Breaking Barriers: A Deep Dive into My GIAC Penetration Tester (GPEN) Certification Journey 2024

Rio Darmawan
MII Cyber Security Consulting Services
Mar 25, 2024
GPEN — GIAC PENETRATION TESTER

Hello everyone, in this article I will explain my journey through training at the SANS Institute and passing the GPEN certification.

First of all, we need to be a little realistic. SANS training courses are not cheap. Everyone complains about it and makes comparisons with other courses. In this article I will not discuss the price or compare SANS with other courses; I will only discuss what the class was like during training, the modules I received, and tips on passing the exam.

Training Class

I signed up for the live in-person SEC560: Enterprise Penetration Testing session in November 2023 in Jakarta, Indonesia, and the class was led by Tim Medin (who invented the Kerberoasting method in 2014).

The training class spanned 6 days (Monday to Saturday), covering five days of intensive classes featuring hands-on labs. The sixth day culminated in a Capture the Flag event, where participants formed teams and put their newly acquired skills to the test.

In the training session, I feel this is the time to ask as many questions as possible directly to a professional in the field of cybersecurity. My advice is, if you want to take this training, you should prepare as many questions as possible after the first day’s session is over, and you can discuss them the next day.

Modules

In the GPEN training, I was given 5 module books and 2 lab manuals + 2 VMs (Windows & Linux Slingshot). I will explain a little about what is covered in the 5 module books.

Book — 1
An in-depth exploration of Comprehensive Pen Test Planning, Scoping, and Recon provided a broad overview of the professional penetration testing process. This encompassed various test types, strategies for structuring a pentest approach, and navigating through the distinct stages of a test with precision. In my view, this module also gave me a new perspective. It explains that this training does not teach “how I can hack a company in a nutshell”. Instead, it really teaches how to be a real professional. This module covers everything starting from pentest preparation: making an NDA, planning the pentest scope with the client, making the RoE (Rules of Engagement), conducting thorough penetration tests, and providing value to an organization. That’s so sick, right? While it’s not a very technical book, it did a great job of guiding me to think like a professional pentester.

Book — 2
Scanning and Initial Access, covered in depth here, are fairly self-explanatory topics. Participants delve into various scanning and enumeration tools, master their optimization, and acquire the skills to establish a foothold within an organization using the gathered information.

Book — 3
This in-depth Exploitation book focuses on the initial actions to undertake upon gaining a foothold. It covers prominent exploitation frameworks, their utilization, pivoting techniques, evasion of AV/EDR systems, and introduces command line usage. This book offers excellent technical depth and insight. In this module, I gained extensive knowledge about the functioning of exploitation frameworks and how to effectively employ them.

Book — 4
In Book Four, Post Exploitation, the focus was on password attacks, further exploration of pivoting techniques, and strategies for pivoting within a network to continue exploiting the target. In this module, I learned a lot about password-cracking tools, such as using John the Ripper and Hashcat in more depth.

Book — 5
Book Five discusses the exploitation of Active Directory and Azure Active Directory. This is the book that I read most often. I am very, very NOOB on this topic. I understand how to exploit Active Directory; I learned it in another course. But what about Azure Active Directory? I have never even tried to figure out how it works. I have to admit that listening to the godfather of Kerberoasting, Tim Medin, explain how it all works was the amazing part. For me, Tim Medin is the best instructor I have ever met in cybersecurity training.

Last Module — Penetration Testing Workshop
The last module only discusses the CTF write-up completed by participants on day 6. In the CTF session, I completed the CTF challenge and got the SANS SEC560 coin. It is an honor to get one of the SANS coins :D

Me And Mr. Tim Medin

Exam Tips

The GPEN exam had 82 questions and I had to answer them all in 3 hours. The minimum passing score was 75% and I had to answer 63+ questions to pass the exam.

GIAC Exam Format
  1. Time Management
    I am a security consultant at my company. Of course, I work 5 days a week. That’s why I put time management at the beginning of my tips. I follow a routine of 2 hours reading books and 3 hours doing labs, which I do after my working hours are over, from 7:00 p.m. to 00:00 a.m.
  2. Recognize My Weak Spots
    After I read the modules and did the labs over and over again, I found that I always struggled with some modules, and I determined that those modules were my weak points in the exam.
  3. Build My Personal Notes
    I am a fast learner but have trouble remembering things for a long time; that’s why I made personal notes so I wouldn’t forget. My personal notes are more about theory than technical stuff.
  4. Indexing, Indexing, Indexing!!!!
    I read a lot of tips from people who have taken GIAC certifications; they suggested indexing the module books. I think this is very important when taking the exam. I revised my index many times. I made the revisions based on the results of my first practice test, which did not go well, but I passed my first practice test. I did the same thing after my second practice test and made the final index before the exam. You may want to read Lesley Carhart’s indexing tips here: https://tisiphone.net/2015/08/18/giac-testing/.
  5. Stay Safe And Keep Healthy
    It cannot be denied that in our daily lives there are still many things outside our control and prediction; you could get sick during the exam. To save the money of rescheduling, I recommend taking care of your physical and mental health in advance so that it does not distract you during the exam.
  6. Ego Management
    Control your ego. You don’t have to be perfect and get a lot of points during the exam. You only need to meet the 75% passing score, right? Answer the questions you know, skip the questions you don’t know. Don’t spend time on just one question. 6 out of 82 questions are hands-on labs. Be careful with them; don’t spend time on them.
My practice test
My Index

PASSED!

Conclusion
GPEN is the best course I have ever taken. I highly recommend it for those of you who want to learn professional pentesting from scratch (from pentest planning to compromised machines). For now, though, I am going to take a break after five straight months of this program.

Thanks to:

Digit Oktavianto — (As a Mentor for guidance and support throughout this journey)
Tim Medin — (As an Instructor for technical advice)
