SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking™

GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
  • In Person (6 days)
  • Online
46 CPEs

SEC660 is designed as a logical progression point for students who have completed SEC560: Enterprise Penetration Testing, or for those with existing penetration testing experience. This course provides you with in-depth knowledge of the most prominent and powerful attack vectors and furnishes an environment to perform these attacks in numerous hands-on scenarios. The course goes far beyond simple scanning for low-hanging fruit and teaches you how to model the abilities of an advanced attacker to find significant flaws in a target environment and demonstrate the business risk associated with these flaws. 30+ Hands-on Labs.

What You Will Learn

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking is designed as a logical progression point for those who have completed SANS SEC560: Enterprise Penetration Testing, or for those with existing penetration testing experience. Students with the prerequisite knowledge to take this course will walk through dozens of real-world attacks used by the most seasoned penetration testers. The methodology of a given attack is discussed, followed by exercises in a hands-on lab to consolidate advanced concepts and facilitate the immediate application of techniques in the workplace. Each day of the course includes a two-hour evening boot camp to drive home additional mastery of the techniques discussed. A sample of topics covered includes attacks against network access control (NAC) and virtual local area network (VLAN) manipulation, network device exploitation, breaking out of Linux and Windows restricted environments, IPv6, Linux privilege escalation and exploit-writing, testing cryptographic implementations, fuzzing, defeating modern OS controls such as address space layout randomization (ASLR) and data execution prevention (DEP), return-oriented programming (ROP), Windows exploit-writing, and much more!

Attackers are becoming more clever and their attacks more complex. To keep up with the latest attack methods, you need a strong desire to learn, the support of others, and the opportunity to practice and build experience. This course provides attendees with in-depth knowledge of the most prominent and powerful attack vectors and furnishes an environment to perform these attacks in numerous hands-on scenarios. The course goes far beyond simple scanning for low-hanging fruit and shows penetration testers how to model the abilities of an advanced attacker to find significant flaws in a target environment and demonstrate the business risk associated with these flaws.

SEC660 starts off by introducing advanced penetration concepts and providing an overview to prepare students for what lies ahead. The focus of day one is on network attacks, especially the areas often left untouched by testers. Topics include accessing, manipulating, and exploiting the network. Covered attacks include NAC, VLANs, OSPF, 802.1X, CDP, IPv6, SSL, ARP, and others. Day two starts with a technical module on performing penetration testing against various cryptographic implementations, then turns to PowerShell and post exploitation, escaping Linux restricted environments and Windows restricted desktop environments. Day three jumps into Scapy for packet crafting, product security testing, network and application fuzzing, and code coverage techniques. Days four and five are spent exploiting programs on the Linux and Windows operating systems. You will learn to identify privileged programs, redirect the execution of code, reverse-engineer programs to locate vulnerable code, obtain code execution for administrative shell access, and defeat modern operating system controls such as ASLR, canaries, and DEP using ROP and other techniques. Local and remote exploits as well as client-side exploitation techniques are covered. The final course day is devoted to numerous penetration testing challenges that require students to solve complex problems and capture flags.

Among the biggest benefits of SEC660 is the expert-level hands-on guidance provided through the labs and the additional time allotted each evening to reinforce daytime material and master the exercises.

Business Takeaways

  • Perform penetration testing safely against network devices such as routers, switches, and NAC implementations.
  • Test cryptographic implementations.
  • Help your organization prevent identity sprawl and tech debt through centralization
  • Leverage an unprivileged foothold for post exploitation and escalation.
  • Fuzz network and stand-alone applications.
  • Write exploits against applications running on Linux and Windows systems.
  • Bypass exploit mitigations such as ASLR, DEP, and stack canaries.

Skills Learned

  • Perform fuzz testing to enhance your company's SDL process.
  • Exploit network devices and assess network application protocols.
  • Escape from restricted environments on Linux and Windows.
  • Test cryptographic implementations.
  • Model the techniques used by attackers to perform 0-day vulnerability discovery and exploit development.
  • Develop more accurate quantitative and qualitative risk assessments through validation.
  • Demonstrate the needs and effects of leveraging modern exploit mitigation controls.
  • Reverse-engineer vulnerable code to write custom exploits.

