TL;DR Review of The Cyber Mentor’s (TCM) Practical Ethical Hacking (PEH) course and the 100% hands on Practical Junior Penetration Tester (PJPT) exam.
TCM Practical Junior Penetration Tester (PJPT)
Disclaimer
I am not a pentester. I have worked everything from service desk to change management & procurement to junior admin to auditing. I am an unashamed Windows Guy. I have passed three other 100% hands on exams before the PJPT. I will invariably end up comparing PJPT to the other hands on exams I took, so bear with me there.
Should you take PJPT?
IMHO anyway, you should take PJPT if:
- You are new to AD security
- You want to learn
- You love learning via hands on
- You love a bargain when it comes to certs
You should not take PJPT if:
- You are just trying to fluff a resume
- You are trying to hit an HR filter
Background
The Cyber Mentor (TCM) was giving away their Practical Ethical Hacking (PEH) course back in late 2020 to early 2021. I had just finished studying up for a Microsoft exam, had started test.local [aka our home lab] while studying, and was working auditing and Information Assurance (IA) in a Windows domain environment.
I remember watching Heath Adams show how to enumerate and query AD using PowerView and I thought to myself “I bet I could do that using builtin PowerShell”.
I ended up learning a ton about AD security, took the CRTP exam, learned how to automate most of our inspection checklist, and started this blog on Medium to post my notes. I credit TCM for helping get me started.
The course
I heard about the PJPT certification recently on Reddit. I don’t believe it existed back in early 2021. I got a voucher for $250 and started going back through the PEH course to refresh.
The course, IMHO anyway, is a really good introduction to basic networking, nmap, and other pentest material for those who prefer videos. I don’t; I’ve always been more of a books, Google, and lots of hands on with VMs kind of learner. However, I won’t judge PEH based on my personal learning style.
Some criticize TCM because the course doesn’t include access to a lab environment. They do this on purpose to keep the cost down. The course uses a Kali VM as the pentester’s system, of course, and free VMs from Vulnhub as targets. For the Windows domain portion, TCM walks the student through setting up an AD lab with 2 clients and a DC, which the student has to build themselves. We here at test.local spun the whole thing up in Hyper-V using PowerShell Direct instead.
Our IaC lab setup
I posted it on our GitHub here. To use it:
- Create two folders called PEH and ISOs
- Drop the files from our GitHub in the PEH folder
- Drop a Windows Server 2019 ISO in the ISOs folder
- Run Create-PEHLab.ps1
If you don’t already have a VMSwitch named “Testing”, then create one first. We showed how to do that here.
New-VMSwitch -Name "Testing" -NetAdapterName "Ethernet" ; Set-VMSwitch -Name Testing -AllowManagementOS $true
This creates the lab environment specified by Heath Adams. All one has to do is run Generate-Traffic.ps1 to import a function that simulates a Domain User fat-fingering a share drive name every 2 minutes. When Heath gets to the lesson on Name Poisoning and Responder, just run the command Generate-Traffic.
Really my only complaint with the class was that Heath kept showing how to setup the AD environment in the GUI.
If you want a pre-packaged environment setup then feel free to use ours! No need to complain that TCM makes you create your own.
On a sidenote, the astute reader will notice that we used Windows Server 2019 for all 3 VMs in our PEH AD lab setup, whereas Heath Adams shows the setup using Windows Server 2022 for the DC and Windows 10 for the clients. This is because IaCing Windows Server VMs is much easier than Win10, and we already had an answer file ready to go for Server 2019. If you want to use Windows Server 2022, then simply take a look at the answer file and parameters we used for our lab setup here for Administering AD DS.
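To show the PowerShell Direct idea behind the lab setup, here is an added example of promoting a Hyper-V guest to the lab’s forest root DC and seeding it with users. This is not Create-PEHLab.ps1 or any of Heath Adams’ code; it assumes a VM that already has Windows Server installed with a known local Administrator password, and every VM, domain and user name in it is a placeholder.

```powershell
# Added example, not the blog's Create-PEHLab.ps1 or Heath Adams' lab code.
# Assumes a Hyper-V VM with Windows Server already installed and a known
# local Administrator password; the VM, domain and user names are placeholders.
function Install-LabForest {
    param(
        [Parameter(Mandatory)][string]$VMName,            # e.g. 'PEH-DC'
        [Parameter(Mandatory)][string]$DomainName,        # e.g. 'lab.local'
        [Parameter(Mandatory)][pscredential]$LocalAdmin,  # guest .\Administrator
        [Parameter(Mandatory)][securestring]$SafeModePassword
    )
    $netbios = $DomainName.Split('.')[0].ToUpper()
    # PowerShell Direct (-VMName) rides the VMBus, so the guest needs no
    # working network yet; that matters because this DC becomes the lab DNS.
    Invoke-Command -VMName $VMName -Credential $LocalAdmin `
        -ArgumentList $DomainName, $netbios, $SafeModePassword -ScriptBlock {
        param($Domain, $Netbios, $DsrmPassword)
        Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
        Install-ADDSForest -DomainName $Domain -DomainNetbiosName $Netbios `
            -SafeModeAdministratorPassword $DsrmPassword -InstallDns -Force
    }
    # Promotion reboots the guest; wait for it to come back before using the DC.
    Wait-VM -Name $VMName -For Reboot
    Wait-VM -Name $VMName -For Heartbeat
    # The local Administrator becomes the domain Administrator, same password.
    New-Object System.Management.Automation.PSCredential("$netbios\Administrator", $LocalAdmin.Password)
}

function New-LabUser {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][pscredential]$DomainAdmin,
        [Parameter(Mandatory)][hashtable]$Users   # name -> plaintext lab password
    )
    Invoke-Command -VMName $VMName -Credential $DomainAdmin -ArgumentList $Users -ScriptBlock {
        param($Users)
        foreach ($name in $Users.Keys) {   # AD DS may still be starting right after the reboot; rerun if this fails
            New-ADUser -Name $name -SamAccountName $name -Enabled $true `
                -AccountPassword (ConvertTo-SecureString $Users[$name] -AsPlainText -Force) `
                -PasswordNeverExpires $true
        }
    }
}

# Usage (placeholder values):
$admin = Get-Credential -UserName 'Administrator' -Message 'Guest local Administrator'
$dsrm  = Read-Host -AsSecureString 'DSRM password'
$da = Install-LabForest -VMName 'PEH-DC' -DomainName 'lab.local' -LocalAdmin $admin -SafeModePassword $dsrm
New-LabUser -VMName 'PEH-DC' -DomainAdmin $da -Users @{ 'alice' = 'Password1!'; 'bob' = 'Winter2023!' }
```

Client VMs can be joined the same way once their DNS points at the new DC, using Add-Computer over another Invoke-Command -VMName session.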
The exam
TCM gives you 2 days for the hands on test, 2 days to write a report, and a free re-take if you don’t pass on the first attempt. Much like eJPT, PJPT is meant to be a fun learning experience and low stress. There’s no proctor watching you creepily on a webcam the entire time and yelling at you because there’s a coffee cup on your desk, there’s no SIEM, IDS, or EDR in the environment, and you are free to use Metasploit as much or as little as you like. Personally I took the exam on my refurbished Dell laptop on my living room couch.
I gave myself 3 days and a weekend, much like I did with eJPT, as I didn’t want to assume I could finish in a matter of hours and be wrong.
TCM provides an OpenVPN file, ROE, and a scope and sets you loose. It’s on you to scan, do host discovery, enumerate the network, get credentials, enumerate AD, move laterally, and escalate to Domain Admin. Obviously I can’t say much about the exam itself, but the course is all the preparation one needs. I probably overthought it, but there’s nothing wrong with that. I still passed.
I had escalated to Domain Admin 1 hour and 21 minutes into the exam, according to the timer on TCM’s exam site. I might have made it a few minutes quicker, but I forgot an important TTP … and then one of our adorable little foster kittens jumped on my keyboard and I had to hit Ctrl + L really quick before she started typing and screwed up my Meterpreter session.
She’s way too cute to be mad at though.
One can hit an end exam button on TCM’s exam site, but personally I wouldn’t recommend it. I simply grabbed a copy of TCM’s report template from here and started writing. I referred back to their DC multiple times while writing the report in order to double check that their Group Policy, OUs, groups, etc. were set the way I had thought. After all, I didn’t want to put in the report that they should do something that the environment was already set to do.
I had the report finished, proof read, and submitted before I went to sleep at the end of day 2. Their exam environment ends itself the moment you submit the report, no need to hit that big red stop button. They let me know within a few hours that I had passed.
On another sidenote, we used a ForEach loop after getting Domain Admin and running secretsdump to parse out the NTLM hashes so we could feed them into crackstation.net and check the password strength of the Domain Users.
# Each secretsdump NTDS line looks like domain\user:rid:lmhash:nthash:::
$Hashes = Get-Content ".\PEH\00 Exam\Domain_Hashes.txt"
ForEach($Hash in $Hashes)
{
    $Hash.split(':')[3]   # field 3 is the NT hash
}
Thoughts overall
I believe Heath Adams did OSCP and began working on security testing before Offensive Security began including AD in the OSCP. He stated the PEH course is meant to cover material that he didn’t learn back then and needed to know once he started working, such as AD security.
I’m probably preaching to the choir, but as some certification outfits still barely mention AD, Group Policy, PowerShell, etc. in any of their exams, maybe I’m not. It definitely bears mentioning that about 85% of Fortune 500s and Government use AD. AD has been around since 2000, and to this day contains default settings for backwards compatibility with NT domains. It also contains defaults like leaving LLMNR and NetBIOS enabled and not requiring SMB signing on Win10 or 11, probably to ‘just make things work’ and reduce Enterprise support calls to Microsoft. Vendors often care more about it working than security, and I honestly can’t blame them too much.
Hence it’s on the analysts, security engineers, auditors, administrators, etc to ensure that they configure their environment to be as secure as possible and adhere to best practices. The PEH course is IMHO a really good introduction to this.
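As an added example (not from the post or the course), here is a per-host check for exactly the three defaults called out above, with an optional fix. It assumes an elevated PowerShell on a domain member; for a whole domain the same settings belong in a GPO, this just shows what that GPO ends up setting.

```powershell
# Added example, not from the post. Run elevated on a domain member.
# Reports LLMNR, NetBIOS over TCP/IP and SMB signing state; -Remediate fixes them.
function Test-LegacyNameResolution {
    param([switch]$Remediate)
    # This is the registry value behind the "Turn off multicast name resolution" policy.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr  = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $smbSrv = Get-SmbServerConfiguration
    $smbCli = Get-SmbClientConfiguration
    $nics   = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    # TcpipNetbiosOptions: 0 = DHCP default, 1 = enabled, 2 = disabled
    $nbtOn  = @($nics | Where-Object TcpipNetbiosOptions -ne 2)
    $result = [pscustomobject]@{
        LlmnrDisabled            = ($llmnr -eq 0)
        ServerSigningRequired    = [bool]$smbSrv.RequireSecuritySignature
        ClientSigningRequired    = [bool]$smbCli.RequireSecuritySignature
        NetbiosDisabledOnAllNics = ($nbtOn.Count -eq 0)
    }
    if ($Remediate) {
        if (-not $result.LlmnrDisabled) {
            New-Item -Path $llmnrKey -Force | Out-Null
            Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
        }
        if (-not $result.ServerSigningRequired) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
        if (-not $result.ClientSigningRequired) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
        foreach ($nic in $nbtOn) {
            Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
        }
    }
    $result
}

Test-LegacyNameResolution            # report only
# Test-LegacyNameResolution -Remediate
```

Requiring signing on the client side too matters because the course’s relay lesson targets hosts where signing is merely enabled, not required.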
Summary
Some might find PJPT simple and easy, but those people are probably taking OSCP anyways. I liked the course, I learned a few new tricks, it was a good refresher, and the course & exam bundle are well worth $250. IaCing the lab was a good learning experience as well.
References
Install-ADDSForest: https://learn.microsoft.com/en-us/powershell/module/addsdeployment/install-addsforest?view=windowsserver2022-ps
Disable SMB Signing: https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-signing?tabs=powershell
Set-LocalUser: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/set-localuser?view=powershell-5.1
Map a share as a different user: https://stackoverflow.com/questions/1530733/powershell-how-to-map-a-network-drive-with-a-different-username-password
AD CS setup: https://learn.microsoft.com/en-us/powershell/module/adcsdeployment/?view=windowsserver2022-ps
GOAD: https://github.com/Orange-Cyberdefense/GOAD
Abusing GPO Control: https://wald0.com/?p=179
Storing creds in credman: https://childebrandt42.blog/2020/07/07/using-windows-credential-manager-with-powershell/