PNPT Experience

Introduction

This blog post was written to help provide information and express my feelings about studying for and taking the Practical Network Penetration Tester (PNPT) exam by TCM Security.

The reason I decided to take this exam was because I felt that I struggled with Active Directory Pentesting and this exam offered a means for me to improve in that area and help me to level up as a pentester. I currently work on external pentests, web application pentests, and external red team pentests. However, I also wanted to acquire the skills needed to work on internal pentesting.

I bought the exam and training material for $400. One major plus for the PNPT is that it felt like the first exam I have taken that I would be confident in saying that the course material is all you really need in order to pass the exam. The study material points to other references for reading or practicing your skills, so I did not feel the need to buy anything else to study.

One more thing I would like to highlight before I get into the study material is the material and exam take a real world approach. The biggest hurdle some might have to overcome is to not treat this like a CTF and to instead treat it like a real engagement. As someone that does penetration testing for a living, this exam and study material hit the mark.

Study Material

The Practical Ethical Hacking course is a great resource packed with essential information. The material includes:

  • Basic Networking
  • Introduction to Linux
  • Introduction to Python
  • Information Gathering
  • Vulnerability Scanning
  • Buffer Overflows
  • Active Directory
  • OWASP Top 10
  • Wireless Penetration Testing
  • Report Writing

My attention was purely on the Active Directory portion of the material, which is what I spent the majority of my time on. However, I want to stress that I used the Buffer Overflow material here to ready myself for the eCPPT and for the eventual OSCP. TCM Security offers courses I would argue could replace other vendors’ study materials.

Going through this should help give someone the basic knowledge of penetration testing.

The Windows Privilege Escalation course is packed with excellent material and might have been my favorite course to go through. The course will cover:

  • Kernel Exploits
  • Stored Passwords
  • Potato Attacks
  • Registry
  • DLL Hijacking
  • Service Permissions
  • Capstone Challenges to test knowledge of Windows Priv Esc. via Hack the Box and TryHackMe.

The Linux Privilege Escalation course will help provide material on how to escalate privileges on a Linux host. I want to say that I truly appreciate the inclusion of capabilities and Docker. The course includes:

  • Kernel Exploits
  • Enumeration
  • File Permissions
  • Sudo
  • SUID
  • Capabilities
  • Scheduled Task
  • Root Squashing
  • Docker
  • Similar to Windows, you will get Capstone Challenges via Hack the Box and TryHackMe.

The OSINT Fundamentals course provides material on how to gather information about a target. This provides a real world engagement feel on encountering a target and gathering all the information about that target. The course will teach you how to hunt down:

  • Emails
  • Passwords
  • Usernames
  • Social Media Accounts including
    • Facebook
    • Twitter
    • LinkedIn
    • Instagram
    • Reddit
  • Website OSINT
  • Using tools to gather information
  • Report Writing

The final course is the External Pentesting Playbook. This material is designed to help show what pentesters do when attacking an external network. It goes against the CTF style of just checking exploits at a machine and seeing what sticks. It has a focus on:

  • Attacking Login Portals
    • Office 365
    • OWA
    • Standard Login Portals
  • Insufficient Encryption
  • Username Enumeration
  • IKE Aggressive Mode
  • Insufficient Traffic Blocking
  • Open Mail Relays
  • Client Debriefs

The Exam

The exam’s structure gives you five days with the exam lab and then two days to write a professional report. After writing the report you will submit it for review and if you meet the objectives you will get an email to schedule a time to do a fifteen minute debrief over the report. Again capturing that real world feel of talking to a client and going over the report and findings. You can use whatever tools you want for the exam.

When the exam started I was given all of the information needed to complete the exam including what objectives need to be met and a sample report to help show how the final report should be structured.

TCM Security provided a stable and solid network to attack. This was a breath of fresh air after working on the eCPPT and eWPT this year, with their unstable exam environments that were unusable for hours.

As I moved through the exam environment I took breaks, ate meals, spent time with my family, and rested my mind when I needed to. I would get stuck a few times, but I felt the exam did a good job of rewarding for enumerating, taking good notes on the findings, and using that information in the exam. I never felt frustrated, which is a great feeling taking a major exam.

The best advice I can give is:

  • Know and understand the study material and do the labs provided by TCM Academy.
  • Feel confident in Active Directory Attacks.
  • Know how to write a good and professional report.
  • Understand the exploits and how to remediate them.
  • Read through the provided information from TCM Security thoroughly and understand what you can and cannot do.

Final Thoughts

I really enjoyed this exam and the content provided by TCM Security through TCM Academy. I learned a lot going through it and had a lot of fun doing the exam. It’s one of the exams I would do over again just because I felt it was a lot of fun. The report writing is always the boring part, but the exam was great. I truly enjoyed this experience and the fact that it captures the feel of a real life pentesting engagement.

I hope more pentesters and aspiring pentesters look into TCM Security as a budget-friendly source of quality training material, and I wish you luck on the exam if you choose to take it!

If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Good luck!

eCPPT Experience

Beginning of 2022 I had two goals in terms of getting certifications. Get the eWPT and the eCPPT. I can happily say I have earned the eWPT and the eCPPT this year. Mission accomplished.

I’m writing this post because I want to provide helpful feedback for the eCPPT. I will cut away the fluff and get to the important stuff to help answer common questions. I will not be doing a day by day break down.

The lab is seven days of testing/hacking and seven days of report writing. It took me four days with the exam lab to get everything knocked out and two days of report writing. I had the results back in a couple days after submitting the report.

To prepare for the exam, I did all of the INE Penetration Testing Professional labs under the Penetration Testing: Network Security and Penetration Testing: Linux Exploitation.

