Hello, hello, hello to the wonderful Infosec world. I'm back (again) with another certification review, this time of the Practical Network Penetration Tester (PNPT) from The Cyber Mentor, AKA, Heath Adams. I've been pretty quiet with university work recently so managed to find the time to crack this out, and I have to say, I was not disappointed!
This review will highlight the course contents, pricing variables, exam thoughts, and finally, the question that I see plastered everywhere: How does it compare to the OSCP?
The course is available as a standalone exam at $299 - This includes a free retake and no time limit as to when it must be used by.
Alternatively, and what I would recommend for the majority, you can purchase it "With Training" for $399. This option has the same free retake clause, no time limit on when it must be used by, plus 5 courses:
- Practical Ethical Hacking
- Linux Privilege Escalation for Beginners
- Windows Privilege Escalation for Beginners
- Open Source Intelligence (OSINT) Fundamentals
- External Pentest Playbook
When compared with other certifications on the market, you're definitely getting much more bang for your buck, so to speak, compared to alternative courses and certifications.
Oh, and if you fail? Turn in your report anyway and you'll be given a hint for your next exam. Don't see that anywhere else, do you ;-)
Furthermore, they do provide discounts to specific employment areas, so make sure you check that out, too.
The PNPT is described by TCM Security as:
... a one-of-a-kind ethical hacking certification exam that assesses a student’s ability to perform a network penetration test at a professional level.
You can view the official syllabus here, which contains all the course content that comes with the training version of the certification purchase. You will learn how to plan a penetration test, perform external enumeration, attack login portals, harvest potential credentials and even build up a profile of your targets, using real-world examples that you are guided through. From here, there's an invaluable section in the Practical Ethical Hacking course that teaches you how to gain initial access in an AD environment, then how to enumerate your surroundings, move laterally, and ultimately identify pathways to the domain controller.
Now, I have taken the OSCP (Old Style), OSEP, and CRTP, so you'd think by now I'd have the majority of basic AD attacks on lock. Nope! There were still large portions of the content that I'd either not come across or hadn't properly understood. I was humbled by the sheer quantity of knowledge that came with the course content. Heath has a very unique teaching style, and everything that gets taught is taught in a way that leaves no stone unturned. You will learn defenses for specific attacks shown, too, and there are consistent references to things you may, or may not, be asked at an interview based on his experience.
The bread and butter of this course, for me, was definitely the AD section. However, that's not to say there aren't bits of everything in there. You will also learn web application attacks, be guided through setting up your home practice labs for both web applications and AD, be taught how to do a penetration test report, see a real-life report whilst Heath goes through the contents... There's really too much to talk about on here. I'd definitely advise taking a look at the syllabus, as it's absolutely jam-packed. For the purpose of this review, I'll focus mainly on the External Pentest, OSINT, and AD aspects, as that is what you'll face in the exam.
The exam itself is 5 days long. Yep - 5 days. None of these hyper-stressful 24/48 hour exams. You then get a further 48 hours for reporting! After waking up with bald patches in my beard after my OSEP (Haha - it's true), this was a really refreshing change of pace.
You get sent the rules of engagement letter when your exam starts which highlights everything you need to know about the test, including your scope, out-of-scope environments, point of contact, and what you need to produce by the end of it.
As a student, I can't comment on how realistic this is from my experience, but everyone who works in the industry, that I've spoken to, has said it's very true to form.
From here, you're required to start performing Open Source Intelligence Gathering against your target and extract useful information from public-facing assets. Once you've built up your profile on the target, you'll have to identify an entry point to the external network by scanning your given IP ranges. This part felt exceptionally realistic. Once inside the perimeter, you have to work out how to gain access to the internal network and start pivoting through machines, with your goal being to compromise the domain controller. You should be mindful to treat your environment like a real clients environment, which means not treating it like you'd treat a CTF environment, and being mindful of anything that you upload/move onto their servers.
OSINT and External Attacks
This part was fun, and something I've not seen on other certifications I've taken. It could have gone into a bit more depth, but the concept is to teach you the methodology, and see how you can adapt what publicly available information is out there to your target's external infrastructure. Be prepared to have to think a bit out of the box, it's not an exam where you can just copy verbatim commands from the content and pass. You're taught everything you need to know in the course content, but you may have to adapt your methodology in intricate ways to make it work for the exam. Stay calm, remember what you have been taught in the course content, and read everything carefully.
