was preparing for the PNPT, I read and watched some exam reviews from people who failed the exam to learn what mistakes they made so that I could avoid them. While some saw their failure as a learning process for doing better next time, others were blaming themselves.
Dear readers, don't be too hard on yourself because you failed once or twice at your exam. One thing you should absolutely avoid after failing is taking your free retake immediately. Instead, pause, then ask yourself these questions: What could I do differently so as not to fail? Did I manage my time well? Did I take breaks? Did I forget to conduct certain attacks? Did I try different tools, wordlists and payloads?
I believe that answering these questions will help you better understand the reasons why you failed. Furthermore, as I mentioned earlier, send your report even if you did not finish your penetration test. Based on what you have done, TCM Security staff will give you a hint so that you can move forward during your next attempt.
Resources
In addition to your courses, here are other resources that can be helpful:
PNPT Reviews (YouTube + Writeups)
How to Pass the Practical Network Penetration Tester Exam (PNPT)
PNPT Exam Review
TCM Security’s PNPT Exam Review (Formerly CPEH)
PNPT Reddit
TCM Security Discord
https://discord.com/invite/MzpSsVzKvj
TryHackMe Network and Room
Wreath
https://tryhackme.com/r/room/breachingad
Wrapping Up
To connect the dots, I would definitely recommend the PNPT to anyone who wants to improve their skills in network penetration testing. In one word, the most important thing for passing this certification is PRACTICE. Don't just learn the theory without applying what you learned.
Knowledge without practice is useless. Practice without knowledge is dangerous. Confucius
Lastly, enumerate, enumerate and enumerate. Good enumeration will considerably ease the later stages of your penetration test. If you are unable to gain initial access to the target system, that simply means that you need to enumerate more or take a break. Keep in mind that there is nearly always a way in. By that, I don't mean to overcomplicate things: keep things simple, but do your due diligence.
Give me six hours to chop down a tree and I will spend the first four sharpening the axe. Abraham Lincoln
With that said, I wish you all the best, and feel free to ping me if you have any questions.