SANS SEC760: Advanced Exploit Development for Penetration Testers Labs
Vulnerabilities in modern operating systems such as Microsoft Windows 10 and the latest Linux distributions are often very complex and subtle. When exploited by very skilled attackers, these vulnerabilities can undermine an organization’s defenses and expose it to significant damage. Few security professionals have the skillset to discover why a complex vulnerability exists and how to write an exploit to compromise it. Conversely, attackers must maintain this skillset regardless of the increased complexity. SEC760: Advanced Exploit Development for Penetration Testers teaches the skills required to reverse-engineer 32-bit and 64-bit applications to find vulnerabilities, perform remote user application and kernel debugging, analyze patches for one-day exploits, and write complex exploits such as use-after-free attacks against modern software and operating systems.
You Will Learn:
How to write modern exploits against the Windows 7/8/10 operating systems
How to perform complex attacks such as use-after-free, kernel and driver exploitation, one-day exploitation through patch analysis, and other advanced attacks
How to effectively utilize various debuggers and plug-ins to improve vulnerability research and speed
How to deal with modern exploit mitigation controls aimed at thwarting success
SEC760.1: Exploit Mitigations and Reversing with IDA
SEC760.2: Linux Application Exploitation
The ability to progress into more advanced reversing and exploitation requires an expert-level understanding of basic software vulnerabilities, such as those covered in SANS’ SEC660 course. Heap overflows serve as a rite of passage into modern exploitation techniques. This day is aimed at bridging this gap of knowledge in order to inspire thinking in a more abstract manner, which is necessary to continue further with the course. Linux can sometimes be an easier operating system to learn these techniques, serving as a productive gateway into Windows. Most courses on exploit development focus purely on the Windows OS, and it’s important to have an understanding of vulnerability research on the Linux OS as well.
CPE/CMU Credits: 8
Linux heap management, constructs, and environment
Navigating the heap
Abusing macros such as unlink() and frontlink()
Function pointer overwrites
Format string exploitation
Defeating Linux exploit mitigation controls
Using IDA remote debugging for Linux application exploitation
Using format string bugs for ASLR bypass
Attackers often download patches as soon as they are distributed by vendors such as Microsoft in order to find newly patched vulnerabilities. Vulnerabilities are usually disclosed privately, or even discovered in-house, allowing the vendor to more silently patch the vulnerability. This also allows the vendor to release limited or even no details at all about a patched vulnerability. Attackers are aware of this and quickly work to find the patched vulnerability in order to take control of unpatched systems, as many organizations struggle with getting patches out quickly. Binary diffing and patch diffing is also performed by incident handlers, IDS administrators and vendors, vulnerability and penetration testing framework companies, government entities, and others. You will use the material covered on this day to identify bugs patched by Microsoft, taking some of them through to exploitation. We will also focus on using Return Oriented Programming (ROP) to string together gadgets that emulate shellcode.
CPE/CMU Credits: 8
The Microsoft patch management process and Patch Tuesday
Obtaining patches and patch extraction
Binary diffing with BinDiff 5
Visualizing code changes and identifying fixes
Reversing 32-bit and 64-bit applications and modules
Triggering patched vulnerabilities
Writing one-day exploits
Using ROP to compiled shellcode on the fly (Return-Oriented Shellcode)
The Windows kernel is complex and intimidating, so this day aims to help you understand the Windows kernel and the various exploit mitigations added into recent versions. You will learn how the kernel works with drivers to talk to devices and how some functionality can be exposed to user-mode, sometimes insecurely! You will perform kernel debugging on Windows 10 and learn to deal with its inherent complexities. Exercises will be performed to analyze Ring 0 driver vulnerabilities, look at exploitation techniques, and get working exploits.
CPE/CMU Credits: 8
Understanding the Windows kernel
Navigating the Windows kernel
Modern kernel protections
Debugging the Windows 10 kernels and drivers
Analyzing kernel vulnerabilities and vulnerability types
Kernel exploitation techniques
Token stealing and information disclosure vulnerabilities
The focus of this day is on the advanced exploitation of applications running on the Windows OS. For many years now memory corruption bugs have been the de facto standard regarding exploiting Windows applications. Examples include Use After Free (UAF) and Type Confusion bugs. Many of these vulnerabilities exist due to complexities with large C++ applications such as object tracking and dynamic memory management. In this section we focus on these types of application vulnerabilities on the Windows 7, 8, and 10 operating systems.
Get immediately download here SANS SEC760: Advanced Exploit Development for Penetration Testers Labs
CPE/CMU Credits: 8
Windows heap management, constructs, and environment
Understanding the low fragmentation heap
Browser-based and client-side exploitation
Understanding C++ vftable/vtable behavior
Use-After-Free attacks and dangling pointers
Avoiding protections such as MemGC and Isolated Heap
Dealing with ASLR, DEP, and other common exploit mitigation controls
Day six will feature a Capture-the-Flag event employing different types of challenges from material taught throughout the week. Test your reverse-engineering, bug discovery, and exploit-writing skills in a full day of Capture-the-Flag exercises!
