SEC660 Advanced Penetration Testing, Exploit Writing, and Ethical Hacking (GXPN)

In this edition of the Kage Okami blog, I will share my experiences during the SEC660 course hosted at SANSFIRE DC in June of 2013. The SANS Instructors for this course were Stephen Sims and James Shewmaker. I was recently studying my renewal material and thought it a great idea to bring this information over to this blog.

Please note, the course has changed in several fashions since my taking and passing of the course, however, the fundamentals have remained the same.

I have organized this review by day and have given a general synopsis of what occurred in the classroom as well as concepts we learned. Over my time in this course, I gained the sense that it was designed to give you the extra knowledge you’ll need to begin or continue working towards senior level penetration testing and some strategies to think about and implement when your junior testers are looking to you as the last man standing between the success or failure of an engagement.

On day one, the instructors introduced themselves and conveyed their objectives and some expectations for the class. This is a 600 level course and within a couple minutes, we were on the ground running as expected. The day started with setting up our laptops for use in their lab environment, exploiting Captive Portals and Web Authentication. The next portion of the day involved an introduction to dealing with IPv6 on pentesting engagements and attacking various network and routing protocols such as DTP, OSPF, EIGRP, HSRP as well as escaping network restrictions via VLAN Hopping. Towards the end of the day, students were engaged in labs where they would perform functions such as poisoning network routes, posing as update servers to deliver payloads to common applications and intercepting/stripping SSL transactions. This course had a lot of content on using Ettercap for Man-in-the-Middle (MiTM) operations and creating custom filters to modify traffic in transit (all of which were quite interesting). Generally, it is said that testing network protocols is rarely done in penetration tests but having this knowledge will definitely round you out should the need arise.

It is important for any penetration tester to understand cryptography on at least a basic level and on day two, James Shewmaker and Stephen Sims began their lecture on common encryption mechanisms, obfuscation, analyzing entropy, cipher collisions and Oracle padding vulnerabilities. This then led to a discussion by the resident virtual infrastructure expert, James Shewmaker, on DHCP and BOOTP in the enterprise, pre-boot attacks and payloads and Hypervisor attacks. Next, students were taught how to recognize and escape restricted environments and for the rest of the day, we labbed a variety of these scenarios in both Windows and Linux environments.

On day three, Stephen began his lecture detailing two of the most important aspects of pentesting (outside of technical effects); the process for proper Product Security Testing and Risk Management strategies used in scheduling and establishing a penetration testing engagement. Without knowing your target audience and infrastructure, asking the right questions pre-engagement, understanding your company’s disclosure policies and drafting a solid Rules of Engagement (RoE), a potential tester could find themselves in hot water relatively quickly and this was the subject of the first third of the day. Stephen then segued into an introduction to Python and showed us a few helpful scripts he’s created to help analyze applications. As a side note, in my opinion, it is often a good thing to go “back to basics” especially with programming languages as you never know what little gems you might find when digging deeper into the documentation of common functions you use every day.

The next section of the day involved the use of Scapy to perform packet analysis from both an offensive and defensive perspective. The last part of the day went into the art of Fuzzing, understanding various types of string vulnerabilities, analysis of code blocks, and the fuzzing for file format vulnerabilities.

Day four began with a topic I feared for many years, the art of Assembly (ASM). After days of non-stop immersive labbing (both in class and after hours) and trying to process all the new attack techniques I learned, Assembly was the last thing I was ready to handle. Surprisingly, Stephen broke down the use of registers and implementation of instructions in such a way that we, as students, were able view ASM code as sub functions of the Python we learned the day before (which I didn’t think was possible). An example of this is relating JLE <MEM ADDRESS> or JGE <MEM ADDRESS> to “if 1 < 2:” and “if 3 > 2” respectively. Stephen then went through stack overflows, stack canaries, unlinking and memory allocation, defeating ASLR, understanding how heap works on Linux, ret2libc attacks and more.

Though all the days were great, this was by far the most exciting of them. Stephen walked us through the various types of protection mechanisms Microsoft has implemented in its Operating Systems and .exe compilers over the last decade. We learned to understand how Microsoft Portable Executables (PEs) work and Windows memory structuring. The agenda was then switched to learning how to perform basic stack overflows on a variety of earlier Windows editions and Service Packs but within an hour or two of labbing, the level of content quickly escalated to the performing things such as using ROP to disable Data Execution Prevention (DEP) measures and exploiting Windows 7 x64 and Windows 8. At the end of this day, we manually reversed and exploited a particularly tricky application from start to finish.

The Scoreboard was set and the battle lines were drawn. Security mechanisms were then initiated to penalize and disrupt anyone thinking about attempting to edit the scoreboard application (well played SANS, well played). We set ourselves up in teams of 4-5 and began the war for the almighty SEC660 Serpent Coin. The majority of the challenges revolved around the course material but there were a few twists and turns in efforts to force you to think what we’ve learned the last five days and think outside the box. Overall, this was a beautiful way to end a very informative and inspirational SANS session and after a whole day of battling, we were victorious and were awarded the coveted SEC660 Serpent Coin:

Front of the challenge coin

In the GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) examination, you are tasked with completing 75 questions with a passing score of 66% in three hours. As users have said in other blogs and even in the class, this is definitely one of the hardest SANS exams out there. This will call upon all the knowledge you have attained from various points and positions in your cyber security / information technology career. Listed below are some tips I suggest for preparing and passing this exam:

1.   Lab, Lab, Lab, Lab and when you get tired of labbing, lab some more. This is the most critical aspect to success when passing the exam.
2.   Keep a structured index of important topics, the location of the content relative to the book/day it was taught, and a memento to help you remember the general concept.
3.   Make sure to complete BOTH of your practice exams (I cannot stress this enough). The three hour time limit comes and goes very quickly and becoming acclimated to this type of environment (if you have never taken a SANS exam before) can be a bit daunting at first.

Once again, I would like to thank SANS Institute’s Stephen Sims and James Shewmaker for this amazing course and their instruction and I eagerly await what comes next from SANS Institute in the way of Exploit Development and Reverse Engineering curriculum.

For more general information about this SANS course, please see the link below:

• SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

If you have already taken this course and are looking for another challenge in the advanced SANS course set, take a look at SEC 760:

• SEC760: Advanced Exploit Development for Penetration Testers

At the time of taking this course, I was of a mid-level pentest skill set and definitely needed that extra nudge to help understand topics that initially seemed foreign and almost impossible to understand. This course is extremely hands-on and will give you some experience with tactics you can take back to your client organization to hopefully apply in future pentest engagements. A year after having taken this course, I still reference some of the materials that were given to me that alone demonstrates the content’s recurring value. There are so many appendixes to go through, binaries to exploit, and extra content to research and practice. While SANS courses are typically expensive, I can wholeheartedly say that this one was worth every penny.

For more information about SANS courses and the instructors of this course, check out:

• SANS Course List
• Stephen Sims
• James Shewmaker

Until next time, happy hacking.