Got What It Takes For SEC760? Check Out this Short Quiz (Updated!)

As you may have heard, we've been adding new content to SANS SEC760: Advanced Exploit Development for Penetration Testers, including Windows 10 updates, heap exploit material, and all new kernal debugging and exploitation sections. The course was written as a follow-on to SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking, for those wanting more knowledge and experience in exploit development. There has been a lot of growth in this area and many organizations are looking for professionals with this skill set in order to perform threat modeling, bug hunting, determine bug exploitability, and possess the ability to write exploits against applications running on modern operating systems. Even if your current position does not have you spending your days writing exploits, the subject matter covered is very relevant for:

• Senior Penetration Testers
• Senior Incident Handlers and Forensics Experts
• Senior Windows Security Professionals (especially those responsible for patch management and selecting tools such as EMET to deploy.)
• Senior Intrusion Analysts (IDS/IPS/AV/Linux/Windows/OSX)
• C & C++ Developers
• Professionals responsible for a Secure-SDLC & SDL process
• Your future position in exploit research!

SEC760 is a very challenging course covering topics such as remote debugging with IDA, writing IDAPython & IDC scripts, SDL & threat modeling, Linux heap overflows, patch diffing, use-after-free attacks, Windows Kernel debugging and exploitation, and much more. Please see the course syllabus for a detailed listing, and be sure to take a look at the recommended prerequisites and laptop requirements. You are expected to already know how to write exploits for Windows and Linux applications, bypass exploit mitigation controls such as DEP and ASLR, utilize return oriented shellcode (ROP), etc...

As the authors of the course, we get a lot of questions, including:

• Am I ready for SEC760?
• Should I take SEC660 first?
• I've taken SEC660. Am I definitely ready for SEC760?
• I've taken SEC560. Can I jump right to SEC760 if I only want the exploit dev material?
• I have not taken any SANS pen testing courses, which one should I start with?
• I've taken a course through Offensive Security, is the material the same?

There is no "one size fits all" reply to these types of questions, as everyone has a different level of experience. Our recommendation is to thoroughly read through the course syllabus and prerequisite statements for any course you are considering. We are happy to answer any questions you may have about this subject matter to help you make an informed decision.

We have written a ten question exam which will hopefully help you with determining if you are better suited for SEC660 or SEC760. Remember that this is purely from an exploit development perspective. SEC660 includes two days of material on introduction to exploit development and bypassing exploit mitigation controls. Much of the other material in SEC660 is on a wide range of advanced penetration testing topics such as network device exploitation (routers, switches, NAC), pentesting cryptographic implementations, fuzzing, Python, network booting attacks, escaping Linux and Windows restricted environments, etc...

Please take the exam without any help. Do not use Google or other search engines to look up answers, ask a peer, or seek the answers by any means other than using your brain and experience. The answers along with explanations are also available in a separate link below. See how you measure up!

You can use the following as a rough guide based on the number of correct answers you achieve on your test.

• 7/10 Correct: You are likely ready to take SEC760, given that you have exploit development experience as listed in the SEC760 course prerequisite section, such as that covered in SEC660.
• 5/10 or 6/10 Correct: This I would consider a grey area where you may require some additional preparation to be successful in the SEC760 class, and again, you must have the exploit development experience as listed in the SEC760 course prerequisite section, such as that covered in SEC660.
• 4/10 Correct or Lower: You are very likely not ready for SEC760 and will really benefit in taking SEC660 first. If you have already taken SEC660 and still scored below a 5/10, it is highly recommended that you work back through 660.4 and 660.5 for a refresh and try again.

Grab a pen and some paper and write down your answers to each of the ten questions below. When you are done, click on the link at the bottom to go through the answers.

Good luck with the quiz, and see you in SEC760!

Thanks!

--Jaime Geiger & Stephen Sims

SEC760 10 Question Exam

1) DEP is to ROP as ASLR is to ____ ?

a. Memory leak
b. Stack smash
c. Control Flow Guard
d. JOP

2) What does MSR stand for in the context of a CPU?

a. Memory Standard Resource
b. Model Specific Register
c. Memory-Synchronized Range
d. Mandatory System Routine

3) What is the following 64-bit x86 assembly doing (assume it is standalone, no prologue etc.)?

    call label

label:
    pop rax
    sub rax, 5

a. Making a system call
b. Turning off DEP
c. Subverting control flow guard
d. Getting the current execution address

4) Which of the following byte sequences can be used as an x86 64-bit ROP gadget (that's not just a ret or ret X)? Hint: use the Shell-Storm disassembler

a. \xff\xc0\x48\x89\xd8\x48\x31\xf6\xcc\xcd\xc2\xcc
b. \xb6\x2d\x1d\x00\x41\x89\xd8\xff\xc3\x31\xc0
c. \x48\x31\xf6\x48\x89\x43\x08\xb3\xc3\x0f\x05
d. \x0f\x85\xed\x00\xb6\x47\x18\xbb\xc2\x74\x36

5) Which of the following C code snippets will never cause a buffer overflow on Windows?

a. unsigned char *mem = malloc(2); memcpy(mem, userbuffer, 4);
b. RtlCopyMemory(buf, userbuf, userlen);
c. char *str = malloc(stringsize); strncpy(str, userbuffer, stringsize);
d. int len = sprintf(NULL, "fmt %s", userstr); char *str = malloc(len+1); sprintf(str, "fmt %s", userstr);

6) In what situation(s) must you allocate data on the heap and not the stack in C/C++?

a. When the size of the data is not known at compile time
b. When the data must outlive the current function
c. When the data is larger than 1 page
d. When the data is sensitive

7) Which of the following is not a component of a fuzzer?

a. Mutator
b. Generator
c. Executor
d. These are all fuzzer components

8) True or False: In general, all Windows API functions use the stdcall calling convention, where arguments are put in registers (64-bit) and then the stack in reverse order and the caller is responsible for cleaning up the stack space allocated.

9) Which of the following is not a valid way of getting execution from a stack buffer overflow, despite the presence of a canary?

a. Repair the canary
b. Cause an exception before the canary is checked
c. Use a ROP chain to avoid the canary all together
d. Jump to or call an indirect function pointer you control

10) Which of the following statements are true regarding the difference between hardware and software breakpoints?

a. Hardware and software breakpoints can only be triggered on code execution
b. Hardware breakpoints cannot be removed with code, while software breakpoints can
c. Hardware breakpoints are set in registers, while software breakpoints are set by overwriting instructions
d. An unlimited number of hardware breakpoints can be set, while only a limited number of software breakpoints can be set

For the answers and a brief explanation of each, please click here.

We hope you enjoyed the quiz!