A SANS Review Trifecta (Part 2): SEC660, GXPN & Facilitating

Greenwolf
Greenwolf Security
Published in
10 min read · Mar 21, 2020

I’m always looking to improve my skills in penetration testing; it’s my work, but also the hobby which I love. This drives me to be constantly training, either on my own, studying new areas and attacks, or via more structured official training, often with attached certifications.

While some hardcore hackers (and some of my friends) scoff at the value of certifications, I think they are an important way to demonstrate your proficiency in certain areas, especially if you are early on in your career and have the drive and passion to advance quickly into more senior positions.

With this in mind, I set off looking for a way to help boost myself up from a consultant and into the realms of a senior. Not as any sort of guarantee, you understand, but simply as a nice addition to my CV.

Previously I had focused on Offensive Security certifications, attaining the OSCP and then the OSCE. I love Offensive Security, but I think it’s always good to spread your wings and try new things, so I looked for a new body to gain accreditation with. Considering I wanted a top-tier certification, I basically had to decide between SANS/GIAC and Crest.

While Crest is an incredibly well-renowned body, their certifications are just that: certifications. No training is provided and no materials are given besides the syllabus. So, after a fantastic previous experience taking the SEC642, I decided to go with SANS again, this time with the goal of achieving their top penetration testing certification, the GXPN (GIAC Exploit Researcher and Advanced Penetration Tester).

As I would be self-funding (and taking holiday), I signed up to facilitate again with the SANS work study program and was lucky enough to be chosen to facilitate SANS Copenhagen.

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

After previously taking the SEC642, which did not have a corresponding certificate, I really wanted to attain a GIAC certification. I chose the SEC660 because I wanted to try and complete their most advanced course and certificate. Also, as SANS is quite expensive, it meant I wouldn’t have to come back for a more advanced exam; I wanted to “test out” of SANS.

The course I attended was taught by Tim Medin, the man who popularised Kerberoasting back in 2014. He really was excellent, and I can’t recommend him enough. The personal stories and anecdotes which Tim included when teaching really helped bring the material to life.

A perhaps interesting point for those in the private consulting arena is that you will generally be a minority when you attend a SANS event, with most other students coming from government and public sector institutions. There were a number of incredibly technical people on the course with me, who it was quite obvious worked for 3-letter agencies or their equivalents throughout Europe. This seems to be because governments give 1–2 free SANS courses a year to technical employees, so they take them as free trips and have a week off work. I actually had quite a lot of fun asking people if they were here to learn how to pentest their own networks or other countries’, then watching them stammer and not want to answer 😂.

So, onto the actual course content! I personally found that it brought something for everyone; each section started quite basic (in my opinion), but then ramped up quickly into more advanced areas. It also got more difficult day by day. Here is a brief summary of what was covered each day:

  • Day 1 primarily covered network attacks. I found this incredibly helpful in covering some knowledge gaps I had due to types of testing I hadn’t performed. Some of the highlights for me were VLAN hopping, bypassing NAC and the more advanced forms of MITM attacks. While the material did cover basic ARP spoofing, it also covered protocols such as HSRP, VRRP and OSPF, which I was previously unfamiliar with.
  • Day 2 was split into two parts. The morning covered cryptography, primarily focusing on web applications (which seemed strange for a network penetration testing course). It covered different cipher types and various attacks on them, such as bit flipping, hash length extension, padding oracles and keystream reuse attacks. The afternoon covered restricted desktop escapes, PowerShell for penetration testers and post-exploitation of various hosts. This was the least interesting day for me, as the only real learning was the restricted desktop escapes, which I’ve never had the opportunity to test before.
  • Day 3 was solely focused on learning Python and fuzzing. While I had done some fuzzing with Python and Sulley before, some of the more advanced tools that were introduced later in the day were incredibly interesting. Learning how to combine IDA with DynamoRIO’s drcov to monitor which parts of the code base you were hitting with your fuzzer was fantastic. This allowed you to identify where you were missing, and adjust your fuzzer to take alternative code paths. American Fuzzy Lop and the sheer power of it was also covered, and was extremely eye-opening.
  • Day 4 was when things really started to ramp up. It was focused on exploit development for Linux and, after spending the morning on a lot of theory and a basic 32-bit stack overflow, we moved on to topics such as ret2libc attacks, brute-forcing ASLR and writing a 64-bit exploit.
  • Day 5 was solely focused on Windows exploit development. The morning consisted of theory on Windows OS protections, another 32-bit stack overflow and a SEH overwrite. The afternoon was supposed to be solely focused on building a ROP chain. However, due to the slowness of the class, with many students never having exploited 32-bit Windows before, the morning overran and the ROP exercise had to be squeezed into the final few hours of the day.
  • Day 6 was the day of the CTF. After successfully managing to get my hands on the Samurai & Dragon 642 coin and the NetWars coin last time, I was incredibly keen to win one of the coveted Conan the Barbarian SEC660 coins. I spent some time earlier in the week networking, carefully crafting a crack team from the best the 3-letter agencies had to offer, and I’m happy to say that through a combined effort from Britain, Belgium and Latvia, we were able to defeat the German Bundeswehr at Copenhagen!
We did have to agree to sell Greenland to Trump via Tim (an American) in the process.
Conan the Barbarian SEC660 Coin
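Two of the day 2 attacks listed above, keystream reuse and bit flipping, are short enough to show end to end. The block below is an added example written for this page, not material from the SANS course or the original post. It assumes a toy stream cipher whose keystream is SHA-256 over key, nonce and a counter (a stand-in for CTR mode, not a real design), and the cookie-style messages are constructed for the demonstration. The point is that any unauthenticated stream or CTR-mode ciphertext is malleable, and reusing a key/nonce pair leaks one plaintext from the other.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks, truncated.
    Constructed for illustration only; a real system would use AES-CTR."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def recover_with_crib(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """Keystream reuse: ct1 XOR ct2 == pt1 XOR pt2 when both messages used the
    same key and nonce, so a known pt1 (the 'crib') reveals pt2 byte for byte."""
    n = min(len(ct1), len(ct2), len(known_pt1))
    return xor(xor(ct1[:n], ct2[:n]), known_pt1[:n])


def flip(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Bit flipping: XOR the ciphertext with (old XOR new) at `offset` so the
    decrypted plaintext reads `new` there, without ever knowing the key."""
    assert len(old) == len(new), "replacement must keep the length"
    patch = xor(old, new)
    end = offset + len(old)
    return ct[:offset] + xor(ct[offset:end], patch) + ct[end:]


def demo():
    key, nonce = b"constructed-demo-key", b"\x00" * 8   # constructed values
    pt1 = b"user=alice;role=user;"                        # attacker knows this one
    pt2 = b"user=bob;role=admin;"                         # attacker wants this one
    ct1 = encrypt(key, nonce, pt1)
    ct2 = encrypt(key, nonce, pt2)                        # same key+nonce: keystream reused
    leaked = recover_with_crib(ct1, ct2, pt1)

    # Malleability: rewrite "role=user" to "role=root" in ct1 without the key.
    off = pt1.index(b"role=") + len(b"role=")
    forged = decrypt(key, nonce, flip(ct1, off, b"user", b"root"))
    return leaked, forged


if __name__ == "__main__":
    leaked, forged = demo()
    print("recovered pt2:", leaked)
    print("server decrypts tampered ct1 as:", forged)
```

Both attacks disappear if the ciphertext is authenticated (an AEAD mode, or encrypt-then-MAC with the tag checked before decryption) and nonces are never reused under one key; the crib attack in particular is why a fixed nonce in CTR or GCM is a finding on its own.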
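The day 3 idea of watching which code your fuzzer actually reaches, and keeping the inputs that reach something new, is what drcov and AFL do on native binaries. The block below is an added example written for this page, not course material or the author's code: a miniature coverage-guided fuzzer in pure Python. It assumes a constructed target, `parse_record`, with a length-trust bug (the declared length byte is used to index the payload), and uses `sys.settrace` line coverage as a stand-in for the basic-block coverage drcov would give you.

```python
import random
import sys


def parse_record(data: bytes) -> str:
    """Constructed target: b"FUZ", a length byte, then that many payload bytes.
    Bug: the loop trusts the declared length, so a length larger than the real
    payload indexes past the end and raises IndexError (our 'crash')."""
    if len(data) < 4 or data[:3] != b"FUZ":
        return "bad-magic"
    n = data[3]
    if n == 0:
        return "empty"
    checksum = 0
    for i in range(n):
        checksum ^= data[4 + i]          # reads past the buffer when n is too big
    if checksum == 0x41:
        return "magic-checksum"          # a deeper path that feedback can find
    return "ok:%02x" % checksum


def run_with_coverage(target, data: bytes):
    """Run target(data); return (set of line numbers executed in target, exception or None)."""
    code = target.__code__
    hit = set()

    def tracer(frame, event, arg):
        if frame.f_code is code:         # only trace the target's own frame
            if event == "line":
                hit.add(frame.f_lineno)
            return tracer
        return None

    crash = None
    sys.settrace(tracer)
    try:
        target(data)
    except Exception as exc:             # uncaught exception == crash for our purposes
        crash = exc
    finally:
        sys.settrace(None)
    return hit, crash


def mutate(data: bytes, rng: random.Random) -> bytes:
    """A few AFL-style mutators: bit flip, byte overwrite, byte insert, byte delete."""
    b = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and b:
        b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    elif op == 1 and b:
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif op == 2:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    elif op == 3 and len(b) > 1:
        del b[rng.randrange(len(b))]
    return bytes(b)


def fuzz(target, seeds, iterations=2000, seed=1):
    """Coverage-guided loop: mutate a corpus entry, keep the mutant if it reached a
    line nothing in the corpus had reached before, stop at the first crash.
    Returns (crashing_input or None, corpus, set of covered lines)."""
    rng = random.Random(seed)            # fixed seed keeps the run reproducible
    corpus = list(seeds)
    covered = set()
    for s in corpus:
        hit, crash = run_with_coverage(target, s)
        covered |= hit
        if crash is not None:
            return s, corpus, covered
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        hit, crash = run_with_coverage(target, candidate)
        if crash is not None:
            return candidate, corpus, covered
        if hit - covered:                # new code reached: this input is worth keeping
            covered |= hit
            corpus.append(candidate)
    return None, corpus, covered


if __name__ == "__main__":
    crash, corpus, covered = fuzz(parse_record, [b"FUZ\x00"])
    print("corpus size:", len(corpus), "lines covered:", sorted(covered))
    print("crashing input:", crash)
```

Without the `hit - covered` test the loop is a dumb mutator; with it, inputs that pass the magic check or reach the checksum loop get promoted into the corpus, which is exactly the signal you read off a drcov trace in IDA when deciding where the fuzzer is stuck.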

I’ve said above that I really enjoyed the course; however, I think it’s important to be honest about the downsides of SANS training courses too. So I’ll attempt to do that here in a fair and balanced manner.

I think the primary issue with SANS is they don’t have a proper baseline for their more advanced courses. This leads to frustrations amongst the students. Those less experienced complain that the course is too advanced and moves too quickly, while those more advanced feel like they aren’t learning anything new for certain sections of the day. They then feel the more advanced and interesting sections are squeezed into a shorter than normal learning period, because the basic sections took so long to cover.

For example, on days 4 and 5 of the course, there were students who were unfamiliar with introductory 32-bit buffer overflows with no operating system protections. I feel it’s unrealistic to think they can get to grips with this, and progress into canaries, DEP and ASLR, within two days.

On the flip side, for students such as myself who are familiar with these, the more advanced topics were squeezed into the late afternoons of days 4 and 5, with the mornings spent re-covering these basics. In my opinion, basic buffer overflows should be covered on the SANS SEC560 (GPEN) course. Alternatively, they could be provided as a learn-from-home training component/refresher before coming on the full course.

This was also the case on day 3, when a good 2–3 hours in the morning were spent explaining the basics of the Python programming language. In my humble opinion, this should either be set as a course requirement, or provided as a training component to be completed before the course. This is supposed to be a course for advanced penetration testers! Knowing how basic programming types work (int, float, string) and how to manipulate them should be a given!

Another issue was that the morning of SEC660 day 2 was completely the same as the morning of day 3 on the SEC642 course. I feel this overlap should be addressed, as those taking both courses (which I highly recommend, to be rounded in web and network penetration testing!) end up repeating half a day of material.

A final downside of attending a smaller SANS event such as Copenhagen was that the NetWars tournament was not run at the event. Considering how fun it is, and that it is completely free to attendees, if you are paying the full price for the course I would highly recommend going to a larger event for the same price and enjoying this free add-on.

With all this said, I will finish by saying it is an excellent training course. I learnt a lot from it, and thoroughly enjoyed it. For me, facilitating, it was a bargain; it felt like good value for money, and if your work gives you free SANS courses I would highly recommend it.

However, if you are self-funding, or your work has a flexible budget, there are of course other training courses out there to consider. Ones which are focused on teaching either beginners or advanced students, rather than a mix in one class, might be better.

Tips For Becoming a GXPN Facilitator

I previously wrote about the SANS work study facilitating process in another blog post. So, out of a desire not to repeat myself, as it was very similar, I instead want to mention a few tips for becoming a facilitator for this course.

The SEC660 with the GXPN is the most popular SANS course to facilitate on. I found out from the organisers that around 60% of facilitating applications are only for this course. It is also almost always the largest course at a SANS event, with smaller events such as mine in Copenhagen pulling in 30 students while the other courses were only bringing in 10. The larger events, such as those in London and big US cities, can pull in between 60 and 200 students for the SEC660.

This means that the SANS organisers almost always choose someone with existing facilitator experience for the SEC660 course, to help everything run more smoothly. This means that if you want to take the course and certification, you should seriously look at applying to facilitate another course first.

If you wish to facilitate SEC660, I would highly advise you to look at facilitating with SANS as a package deal. Budget around £3120 (£1560+£1560) plus accommodation/flights, and over a period of 6–12 months go on two courses: the first to gain facilitator experience with a course of your choosing, then again to facilitate the SEC660+GXPN. If you don’t do this then, while not unheard of, it is very unlikely you will be chosen to facilitate the SEC660 course.

That said, I wish you the very best of luck!

GXPN: GIAC Exploit Researcher and Advanced Penetration Tester

With the course now over, there is an exam to prepare for! 🥳

First off, I want to address the mistaken notion that the GXPN exam only consists of multiple-choice questions. This is not the case anymore! It consisted of 60 multiple-choice questions and 6 larger practical questions which are answered by connecting to a Windows and a Linux virtual machine. These practical questions involved using several exploit dev tools, analysing assembly instructions, writing Python code and identifying overflow points.

I think this move away from only multiple-choice questions is great for SANS/GIAC. It proves to employers that someone really understands the subject matter and is not simply memorising or looking up answers. I really hope more of the GIAC exams follow in these footsteps, as it helps make the certification much more prestigious.

I began by scheduling my exam at a Pearson VUE test centre, then started looking online for the best way to study for a GIAC exam. I came across the concept of a SANS GIAC exam index, which is basically a nicely formatted spreadsheet that you build for quick reference lookups, as the exam is open book.

I followed this guide by Eric Ooi on how to build my index, and I created it over a number of days in the weeks preceding the exam. The only extra addition I made was highlighting the rows for tools (bad_char.py, afl-fuzz, etc.) in yellow to make them easier to spot. Additionally, I scanned and printed out the SANS Index at the end of the day 5 SEC660 book. Finally, I printed out the notes I took during the class, which were mainly useful terminal commands from the course.

My Class Notes, The SANS Index, My Index

The day before the exam I took the online practice test. I managed to finish in half the time with a score of 83%. Following this I felt reasonably confident about the exam, and didn’t take the second practice test.

The GXPN exam is 3 hours long and needs a score of 67% to pass. Previously I had only taken the 48-hour OSCP and the 72-hour OSCE, so this was a nice change of pace. The exam took me two and a half hours to complete, and I managed to get a score of 87%, more than enough to pass!

GIAC sends you an email confirming your pass, then has you fill in a form so they can post you your certificate.

GXPN — Much more shiny in person.

So, to summarise, taking the SEC660 course and the GXPN exam/certification has been a great experience. I would again recommend facilitating at SANS to anyone wanting to up-skill in cyber security on a budget. The reduced work study price makes SANS courses very competitive with other providers.

As a cherry on the cake, I just secured myself a position as a Senior Security Consultant at a new firm, which perhaps my newly certified status helped contribute to! I’m really looking forward to a fresh start in 2020 at a company where I don’t have to take holiday to attend training courses!
