SEC560: Enterprise Penetration Testing™

GIAC Penetration Tester (GPEN)
GIAC Penetration Tester (GPEN)
  • In Person (6 days)
  • Online
36 CPEs

SEC560 prepares you to conduct successful penetration testing for entire modern enterprises, including on-prem systems, Azure, and Entra ID. The course doesn't just focus on network devices, Windows, Linux, macOS, identity systems, etc. -- instead, it focuses on the combined business risk of the entire enterprise. You will learn the methodology and techniques used by real-world penetration testers in large organizations to identify and exploit vulnerabilities at scale and show real business risk to your organization. The course material is complemented with 30+ practical lab exercises concluding with an intensive, hands-on Capture-the-Flag exercise in which you will conduct a penetration test against a target organization and demonstrate what you've learned.

What You Will Learn

SEC560: Enterprise Penetration Testing, the flagship SANS course for penetration testing, equips you to assess and mitigate business risks across complex, modern enterprises. You will learn to plan, execute, and apply penetration tests using the latest tools and techniques through hands-on labs. Ideal for penetration testers, system administrators, and defenders, SEC560 strengthens your skills and understanding of the attacker mindset, enabling you to enhance organizational security immediately.

You Will Be Able To:

  • Properly plan and prepare for an enterprise penetration test
  • Perform detailed reconnaissance to aid in social engineering, phishing, targeting the right data, and demonstrating appropriate goals
  • Scan in-scope environments using best-of-breed tools to identify systems and targets that other tools and techniques may have missed -- you can't secure what you don't know about
  • Perform safe and effective password guessing to gain initial access to the target environment or move deeper into the network
  • Exploit target systems in multiple ways to gain access and measure real business risk
  • Understand the environment via efficient methods of gaining situation awareness to identify additional targets and attack paths
  • Thoroughly pillage exploited systems to gather information and move further into the network towards your goals
  • Use privilege escalation techniques to elevate access on Windows or Linux systems, or Active Directory itself
  • Execute lateral movement and pivoting to further extend access to the organization and identify risks missed by surface scans
  • Crack passwords using modern tools and techniques to extend or escalate access
  • Use Command and Control (C2, C&C) frameworks to manage and pillage compromised hosts remotely
  • Attack the Active Directory domains and forests used by most organizations
  • Execute multiple Kerberos attacks, including Kerberoasting, Golden Ticket, and Silver Ticket attacks
  • Conduct Azure reconnaissance remotely, both with and without credentials
  • Execute Entra ID password spray attacks
  • Execute commands in Azure using compromised credentials
  • Develop and deliver high-quality reports that clearly communicate the accurate business risk stemming from the discovered flaws and misconfigurations

SEC560 is designed to get you ready to conduct a full-scale, high-value penetration test, and at the end of the course you will do just that. After building your skills in comprehensive and challenging labs, the course culminates with a final real-world penetration test scenario. You will conduct an end-to-end penetration test, applying knowledge, tools, and principles from throughout the course as you discover and exploit vulnerabilities in a realistic target organization.

What You Will Receive

  • Access to the in-class Virtual Training Lab with more than 30 in-depth labs
  • SANS Slingshot Linux Penetration Testing Environment and Windows 10 Virtual Machines loaded with numerous tools used for all labs
  • Access to the recorded course audio to help hammer home important network penetration testing lessons
  • Cheat sheets with details on professional use of Metasploit, Netcat, and more
  • Worksheets to streamline the formulation of scoping and rules of engagement for professional penetration tests

Syllabus (36 CPEs)

Download PDF
  • Overview

    In this course section, you will develop the skills needed to conduct a best-of-breed, high-value penetration test. We'll go in-depth on how to build a penetration testing infrastructure that includes all the hardware, software, network infrastructure, and tools you will need to conduct great penetration tests, with specific low-cost recommendations for your arsenal. We'll then cover formulating a pen test scope and rules of engagement that will set you up for success, including a role-play exercise. We'll also dig deep into the reconnaissance portion of a penetration test, covering the latest tools and techniques. This course section features a hands-on lab exercise to learn about a target environment, the organization, network, infrastructure, and users. This course section also looks at the vital task of mapping the target environment's attack surface by creating a comprehensive inventory of machines, accounts, and potential vulnerabilities. We'll look at some of the most useful scanning tools freely available today and run them in numerous hands-on labs to help hammer home the most effective way to use each tool. We'll cover vital techniques for false-positive reduction so you can focus your findings on meaningful results and avoid the sting of a false positive. And we'll examine the best ways to conduct your scans safely and efficiently.