Hands-On Training

  • Exploit routing protocol implementations such as OSPF.
  • Bypass NAC and captive portal implementations.
  • Exploit patch updates.
  • Perform MitM attacks to remove SSL.
  • Perform IPv6 attacks.
  • Exploit poor cryptographic implementations using CBC bit flipping attacks and hash length extension attacks.
  • Exploit virtualization implementations.
  • Write Python scripts to automate testing.
  • Write fuzzers to trigger bugs in software.
  • Reverse-engineer applications to locate code paths and identify potential exploitable bugs.
  • Debug Linux applications.
  • Debug Windows applications.
  • Write exploits against buffer overflow vulnerabilities.
  • Bypass exploit mitigations such as ASLR, DEP, stack canaries, SafeSEH, etc.
  • Use ROP to bypass or disable security controls.

What You Will Receive

  • Access to the in-class Virtual Training Lab for over 30 in-depth labs.
  • A course USB with many tools used for all in-house labs.
  • Virtual machines full of penetration testing tools and specimens specially calibrated and tested to work with all our labs and optimized for use in your own penetration tests.
  • Access to recorded course audio to help hammer home important network penetration testing lessons.

Syllabus (46 CPEs)

  • Overview

    Section one serves as an advanced network attack module, building on knowledge gained from SEC560: Enterprise Penetration Testing. The focus will be on obtaining access to the network; manipulating the network to gain an attack position for eavesdropping and attacks, and for exploiting network devices; leveraging weaknesses in network infrastructure; and taking advantage of client frailty.

    Exercises
    • Captive Portal Bypass
    • Credential Theft
    • IPv6 Attacks
    • HTTP Tampering
    • Router Attacks
    Topics
    • Bypassing network access/admission control (NAC)
    • Impersonating devices with admission control policy exceptions
    • Custom network protocol manipulation with Ettercap and custom filters
    • Multiple techniques for performing network-based tampering
    • IPv6 for penetration testers
    • Exploiting OSPF authentication to inject malicious routing updates
    • Overcoming TLS/SSL transport encryption security with SSL-stripping
  • Overview

    Section two starts by taking a tactical look at techniques that penetration testers can use to investigate and exploit common cryptography mistakes. We begin by building some fundamental knowledge on how ciphers operate, without getting bogged down in complex mathematics. Then we move on to techniques for identifying, assessing, and attacking real-world crypto implementations. We finish the module with lab exercises that allow students to practice their newfound crypto attack skill set against reproduced real-world application vulnerabilities.

    The section continues with advanced techniques but focuses more on post exploitation tasks. We leverage an initial foothold to further exploit the rest of the network. We abuse allowed features to escape restricted environments. First, we will build up knowledge of local restrictions on hosts. Once we establish a set of possible restrictions, we leverage that knowledge to circumvent them. We will cover the core components that restrict the desktop and a variety of escape possibilities. The Kiosk escape exercise is a perfect, real-world demonstration of the risks of relying on obfuscation and deny controls to thwart attacks.

    As a major factor in post exploitation, we cover both exploiting administrators' use of PowerShell and PowerShell attack tools. We'll use specialized and alternative tools to escalate privileges, pivot, and deliver additional payloads. The section ends with a challenging boot camp exercise against a full network environment comprised of a variety of modern, representative, and fully patched systems with no obvious remote vulnerabilities.

    Exercises
    • Detecting Cryptography Implementations
    • CBC Bitflipping Attacks
    • Hash Extension Attacks
    • Kiosk Escape
    • Client-side Post Exploitation
    Topics
    • Pen testing cryptographic implementations
    • Exploiting CBC bit flipping vulnerabilities
    • Exploiting hash-length extension vulnerabilities
    • PowerShell as a victim
    • PowerShell as an attacker
    • Post Exploitation with PowerShell and alternatives
    • Escaping Software Restrictions
    • Two-hour Capture the Flag exercise against an enterprise Data Loss Prevention solution
  • Overview

    Section three brings together the multiple skill sets needed for creative analysis in penetration testing. We start by discussing product security testing and how products often use open-source software that can sometimes be involved in software supply chain attacks. Before we get into fuzzing, we take a look at leveraging Scapy for custom network targeting and protocol manipulation. Using Scapy, we examine techniques for transmitting and receiving network traffic beyond what canned tools can accomplish, including IPv6. Next, we take a look at dynamic analysis and fuzz testing. We leverage fuzzing to target both common network protocols and popular file formats for bug discovery. We use hands-on exercises to develop custom protocol fuzzing grammars to discover bugs in popular software. Finally, we carefully discuss the concept of code coverage and how it goes hand-in-hand with fuzzing. We will conduct a lab using the DynamoRIO instruction manipulation library and IDA Pro to demonstrate the techniques discussed.

