This year I took the SANS SEC660 advanced penetration testing course and recently passed the GXPN certification test. I want to share my experience with taking the course and passing the test, which is the purpose of this post.
Overall the course is good and I enjoyed the instructors. I took the course in-person and I would recommend that for any SANS course that has a high difficulty level. The ability to ask questions in-person can really be helpful.
The bulk of the course is focused on exploit development, which is apparent if you review the course description. That means understanding how to fuzz applications, then how to take a vulnerability and turn that into an exploit. Even evading protections like ASLR is covered. The first two days covered things like ARP Spoofing and post-exploitation. Days one and two were pretty easy for me as a current pentester. Most of it was techniques I was familiar with. Days 3-5 kicked my butt. If you like low level details on memory and all that, you will be in heaven, but it made my brain hurt. I spent a lot of time after the class reviewing days 3-5 to prepare for the GXPN exam because I knew that was a weak area for me.
Is it worth it? If you want the GXPN cert to your name, or are looking to get into exploit research, then the course and cert are worth it. Is it a good step up from SEC560/GPEN to get more advanced skills most penetration testers will use day to day? I have mixed feelings on that. The main idea of the course is to get the students to think outside of off-the-shelf tools and techniques and start to go custom when needed. From that aspect, it is great, but as a pentester I am not regularly doing exploit research and development on a penetration test for clients. You can spend months fuzzing one application and most of my projects are 2-3 weeks. Now for red teamers and internal folks, you may have the time to do that kind of thing, so this would be a good class for you. If you are a consultant doing typical external and internal pentests, I don’t really think you will gain a whole lot from the course that you aren’t already doing, particularly if you already have an OSCP or GPEN and stay up-to-date with what the leaders are doing. If all you want is more training you will actually use as a typical pentester, you might be better off with a SANS web pentesting course or their red teaming course. Alternatively, I hear good things about the courses at places like Derbycon, Defcon, etc.
How did I prepare for and pass the test? I scheduled the test for the last week you could, which is 4 or 5 months after the course. After that, the first thing I did was build an index for the books. There is a basic one at the back of book 5, but it really isn’t that useful. I based my index loosely on Lesley Carhart’s method. You can find that here: https://tisiphone.net/2015/08/18/giac-testing/
After I took one of the practice tests I didn’t really end up caring about all the colors etc. she uses, so let me tell you what I did. I created a spreadsheet in Google Docs with a tab for each book. On each of those tabs I had the first column be for the book.pagenumber (e.g. 1.105). Then for the next three columns I would put in key subjects or terms found on each page, sometimes the same topic written in different ways. So if one page was about a specific tool, I would note “Toolname – Fuzzing”, or “ASLR – Windows Exploitation” and stuff along those lines. I went through every page of every book noting the page number and the main terms/subjects on each page, except for where it was an exercise that covered multiple pages. Then I went back through and added blank columns in between the topic/subject columns so I could duplicate the page numbers. So in one sheet/tab you have book.pagenumber, topic/term, book.pagenumber, topic/term, book.pagenumber, topic/term across every row. I took all those book.pagenumber, topic/term column pairs and merged them all into a single tab/sheet. So you simply have the first column of book.pagenumber, followed by a single topic/subject column. You only want one book.pagenumber, topic/term per row. I then sorted the topic/subject column in alphabetical order. I had this bound and printed for the test, but honestly I feel like the indexes I printed myself for the practice tests with a single staple were faster to go through than the bound one I used on the actual test.
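The merge-and-sort step described above, as an added example that is not part of the original post: a small Python script that takes per-book tabs laid out as book.pagenumber followed by topic columns and produces the single, alphabetically sorted book.pagenumber, topic/term sheet. The sample rows are constructed for illustration.

```python
import csv
import io

# Constructed sample of the per-book tabs described in the post:
# one row per page, book.pagenumber in column 1, then up to three
# topic/term columns. Values are made up for illustration.
BOOK_TABS = {
    "Book 1": """1.105,ARP Spoofing - Network Attacks,Ettercap,
1.106,ARP Spoofing - Defenses,Dynamic ARP Inspection,DAI
""",
    "Book 4": """4.12,ASLR - Windows Exploitation,Address Randomisation,
4.13,Toolname - Fuzzing,Fuzzing - Mutation,
""",
}


def page_key(page):
    """Sort 'book.page' strings numerically (so 1.9 sorts before 1.105)."""
    book, num = page.split(".", 1)
    return (int(book), int(num))


def flatten_index(tabs):
    """Merge every (page, topic) pair from all tabs into one list.

    Each input row holds one page number followed by several topic columns.
    The output holds exactly one topic per row, as the post's final sheet
    does, sorted alphabetically by topic (case-insensitive), then by page.
    """
    rows = []
    for tab_text in tabs.values():
        for row in csv.reader(io.StringIO(tab_text)):
            if not row or not row[0].strip():
                continue  # blank line in the tab
            page = row[0].strip()
            for topic in row[1:]:
                topic = topic.strip()
                if topic:  # skip the blank spacer columns
                    rows.append((page, topic))
    # drop exact duplicates, then sort by topic and page
    return sorted(set(rows), key=lambda r: (r[1].lower(), page_key(r[0])))


def write_index_csv(rows):
    """Return the merged index as CSV text ready to print."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["book.page", "topic/term"])
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(write_index_csv(flatten_index(BOOK_TABS)))
```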
After I had my index I took the first practice test. I failed by only one percentage point. The test let me know I needed to focus on the last 4 books the most. So I started with book 2 and went through every page and worked every exercise I could for every book (some exercises you can only do in the lab, but others you can do at home no problem), taking notes as I went. Once I had that done, which took a while, I took the second practice test. I passed that by 9 percentage points, which made me feel confident about taking the real test. That was right before I took the test, so after that I did some basic review on areas I wasn’t firm on and tried to chill myself out before the test. The night before the test I worked out and tried to eat healthy. The day of the test I made sure I ate breakfast before the test and had a granola bar in case I was hungry during the break. You get a 15-minute break; I used five minutes of it to just walk around. My testing center’s desk was tiny and not big enough to put all my books on, so I slid the computer monitor back and put my index in front of the monitor. Then I just stacked my course books on the floor next to me. When I needed to reference them I would grab what I needed off the floor and put it in my lap. I took my time going through the test; you will get an idea of your speed from the practice tests. I finished with a little time left and passed on the first attempt. In a nutshell, if you take the course, make an index and review all the books, I think you won’t have an issue passing the test. It is hard though and the material was complex, at least for me.
If you are taking or planning to take the SEC660 course and the GXPN test I wish you luck.