Cert Review – TCM Security’s Practical Network Penetration Tester (PNPT)

---

TLDR

• The five courses under the PNPT package are phenomenal value for the price you pay.
  • Practical Ethical Hacking (PEH) itself is worth every last penny and is a far better resource on Active Directory Enumeration, Attacks, PrivEsc and Persistence than Offsec’s PEN-200
• Stands out for having an OSINT component to the exam and having the candidate execute the entire Kill Chain from Reconnaissance to Actions on Objectives
• Quite possibly one of the rare few certifications at the beginner to intermediate level that requires a fairly comprehensive report and an actual debrief
• IMO, a lot easier than the OSCP due to much longer test period (5 days) and the attack vectors are fairly straightforward (in hindsight)
• Unfortunately not as recognized in terms of HR value but nevertheless rates highly on the knowledge gained value

Review

#whoami

I graduated from the National University of Singapore in the mid 2010s with an Economics degree. My passion was in the humanities; particularly in the fields of history and geopolitics. My only touch point with the world of computers was a foundation module on computing hardware and software in my first year of university. I didn’t like it.

Fast forward to 2022, I was exposed to the world of APTs and ransomware actors during the course of my work. Not having the slightest clue of what the CTI folks were talking about during their routine briefs, I did some (poor) research online to look for courses on cybersecurity. By misfortune or design (EC-Council worked hard on advertising), I paid a grand for Certified Ethical Hacker (CEH) since it was heavily promoted online as “the course to learn about hacking”. I know what you are thinking and be assured that I have the exact same thoughts as you. Suffice to say, dont waste your money on CEH. It is not completely useless but it is terrible value for money at a grand and the assessment portion is bad. Take that grand and sign up for TryHackMe and HackTheBox instead.

So what can a person with no computing or cybersecurity background but full of interest in learning more about hacking look for without blowing a hole in his/her wallet and yet find resources comprehensible to beginners?

Enter TCM Security and its Practical Network Penetration Tester (PNPT) Certification and its associated courses.

#whatweb https://tcm-sec.com

I will give a brief background on TCM Security, the PNPT Certification and its associated courses before diving into the PNPT review.

TCM Security (Source: https://tcm-sec.com/about/)

TCM Security is a US-based veteran-owned cybersecurity company focused on providing top of the line penetration testing, security training, and compliance services.

Of note, TCM Security also provides training and as of Jan 2024, six certifications including the PNPT (Source: https://certifications.tcm-sec.com/).

PNPT (Source: https://certifications.tcm-sec.com/pnpt/)

The PNPT certification exam is a one-of-a-kind ethical hacking certification exam that assesses a student’s ability to perform an external and internal network penetration test at a professional level. Students will have five (5) full days to complete the assessment and an additional two (2) days to write a professional report. As noted, there are NO FLAGS to capture and the environment is a microcosm of what might be a realistic Active Directory environment.

In order to receive the certification, a student must:

• Perform Open-Source Intelligence (OSINT) to gather intel on how to properly attack the network
• Leverage their Active Directory exploitation skillsets to perform A/V and egress bypassing, lateral and vertical network movements, and ultimately compromise the exam Domain Controller
• Provide a detailed, professionally written report
• Perform a live 15-minute report debrief in front of our assessors, comprised of all senior penetration testers

Note that TCM Security considers PNPT to be an intermediate level course. Its junior counterpart is the Practical Junior Penetration Tester (PJPT). Note: When i first purchased the PNPT certfication in 2022, the PJPT did not exist.

That said, with hard work, curiosity and good note keeping skills, one can consider jumping straight to PNPT as a beginner as I have done so.

#The Road to PNPT: The Five Courses

In the past, one was able to purchase the PNPT certification independent of the courses but now you are required to purchase the certification and the five training courses at US$399. The package grants you the right to take the PNPT exam (with one free retake) and access to the following courses:

• Practical Ethical Hacking (PEH);
• Linux Privilege Escalation for Beginners (LPE);
• Windows Privilege Escalation for Beginners (WPE);
• Open Source Intelligence (OSINT) Fundamentals; and
• External Pentest Playbook (EPP)

The certification test voucher DOES NOT EXPIRE so you can take the time to go through the materials and take the test when you are ready to do so. Also if you are a military veteran (from any country) you may be entitled to a discount.

PNPT Review

Do note that to preserve the integrity of the PNPT, there will not be any hints of what the exam is beyond what is published by TCM Security.

