May 2016 I had the chance to participate in the SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking in Amsterdam. The course syllabus gave a good outline about what to expect. For some topics I felt they would be really worth it. According to the prerequisites only basic scripting, networking and operating system knowledge were necessary. One big drawback is the price for a SANS training. It is by no means comparable to the offensive security trainings. Yet, I wanted to see if the training is really worth the buck.
The training takes a whole five days of lectures from 9 until 19 o’clock. Each theoretical section is followed by practical exercises to put the newly acquire knowledge to practice. On the 6th day the topics of the past week are covered in a concluding CTF.
Day 1 - Intro & Network Attacks
The first days gives a short introduction and kicks off quite fast. The focus for the first day is to get access to the network and to gain a first foothold. So the real course begins with NAC bypasses. Subsequently, attacks on routing protocols and network devices are covered. These enable an attack to perform a Man-in-the-Middle attack and gain access on the network. The whole day is quite easy if you are familiar with networking.
Day 2 - Crypto, PXE Attacks, & Escaping Restricted Environments
Personally, the crypto section on day 2 was a highlight. The level of detail for this section is quite basic and mostly covers implementation flaws that enable attacks, e.g. bit flipping. Yet, if you are not familiar with crypto the learning curve is quite steep. The second part of day 2 was all about restricted environments.
Day 3 - Python, Scapy, and Fuzzing
Day 3 started off with an introduction to python. This was just a primer to get started with scapy and the sulley fuzzing framework. Scapy as essential tool for a penetration tester. Sulley as an easy fuzzer to get started. The fuzzing section also covered different fuzzing approaches. American fuzzy loop being the latest addition.
Day 4 - Exploiting Linux
During this day the pace of the course skyrocketed. It starts off with an introduction to Linux memory and x86 assembly. Following this in depth look into Linux come the actual attacks. After the basic stack overflows the more current ret2libc attacks are also covered. Obviously, the course also covered the OS protection mechanisms. Cracking stack canaries and DEP are part of the exercises.
Day 5 - Exploiting Windows
Following Linux exploitation this day also starts off with the essential basics about Windows memory layout. Also, the different Windows protection mechanisms have undergone quite a development over the years. Basic stack overflows and SEH overwrites give a good start to the actual magic. Anybody who was still following the course was hit by the last part of the course. After the intro to return oriented programming and gadgets Stephen walked us through one exploit. By the end of the day, everybody looked like a zombie.
Day 6 - CTF
The concluding capture the flag really was the icing on the top of the whole course. The challenges covered most of the topics of the previous days and let you practice everything in a live session. The challenges are arranged in classical jeopardy style. Up to five people can join up to work on the challenges together in a team.
Our team had quite a good start. We were leading the scoreboard quite soon. In the last hour only one other team was close enough to threaten our first place. Just a few minutes before the ctf closed this team shot ahead. All of us hammered away at their keyboards to obtain just some more points to gain back the lead. Unfortunately, we did not win the challenge coins for the ctf.
According to Stephen, we would be one of the first students to encounter a new feature during the exam. For some questions we were supposed to work in a virtual machine that we could access via the browser during the exam. This way we would also have to prove our practical knowledge. All in all, we would have to answer 55 questions in three hours. As it was my first GIAC certification I did not know what to expect. Therefore I wanted to prepare really good and set the exam day on the last possible day.
As preparation I read through the books and watched the recordings. I also created some Anki cards in order to anticipate potential questions. This also quite gave me good idea where I would have to dig a little deeper.
During the exam you are allowed to bring along a “handful” of books. This also includes your own written documentation. I therefore create an index to quickly lookup any topic I could not answer with absolute certainty.
The day of the exam was quite stressful. A few things did not work out as expected. At some point the network cable fell loose from my exam computer - the lock latch was missing. After a few minutes the technician setup another computer so I could continue my exam. After quite some time I finish with score good enough to get me on the advisory board and allow me to become a mentor for the course. Under the given circumstances this was a good result.
After the exam I would definitely recommend doing this course for everybody who wants to learn more about technical penetration testing. Not only will you learn quite a bit about the inner workings of the foundations of the internet. You will also learn to bend and abuse those little wheels and notches.
OSCE Vs GXPN
Comparing my experience with OSEC to GXPN I would say that the two courses supplement each other. With OSCE you get to read a lot of assembly and spend a lot of time in the debugger. GXPN on the other hand provides descriptions and a solid background to the whole picture. It also covers topics that were not part for my OSCE training, e.g. crypto.