SEC660: A

 dvanced Penetration Testing, GXPN

Exploit Researcher &

Exploit Writing, and Ethical Hacking Advanced Pen Tester

giac.org/gxpn

6 46 Laptop This course is designed as a logical progression point for those who have completed SEC560:
Required
Day Program CPEs Network Penetration Testing and Ethical Hacking, or for those with existing penetration testing
experience. Students with the prerequisite knowledge to take this course will walk through
You Will Be Able To dozens of real-world attacks used by the most seasoned penetration testers. The methodology
• Perform fuzz testing to enhance your of a given attack is discussed, followed by exercises in a real-world lab environment to solidify
company’s SDL process advanced concepts and allow for the immediate application of techniques in the workplace.
• Exploit network devices and assess Each day includes a two-hour evening bootcamp to allow for additional mastery of the
network application protocols techniques discussed and even more hands-on exercises. A sample of topics covered includes
• Escape from restricted environments on weaponizing Python for penetration testers, attacks against network access control (NAC) and
Linux and Windows
VLAN manipulation, network device exploitation, breaking out of Linux and Windows restricted
• Test cryptographic implementations
environments, IPv6, Linux privilege escalation and exploit-writing, testing cryptographic
• Model the techniques used by attackers to
perform 0-day vulnerability discovery and implementations, fuzzing, defeating modern OS controls such as ASLR and DEP, return-oriented
exploit development programming (ROP), Windows exploit-writing, and much more!
• Develop more accurate quantitative and
qualitative risk assessments through Attackers are becoming more clever and their attacks more complex. In order to keep up
validation with the latest attack methods, you need a strong desire to learn, the support of others, and
• Demonstrate the needs and effects of the opportunity to practice and build experience. SEC660 provides attendees with in-depth
leveraging modern exploit mitigation
controls
knowledge of the most prominent and powerful attack vectors and an environment to perform
• Reverse-engineer vulnerable code to write
these attacks in numerous hands-on scenarios. This course goes far beyond simple scanning
custom exploits for low-hanging fruit, and shows penetration testers how to model the abilities of an advanced
attacker to find significant flaws in a target environment and demonstrate the business risk
associated with these flaws.
SEC660 starts off by introducing the advanced penetration concept, and provides an overview
to help prepare students for what lies ahead. The focus of section one is on network attacks,
an area often left untouched by testers. Topics include accessing, manipulating, and exploiting
the network. Attacks are performed against NAC, VLANs, OSPF, 802.1X, CDP, IPv6, VOIP, SSL, ARP,
GXPN SNMP, and others. Section two starts off with a technical module on performing penetration
Exploit Researcher &
Advanced Pen Tester testing against various cryptographic implementations. The rest of the section is spent on
giac.org/gxpn network booting attacks, escaping Linux restricted environments such as chroot, and escaping
GIAC Exploit Researcher and Windows restricted desktop environments. Section three jumps into an introduction of Python
Advanced Penetration Tester for penetration testing, Scapy for packet crafting, product security testing, network and
The GIAC Exploit Researcher and Advanced application fuzzing, and code coverage techniques. Sections four and five are spent exploiting
Penetration Tester certification validates programs on the Linux and Windows operating systems. You will learn to identify privileged
a practitioner’s ability to find and mitigate
significant security flaws in systems and
programs, redirect the execution of code, reverse-engineer programs to locate vulnerable
networks. GXPN certification holders have code, obtain code execution for administrative shell access, and defeat modern operating
the skills to conduct advanced penetration system controls such as ASLR, canaries, and DEP using ROP and other techniques. Local and
tests and model the behavior of attackers to
improve system security, and the knowledge
remote exploits, as well as client-side exploitation techniques, are covered. The final course
to demonstrate the business risk associated section is dedicated to numerous penetration testing challenges requiring you to solve
with these behaviors. complex problems and capture flags.
• Network Attacks, Crypto, Network Booting,
and Restricted Environments Among the biggest benefits of SEC660 is the expert-level hands-on guidance provided through
• Python, Scapy, and Fuzzing the labs and the additional time allotted each evening to reinforce daytime material and
• Exploiting Windows and Linux for
master the exercises.
Penetration Testers