A caveat: This is my first cybersecurity certification (I did not bother signing up for the CEH examination)

IMO, the PNPT is a fantastic entry-point for those interested to learn more about Ethical Hacking and experience what a Pentester might be expected to work on. Why do i say this? Let me summarise with the following points:

1. The exam environment is set up to simulate a pentest engagement. There is a rule of engagement PDF issued at the start of the exam; literally no flags to capture; and it is not a series of “boxes” waiting to be pwned. If you come in with a CTF mindset, chances are you are going to fail or go down rabbit holes.
2. The OSINT portion is fairly basic but still provides an opportunity for the test taker to at least practice and exploit OSINT to gain information leading to the initial foothold. OSINT isn’t something that is normally found on other certification exams. Remember that the PNPT is meant to simulate a real pentest engagement and I am glad that this portion is included. Surprisingly it seems that a fair bit of people had issues getting the OSINT portion right which again reinforces the idea that if you are looking at this like a CTF, you are going to have a bad time.
3. Without revealing anything, sometimes it is human laziness and carelessness that allows attackers to burrow their way into the system. Just like real life.
4. Everything you need to pass the PNPT are in the five courses. There are no curveballs.
5. You need to write a fairly comprehensive post engagement report and conduct a debrief to a TCM Security Staff. This in itself was an excellent learning opportunity and also a good barometer on whether a career in pentesting might be suitable. You will need to communicate your findings in a clear and effective manner and put some thought into remediation measures that the client should undertake.

Environment Stability

I had ZERO issues with the exam. No crashes, no weird glitches. It was stable throughout. TCM staff was very responsive even though it was during the holiday period. Kudos to TCM Security.

Difficulty

I failed the PNPT twice in October 2022 and early 2023. I was able to reach the Active Directory part of it but was not able to progress further because I was overthinking it. This time, I got the credentials of the Domain Controller in about 36 hours.

What changed? I stuck to my methodology, took good notes and ensure that I did not skip steps. I took frequent breaks and even went out for drinks on the night of Day 1 as I was stuck. The next morning, I woke up and realise that the solution was literally in my face the whole time. All I can say is sometimes, the way forward is not some crazy exploit or wizardry. It can be something very simple and innocuous. Best of all, it is literally taught in the PEH course. Listen carefully to what Heath Adams teaches in the Active Directory portion. Once I got the way forward, it took me less than 2 hours to get Domain Controller.

Is the exam difficult? It is if you approach it with a CTF mindset and you overthink it. Looking back at the path to Domain Controller, I would say that the PNPT is “easy” on the technical portion but moderate when it comes to discovering the path to laterally and vertically move through the networks.

#How to prepare for the PNPT

1. Get used to taking good notes. I liked using Microsoft OneNote and Cherry Tree. Take good notes for the five courses especially PEH. You will need it!
2. Finish minimally PEH, OSINT and EPP. Make sure you practice the boxes recommended in PEH. Make sure you have a good methodology and stick to it. Take the report writing portion seriously. There are people who fail because of their reports!
3. I prepared a clean kali linux and updated it with the pimp my kali tool prior to starting the PNPT. Last thing you want happen is having your impacket tools fail. I also prepared scripts like linpeas and winpeas in a folder for transfer. Might also want to have a static binary of nmap ready.
4. Practice Pivoting and the different tools that you can use for pivoting. Understand which tools are for which situation. Tools like Sshuttle require SSH access but does not require you to be root.
5. Get used to using different tools for Active Directory. Sometimes one tool might not work. Be prepared to use another tool.
6. Did I say Active Directory again? Active Directory is the main meat of PEH and is the centre-piece of the PNPT. Get familiar with the attack vectors, lateral and vertical movement paths taught in the PEH.
7. Not necessary but no harm watching IppSec’s Active Directory videos on YouTube (https://www.youtube.com/watch?v=jUc1J31DNdw)

During The Exam

1. Enumerate x10. Dont get lazy.
2. Take screenshots of EVERYTHING. the last thing you want to happen is you forgetting to take a critical screenshot and failing the report because you did not have pictorial evidence.
3. This hint from Heath Adams from discord.

4. Use an excel sheet to keep tracks of credentials if you need to. I did and it was very useful to have a graphical representation of what were the current credentials that were discovered and what they could do.

5. Be curious and just click at things you find. You never know what kind of interesting information there are.

6. Everything you need is taught in the five courses. If you are stuck, it may help to go through your notes or to rewatch the videos.

7. Take frequent breaks. Have eight hour sleep. Go for a run or a gym break. Have fun. Watch cat videos to destress.

What’s Next

As a rather early adopter of TCM Security courses, I have courses that are permanently in my catalogue as I have purchased them before the switch to the Subscription model. I am planning to work on the Practical Web App course, Movement-Pivoting-Persistence course and the Mobile App Pentesting course.