    Exercises
    • Credential Stuffing to a Breach
    • Reconnaissance and OSINT
    • Masscan
    • Nmap
    • Nmap -O -sV, EyeWitness, Netcat, and NSE
    Topics
    • Penetration Test Overview
      • The Mindset of the Professional Pen Tester
      • Building a World-Class Pen Test Infrastructure
      • Miniature Engagement (Discovery, Credential Stuffing, Finding Single-Factor Authentication)
    • Reconnaissance
      • Understanding the organization structure, culture, and business goals
      • Finding the infrastructure (hostnames, DNS records, registered IPv4/IPv6 ranges, and certificate transparency)
      • Enumerating the employees, looking at breach data, roles, job requisitions, and more
    • Scanning
      • Tips for Scaling Your Scanning
      • Finding live systems and services with Masscan, even with millions of targets
      • Getting the most out of Nmap (Nmap Scripting Engine, Version Scanning, and integrations)
      • Using EyeWitness to triage web applications efficiently
  • Overview

    This course section includes password guessing attacks, which are a common way for penetration testers and malicious attackers to gain initial access and pivot through the network. This action-packed section concludes with another common way to gain initial access: exploitation. We'll discuss many ways that exploits are used to gain access or escalate privileges, then examine how these exploits are packaged in frameworks like Metasploit and its mighty Meterpreter. You'll learn in-depth how to leverage Metasploit and Meterpreter to compromise target environments. Once you've successfully exploited a target environment, penetration testing gets extra exciting as you perform post-exploitation, gathering information from compromised machines and pivoting to other systems in your scope. In this section, we'll discuss a common modern penetration test style, the Assumed Breach, where initial access is ceded to the testers for speed and efficiency. Whether the testers gain access themselves or access is provided, the testers now identify risks that are not visible on the surface. We'll examine C2 frameworks and how to select the right one for you. As part of this, we'll use Sliver and Empire and explore their capabilities for use in an effective penetration test. We'll discuss the next stage of a penetration test and situational awareness on both Windows and Linux.

    Exercises
    • Initial Access with Password Guessing and Spraying with Hydra
    • Exploitation with Metasploit and the Meterpreter Shell
    • Command and Control via Sliver and Teammates
    • Developing Payloads in Multiple C2 Frameworks
    • GhostPack's Seatbelt for Situational Awareness
    Topics
    • Gaining Initial Access
    • Password Guessing, Spraying, and Credential Stuffing
    • Exploitation and Exploit Categories
    • Exploiting Network Services and Leveraging Meterpreter
    • Command and Control Frameworks and Selecting the One for You
    • Using the Adversary Emulation and Red Team Framework, Sliver
    • Payload Generation in Metasploit and Sliver
    • Post-Exploitation
    • Assumed Breach Testing
    • Situational Awareness on Linux and Windows
    • Extracting Useful Information from a Compromised Windows Host with Seatbelt
  • Overview

    In this section, you'll learn tools and techniques to perform privilege escalation attacks to gain elevated access on compromised hosts to further pillage compromised hosts for an even more high-impact penetration test. Part of post-exploitation includes password dumping, where we'll perform cleartext password extraction with Mimikatz and password cracking. We'll also cover persistence to help you maintain access to compromised hosts that survive a reboot or a user logoff. You'll learn modern tools and techniques to perform better cracking attacks that will extend or upgrade your access in the target environment. We'll take a look at the powerful BloodHound to allow us to map attack paths to get to high-value targets. This section concludes with Responder, a tool to obtain password hashes and for relaying.