“SEC660 is the right balance between theory and practice;

it’s hands-on, not too hard, but also not too easy.”
— Anton Ebertzeder, Siemens AG

• Watch a preview of this course

sans.org/sec660 • Discover how to take this course: Online, In-Person
Section Descriptions
SECTION 1: Network Attacks for SECTION 2: Crypto and Post-Exploitation Who Should Attend
Penetration Testers Section 2 starts by taking a tactical look at techniques that • Network and systems penetration testers
Section 1 serves as an advanced network attack penetration testers can use to investigate and exploit common • Incident handlers
module, building on knowledge gained from cryptography mistakes. We begin by building some fundamental
knowledge on how ciphers operate, without getting bogged • Application developers
SEC560. The focus will be on obtaining access to
the network; manipulating the network to gain down in complex mathematics. Then we move on to techniques • IDS engineers
an attack position for eavesdropping and attacks, for identifying, assessing, and attacking real-world crypto
and for exploiting network devices; leveraging implementations. The day continues with advanced techniques
weaknesses in network infrastructure; and taking but focuses more on post exploitation tasks. As a major part of
advantage of client frailty. post exploitation, we cover PowerShell: including basic concepts
and tasks, enterprise tasks, and outright offensive tasks. We will “The exploit development
TOPICS: Bypassing Network Access/Admission discuss and use a variety of PowerShell attack tools to discover
Control (NAC); Impersonating Devices with vulnerabilities and gain privileges. The day ends with a challenging taught in SEC660 is a very
Admission Control Policy Exceptions; Exploiting boot camp exercise against a full network environment comprised
EAP-MD5 Authentication; Custom Network useful, niche, hard to find
of a variety of modern, representative, and fully patched systems
Protocol Manipulation with Ettercap and Custom with no obvious external vulnerabilities. and learn skill­—which makes
Filters; Multiple Techniques for Gaining Man-in-
the-Middle Network Access; IPv6 for Penetration TOPICS: Pen Testing Cryptographic Implementations; Exploiting it very valuable.”
Testers; Exploiting OSPF Authentication to Inject CBC Bit Flipping Vulnerabilities; Exploiting Hash Length Extension
Vulnerabilities; PowerShell Essentials; Enterprise PowerShell; Post- — Christian Nicholson, KPMG
Malicious Routing Updates; Using Evilgrade
to Attack Software Updates; Overcoming SSL Exploitation with PowerShell and Metasploit; Escaping Software
Transport Encryption Security with Sslstrip; Restrictions; Two-hour Evening Capture-the-Flag Exercise Against a
Remote Cisco Router Configuration File Retrieval Modern Network with Hardened Servers, Desktops and vApp Targets

