Failed Pentest+

Hi guys,

I humbly report that after watching Jason Deions highly rated Pentest+ training video, doing all the chapter questions in the Pentest+ Study Guide (Mike Chapple), and completing all the 600+ practice questions in the CompTIA Pentest+ Practice Tests (Crystal Panek, Rob Tracy) I still failed the exam steeply (588/1000). I was especially clueless when it came to constructing a Python script and identifying the Nmap commands when shown an Nmap scan result.

Do any of y'all have any constructive tips? Personally, I thought this place would be the best place for a first stop as I begin to re-strategize. Thanks in advance for suggestions, tips, an participation.

Summary of my study materials:
- Jason Deions highly rated Pentest+ training video
- Pentest+ Study Guide (Mike Chapple)
- 600+ practice questions in the CompTIA Pentest+ Practice Tests (Crystal Panek, Rob Tracy)

Find more posts tagged with

Pentest+ CEH CompTIA

scripting

failed

nmap

Comments

JDMurray

I only took the Pentest+ beta exam, but I'd say the number of items requiring the ability to read code (Python, Ruby, Perl, etc.) probably surprises most exam takers. The only way you can learn to read code is by writing it. (Becoming a competent programmer is practice, practice, practice.) Command line arguments for the popular tools (nmap, hping3, etc.) were a weak point with me on both Pentest+ and the CEH. It sounds like you need to be more familiar with reading the output of popular tools as well.

Elitis

I'd recommend labbing. Play around with nmap and other tools a bit. Write a script or two using Python, Powershell, Bash, etc. The sybex book (the one you're using) was very helpful to me when I took the exam as well. So maybe go after the chapters regarding scripting and drill those until you can at least make out a line or two in a script.

egrizzly

Thanks guys. I actually plan on reading the book in it's entirety this second time around. I'll patiently take Udemy courses on Python, Pearl, Bash, Powershell scripting as well.

egrizzly

It was the exact same situation for me @Aharrell . The certification preparation community should really seriously get simulated exam questions for Pentest+ that kinda sort of match the real exam questions. There's really none at all today besides those 75 questions from Jason Dion. Companies like Transcenders and Boson used to make some awesome simulated exam questions but for some reason they've omitted Pentest+

Aharrell

>make some awesome simulated

I wonder if the PenTest+ has a large enough market share to warrant someone producing content for it? I can see why CompTIA has it (for now)... but much like their old Health Care Technician cert - if the demand isn't there - they'll retire it. Junior PenTester, OSCP, or GPEN seem to be the leaders in that space. Does CompTIA publish numbers on how many holders of specific certs there are?

egrizzly

Aharrell said:

>make some awesome simulated

I wonder if the PenTest+ has a large enough market share to warrant someone producing content for it? I can see why CompTIA has it (for now)... but much like their old Health Care Technician cert - if the demand isn't there - they'll retire it. Junior PenTester, OSCP, or GPEN seem to be the leaders in that space. Does CompTIA publish numbers on how many holders of specific certs there are?

Good that you mentioned this because as of this evening I decided full speed ahead to pursue the CEH certification instead. It seems I'm partially at fault for this fail as I didn't quite scope that all the study resources were available to complete all parts of my study process adequately. A key part of this process of course is the simulated exams. This is the particular predictor on whether one is ready for an actual certification exam or not. I omitted that and paid the price!

I've since scouted the practice test resources for CEH. Both Boson and CyberVista (formerly Transcenders) have a serious simulation exam for the CEH unlike the Pentest+ that has zero tests from either of these two vendors. I'm therefore whole-heartedly zeroed in on this certification path.

spiderjericho

Aharrell said:

>make some awesome simulated

I wonder if the PenTest+ has a large enough market share to warrant someone producing content for it? I can see why CompTIA has it (for now)... but much like their old Health Care Technician cert - if the demand isn't there - they'll retire it. Junior PenTester, OSCP, or GPEN seem to be the leaders in that space. Does CompTIA publish numbers on how many holders of specific certs there are?

It seems like a power play with DoD 8140/8570 and higher demand for Cybersecurity technicians. From a reputation and demand perspective, it’s hard to know if they’re getting their RoI. I’d ask that question for CASP. That was the first one they rolled out followed by CySA+ and Pentest+. The material is solid. Vendor neutral. And the cost to get certified lower. But...compared to elearningsecurity, SANs and OFFSEC offerings, the quality of the material and level of mastery that an enrollee can obtain is lower.

My advice is to look at the score report and review/brush up on your weak areas. It’s been two years since I took it, but you had to have a decent knowledge of code languages. Which was one of my issues the first time I took it. Best approach might be to lab it. Not sure if there are labs in the Sybex book (I felt like there were for the last iteration of CySA).

JDMurray

egrizzly said:
... I decided full speed ahead to pursue the CEH certification instead.

The CEH is one freaking-expensive exam for what you get. Is your employer paying for it? What kind of ROI do you expect to get for having it?

JDMurray

spiderjericho said:
I’d ask that question for CASP. That was the first one they rolled out followed by CySA+ and Pentest+.

CASP was originally a security administrator's cert and was the first cert in CompTIA's new mid-level certification tier. CompTIA never released any other mid-level certs and ended up rebranding CASP with a "+". I assume this was in response to market trends/demands/competition and the recognition the "+" gives their brand (and may increase its ROI). If CompTIA ever again wants to create a new tier of certs they should come up with a completely unique certification naming convention that doesn't begin with "C" or end with "+".

charismaticx

The sybex CEH book covers a majority of the nmap switches. However, that may seem unrealistic or unfeasible to some. Have you thought about looking up the man pages go nmap? That would probably point you in the right direction.

As for python, it may help you to find some old scripts. Even though python is “easy” to learn. It does take some time to get better at understanding the concepts.