How I passed my PNPT after failing 3 times

George Tudor
Jan 30, 2024

There are a couple of things I wish I knew before taking my PNPT exam. For those of you who don’t know what this is, PNPT stands for Practical Network Penetration Tester and is a Cyber Security certification provided by TCM Security which assesses one’s ability to perform a real-life network penetration test.

My goal is to share my experience alongside a couple of tips and tricks so that anybody can benefit from them at least to some extent. I hope this article will be seen as useful not only by those who intend on pursuing this certification as a career milestone, but also by people interested in Cyber Security or IT in general. Without further ado, let me share my experience regarding the PNPT examination.

January 2024 came with a smile on my face as I received my examination result: I passed, although I kept doubting whether my report would be accepted or not. Did I add enough screenshots or proof of compromise? Have I missed any details? Did I follow the RoE (Rules of Engagement) precisely? The result spoke for itself: what I did was enough, the rest was only my overthinking.

Although I can’t divulge the details of the examination, I can share what you should master in order to be confident that you have what it takes to tackle the exam.

Exam details

You get 5 days for the examination and 2 more for the report writing. Your deliverable should be a final report that contains all the exploitation steps that you took in order to compromise the system.

My Experience

The first attempt was a straight disaster for me. I had an idea what to expect, but I didn’t do my reconnaissance right, and that mistake cost me 4 days out of the 5 available for the exam. My only advice at this stage would be: use a checklist or whatever makes you feel comfortable, tick what you have done and what you haven’t, because if you need to perform 100+ items from your technique toolbelt, you will probably forget about some of them, and they might as well be the decisive factor for moving forward or getting stuck where you are. Not having enough time for the rest of the exam, I accepted the result and moved on, improving my methodology and workflow as a logical and chronological to-do list that will not get me distracted from the main path.

My second attempt was somewhat better in the sense that I had my plan figured out and followed my approach until I ultimately moved further. This time, I was again distracted by other attacks and techniques such that I missed some very elementary items. Keeping things simple and not overcomplicating them will yield better results in the long run.

My third attempt was a reiteration of my second attempt.

My fourth and last attempt was not as frightening for me since I now had the experience of recording everything that I had done, had organised all my attacks and order of testing, and knew exactly what to check for. After some time, I eventually passed the intermediary blocker and got the keys to the castle. I knew for sure that I had to document and screenshot everything I had done so far and missed in the first place, so I started screenshotting everything during the adrenaline rush I got upon compromising the entire network.

My best advice would be: take your time, allocate every hour or half an hour for something else and keep on digging. After you believe you tried everything you can, revisit your notes from the beginning and try to reproduce the attacks. You might have missed something. The exam is not easy, but it is definitely doable by somebody who has their methodology on point.

Prerequisites

The certification is definitely not easy. You need to have a strong foundation before attempting the examination. This includes (in no particular order):

  • OSINT methodology
  • Networking Basics
  • Pivoting
  • Reconnaissance methodology
  • Data transfer
  • Bash/Python scripting
  • Active Directory Basics

Now comes the important part: how do you get better at each and every point above?

TCM Security offers the possibility to purchase the PNPT voucher for taking the exam alongside training that covers everything required to pass the examination. That’s right, no external resources are required (apart from what is recommended within the courses themselves). The course material is self-sufficient.

I would recommend starting with the Practical Ethical Hacking course, as it covers most of what is needed. The External Pentest Playbook covers entirely how you should approach real Penetration Testing engagements and the PNPT is definitely one of them.

Mindset

Don’t treat the PNPT as a CTF (Capture The Flag) type hacking contest. By following a rigorous methodology as a logical step-by-step checklist, you will definitely encounter different misconfigurations or notable items that will ultimately help you move forward. TCM Security also provides an extensive checklist you can use to better keep track of what has been done, what is in progress and what is left to be done.

The mindset is very important here. If you consider CTFs to be sprints, a penetration testing engagement is a marathon, therefore the PNPT examination should also be treated as such. Patience, good organization and note-taking will definitely help. I used CherryTree for my note-taking as it is simple to use, free and multi-platform, but I by no means consider it the best, nor do I advocate for using it. What matters is to stay focused and organised and to take notes. The rest are details.

Training

I highly recommend setting up your own Active Directory environment, either locally or in the Cloud. The course teaches you and helps you realise that. Having a playground to test different attacking techniques and routes will definitely help you better understand the impact each attack has and make you a better penetration tester in general. Don’t just binge-watch the explanatory videos; follow along every time. It is probable that you will eventually need to rewatch a part of the videos a couple of times before truly understanding the content (at least this was the case for me).

Before taking my PNPT I purchased the “Throwback” network on TryHackMe as a capstone challenge for myself after going through the entire curriculum. Recently I have seen that Throwback has been retired, but if you are serious about improving your Active Directory Penetration Testing skills, consider subscribing to the Wreath (especially for the pivoting part) or Holo networks on the same platform before tackling the exam.

I have added some of the scripts I use in my GitHub repository and will link it at the end of the article if anybody would be interested in checking it out.

Setup

Make sure to have a dedicated instance to hack from. I used a Kali Linux virtual machine on a Windows host. Having the tools ready and configured is great. If you have the time, consider creating a script that automates the process of installing the basic tools you need. This way, you can deploy your tools efficiently whenever you need to move to a new attacking machine. One of the biggest issues I had in terms of tooling was trying to make the impacket suite work. There are a lot of dependencies which need to be taken into account, especially for newer versions. One good resource is the pimpmykali repository which installs a clean specific version of impacket that is guaranteed to work.

Reporting

I used pwndoc for reporting. TCM Security provides a sample report that you can look over to get an idea of what it should look like and what you need to include. It is worthwhile to invest a couple of hours to understand how pwndoc works and to upload generic vulnerability details – it takes a YAML format as input and can be inserted on each new engagement report as a template.

Creating the template and the vulnerabilities is the most tedious part, but once you get it done, you can use it whenever you need to generate a report for any of your penetration testing engagements. This is not just an investment for the exam. It is for your entire career as a penetration tester or cybersecurity professional.

Closing thoughts

The exam gave me a boost of confidence and I highly recommend starting the journey to passing the certification as it is a gold-mine of hands-on learning that will help you in other IT aspects as well. It doesn’t really matter if you fail it a couple of times – the process of learning is what matters most, and every success story had a couple of failures along the way as well.

If you want to check out some of my scripts and tools I use, including one I have created for password generation, I invite you to check my Projects repository:

I hope this article was found useful and good luck in everything you are pursuing!