SECTION 3: Python, Scapy, and Fuzzing SECTION 4: Exploiting Linux for Penetration Testers
Section 3 brings together the multiple skill sets needed for creative analysis Section 4 begins by walking through memory from an exploitation perspective as well
in penetration testing. We start by discussing product security testing. The as introducing x86 assembler and linking and loading. These topics are important for
day continues with a focus on how to leverage Python as a penetration anyone performing penetration testing at an advanced level. Processor registers are
tester - the aim is to help students unfamiliar with Python start modifying directly manipulated by testers and must be intimately understood. Disassembly is
scripts to add their own functionality, while also helping seasoned Python a critical piece of testing and will be used throughout the remainder of the course.
scripters improve their skills. Once we leverage the Python skills in creative lab We will take a look at the Linux OS from an exploitation perspective and discuss
exercises, we move on to leveraging Scapy for custom network targeting and privilege escalation. We continue by describing how to look for SUID programs and
protocol manipulation. Using Scapy, we examine techniques for transmitting other likely points of vulnerabilities and misconfigurations. The material will focus on
and receiving network traffic beyond what canned tools can accomplish, techniques that are critical to performing penetration testing on Linux applications.
including IPv6. Next, we take a look at network protocol and file format fuzzing. We then go heavily into stack overflows on Linux to gain privilege escalation and code
We leverage fuzzing to target both common network protocols and popular execution. We will first cover using a debugger to expose weak passwords. Then we
file formats for bug discovery. We use hands-on exercises to develop custom will go over redirection of program execution and, finally, code execution. Techniques
protocol fuzzing grammars to discover bugs in popular software. Finally, we such as return to buffer and return to C library (ret2libc) will be covered, as well as an
carefully discuss the concept of code coverage and how it goes hand-in-hand introduction to return-oriented programming. The remainder of the day takes students
with fuzzing. We will conduct a lab using the Paimei Reverse Engineering through techniques used to defeat or bypass OS protections such as stack canaries
Framework and IDA Pro to demonstrate the techniques discussed. and address space layout randomization (ASLR). The goal of this section is to expose
TOPICS: Becoming Familiar with Python Types; Leveraging Python Modules for students to common obstacles on modern Linux-based systems
Real-World Pen Tester Tasks; Manipulating Stateful Protocols with Scapy; Using TOPICS: Stack and Dynamic Memory Management and Allocation on the Linux OS;
Scapy to Create a Custom Wireless Data Leakage Tool; Product Security Testing; Disassembling a Binary and Analyzing x86 Assembly Code; Performing Symbol Resolution
Using Taof for Quick Protocol Mutation Fuzzing; Optimizing Your Fuzzing Time on the Linux OS; Identifying Vulnerable Programs; Code Execution Redirection and
with Smart Target Selection; Automating Target Monitoring While Fuzzing with Memory Leaks; Identifying and Analyzing Stack-Based Overflows on the Linux OS;
Sulley; Leveraging Microsoft Word Macros for Fuzzing .docx files; Block-Based Performing Return-to-libc (ret2libc) Attacks on the Stack; Return-Oriented Programming;
Code Coverage Techniques Using Paimei Defeating Stack Protection on the Linux OS; Defeating ASLR on the Linux OS

SECTION 5: Exploiting Windows for Penetration Testers SECTION 6: Capture-the-Flag

Section 5 starts off covering the OS security features (ASLR, DEP, etc.) added to the Windows OS over the years as well Challenge
as Windows-specific constructs. Differences between Linux and Windows will be covered. These topics are critical in This section will serve as a real-world
assessing Windows-based applications. We then focus on stack-based attacks against programs running on the Windows challenge for students by requiring them to
OS. After finding a vulnerability in an application, the student will work with Immunity Debugger to turn the bug into utilize skills they have learned throughout
an opportunity for code execution and privilege escalation. Advanced stack-based techniques such as disabling data the course, think outside the box, and solve
execution prevention (DEP) are covered. Client-side exploitation will be introduced, as it is a highly common area of a range of problems from simple to complex.
attack. We continue with the topic of return-oriented programming (ROP), demonstrating the technique against a A web server scoring system and Capture-
vulnerable application, while looking at defeating hardware DEP and address space layout randomization (ASLR) on the-Flag engine will be provided to score
Windows 7, Windows 8, and Windows 10. We then have a module on porting over an exploit into the Metasploit Framework students as they capture flags. More difficult
and on how to quickly identify bad characters in your shellcode and as input into a program. Finally, we will take a quick challenges will be worth more points. In this
look at shellcode and the differences between shellcode on Linux and Windows, followed by a ROP challenge. offensive exercise, challenges range from local
TOPICS: The State of Windows OS Protections on Windows 7, 8, 10, Server 2008 and 2012; Understanding Common privilege escalation to remote exploitation
Windows Constructs; Stack Exploitation on Windows; Defeating OS Protections Added to Windows; Creating a on both Linux and Windows systems, as well
Metasploit Module; Advanced Stack-Smashing on Windows; Using ROP; Building ROP Chains to Defeat DEP and Bypass as networking attacks and other challenges
ASLR; Windows 7 and 8; Porting Metasploit Modules; Client-side Exploitation; Windows Shellcode related to the course material.