\x01 Introduction

I sat the Practical Network Penetration Tester exam in June of this year and wanted to do a quick write-up of my experience to help those who are looking to take the exam. I will cover the courses recommended by TCM Security, exam preparation, the exam itself, and final thoughts. Look, I know it's October when writing this but, hey, better late than never...right?

For those who don't already know, the Practical Network Penetration Tester exam is a 5-day long practical exam with an additional 2-days to turn in a professionally written penetration test report. As per TCM Security, to obtain the PNPT certification, you need to:

• Perform Open-Source Intelligence (OSINT) to gather intel on how to properly attack the network
• Leverage their Active Directory exploitation skillsets to perform A/V and egress bypassing, lateral and vertical network movements, and ultimately compromise the exam Domain Controller
• Provide a detailed, professionally written report
• Perform a live 15-minute report debrief in front of our assessors, comprised of all senior penetration testers

\x02 Purchase Options

When it comes to purchasing an exam voucher, you have two options to choose from -

• Standalone ($299) - You don't get any of the TCM training courses and only receive an exam voucher to sit the exam. This is a lifetime voucher so you can sit on it for as long as you need to and should you fail, you get a free retake. Cool!
• With Training ($399) - You get access to over 50 hours of training material over 5 courses ranging from the infamous Practical Ethical Hacking course to the External Pentest Playbook. With this option, you also get a lifetime exam voucher, and a free retake should you not pass your first time around. It's nice that TCM Security provides a free retake - they aren't trying to profit from your failures.

Bundled TCM Academy Courses

The following are the five courses included in the included training option and are listed in the order they are recommended to be completed.

• Practical Ethical Hacking (25 hours)
• Open-Source Intelligence (OSINT) Fundamentals (9 hours)
• External Pentest Playbook (3.5 hours)
• Linux Privilege Escalation for Beginners (6.5 hours)
• Windows Privilege Escalation for Beginners (7 hours)

I suggest checking out the training syllabus and exam overview document that TCM Security prepared which outlines the exam objectives, training options, and a detailed breakdown of the content that's covered across the five courses.

\x03 My Thoughts on the Courses

When I purchased my PNPT voucher, I did so with the training bundle and worked my way through all five of the courses before sitting the exam.

Overall, I thought the courses were excellent and explained the material very well and in a way that just made sense. I am a very hands-on learner so having videos to follow and then trying the same thing in my lab environment just cemented what I learned rather than death by PowerPoint. Death by PowerPoint might work for others, but not for me.

A good chunk of the 50+ hours of material is taken up by the PEH course and is the bread and butter of it all. In the PEH, Heath will take you through the basics such as the basics of networking, introductions to Linux & Python, and the various sections of the attack lifecycle. In the PEH, Heath walks you through building your Active Directory lab environment to test exploits such as LLMNR poisoning, SMB relaying, IPv6 takeover with MITM6 to covering topics such as Kerberoasting, dumping credentials with Mimikatz, and other topics. I don't want to go too far down the rabbit hole since the topics covered are outlined in the training syllabus.

In the other courses, Heath goes over important topics like all things OSINT, external attacks such as information gathering, common assessment findings to privilege escalation for both Windows and Linux.

Overall, you will learn a lot in the 50 hours you spend with Heath, and throughout all that time, make sure you are taking detailed notes with not only what he discussed, but also commands used, screenshots of the expected output, and any research you did yourself on whatever topic you're on.

I took my notes in Obsidian (but have since transferred to Notion) and broke them down by course, parent topic, and then each smaller section below the topics. As an example, here is a snippet of my note structure for the Windows privilege escalation course -

My Overall Suggestion

If I can suggest one thing, it would be to do the Active Directory lab build-out and practice the attacks Heath covers. Take the time to build each VM (domain controller + 2 Windows 10 workstations), adding the workstations to the domain and the various attacks. Especially with the AD attacks, it's imperative to do them and understand what's happening rather than just watching Heath do them and take notes - trust me, it's not the same. With that being said, I realize not everyone has a computer with the resources to do a lab build-out, but if you do, please do it. It's a good experience overall and you get to break stuff - what's not to like about that?

Overall, I think the courses do an excellent job at preparing you to sit the PNPT exam, assuming you did the due diligence in completing them all and took decent notes. If you did, you shouldn't have any issues in the exam environment.

