In April 2019, I took CompTIA’s PenTest+ exam. Along with CySA+, this bridges the gap between Security+ and CASP. As the name suggests, it’s all about penetration testing.
This is a relatively new exam, and it’s still on the first release (PT0-001). Because of that, it’s not very well known, so I haven’t seen any job adverts asking for it. Personally, I took the Security+ exam in November 2016, so that was due to expire in November 2019 (along with the A+ and Network+). Doing this exam was a good way to renew all of my existing CompTIA certifications, while learning some new skills, so I don’t regret it. However, I mainly see it as a stepping stone towards a more useful certification.
Pen testing exams generally fall into two categories: theory and practical. Like the other CompTIA exams, PenTest+ is (primarily) multiple choice. This has the advantage that it can be graded automatically by the testing software. However, it also has the downside that it’s less realistic, because it’s more fragmented. It’s entirely possible to pass this exam without ever actually doing a penetration test, which makes the certification less valuable to employers.
As an analogy, think of a driving test. Normally, you would drive around the area for a while to demonstrate your general ability, then the examiner would ask you to perform a few manoeuvres (e.g. parallel parking). Imagine instead that the examiner drove you to a suitable location, then you swapped seats so that you could do a manoeuvre, then you swapped seats again so that they could drive you to the next location. PenTest+ feels a bit like this, e.g. they might ask you how you would set up a reverse shell but you won’t need to choose when to do that.
On the CompTIA website (blog), they ask: “How does CompTIA PenTest+ compare to EC-Council’s Certified Ethical Hacker (CEH) certification?” Unsurprisingly, they conclude that PenTest+ is better, but I agree with their logic. Aside from anything else, PenTest+ is significantly cheaper! That said, I’m not sure that this is the best comparison. CEH is well known, but the EC-Council blog says that “the C|EH is not a penetration testing certification”; it’s a foundation course, so I’d say that CEH is closer to Security+.
Looking at the Continuing Education section of the CompTIA website, they seem to agree. If you want to use an EC-Council certification to renew a CompTIA certification, you can use CEH, ECSA, or LPT to renew the Security+ but you can only use ECSA or LPT to renew PenTest+ and CySA+. Based on that, I think that PenTest+ is somewhere between CEH and ECSA.
Normally I use a textbook to prepare for an exam. However, none of them had been published when I did this exam, so I used Jason Dion’s Udemy course as my primary resource. Here’s my review of the course:
I think the course does a good job of covering the syllabus, and the demos are particularly useful: it’s easier to see how software works in a video than by reading a book.
I’m glad that he omitted some stuff (e.g. a description of rainbow tables) on the basis that we should already know that from the Security+ exam; that way, he could focus on what’s new. At the same time, it’s also useful that he went into some stuff that isn’t on the exam but will be relevant in real life. The key difference is that the extra content is specifically relevant to penetration testing, rather than being general networking principles etc.
On the downside, I noticed that there are a few mistakes in the course. Sometimes this is just a typo or a slip of the tongue, e.g. writing “structered” instead of “structured”. Some of them are a bit misleading, e.g. when he mentions that Wannacry exploited a vulnerability in SMB but didn’t mention that this is specific to SMB 1.0; later versions of SMB don’t have that problem. There are also some bits that are flat out wrong, e.g. when he said that PowerShell doesn’t put a dash before comparison operators; you actually need to type “-eq” rather than just “eq”. (Curiously, the printed slide was correct but the spoken description was wrong.)
It’s also a bit odd that so many of the examples use Windows XP or Windows 7. In particular, he recommends using the “at” command to create scheduled tasks, but that has been deprecated in Windows 10 and you need to use schtasks.exe instead. To be fair, I know there are still some organisations using Windows 7, and it’s possible that some people are still using XP (although I hope not); however, since this course was created in July 2018, it would be nice if it was a bit more up to date.
Overall, Jason Dion freely admits that this course won’t prepare you for the exam on its own: you actually need some hands-on experience using the tools. I think it’s a good starting point, to identify any gaps in your knowledge which you can then investigate in more detail.
Aside from Jason Dion’s course, I also installed Kali Linux in a virtual machine and went through the (free) Metasploit Unleashed course, which gives a decent overview of Metasploit and Meterpreter.
The CompTIA website also has some practice questions, but they’re far easier than the actual exam! I got all of them correct before I’d started Jason Dion’s course, but when I took the real exam (after I’d finished his course), it was the hardest CompTIA exam that I’ve done so far. As an intermediate exam, you should expect it to be harder than the A+, Network+, and Security+. In theory, it’s equal to the CySA+, but I personally thought the PenTest+ was harder.
NB Just to emphasise the point, it’s harder than (some) other CompTIA exams, but it’s significantly easier than some exams from other organisations (e.g. the OSCP).
As always, you should get the exam objectives from the CompTIA website, then do further study on anything you’re not sure about. However, in this case I found them a bit misleading. In particular, section 4.1 lists particular parameters for Nmap, but the exam asked about other parameters which weren’t on that list. Similarly, section 4.2 lists various tools, and explicitly says “The intent of this objective is NOT to test specific vendor feature sets.” For the most part, that’s true: they want you to know what each tool does (e.g. you should know that Burp Suite is a web proxy) but you don’t need to know how to use them. However, I found that the exam required you to know about nc and hashcat parameters. Obviously I’m restricted by the non-disclosure agreement, so I can’t be any more specific than that, but I advise you to spend some time on the Nmap website. Even if some of the info is beyond the scope of this exam, it will be useful to you in the long run (assuming that you pursue a career in penetration testing).
When you book the exam, I recommend buying a voucher from the CompTIA store, then redeeming that voucher on the Pearson Vue website. The main benefit is that you can use a discount code in the CompTIA store: Jason Dion included a 10% discount with his course, but I got a 15% discount as an ACM member.
Pearson Vue allocated 210 minutes (3½ hours) for my appointment: that includes 165 minutes (2h45m) for the exam itself and another 45m for “overhead” (e.g. the demo and survey). Personally, I was in the test centre for about 2½ hours: I had enough time to review all my answers, and I still finished a bit early, but I didn’t have loads of time left over. So, I’d say the allocated time is about right.
I took the exam on Friday afternoon. I then received the email confirmation from CompTIA the following day (Saturday evening); I think they have an automated task that runs once every 24 hours, after the various databases have had time to synchronise. As usual, I then logged into their website and updated my “intent level” on the CE dashboard.
Passing this exam also gave me a stackable certification: Network Vulnerability Assessment Professional (Security+ and PenTest+).