Course Review - SANS Advanced Penetration Testing, Exploit Writing, and Ethical Hacking (SEC660/GXPN)
Hello! I recently passed the GXPN (GIAC Exploit Researcher and Advanced Penetration Tester) exam and figured I’d give an overview of the course, answer some FAQs, and share tips on how I studied.
For a quick background, this is my second SANS course and GIAC certification. I took SEC560 and passed the GPEN last year.
The Course
From the SEC660 course page:
SEC660 is designed as a logical progression point for students who have completed SEC560: Network Penetration Testing and Ethical Hacking, or for those with existing penetration testing experience. This course provides you with in-depth knowledge of the most prominent and powerful attack vectors and furnishes an environment to perform these attacks in numerous hands-on scenarios. The course goes far beyond simple scanning for low-hanging fruit and teaches you how to model the abilities of an advanced attacker to find significant flaws in a target environment and demonstrate the business risk associated with these flaws.
In short, it is a course for professionals who want to take their penetration testing skills to the next level.
I took the OnDemand version taught by James Shewmaker and Stephen Sims. Both instructors are experts in the field and did a great job teaching the course.
The Syllabus
Some of the skills you’ll learn during the week-long course are:
- Techniques to bypass NAC
- Man-in-the-middle attacks
- Fuzzing with Python and AFL
- Escaping restricted desktop environments on Windows and Linux
- Bypassing exploit mitigations such as DEP, ASLR, and stack canaries
- Testing cryptography implementations
- Reverse engineering x86 and x64 applications
The full syllabus is available here.
FAQs
What prerequisites do I need to know before taking the course?
SANS recommends taking SEC504 and SEC560 beforehand.
My personal opinion is that neither of those courses is required if you already have decent penetration testing and exploit writing experience. However, you may need to spend extra time on areas you are unfamiliar with.
Are the end of day bootcamps necessary to pass the exam?
No. I did them because I needed the extra practice, but I know people who have passed the exam without touching the bootcamp exercises.
Do I need to know how to code?
You should be comfortable in at least one scripting language. The course uses PowerShell and Python for exploiting and fuzzing.
Being able to read C or C++ will also be beneficial when reverse engineering vulnerable applications.
Is the CTF challenge necessary to pass the exam?
Nope. Do the challenges if you need extra practice, but it is not mandatory.
How much reverse engineering experience is needed?
If you are already familiar with debuggers like GDB, IDA, or Immunity Debugger, then you should be good to go. The course does a great job at introducing x86 and x64 registers, process memory, etc.
Is the exam hard?
Not if you study and make an index. It’s a 3-hour, open-book exam with 60 questions. The practice exams are very similar to the actual exam.
For help prepping for the test, read Better GIAC Testing with Pancakes.
What is needed beyond the course material?
Just an index. The coursebooks contain everything you need to know for the exam.
Tips for success
- Highlight definitions and key terms to quickly find them at a glance.
- Take notes as you go throughout the course. Jot down the main point of each slide.
- Create your own index instead of using a pre-made one. The process of making it will help reinforce what you’ve learned.
- Take both practice exams. The practice exams are an accurate representation of the real thing.