
GIAC GXPN Review – SANS SEC660 (Advanced Penetration Testing, Exploit Writing, and Ethical Hacking) 

Intro

SANS is a well-respected and premier cyber security training company that employs industry experts as instructors. GIAC is a company that produces testing to validate the skills of security professionals. GIAC exams validate the learning outcomes of the SANS courses.

Prerequisites

Before attempting this course you should be familiar with penetration testing as this is an advanced course. I would say that you should also be familiar with assembly language and shellcoding. It would be best if you have studied basic stack overflow exploits prior to this course. You will need a basic understanding of programming in C or C++ (preferably both). Scripting using Python would be a useful prerequisite. If you could learn a bit of Ruby scripting it would help for the Metasploit module creation. Be familiar with various routing and networking protocols.

Course Coverage

This course covers material in a variety of subject areas:

  • Network Attacks for Penetration Testers
  • Crypto and Post-Exploitation
  • Python, Scapy, and Fuzzing
  • Exploiting Linux for Penetration Testers
  • Exploiting Windows for Penetration Testers

My Impression

I pleasantly learned something from every module of the course. I was most keen on the Linux and Windows exploit development and enjoyed learning how to get around/repair stack canaries, defeat ASLR, defeat DEP and how to defeat other security controls.

I was most worried about how hard the course would be but I found that, despite all the warnings about it being an advanced course, only a few subjects were not covered in enough detail for me to understand them without some external research. The "try harder" motto from the OSCP course probably helped a bit.

I took the OnDemand format for the course due to my being located away from major centers and the cost and time involved in traveling to a large center.

The CTF

Typically if you had attended a classroom format of the course you would have been given 5 hours to attempt to complete a number of CTF challenges. You would have been part of a team of students competing against other teams to get the highest score. Challenges are rated with differing scores depending on their difficulty.

If your team got the highest overall score in 5 hours you would be awarded a SEC660 medal/coin.

This aspect is something that is typically missing with the OnDemand format and usually you would not be awarded a coin. I put in the extra effort and time to solve all of the CTF challenges and gain a score of 100% which amounts to 4800 points. One of the instructors at SANS indicated that he had never seen anyone do this before so he requested a coin be sent to me.

The GXPN Exam

I was quite stressed about the exam due to the fact that COVID-19 hit and the closest exam center was closed. The next closest exam center was a 7-hour drive away (each way). I had to attempt the GXPN via a new testing option known as ProctorU. There were a lot of prerequisites for the machine used for the ProctorU test which I was expected to provide. It all worked out after some due diligence with getting the ProctorU technicians to test my machine in advance (I did more than just the automated test of the machine's configuration, in other words), and I ended up achieving a score of 93% on the exam.

I was also concerned about the difficulty of the hands-on component for the exam. I actually found the hands-on to be easier than the multiple choice questions so my concern wasn't warranted. The hands-on questions are "tricky" so read the question carefully or you will provide the wrong answer despite having a mastery of the task.

GIAC Advisory Board

Any time that you take a GIAC test (beginner to advanced) and achieve a score of 90% or higher you are invited to join the GIAC Advisory Board as a member. My score of 93% on the GXPN exam qualified me to receive an invitation which includes a GIAC Advisory Board badge to post on social media.

Credits

First of all I would like to thank God who knew me before I was born and gifted me with life and talents. Then I would like to thank my employer, without whom I would not have had the time or money with which to take such a course. I would also like to thank SANS and the instructors Stephen Sims and Jim Shewmaker for a great course. Last, but certainly not least, I would like to thank my wife who has put up with me spending more than the average amount of time on the computer and taking courses throughout the last 30 years of our relationship.

What's Next?

My plan is to, God willing, take the "SEC760 - Advanced Exploit Development for Penetration Testers" course in 2021.