    Exercises
    • Use the Scapy packet fuzzing framework to create custom packets to use for exploitation
    • Leverage fuzzers to identify vulnerabilities in open-source and commercial programs
    • Utilize fuzzing frameworks to build intelligent mutation fuzzers
    • Use code coverage tools to aid in fuzzing both closed-source and open-source applications
    • Utilize DynamoRIO and custom fuzzing tools to instrument closed-source binaries
    • Use IDA Pro to work on reversing vulnerable programs
    • Use AFLplusplus to instrument open-source programs for maximum code coverage
    Topics
    • Manipulating stateful protocols with Scapy
    • Using Scapy to create a custom wireless data leakage tool
    • Product security testing
    • Using Sulley for quick protocol mutation fuzzing
    • Optimizing your fuzzing time with smart target selection
    • Automating target monitoring while fuzzing with Sulley
    • Source code-assisted binary fuzzing and code coverage measurement using AFL++
    • Block-based code coverage techniques using DynamoRIO
  • Overview

    Section four begins by walking through memory from an exploitation perspective as well as introducing x86 and x86-64 assembler and linking and loading. These topics are important for anyone performing penetration testing at an advanced level. Processor registers are directly manipulated by testers and must be intimately understood. Disassembly is a critical piece of testing and will be used throughout the remainder of the course. We will take a look at the Linux OS from an exploitation perspective and discuss privilege escalation. We continue by describing how to look for SUID programs and other likely points of vulnerability and misconfiguration. The material will focus on techniques that are critical to performing penetration testing on Linux applications.

    We then go heavily into stack overflows on Linux to gain privilege escalation and code execution. We will first cover using a debugger to expose weak passwords. Then we will go over redirection of program execution and, finally, code execution. Techniques such as return to buffer and return to C library (ret2libc) will be covered, as well as an introduction to return-oriented programming. The remainder of the section takes students through techniques used to defeat or bypass OS protections such as stack canaries and address space layout randomization (ASLR). The goal of this section is to expose students to common obstacles on modern Linux-based systems.

    Exercises
    • Identifying and exploiting a buffer overflow vulnerability in a Linux program
    • Utilizing a technique known as ret2libc to avoid Data Execution Prevention (DEP)
    • Analyzing stack canaries and looking for opportunities to repair them for successful exploitation
    • Exploiting binaries with Address Space Layout Randomization (ASLR) enabled
    • Exploiting 64-bit binaries
    • Extended hours exercises allowing you to continue using the techniques covered in class to exploit additional programs
    Topics
    • Stack memory management and allocation on the Linux OS
    • Disassembling a binary and analyzing x86/x86-64 assembly code
    • Performing symbol resolution on the Linux OS
    • Identifying vulnerable programs
    • Code execution redirection
    • Identifying and analyzing stack-based overflows on the Linux OS
    • Performing return-to-libc (ret2libc) attacks on the stack
    • Return-oriented programming
    • Defeating stack protection on the Linux OS
    • Defeating ASLR on the Linux OS
  • Overview

    Section five starts off covering the OS security features (ASLR, DEP, etc.) added to the Windows OS over the years as well as Windows-specific constructs, such as the process environment block (PEB), structured exception handling (SEH), thread information block (TIB), and the Windows application programming interfaces (APIs). Differences between Linux and Windows will be covered. These topics are critical in assessing Windows-based applications. We then focus on stack-based attacks against programs running on the Windows OS. After finding a vulnerability in an application, the student will work with Immunity Debugger to turn the bug into an opportunity for code execution and privilege escalation. Advanced stack-based techniques such as disabling data execution prevention (DEP) are covered. Client-side exploitation will be introduced, as it is a highly common area of attack. We continue with the topic of return-oriented programming (ROP), demonstrating the technique against a vulnerable application, while looking at defeating hardware DEP and address space layout randomization (ASLR) on Windows 11. Finally, we will take a quick look at shellcode and the differences between shellcode on Linux and Windows, followed by a ROP challenge.