    Exercises
    • Privilege Escalation on Windows
    • Domain Mapping and Exploitation with BloodHound
    • Practical Persistence
    • Metasploit PsExec, Hash Dumping, and Mimikatz for Credential Harvesting
    • Password Cracking with Hashcat
    • Attacking Nearby Clients with Responder
    Topics
    • Privilege Escalation Methods and Techniques on Windows and Linux
    • Identifying Attack Paths with BloodHound
    • Persistence and Maintaining Access
    • Password Attack Tips
    • Retrieving and Manipulating Hashes from Windows, Linux, and Other Systems
    • Extracting Hashes and Passwords from Memory with Mimikatz
    • Effective Password Cracking with Hashcat
    • Poisoning Multicast Name Resolution with Responder
  • Overview

    This course section zooms in on moving through the target environment. When attackers gain access to a network, they move, so you'll learn the same techniques used by modern attackers and penetration testers. You'll start by manually executing techniques used for lateral movement, then move on to automation using the powerful toolset, Impacket, to exploit and abuse network protocols. We'll examine Windows network authentication, and you'll perform a pass-the-hash attack to move through the network without knowing the compromised account's password. We'll wrap up with a discussion on effective reporting and communication with the business.

    Exercises
    • Lateral Movement using Native Tooling from Windows
    • Lateral Movement using Native Tooling from Linux
    • The Impacket Framework
    • C2 Pivoting and Pass-the-Hash
    • Bypassing Application Control Technology By Living Off The Land With MSBuild
    Topics
    • Lateral Movement
    • Running Commands Remotely
    • Attacking and Abusing Network Protocols with Impacket
    • Anti-Virus and Evasion of Defensive Tools
    • Application Control Bypasses Using Built-In Windows Features
    • Implementing Port Forwarding Relays via SSH for Merciless Pivots
    • Pivoting through Target Environments with C2
    • Effective Reporting and Business Communication
  • Overview

    This course section focuses on typical AD lateral movement strategies. You'll gain an in-depth understanding of how Kerberos works and what the possible attack vectors are, including Kerberoasting, Golden Ticket, and Silver Ticket attacks. You'll use credentials found during the penetration test of the target environment to extract all the hashes from a compromised Domain Controller. We'll cover one of the most useful new techniques for privilege escalation due to vulnerabilities in Active Directory: Certificate Services (AD CS). With full privileges over the on-premise domain, we'll then turn our attention to the cloud and have a look at Azure principles and attack strategies. The integration of Entra ID with the on-premise domain provides interesting attack options, which will be linked to the domain dominance attacks we saw earlier during the course section.

    Exercises
    • Kerberoast Attack for Domain Privilege Escalation
    • Domain Dominance and Password Hash Extraction from a Compromised Domain Controller
    • Golden Ticket Attacks for Persistence
    • Silver Tickets for Persistence and Evasion
    • Identifying Vulnerabilities and Attacking Active Directory Certificate Services (AD CS)
    • Azure Reconnaissance and Password Spraying
    • Running Commands in Azure Using Compromised Credentials
    • Lateral Movement inside Azure
    Topics
    • Kerberos Authentication Protocol
    • Kerberoasting for Domain Privilege Escalation and Credential Compromise
    • Persistent Administrative Domain Access
    • Evaluating and Attacking AD CS
    • Obtaining NTDS.dit and Extracting Domain Hashes
    • Golden and Silver Ticket Attacks for Persistence
    • Additional Kerberos Attacks Including Skeleton Key, Over-Pass-the-Hash, and Pass-the-Ticket
    • Effective Domain Privilege Escalation
    • Azure and Entra ID Reconnaissance
    • Azure Password Attacks and Spraying
    • Understanding Azure Permissions
    • Running Commands on Azure Hosts
    • Tunneling with Ngrok
    • Lateral Movement in Azure
  • Overview

    This lively section represents the culmination of the enterprise penetration testing course. You'll apply all the skills mastered in the course in a comprehensive, hands-on exercise during which you'll conduct an actual penetration test of a sample target environment. We'll provide the scope and rules of engagement, and you'll work to achieve your goal to determine whether the target organization's Personally Identifiable Information is at risk. As a final step in preparing you for conducting penetration tests, you'll make recommendations about remediating the risks you identify.