The System Security for Buffer Overflows has good content. It gets a bad rap in my opinion. It’s useful, but the best way to prep for the Buffer Overflow from INE is the Exploitation with Ruby under the Metasploit & Ruby section. That’s the best way to get hands on practice from INE for BOF.

The Web App Security is a personal section I did not do much of, mainly because I did the eWPT. I would recommend taking the time to go through it and do the labs as well to learn about SQL Injection, Cross Site Scripting, and the other good to know web exploits.

Now I made that section because I believe the material from INE was good. If you don’t have that material because it is expensive, I recommend the following resources.

The last bit of advice I can give is to make sure you are comfortable with pivoting, proxychains, and port forwarding. You will live in proxychains for this exam.

I will also say the exam stability for me was a nightmare and I hope it works well for you. I took a few days off from work and the lab would not start for ten hours on Saturday. I tried to start at 8AM and kept getting errors about starting up the lab. The issue eventually fixed itself around 6PM. Elearn needs to work on more stable exam labs as I have heard similar issues with other people taking this and other exams.

You most likely will not know if you are ready until you start the exam. My rule is to go with the flow and figure out as you go. Don’t stress too much. Take breaks, rest, sleep on problems, and just try stuff. Learn as you go.

If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Good luck!

eWPT Experience

Beginning of 2022 I had two goals in terms of getting certifications. Get the eWPT and the eCPPT. I can happily say I have earned the eWPT and will be working towards the eCPPT later this year.

This will be a post describing my thoughts on the INE study material, thoughts on the eLearn Security eWPT exam, how I studied for the exam, and what advice I have for those looking to take the eWPT.

For those that don’t know, the eWPT is a certification offered by eLearn Security and study materials are provided by INE to prepare yourself to take and pass the exam. You have seven days with the lab to hack and seven days to write the report. The report you submit is what is graded and determines if you pass. This is not a CTF style exam. First tip I will give is to start your report and work on it while taking notes and doing the lab work.

Initial Thoughts

At the beginning of the year I was really excited to take this exam. I felt INE had great materials to learn from, although they are a bit dated. The study material on Flash is worthless in 2022. You can skip that part and I would not be surprised if it was removed this year.

I felt INE did a good job covering XSS, SQLi, information gathering, session security, file upload attacks, CMS attacks, and noSQL databases in the slides and videos.

I will cover my opinions about the transition of the labs in my study material section.

After a few weeks of working on study materials I felt ready for the exam. I picked the first Friday evening in February and started the exam. Getting it up and ready took a few minutes of tinkering with the VPN and reading the Letter of Engagement. The Letter of Engagement is pretty straightforward, but very simple and not very professional looking. It lacks details. Just make sure you read it and understand it as it states a pretty important factor that needs to be done in order to pass, although it is not enough alone to pass.

The exam was pretty fun to say the least. It is a professional looking web application and something I would see in the real world. It has vulnerabilities and your job is to find them, report them, and provide remediations. Just like on a real engagement.

After a few days into the exam, I felt I had everything needed to create my report. I wish INE would have a section in each course to talk about report writing. I feel report writing is being overlooked and for an exam that requires a report to pass, it would help to include something for those that have never written a penetration testing report.

Study Material

The study materials I used to prepare myself were the Web Application Penetration Testing videos, PowerPoint slides, and labs offered by INE. An annoying issue on the INE platform was that while I was working on the labs in the month of January, INE decided to update the Web Application Penetration Testing labs from their custom built labs to offering DVWA and Mutillidae hosted labs.

While I am a fan of the ability to click a button and have a ready-to-learn environment and have hands on practice, I was enjoying the labs (that worked) that were offered by INE and I’m a bit disappointed with the Web Penetration offerings now.

I am disappointed that the custom built labs for the eWPT have become free and open-source labs anyone could download from the internet and setup on their own machine. I feel like I wasted $500 and I hope the eCPPT will help me feel not so ripped off.

I also used The Web Security Academy from PortSwigger to get more hands on practice. Honestly if you only cared about getting the eWPT and wanted to save money, you could easily get the materials you need to pass the exam with the Web Security Academy from PortSwigger. They offer amazing labs and learning material that in a few cases are better than what INE offers. I find it funny that PortSwigger Labs are free, but a much better value than INE labs that cost $500 (when on sale) to access.

Other than these two sources I did not use anything else to prepare myself. The INE Web Application Penetration Testing course shows everything you need to know to pass the eWPT. I feel PortSwigger Academy is a great resource to also prepare yourself, but it’s not required to pass.

Final Review and Advice

My final thoughts about the eWPT exam are: I feel it is a good web penetration testing exam. It is fun and I am proud of my accomplishment in earning my certification. I did learn a few things while taking the exam.

My critiques are: the Letter of Engagement needs more detail. I feel it’s a bit too simple and vague to be passed off as a professional letter of engagement.

The labs from INE are bad. I cannot sugar coat this. I feel ripped off that I paid money for open-source labs. When I first started off with INE, they had great labs that you needed to access via a VPN and they were better than DVWA and Mutillidae. INE, please go back to having quality labs you built to prepare students to pass an exam.

The good parts are the exam is fun. It really is a great feeling when you find an exploit in the exam. A few of them really make you work for them.

My last bits of advice. When I do web penetration tests I use two main tools: Burp Suite and SQLMap. These are my go to’s and I had them open for the entire exam. They can do almost all of the work if you know how to use them correctly.

SQLMap will save you time and headaches. Burp Suite Repeater is also important. Everyone has different tools, but all I needed to pass was a good knowledge on how to use these effectively. (If you prefer ZAP, go for it. Burp is just my go-to proxy tool.)

Good luck!