My PNPT Exam Review
12 Nov 2022 (1988 Words, 12 Minutes)
The Practical Network Penetration Tester (PNPT) certification tests a candidate's ability to emulate a real-world adversary in a penetration testing engagement. It genuinely lives up to that: it starts with a Rules of Engagement letter and a kick-off email, runs through the actual engagement period, and ends with a well-documented report of findings and a follow-up debrief presentation. It's a lot, but it is genuinely worth the experience.
PNPT is affordable, real-world oriented, and more holistic in terms of the actual pentest engagement you would encounter in enterprise networks. You are free to use any tool you want, and I personally used some of my own. There's something better than making a human sit behind a screen to proctor your activities: PNPT is proctored via "non-evasive exam monitoring" techniques, so you can feel comfortable and focus on the pentest during the exam window. PNPT's recognition is increasing; more and more companies want PNPT holders who have demonstrated their pentesting abilities, including the reporting part and the debrief. PNPT is not about cat /home/user/user.txt or cat /root/root.txt. There's nothing inherently wrong with capturing flags throughout the engagement, but the point is that you don't necessarily have flags in the real world. You have to do a real-world pentest, as simple as that.
Every PNPT exam purchase comes with one FREE retake. Yes!
Look to PNPT when you want something affordable and, in terms of realistic standards, better than OSCP. I believe each well-established certification has its own clientele on both sides: the ones taking the cert and the ones seeking individuals who hold it. But that discussion is for some other time.
Exam Environment Experience
My exam started on 2nd November 2022 and I had pwned their DC by 5th November 2022; I spent the remaining time making sure I had taken all the relevant screenshots and then moved on to documenting it all. On November 9th I gave the debrief presentation.
The exam environment is very stable and fast. You get a full 5 days to pentest their network. If by any chance you run into trouble with the exam environment, contact them as soon as possible at [email protected], inform them about your issue and they'll fix it as best they can. I love their support. I ran into an issue after getting certified: my PNPT cert showed a (CE) Continuous Education entry even though the cert was purchased way earlier, and it got resolved quickly. I just love their promptness and mindfulness.
Read this twitter thread for more context.
To keep your preparation strategy simple, I would suggest these 3 resources:
TCM Security Academy: they have beautiful courses there.
TryHackMe: beginner friendly and a must-have to begin doing hands-on labs.
Hack The Box: hands-on pentesting labs, an amazing learning experience.
How to prepare for the exam
Use the resources listed above. Make a plan and execute it. Learn from TCM Academy and practise hands-on on TryHackMe. You can filter by the "Difficulty = easy" and "Type = Challenges (CTF)" tags on TryHackMe and have fun pwning machines. Once you have gained confidence, move on to pwning the Active boxes (20) on HackTheBox; their retired labs are only accessible via their subscription model, so you might consider investing there. TryHackMe is roughly 80% free; the remaining 20% falls under their subscription plan, because hosting Windows machines is relatively expensive and because of the effort that goes into making certain types of content.
You can also aid your preparation with all sorts of free resources available out there: YouTube channels, blogs, forums and so on.
Tips for the exam
Tips for the preparation phase:
Don't stress over the syllabus, nature and complexity of the exam. Enjoy a good learning experience from TCM Academy and lab platforms like TryHackMe and HackTheBox.
Set realistic goals for yourself, have a clear vision of the resources you will use throughout your prep phase and the areas you need to focus on most, and, most importantly, achieve those goals.
Stay focused, streamline your prep strategy and accelerate your learning through hands-on labs.
Tips for the exam itself:
Use your notes when you're stuck. And don't go out looking for exotic Pokémon exploits to help you: most of what you'll end up doing in the exam is already well taught in the courseware. You can pretty much not touch a C2 and still make it to the end.
Keep track of your actions. It's easy to lose track, so make sure to take screenshots and name or time-stamp them properly. Save your scan outputs. You can also make mind maps and diagrams to visualize how far you have got in the network.
It's much better to make a new directory and keep all the essential files related to the exam environment in there: the VPN config, screenshots, credentials, any custom tool you want to try out, scan outputs and so on.
Take breaks; 5 days is enough time to pass this exam. So take a healthy amount of breaks and get back to the phase where you left off, but with a clear mindset.
Tips for report writing:
Review the sample report template they send and try to follow it, irrespective of whether you use the same template or make a custom report. Briefly, you must include: a title, a table of contents, a description of the engagement with details such as the ROE, an executive summary, a summary of findings (you can use CVSS3 vector ratings as well), and details of the actual technical findings. I used the writehat tool from BlackLantern Security. However, it lists the findings by severity rather than by occurrence, so to reorder them you can use tools like pdfseparate to split each individual page of the PDF locally and then pdfunite to join/arrange them back again. These two tools are part of the poppler-utils package, so to install them on Linux run this command: sudo apt-get install -y poppler-utils. To use these tools effectively refer to this answer.
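An added shell example (not from the original post) that automates the split-and-rejoin step described above: it splits the report with pdfseparate and stitches the pages back together with pdfunite in whatever order you give it, so findings can be ordered by occurrence rather than by severity. It assumes poppler-utils is installed; the page-%d.pdf naming follows pdfseparate's output pattern.

```shell
#!/bin/sh
# Added example, not part of the original post or the writehat project.
# Requires poppler-utils (pdfseparate, pdfunite).

# page_sequence PREFIX N...  -> prints the split-page filenames in the desired order.
# pdfseparate writes PREFIX-1.pdf, PREFIX-2.pdf, ..., so the order "3 1 2"
# yields "PREFIX-3.pdf PREFIX-1.pdf PREFIX-2.pdf". Rejects non-numeric pages.
page_sequence() {
  prefix=$1; shift
  seq=""
  for n in "$@"; do
    case $n in
      *[!0-9]*|'') echo "invalid page number: $n" >&2; return 1 ;;
    esac
    seq="$seq ${prefix}-${n}.pdf"
  done
  printf '%s\n' "${seq# }"
}

# reorder_pdf INPUT OUTPUT N...  -> splits INPUT into single pages in a temp dir,
# then rejoins them into OUTPUT in the page order N... (1-based, as pdfseparate numbers them).
reorder_pdf() {
  in=$1; out=$2; shift 2
  tmp=$(mktemp -d) || return 1
  pdfseparate "$in" "$tmp/page-%d.pdf" || { rm -rf "$tmp"; return 1; }
  files=$(page_sequence "$tmp/page" "$@") || { rm -rf "$tmp"; return 1; }
  # $files is intentionally unquoted: it is a space-separated list of temp-dir paths
  pdfunite $files "$out"
  status=$?
  rm -rf "$tmp"
  return $status
}

# Usage: move finding on page 4 ahead of pages 2 and 3, keeping page 1 (title) first.
# reorder_pdf report.pdf report-by-occurrence.pdf 1 4 2 3
```

Pages you omit from the list are dropped from the output, so list every page you want to keep.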
Don't over-populate the fields in the findings or the exploitation PoC. Keep it crisp and concise.
Since the report is not a detailed walkthrough of the attacks we mount, the reporting tool mentioned above helped a lot with its "Background" segment in each individual finding I listed. This particularly helped me transition well into subsequent findings and helped the client (the exam assessors) better understand the history of the attacks.
Tips for the debrief presentation:
Stay calm; don't worry about anything and don't be anxious. Try listening to songs that calm you and drink plenty of water.
Make your presentation deck with any tool, service or software you like. For instance, I make instant decks in Google Slides when I am running out of time, and I use Canva when I have time and want to deliver a professional presentation; they have beautiful templates ready to customize. You can also deliver your PNPT debrief via the report itself by walking them through it, but I highly recommend making a PPT.
Keep it simple while presenting the findings, as they get technical in nature. Definitely cover the affected resources, the background of the attack, the exploitation PoC and the remediations.
Practice beforehand. I can't stress this enough. Time your mock presentation and see how well you deliver it. The time limit for the debrief is 15 minutes, so aim for roughly 10 minutes and you'll do fine in the actual debrief.
Critical Analysis of the exam
I have a fair amount of CTF experience; I have been rooting plenty of boxes on HackTheBox and doing rooms on TryHackMe. I am pretty sure that anyone with a decent amount of penetration testing experience (whether from labs or the real world) will breeze through the exam's network like a hot knife through butter. Admittedly I expected a little more in terms of the complexity of the attack chains. The exam's network is real-world oriented, that's true for sure, and it definitely isn't a CTF. The vulnerabilities I exploited in the exam are mostly what you'll be exploiting in the real world. Using a C2 framework is entirely up to you; I didn't use any, though I was tempted.
I would argue that the exam's network could have been a little better on the privilege escalation part, web app pentesting, Active Directory pentesting and credential access. That's just my opinion; don't assume they will go easy on you in the exam, absolutely not. My critical analysis comes down to one question: is the exam assessing me on the objectives the syllabus was designed around in the first place? I would deviate here from the mainstream argument: I am not saying it could have been a lot better, just that a few tweaks would do fine. Hopefully those who have taken and passed the exam will know what I am talking about.
It's just my belief that if an exam touches on every objective covered in its syllabus, it gains a more holistic dimension to its credibility.
Most of the material is already taught in the courseware by TCM Academy, but as always the exam is a learning experience, so you have to learn a few things on the fly and might spend some time troubleshooting as usual. So I would rate it, fairly, 5/5 on OSINT, 5/5 on the external pentest, 3.5/5 on the internal pentest, and 5/5 on the reporting and debrief.
PNPT vs other certifications
I will name a few certs here, and as I pass others I will update the comparison in their own reviews. For instance, I have attempted the eJPTv2 Beta exam and will review it here soon. I am also looking forward to attempting HTB's latest shiny cert, CPTS, so I will post CPTS vs PNPT in its review. I am really excited to attempt the CPTS and review it soon.
PNPT is about ideology, as it gives us a new stream of options; it's affordable and has all the qualities I mentioned earlier. OSCP is a much better option if you consider getting through HR and the chances of your resume being selected by an ATS. I believe PNPT will gain such reputation and demand too. You can truly ace CompTIA's PenTest+ if you have done some real-world engagements and are well versed in the whole process; that exam is experience and knowledge oriented, in the form of MCQs and some performance-based questions. It definitely helps to prove your "experience-oriented knowledge", but we have something better in terms of proven hands-on skills and going through the whole pentest process.
eCPPTv2 from eLearnSecurity does well as it focuses on different stacks: the exam has pivoting and custom exploit development, I have heard it's heavy on Metasploit (that's cool), and it has buffer overflows as well. Its objectives are fairly different from PNPT's, and yes, you have to submit a professional report at the end to pass that exam.
One can definitely have all these certs under their belt and it does no harm. The only thing that makes me indignant about certs is their pricing model as of now. eLearnSecurity charges $400 for each of their certs; CompTIA varies but it's doable. Offensive Security: hell nah, I'd have to check my balance. For the price of one OSCP I can get one PNPT, one CRTO and one other cert of my choice.
Anyway, that's all from me for now. I am waiting for the Internal Pentest course from TCM Academy and I am aiming to go after CPTS and review it soon. PNPT has been a beautiful experience for me. Stay tuned for more interesting content on this blog; as you can see it's fairly new and I will be actively delivering content here. Thanks for spending your time giving it a read.