Welcome to TheListSec!
Today I want to give my two cents on a well-known offensive security certification: SANS GPEN (SEC560).
Let’s give it a go…
1. Why start with GPEN?
I started my offsec journey back in January 2017, but the first course I tackled wasn’t GPEN. It was OSCP. I was your typical wannabe “hacker n00b” who thought mastering Metasploit would give me unlimited shells. Once I rooted the 3 or 4 point-and-click targets, I hit a brick wall, and no matter what I tried, I couldn’t move it. Every new topic was confusing, every new tool was complicated, and I quickly came to realize I had no idea what I was doing.
Going back to the drawing board was priority one if I wanted to continue down this offsec path. I did some research on several “introduction to penetration testing” courses and identified SANS GPEN as the clear winner. Although the course is expensive, the in-person lectures and lab time make it well worth it.
I remember listening to Ed Skoudis lecture about how to properly use “netcat” on day 2 and the light bulbs were going off like crazy! Although I had a tremendous amount of support from my colleagues, learning from an offsec teaching professional was my missing puzzle piece. It became clear that SANS GPEN, and learning the fundamentals of penetration testing was what I needed to start my offsec journey.
2. GPEN Expectations
Walking into class on day 1 brought excitement and nerves. Even though I had a networking background, I was still unsure that the class was going to give me the necessary tools and techniques needed to start my offsec journey.
My expectations were high, but they were definitely met. After 6 (long) days of lectures, labs and CTFs, I left feeling confident that I had the fundamentals needed to tackle my next challenge.
3. GPEN Course Outline
The GPEN course breaks down as follows:
– Day 1 (Comprehensive Pentest Planning and Scoping)
*Mindset of a Penetration Tester
*Creating effective engagement scopes and rules of engagement
*Detailed recon using the latest tools
*Document metadata extraction and analysis
– Day 2 (In-Depth Scanning)
*In-depth scanning tools (TCPDUMP and NMAP)
*Vulnerability scanning with Nessus
*Packet manipulation with Scapy
*Enumerating users
*Netcat for pentesters
– Day 3 (Exploitation)
*Comprehensive Metasploit coverage (exploits, stagers, and stages)
*Anti-Virus evasion
*In-depth meterpreter analysis
*Implementing port forwarding and network pivots
*Leveraging PowerShell Empire
– Day 4 (Post Exploitation and Merciless Pivoting)
*Windows command line for pentesters
*Password attack tips
*Account lockout and strategies to avoid it
*Automated password guessing with Hydra
*Retrieving and manipulating Windows and Linux hashes
*Extracting hashes from memory using Mimikatz
– Day 5 (In-Depth Password Attacks and Web App Testing)
*Password cracking with John the Ripper
*Sniffing and cracking Windows authentication
*Using Hashcat for maximum effectiveness
*Pass-The-Hash attacks
*Finding and exploiting cross-site scripting
*Data plundering with SQL injection
*Command injection testing
– Day 6 (Capture-the-Flag Challenge)
Full course details can be found here:
https://www.sans.org/course/network-penetration-testing-ethical-hacking
4. Exam Indexing & Preparation
After celebrating your CTF challenge win, take some time off, let everything you learned over the past week sink in, then get back to work.
There are some great articles and blogs online that walk GPEN course takers through creating a perfect exam index. I found re-reading each book and adding colored sticky notes to each topic (tool, technique, and methodology) I didn’t fully understand was my ace in the hole. I added each topic to a Word document and organized it alphabetically.
Creating an index is a great way to pass the GPEN exam, but thoroughly understanding each topic won’t just help you pass the exam; it will set you up for more advanced offsec certifications.
Once the index is complete, my suggestion is to take your first practice test. Take the practice test just like you would take the actual exam: in a quiet room, with only your index, course books, pen, and paper. The first practice test is critical because it lets you know how much of your course knowledge transferred to the exam. Once the practice test is complete, SANS is nice enough to give you a report card letting you know your strengths but, more importantly, your weaknesses.
Take those weaknesses, re-read those sections, add more entries to your index, then take your second practice test and repeat.
When exam day comes, have a big breakfast, do something that relaxes you (listen to music, take your dog for a walk, go for a run) and, most importantly, be confident! I’m not a good exam taker, but answering your last question, clicking “next” and seeing “Congratulations” appear on your screen makes all the anxiety and stress worth it!
5. GPEN Pro Tips
Some quick tips to help get you through the week and prep for the exam:
*Come to class each day with a positive attitude
*Write down the day 6 CTF hints your teacher gives out
*Work on the course CTFs only when you’ve completed the course labs
*If you have a question, ASK IT! Someone else is thinking the same thing
*Compete in NETWARS if you can! 500 hackers in one room with free beer, Best
*Communicate with your team constantly during the day 6 CTF challenge
*Have fun! Learn a lot!
6. Onto the Next Challenge
SANS’ next-level course is GXPN – (SEC660) Exploit Researcher and Advanced Penetration Tester. Some experts identify this course as the next logical step, but I disagree.
I believe GPEN gives students enough logical and practical knowledge to begin their Offensive Security Certified Professional (OSCP) journey. OSCP is not for the faint of heart, as it presents road block after road block, but you’ll learn a tremendous amount.
The main reason I’d suggest OSCP over GXPN after completing GPEN is the practical experience you’ll gain working through buffer overflows, a topic covered in depth in GXPN.
My offsec journey would look like this: GPEN -> OSCP -> GXPN -> TBD
Thanks for reading & good luck with your certification!