Saturday, March 24, 2018

GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) Review

A few weeks ago I passed the GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) certification exam. This is the exam offered after their SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking course. Below is my review.

The SysAdmin, Audit, Network and Security (SANS) Institute provides training for cyber and network defenses, penetration testing, incident response, digital forensics, and audit. The SEC660 course is their level 5 course out of 6 and their most advanced GIAC certification offered in the realm of penetration testing. The SEC660 course is a natural progression from the SEC560: Network Penetration Testing and Ethical Hacking course, which offers the GIAC Penetration Tester (GPEN) certification. SANS recommends taking either SEC560 or SEC504 as a prerequisite, but I opted to pass since I had already taken the PWK: OSCP, for which I have a write-up here.

SANS offers their courses either through Live training or Online via Private Training, SelfStudy or OnDemand. I took the course through OnDemand since it best mapped to my method of learning. With my schedule and learning style, it was best for me to take the course at my own pace and allow the material to sink in. The OnDemand course replicates the Live training, in that it is broken up into 5 Sections instead of 5 days. Additionally, they have a CTF section which is normally reserved for the CTF day. The only downside I found with OnDemand is that I was unable to be among my peers and ask the difficult questions that an instructor could answer while participating in the live training.

Section 1: Network Attacks for Penetration Testers

The first section starts out as an advanced network attack module, covering topics such as:
  • Bypassing Network Access Control (NAC)
  • Exploiting EAP-MD5 authentication
  • Exploiting OSPF authentication
  • Custom network protocol manipulation with Ettercap and Bettercap
  • And even IPv6
I found this section to be the easiest to grasp. There were certainly some excellent nuggets. The bypassing NAC section was an eye opener and helped me realize some techniques that I didn't realize existed. The Man in the Middle techniques were great, and they even covered network protocol manipulation and OSPF exploitation, which is usually overlooked during assessments. Essentially, this section helps the penetration tester get a foothold into the organization. This will be the first step in an engagement and is worth understanding.

Section 2: Crypto and Post Exploitation

The second section begins by showing the student different techniques when investigating and exploiting common cryptography mistakes. The instructor doesn't necessarily dive into how the different crypto algorithms work; instead, they help the student grasp the different flaws that each one has. These flaws include exploiting CBC bit flipping and hash length extension vulnerabilities.

The post exploitation was a real treat. This portion of the section showed advanced techniques after gaining the initial foothold on the network. There are sections on escaping restricted environments such as circumventing, obfuscation and blacklisting. This section also contained a great chunk of PowerShell essentials and utilizing PowerShell and Metasploit for privilege escalation and pivoting deeper into the network.

Section 3: Python, Scapy, and Fuzzing

The third section of the SEC660 course was all Python, Scapy and Fuzzing. The topics included:
  • Leveraging Python Modules for real-world penetration testing tasks
  • Using Scapy
  • Using The Art of Fuzzing (Taof)
  • Using AFL
This section really delved deep into using different tools and customizing them for product security testing. The instructor showed multiple fuzzers and the pros and cons of each. This included using the PaiMei Reverse Engineering Framework, IDA Pro, TAOF and AFL.

Section 4 and 5: Exploiting Linux/Windows for Penetration Testers

The fourth and fifth sections were where the material really got good. The exploiting Linux and Windows sections were by far my favorite. These sections heavily covered topics such as:
  • Identifying vulnerable programs
  • Performing ret2libc
  • Return-oriented programming (ROP)
  • Building ROP chains
  • Defeating stack protection such as ASLR and DEP
The amount of information in these 2 sections was amazing. The instructor really helped explain why and how the different techniques worked during exploitation. Taking the OnDemand course really helped me watch, re-watch and re-re-watch these 2 sections so I really understood what was going on.

Capture the Flag Challenge

The capture the flag challenge was also very fun. SANS allows the students to hop into a network and offers a Jeopardy style CTF. The challenges ranged from simple to very difficult and required the student to think outside the box and solve challenges such as privilege escalation, remote exploitation and networking attacks. Since there were no answers, it really forces the student to try harder and not give up when approaching the challenges.

The GXPN Exam

The GXPN exam was unlike any other exam I've taken. SANS allows the student to bring an armful of books and notes into the testing center while taking the exam. While this may seem like a huge advantage, it really isn't. This just means that SANS won't be asking "true or false" or "definition" style questions. Each question usually contained multiple topics and required the student to fully understand what is being asked and how to approach the answer.

SANS also offers 2 practice tests for purchase, which I highly recommend. These practice tests emulate what it's like to take the true exam. They are time based and contain similar question styles to the exam. Once the practice test is completed, a score is given that shows the student which topics and sections they were strong/weak at and allows the student to return to studying.

What I did to prepare for the exam:
  • Study, study, study, study
  • Watch the videos at least 2, 3 or X times through
  • Perform all practice labs and document the actions taken
  • Participate in the CTF and get as many flags as I could
  • Create an index for the test listing the topics and the book/page they are referenced on. For example:
    • dlmalloc() - 4.069 (Book 4, page 69)
  • Take both practice tests with all notes
  • Take the end of the section quizzes
Also, like all penetration testers, I used the Internet. Any topic I still felt weak on, I read blogs/whitepapers.
Overall, I felt SEC660 and the GXPN were great. I feel like I gained a ton of knowledge along with a desire to dive even deeper into the sections covered. I was recently given a rough estimate that there were only about 1500 students who have obtained the GXPN certification. I don't know if it's because the price of the course is so high or the difficulty. Either way, I hope for more students to take this course because anyone wanting to enhance their penetration testing skills will be rewarded ten-fold. Like anything, the amount of effort put in is what the student will get out of it.

Until next time.