    Exercises
    • Identify vulnerabilities and exploit commercial applications on the Windows 11 OS
    • Identify exploitable stack overflow conditions
    • Use techniques to evade exploit mitigations, such as SafeSEH
    • Utilize Return Oriented Programming (ROP) to work around the DEP mitigation on Windows
    • Write your own ROP chain with the help of tooling, and learn to debug ROP chains to ensure their success
    Topics
    • The state of OS protections on Windows
    • Understanding common Windows constructs
    • Stack exploitation on Windows
    • Defeating OS protections added to Windows
    • Advanced stack-smashing on Windows
    • Using ROP
    • Building ROP chains to defeat DEP and bypass ASLR
    • Windows 11 exploitation
    • Client-side exploitation
    • Windows Shellcode
  • Overview

    This section will serve as a real-world challenge for students by requiring them to utilize skills they have learned throughout the course, think outside the box, and solve a range of problems from simple to complex. A web server scoring system and Capture the Flag engine will be provided to score students as they capture flags. More difficult challenges will be worth more points. In this offensive exercise, challenges range from local privilege escalation to remote exploitation on both Linux and Windows systems, as well as networking attacks and other challenges related to the course material.

GIAC Exploit Researcher and Advanced Penetration Tester

The GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) certification validates a practitioner's ability to find and mitigate significant security flaws in systems and networks. GXPN certification holders have the skills to conduct advanced penetration tests and model the behavior of attackers to improve system security, and the knowledge to demonstrate the business risk associated with these behaviors.

  • Network Attacks, Cryptography, and Restricted Environments
  • Python, Scapy, and Fuzzing
  • Exploiting Windows and Linux for Penetration Testers

Prerequisites

This is a fast-paced, advanced course that requires a strong desire to learn advanced penetration testing and custom exploitation techniques. The following SANS courses are recommended either prior to or as a companion to taking this course:

Experience with programming in any language is highly recommended. At a minimum, students are advised to read up on basic programming concepts. Python is the primary language used during class exercises, while programs written in C and C++ code are the primary languages being reversed and exploited. The basics of programming will not be covered in this course, although there is an introductory module on Python.

You should also be well versed with the fundamentals of penetration testing prior to taking this course. Familiarity with Linux and Windows is mandatory. A solid understanding of TCP/IP and networking concepts is required.

This course is appropriate for alumni of the following courses:

SEC660 is also great preparation for students planning on taking SEC760: Advanced Exploit Development for Penetration Testers.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.

  • 64-bit Intel i5/i7 2.0+ GHz processor
  • Enabled "Intel-VT"
  • USB 3.0 Type-A Port
  • 16 GB RAM (8 GB min)
  • 60 GB Free Hard Drive Space
  • Latest version of Windows 10 or 11, macOS 10.15.x or later, or Linux that can also install and run the VMware virtualization products described below.
  • A wired network connection
  • VMware Workstation Pro 17.5.2+, or Fusion 13.5.2+
  • Local account with local administrative privileges
  • Ability to disable your enterprise VPN client temporarily for some exercises
  • Ability to disable your anti-virus tools temporarily for some exercises

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"When conducting an in-depth penetration test, we are often faced with situations that require unique or complex solutions to successfully pull off an attack, mimicking the activities of increasingly sophisticated real-world attackers. Without the skills to identify and implement those solutions, you may miss a major vulnerability or not properly assess its business impact. Target system personnel are relying on you to tell them whether an environment is secured. Attackers are almost always one step ahead and are relying on our nature to become complacent, even with regard to the very controls we worked so hard to deploy. This course was written to keep you from making mistakes others have made, teach you cutting-edge tricks to thoroughly evaluate a target, and provide you with the skills to jump into exploit development."

- Stephen Sims (Lead Author)

Reviews

No frills and goes right to the point. The first day alone is what other classes spend a full week on.
Michael Isbitski
Verizon Wireless
SEC660 has been nothing less than excellent. Both the instructor and assistant are subject-matter experts who have extensive knowledge covering all aspects of the topics covered and then some.
Brian Anderson
Northrop Grumman Corporation
The quality of the labs and coursework in SEC660 showcases the value SANS training has over other providers. It was an excellent, challenging, and rewarding course.
Michael R.
U.S. Military