\x04 The Exam Experience

I scheduled my exam for June 13th at 1000 AM. Right at 10 AM, I received an email from the TCM Security team containing two things: my OpenVPN config file and the rules of engagement document. The rules of engagement were very detailed and did an excellent job of outlining the objective, what was in and out of scope, and other important details. Overall, great job TCMS team for the realistic document.

To pass the exam, you need to compromise the domain controller along with maintaining persistence in the environment. It's not enough to own the domain controller - you need to go the step further to keep that access and document the steps to do so. After completing the exam objective, you then have 2-days to provide a professionally written penetration test report that outlines each of the findings you documented and, if accepted, you need to brief a panel of senior penetration testers from TCM Security about your report.

If you don't compromise the domain controller, don't fret! Still do the report the best you can and submit it. Not only do you get a free retake, but if you turn in a report, you also get a hint from the TCM Security team for when you do your retake. That's cool - Heath and Co. want you to succeed here.

Exam Pros and Cons

Pros

• The exam is a real-world assessment and very much not a CTF. If you come into the exam with a CTF mindset, you are going to struggle. Make sure you treat the environment like a real client's network. Document everything, even if that piece doesn't directly aid your attack progression.
• There are no limitations on the tools you use. I can't stress this enough - this is a simulated real-world penetration test. Feel free to use whatever tool you want in the exam environment. There are no limitations on Metasploit or LinPEAS. No client is going to tell you what tooling you can and cannot use - this is no different.
• The exam environment was very stable, and my scans were completed very quickly. Even if I left the environment open overnight, the next morning it was like I never left. It was amazing. Again, great job Heath and Co.
• No proctoring. This can be a catch-22 for sure, but with the addition of the debrief at the end, I feel that helps balance out the lack of proctoring and is a good way to weed out cheaters. If you plan on cheating, you're probably going to get caught, and you're only hurting yourself.
• You get a full 5 days in the environment without the stress of competing against the clock to finish in 24 hours. This helped reduce stress levels and allowed me to have a balance between time spent in the environment and out of the environment. Being able to get a good night's rest, having time to eat dinner, and taking breaks to rest was great and I feel helped me succeed even more.

Cons

• HR awareness isn't as much as other certifications. This isn't the fault of TCM Security at all and given time, the PNPT will get there. While the PNPT might not carry as much weight on a resume as something like the OSCP, once you're in the interview, having the PNPT under your belt will allow you to talk the talk.
• Light OSINT. It's no secret that OSINT is required to pass the exam, but I wish there was more in-depth OSINT that was required. Having to do more of it would just add to the realism of the overall exam. I don't think it hurt the overall exam experience, but just something to call out.

Reporting

As stated in the rules of engagement, you need to provide a professionally written penetration test report to clear the exam. Seeing as this was my first time writing a report, I took two full days to do it as I wanted to make sure it was dialed in and had screenshots, practical mitigations, and references before sending it off. I am glad I didn't rush because I felt proud of the report I had turned in.

A template is provided to use for your report, which took away some of the stress of making your own and whatnot. By the time I was finished, my report was 27 pages long and was completed using the supplied template.

I turned in my report on June 17th and the TCM Security team replied 38 minutes later informing me I had moved on to the debriefing portion. I was blown away by how quickly they replied, seeing as how some vendors take weeks to tell you if you passed or not. Again, great job TCMS team.

Debrief

I chose the soonest available date for my debriefing which was June 21st and about 30 minutes before my scheduled debrief, I ensured I had everything in order such as my ID and making sure my webcam & mic worked. I was prepared - so I thought...

Of course, it was my luck that when it was time to join the call, neither my video nor mic worked, and I had to drop and join back on my main computer. Thankfully, the TCMS team member I met with was very patient and after I got squared away, I walked them through my report without issue. At the end of the call, they let me know I had passed and that my certificate would be issued shortly and that the PNPT role was assigned to me on the TCM discord.

\x05 Overall Thoughts

At the end of the day, I thoroughly enjoyed not only the courses but also the exam. I thought the exam tied everything that I had learned thus far perfectly and was a nice challenge. I would recommend this certification to anyone looking to get a start in offensive security and at the end of the day, I am happy to have gone through it.

If you made it this far, thank you for sticking with me through my ramblings and if you're ever around on the TCM Discord, feel free to say hi - I go by gray around there.