    Exercises
    • A Comprehensive Lab Applying What You Have Learned Throughout the Course
    • Modeling a Penetration Test Against a Target Environment
    Topics
    • Applying Penetration Testing Practices End-to-End
    • Detailed Scanning to Find Vulnerabilities and Avenues to Entry
    • Exploitation to Gain Control of Target Systems
    • Post-Exploitation to Determine Business Risk
    • Merciless Pivoting
    • Analyzing Results to Understand Business Risk and Devise Corrective Actions

GIAC Penetration Tester

The GIAC Penetration Tester (GPEN) certification validates a practitioner's ability to properly conduct a penetration test using best-practice techniques and methodologies. GPEN certification holders have the knowledge and skills to conduct exploits, engage in detailed environmental reconnaissance, and utilize a process-oriented approach to penetration testing projects

  • Comprehensive Pen Test Planning, Scoping, and Recon
  • In-Depth Scanning and Exploitation, Post-Exploitation, and Pivoting
  • Azure Overview, Integration, and Attacks, and In-Depth Password Attacks
More Certification Details

Prerequisites

SEC560 is the flagship penetration test course offered by the SANS Institute. Attendees are expected to have a working knowledge of networking basics and a basic knowledge of the Windows and Linux command lines before they come to class. While SEC560 has in-depth information, it is important to note that programming knowledge is NOT required for the course.

Courses that lead in to SEC560:

Courses that are good follow-ups to SEC560:

Laptop Requirements

Important! Bring your own system configured according to these instructions.

To get the most value out of this course, students are required to bring their own laptop so they can connect directly to the workshop network we will create. It is the students' responsibility to make sure the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Workstation Player is required for the class. If you plan to use a Mac, please make sure you bring VMware Fusion. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

Disc Space Requirements

The course includes two VMware image files: a Windows 10 Virtual Machine (VM) and Slingshot Linux. You will need at least 60GB free on your system for these VMs.

VMware

You will use VMware to run Windows 10 and Slingshot Linux VMs simultaneously when performing exercises during the course. The VMs come with all the tools you need to complete the lab exercises.

We will give you a USB full of attack tools to experiment with during the course and to keep for later analysis. We will also provide a Linux image with all our tools pre-installed that runs within VMware.

Windows and Native Linux Users: You must have either the free or commercial VMware Workstation Player 16 or later installed on your system before coming to class. You can download VMware Workstation Player for free here.

Mac users: You will need VMware Fusion 12 (or later) or the free VMware Fusion Player 12 or later installed on your Mac prior to class. You can download the free VMware Fusion Player here.

Virtualbox and other virtualization products: While this may work in the course, it is not officially supported. If you choose to use this software, you will be responsible for configuring the virtual machines to work on the target range. Also, installation of both VMware and Virtualbox can sometimes cause network issues. We recommend only installing one virtualization technology.

Mandatory Laptop Hardware Requirements

  • x64-compatible 2.0 GHz CPU minimum or higher
  • 8 GB RAM minimum with 16 GB or higher recommended
  • 50 GB available hard-drive space
  • Any patch level is acceptable for Windows 10

During the Capture-the-Flag exercise, you will be connecting to one of the most hostile networks on Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the course attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact customer service.

Author Statement

"All security professionals need to understand how companies are being breached, from modern attack tactics and including the underlying principles. As a defender, incident responder, or forensic analyst, it is important to understand the latest attacks and the mindset of the attacker. In this course, penetration testers, red teamers, and other offensive security professionals will learn tools and techniques to increase the impact and effectiveness of their work. As the lead author for this course, I'm proud to bring my years of security experience (both offensive and defensive) as well as network/system administration experience to the course. We aim to provide a valuable, high-impact penetration testing course designed to teach experienced pen testers new tips, help prepare new penetration testers, and provide background to anyone dealing with penetration testers, red teams, or even malicious attackers. I personally enjoy teaching this course and sharing my experience and real-life examples with you."

Jeff McJunkin

Reviews

SEC560 introduces the whole process of penetration testing from the start of engagement to the end.
Barry Tsang
Deloitte
I think if you genuinely want to learn how exploitation techniques work and how to properly think like a hacker, it would be silly not to attend SEC560.
Marc Hamilton
McAfee
Thank you for an amazing week of training in SEC560! My favorite parts were lateral movement, password cracking, and web exploits!
Robert Adams
Microsoft

    Register for SEC560

    Learn about Group Pricing

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.

    Loading...