GXPN Review – SANS660 (Advanced Penetration Testing, Exploit Writing, and Ethical Hacking)

Although I passed it last month, I’m just now getting to my GXPN review after a long on-site engagement!

GXPN Review – Introduction

I signed up for the GXPN back in October, and started on the 10th.

This was the first SANS course that I had ever taken, and I was looking forward to seeing how they worked. Thankfully, work had some vouchers, so I didn’t have to worry about footing the bill.

The GXPN certification is for exploit researchers and advanced penetration testers, so it sounded right up my alley.

GXPN Review – SANS660 OnDemand

As I wasn’t sure when I’d have time for travel, I opted to go for the OnDemand edition. While this allowed me to space out the work a bit more, it did take more dedication and focus. That said, I ended up needing one 45-day extension since I didn’t start the class until the last minute.

SEC660 is a phenomenal course, and I highly recommend it. I definitely recommend it if you are looking to do more exploit development or are preparing for your OSCE.

Network Attacks for Penetration Testers

The first section in this course was great, and I definitely picked up many new tricks.

I’ve actually used a few of the captive portal bypasses and tools during engagements, so that’s a quick win!

Other than that, the Bettercap section was great, and I’ve used it a bit more anyway.

Finally, the IPv6 section was interesting, as I’ve never actually interacted with it much before. Using a socat proxy to tunnel non-IPv6 tools is super handy, and I may need to start looking at this address space more during engagements.

Crypto and Post Exploitation

I’ll be honest, this is the section that caused me to wait until the last minute to finish the course.

While the material isn’t bad, it is just a very heavy section in general. You learn many crypto techniques and implementations, and it feels like a longer section. That, and you don’t really get to practical attacks until a bit later.

That said, I still learned a lot, and will definitely have some crypto related blog posts in the future.

The post-exploitation section was fun, and I learned a few new tricks for escaping restricted environments.

Python, Scapy, and Fuzzing

This section was awesome, and the included tools were invaluable.

I’ve never used Sulley before, but I’m a huge fan of it now. I’ve actually got a small fuzz farm running now, so maybe some new vulnerabilities soon! If not, definitely some more fodder for blog posts.

I’ve also wanted to use Scapy more, but I still don’t quite have any ideas for personal projects yet.

The IDA + PaiMei combination was awesome, and an opportunity to step up my black box testing. I wish I could figure out what applications might be good targets, but maybe soon.

I especially liked how open Stephen was about selling vulnerabilities. It was honest, and a nice departure from the “you have to responsibly disclose” discussion.

Exploiting Linux for Penetration Testers

This was technically the first “exploit development” section in the course, and it was amazing.

The introduction to memory and ELF files was a bit heavy, but pretty important.

Once you complete the introduction, the next few sections cover basic shellcode and stack overflows.

After that, you jump straight into ASLR attacks, which I’ve never done before. In addition to ASLR, there is a bit on stack canaries, which I’ve only attacked via spraying a known value before.

These techniques were wonderful, and a great addition to my knowledge of basic DEP/ROP. I look forward to utilizing these techniques soon, and maybe improving existing exploits.

I think I would have liked one more exercise on defeating ASLR, but I’ve got all the files to try on my own now.

Exploiting Windows for Penetration Testers

The Windows exploit development section was the last one, and probably the one that I had the most fun with.

First, the course materials cover Windows exploitation and protections. These sections really made me understand why kernel vulnerabilities can sell for upwards of $100,000. Once the book covers ALL of the defenses, you perform a basic Windows stack overflow.

I’m really loving mona, and have used it more since pandatrax’s exploit development course.

Next was an SEH overwrite, which I’ve performed before.

With those out of the way, the materials cover a few different attacks against DEP. It was really interesting to see how easy it was to defeat initially, and how the methods/addresses changed for some attacks.

It was also great to attack the same application again and again, to see each layer of defense come into play. I may start this example over, without my notes, and blog about each attack in the future.

I ended up not finishing the last section (Building a Metasploit Module), but I’ll do that eventually.

GXPN Review – The Exam

I took one practice test a day or two before my exam, and got a 65% on it. That said, I tried to go through it as quickly as possible (32 minutes) and without looking at my notes.

For the exam, I know a lot of people like to make indices, but I didn’t think that I’d need one. I just printed out a few of my typed notes, and brought the books with me.

The exam itself was 54 multiple choice questions followed by 6 practical ones. The questions themselves weren’t too hard with the book, but there were a few that focused heavily on syntax.

If you know roughly where in the book the information is, then answering most of the questions is fairly easy.

In the end, I finished on 19 February with a 92%!

GXPN Review – Conclusion

My score on the exam got me an invitation to the Advisory Board, which I will probably look into. Other than that, I’ve been thinking about looking into the mentor program.

I only did the first few boot camps, but I’d love to go back and knock out the rest of them. While I no longer have access to my online materials, I still have the books and USB drive.

Some of the software included with the course makes life easier (looking at you, Sulley), so don’t discount that either.

I have a nice long list of blog posts that I’d like to work on after this course, so it was incredibly motivating. That said, I think that I’d like to try an in person course if I take another SANS class. I should have an easier time following along, and I think that I’ll get more out of it.

I think this was a great course for me, and a solid bridge between the OSCP and OSCE. I’m hoping to finish my OSCE sometime in the second half of this year, so stay tuned!

Finally, I’ve now got my own GIAC professional page.

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.


2 Responses to GXPN Review – SANS660 (Advanced Penetration Testing, Exploit Writing, and Ethical Hacking)

  1. Josh

    Great blog as usual!
