TL;DR: Awesome course if you're ready to move past using other people's exploits. Pretty difficult but well worth it. Spend as much time as you can doing labs.

A few months ago I had the opportunity to take SANS's SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking course. I had taken SEC560 in late 2014 with Ed Skoudis and figured this would be the follow-on course that builds on what was discussed there (boy was I wrong!).

This class is really intense. I'd definitely recommend it to seasoned testers, anyone who is interested in vulnerability/exploit research and bug hunting, or general offsec masochists. SEC660 is NOT a prep course for the GXPN, but rather the introduction to the material. You work through the books and exercises with the instructor(s) (Stephen Sims and Jim Shewmaker in my case) in class, but afterwards you'll be rereading the books, reading the additional resources, practicing writing exploits, and banging your head against the keyboard.

Course Structure

Day 1 - Intro & Network Attacks

The first day of the course kicked off with a very short intro and then dove right into the material. A few of the key things discussed are bypassing NACs, manipulating routing protocols (especially Cisco stuff), and some things to do once you've got your MitM. This day is also deceptively easy. Make sure to do the labs for days 1 and 2 as much as possible, because they will not be available after class unless you bought an OnDemand package.

Day 2 - Crypto, PXE Attacks, & Escaping Restricted Environments

Day 2 starts picking up the difficulty. Topics covered are attacking crypto implementations (hash length extension, padding oracles, IV reuse, etc.), network booting attacks, and escaping restricted environments (SRPs and GPO restrictions). There was also a small section on PowerShell, but it wasn't really in-depth and didn't play a large part in the exam.

Day 3 - Python, Scapy, and Fuzzing

The third day starts off just going over the basics of Python syntax. If you've worked with Python for any amount of time, this should be super easy. It is then followed up with some Scapy info. Again, nothing too difficult but a good refresher. The rest of the day is filled with fuzzing, most of which was focused on using Sulley. I really enjoyed this day and thought it fed into the final 2 days very well.

Day 4 - Exploiting Linux

Here's where things start to get fun. 9AM rolls around and we're immediately dumped into the guts of Linux memory and x86 assembly. Once we were done with that part (and got a much needed break), it was back to it with stack overflows and ret2libc. Stephen did an awesome job of breaking everything down and keeping us engaged so we didn't get lost. We worked through different difficulties, starting from very basic and progressing to modern Linux protections. Thankfully there were plenty of exercises to go along with the lectures. If you're not paying 100% attention it is really easy to miss something important, and the labs make sure you fully grasp the attack.

Day 5 - Exploiting Windows

Day 5 is by far the most difficult. It is very similar in structure to day 4, starting with understanding the OS's controls and history, but the exploitation techniques are pretty different. Stack overflows and SEH overwrites were the focus for the first half of the day, followed with ROP and writing Windows shellcode. By the end the room looked like a horde of zombies.

Day 6 - CTF

We all staggered back into the classroom for the final day. The class was broken up into teams of 4-5, briefed on the rules for the game, and then we were set off. The CTF was Jeopardy style, similar to CSAW or Pico, and well put together. There was a group of ninjas in the course who teamed up and smoked the rest of us, but it was a good learning experience and I got to work with some really smart people. As soon as we were done, I packed up, headed home, and slept for like 18 hours.

The GXPN

After the course wrapped up, there was a 2-week wait before the exam became available. Once it was available, there were 3 months to take it. I took nearly that whole block to prep for the test, going back and reading the material, doing the labs, and rewriting old exploits from exploit-db.

I took the first practice test 1 month out with no books, and the second one 2 months out using the books and my index. I passed both of them, but used the questions that I missed to make flash cards and improve my index. By test day I was as ready as I could be.

An important tactic for me during the test was to slow down. They give you 3 hours for 75 questions, so you can spend 2:24 on each one. That gave me enough time to go back and read more on answers I wasn't totally sure about. I also used the "Skip Question" button on the 5 hardest questions for me and answered them at the end, where I could use pretty much as much time as I wanted.

Overall, the exam was very difficult. There are no trick questions, but you really have to know the material inside and out. Most of the questions don't have answers you can simply look up in the books, but rather rely on hands-on experience with the material itself.

The Index

As with all GIAC exams, it is open book, but you have to write your own index if you want to reference the books efficiently. I did mine in the same format as for the GPEN, but this one was much longer. A sample row from my index:

Term                       Book  Page  Notes
ZwSetInformationProcess()  5     136   Used in disabling DEP

Conclusion

SEC660 and the GXPN were definitely worth the stress. I learned a ton of stuff, met some great people, and found a few areas of research I'd like to dig deeper into.

Next up for me is the OSCP, but I may wait and do it with some junior testers to help them along the way.

Thanks to SANS, Stephen Sims, Jim Shewmaker, and Josh Wright for an awesome course.