Internal Network Attacks
After gaining access to the perimeter, you're dropped inside the internal network. This part is definitely the most enjoyable for me since I LOVE internal network attacks and the way AD works. You must take this exam as though it were a real engagement, there are no flags throughout to guide you, although the path through is kind of obvious for the most part. You don't feel lost, really. Just ensure to take thorough notes, enumerate everything and refer back to the course material regularly for inspiration: Everything that is taught in the course is enough for you to pass the exam! The environment is ridiculously stable. I went to sleep, came back to my PC 6 hours later, and still had all my sessions active so my VPN hadn't dropped at all and none of the PCs had any issues throughout.
After you manage to crack the domain controller and obtain domain administrator, you are required to send a report detailing your findings, mitigation steps, and any other relevant information that you believe the company should know about. This part took me ages! I was really trying to perfect my report, and also give myself something to base future reports on when I eventually get a job. Never written a report before? Not to worry! TCM provides not only an example report but also a video in their course where they go through a real-life recently pentest report, so you can see what it actually looks like. I spent about 8 hours reporting, and you report properly: Not just a walkthrough of how you did X or compromised X. You provide the vulnerability, provide further information and then suggest remediation. This vastly differs from previous exams and certifications I've done, in a positive way!
If your report rocks, you'll be lucky enough to be invited to de-brief with one of TCM's senior staff members. In this call, you'll get to go through your findings and discuss remediation steps, much like you would with a real company. I decided to use a Powerpoint for visual aid, but I don't believe it was necessary. The call starts with some quick identity verification before they sit back and listen to you word vomit everything you found! I was obviously nervous, not just because I'd never done a debrief, but because I was talking to Heath himself. Stay calm, Toby. Be professional.
After it was done, he took my discord details, added me to the VIP section of the TCM discord, and sent over my certificate. I sat, armpits dripping with sweat, with a big fat smile on my face!
The exam took me about 24 hours to reach the domain controller, and probably 16 of those were working hours spread over two days. 5 days is very generous, I'd expect you to run out of ideas before you run out of time! It gives you ample time to research, troubleshoot, explore additional attack vectors and accustom yourself to the environment.
PNPT Vs OSCP
This question is the one I see literally everywhere! And with good reason. I passed the previous OSCP version, without AD, so can't comment on the new version. However, I will say that PNPT was significantly "easier" due to the time constraints and real-world aspects. I personally believe the OSCP is more of a critical thinking and enumeration-under-pressure exam than anything overly technical. You are being forced to think outside the box, identify exploits, fix them based on your enumeration, and pop enough shells to pass the exam. I know many penetration testers who fail. I also know many hobby hackers who pass. The reason it sits so high on HR requirements is because of its intensity. If wasn't so hard, then it would quickly drop off. PNPT, on the other hand, tests you as a real penetration tester and examines your ability to perform your test using industry-standard methodology: Identify public-facing information, attack external assets, pivot through the network to the ultimate goal. It has many more realistic aspects than the OSCP and allows you the freedom to approach it how you would like, with no restraint on tools or resources.
The OSCP / PNPT discussion has no definitive answer, as they're so vastly different. One is a CTF, one is a real-world simulated test. Both have their benefits. I'd imagine that PNPT would help massively for the AD aspect of the new OSCP exam, as Heath teaches it so well. As a beginner, I'd personally say take the PNPT over OSCP. The cost comparison alone, for what you get, is a no-brainer. However, OSCP presents a harder challenge, and if you're like me and enjoy pushing boundaries, it's great fun. Further, the OSCP will definitely get you through the HR door, at the moment, more than PNPT.
Both of them will teach you absolutely loads, and that's all life is about right? Being a lifelong learner.
Closing Thoughts - Who's the PNPT for?!
There we have it folks, just a small summary of the exam process and course content, should you choose to purchase it. The course is fantastic value for money, given the amount of content you get, plus the exam voucher, a free retake, it's a no-brainer for your first certificate. You'll obviously understand that it's not going to get your foot quite in the door as much as bigger names, at the moment, purely because it's such a new qualification. But I've seen more and more inclusions in job applications recently, so it's definitely causing a stir. It tests you in the context of a real-world, practical penetration test, rather than in a CTF, extreme pressure, examination environment, and it's refreshing to see something that includes the debrief and pre-test documentation included.
If you are a beginner, the course 100% caters to you. It will be a struggle to pass the exam without having baseline knowledge from the course. If you're a junior penetration tester, I'd imagine the exam and course will teach you some cool new tricks but you'd probably be just fine! But again - I don't work in the industry, this is based on people I've spoken to in the past. Take everything I say with a pinch of salt, and always get a second opinion.