Prior to taking 660, I took the SANS course Network Penetration Testing and Ethical Hacking (SEC560) back in January of 2013. Although I'm not going to write about that course in this post, 560 is another fantastic penetration testing course offered by SANS. My day-to-day job and personal interest has me focus more on the vulnerability and exploit development based research more so than the hands on penetration testing. As a result, a lot of the network based attack topics covered in this class were fairly new to me. Every day had so much content that the normal hours of the class were augmented with additional bootcamp labs. To make things even more interesting, I attended 660 during the SANS Virginia Beach conference which hosted their NetWars tournament. So I was spending pretty much every waking moment during the week hacking in some way, shape, or form.
The class is broken up into 6 days. Days 1-5 are content based learning days with frequent lab exercises. Day 6 wraps up the class with a capture the flag (CTF) challenge. Since there is so much content associated with this class, each day is fully packed. The instructor, Stephen Sims, did an absolutely amazing job at teaching this class. The following sections give a high level impression of each day. For more detailed topics covered during each day, I highly recommend checking out the course description on the SANS website.
Day 1 - Network Attacks for Penetration Testers
Day 1 was admittedly the most difficult for me. To start off the course, students are introduced to an extremely diverse set of advanced network attacks. Networking is one of my weaker areas, and as a result, I did need to spend a little more time completing some of the labs and studying this material. One of the best things I enjoyed about day 1 is the focus on obtaining access to a network that has security access controls. Many times, penetration testing descriptions start off with, 'assume you've been given initial access to the target network'. This is not always the case and it is extremely valuable to the customer when a penetration tester can bypass whatever network access controls may be in place.
Day 2 - Crypto, Network Booting Attacks, and Escaping Restricted Environments
Personally, I felt that Day 2 was the most unique content from course in the sense that the topics covered during this day are probably not areas immediately thought of when performing penetration tests. For example, cryptography. Often times as penetration testers, we'll look for a known implementation flaw online if we discover a particular crytographic algorithm being used, or defer the cryptanalysis to another time so that our testing event isn't consumed by trying to break cryptographic implementations. One of the take aways from this day is a methodology for efficiently evaluating a cryptographic implementation. Immediately with this skill set, your ability to provide a more comprehensive penetration test for you client greatly increases. Other notable topics covered in this class are delivering hypervisor boot images across a network (as a means to silently shim in between your victim's OS and hardware) and breaking out of kiosk style restricted environments.
Day 3 - Python, Scapy, and Fuzzing
This day of class was a lot of review for me. I've used Scapy for work projects, and I've been coding in Python for a few years now. I've also used a variety of fuzzers for both personal and work projects. The best part of this day, however, is getting some automagic scripts built by the SANS team for helping alleviate the pains that are associated with installing certain fuzzing platforms (I'm looking at you Sulley...). I love making things as simple as possible and having these new setup scripts eliminate the pains that come with installing some of these platforms is almost worth the entire cost of the class by itself ;).
Day 4 - Exploiting Linux for Penetration Testers
I really enjoyed days 4 and 5. I've worked through all the exercises in Hacking: The Art of Exploitation (ref) a couple of times and I've participated in a few CTFs requiring exploitation of Linux binaries. As a result, a lot of the information presented in this day was review for me. It was still a great lecture and lab day, however, because the best way to improve your exploit skills is to write exploits! I also find that relearning a topic taught by another knowledgeable instructor (in this case Stephen Sims) only helps solidify your understanding of a specific topic.
Day 5 - Exploiting Windows for Penetration Testers
Moving on from day 4, day 5 was all about Windows. Admittedly, I have a much greater understanding of low level Linux internals than I do Windows. That is something I'm currently working on. As a result of day 5, I came away with a much better understanding of the Windows linking and loading procedure and the in-memory process structure. Day 5 also focuses more on return-oriented programming (ROP) exploitation. To facilitate this, the class learned about the Immunity Debugger plugin, mona.py (source, manual), from the amazing Corelan team. Learning about this tool was the best part of Day 5 in my opinion.
Day 6 - Capture the Flag Challenge
After 5 intense days of instruction, it was time for us to put our new knowledge to use during the CTF event. Our class broke up into 4 teams of about 4 to 5 members per team. We had 6 uninterrupted competition hours. I focused mainly on the Linux exploitation challenges in the beginning and then moved on to Windows exploitation and a particularly tricky fuzzing challenge. After an absolutely thrilling competition, our team came out on top, taking home the SEC660 challenge coin!
Certification and Closing Thoughts
In November I successfully acquired my GXPN certification by taking the test associated with this class. I procrastinated studying much longer than I wanted to, but sometimes things come along that you can't plan for. In the end everything worked out. Additionally, I'd like to advocate this class for anyone seriously considering doing more exploit development in their career. Shortly after earning my GXPN, I was given an amazing job offer to be a full time exploit developer. I can honestly say that this class gave me the confidence and edge I needed during my interviews. Right now I'm currently transitioning into a fantastic opportunity within my current job so I didn't end up taking the new offer. Someday down the road, though, things might be different.
Overall I thought SEC660 was an absolutely amazing class and Stephen Sims did a fantastic job teaching. I'm already trying to plan out when I can take SEC760 - Advanced Exploit Development for Penetration Testers.