CPE/CMU Credits: 6
You must bring VMware to run multiple operating systems when performing class exercises. All necessary virtual machines with all necessary tools will be provided on the first day of the course, including Windows 10, various Linux distributions, and a 2-month license of IDA Pro with the option of purchasing it through Hex-Rays at a discounted price. There are some labs where the OS and application configuration are very specific. For these labs you will use RDP to connect to virtual machines residing on the in-class network. You will not be able to take these systems home, but you are given the details required to recreate them at home if you are able to obtain the specific OS and/or application builds.
Make sure that you have the administrative ability to disable all security software and protections, including antivirus and personal firewalls on your host OS if it is causing connectivity issues between virtual machine guests. You may not be able to complete the exercises without this level of control. In addition, make sure that you can install software that may be blocked by administrative or security controls due to its nature. You will need to be able to install Windows debugging tools onto your host OS for Windows Kernel debugging via a network connection. A Windows 10 host is recommended. If your host is Mac OS or a Linux distribution you are required to bring a Windows 10 guest VM with you.
Adherence to the following requirements is mandatory:
A minimum of 16GB of RAM.
VMware Workstation, Fusion, or Player. A 30-day free trial is available at http://www.vmware.com. VMware will send you a time-limited serial number if you register for the trial on its website. VirtualBox is also acceptable, though not thoroughly tested.
100 GB of free hard disk space to hold VM’s.
64-bit Intel i5/i7 2.0+ GHz processor
A two-month license to IDA Pro is included with this course. During registration you must agree to the terms where your name and an e-mail address are provided to Hex-Rays in order to obtain the license. If you choose to opt-out, then you must bring a copy of IDA Pro 7.4 advanced or later.
If you have additional questions about the laptop specifications, please contact [email protected]
Senior network and system penetration testers with exploit development experience
Secure application developers (C and C++)
Senior incident handlers with exploit development experience
Senior threat analysts with exploit development experience
It is mandatory that students have previous exploit-writing experience using techniques such as those covered in SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking. This includes experience with stack-based buffer overflows on both Linux and Windows, as well as experience defeating modern exploit mitigation controls such as Data Execution Prevention, Address Space Layout Randomization, canaries, and SafeSEH. Experience with or an understanding of fuzzing tools such as AFL, the Sulley Fuzzing Framework, and Peach is required. Programming experience is important, preferably with C/C++. At a minimum, scripting experience in a language such as Python, Perl, Ruby, or LUA is mandatory. Programming fundamentals such as functions, pointers, calling conventions, structures, polymorphism, and classes will be assumed knowledge. Experience with reverse-engineering vulnerable code is also required, as is the ability to read x86/x64 disassembly from within a debugger or disassembler. ARM and MIPS is not covered in this course. Experience with both Linux and Windows navigation is required. If you do not meet these requirements you may not be able to keep up with the pace of the course.
Courses that lead in to SEC760:
SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
Courses that are prerequisites for SEC760:
SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
SEC760 is a very challenging course covering topics such as remote debugging with IDA, writing IDA Python and IDC scripts, Linux heap overflows, patch diffing, use-after-free attacks, Windows Kernel debugging and exploitation, and much more. Please see the course syllabus for a detailed listing, and be sure to look at the recommended prerequisites and laptop requirements. You are expected to already know how to write exploits for Windows and Linux applications, bypass exploit mitigation controls such as DEP and ASLR, and utilize return-oriented programming (ROP).
Get immediately download SANS SEC760: Advanced Exploit Development for Penetration Testers Labs
SANS gets a lot of questions about this course. Am I ready for SEC760? Should I take SEC660 first? I have taken SEC660, but am I definitely ready for SEC760? I have taken SEC560, so can I jump right to SEC760 if I only want the exploit development material? I have not taken any SANS pen testing courses, so which one should I start with? I have taken a course through Offensive Security or Corelan, is the material the same?
There is no “one size fits all” reply to these questions, as everyone has a different level of experience. SANS”recommendation is to thoroughly read through the course syllabus and prerequisite statements for any course you are considering. Course co-author Stephen Sims is available to answer any questions you may have about the subject matter in order to help you make an informed decision. You can reach him at [email protected]
SANS has prepared a 10 question exam that will help you determine if you are better suited for SEC660 or SEC760. Remember that this is purely from an exploit development perspective. SEC660 includes a two-day introduction to exploit development and bypassing exploit mitigation controls. Much of the other material in SEC660 is on a wide range of advanced penetration testing topics such as network device exploitation (routers, switches, network access control), pen testing cryptographic implementations, fuzzing, Python, network booting attacks, and escaping Linux and Windows restricted environments. Many SEC760 students have taken training from Offensive Security, Exodus Intelligence, Corelan, and others. Though there will certainly be overlap in some sections, there are many unique sections without overlap and students often say the courses complement one another.
Perform labs to reverse-engineer Microsoft patches to identify the patched vulnerability and take the patches through exploitation
Perform use-after-free exploit labs against popular web browsers
Remote-debug both Linux and Windows applications, and debug the Windows 10 Kernel
Exploit Linux heap overflows
Bypass modern exploit mitigations.
Write your own IDA Python scripts
Navigate the Windows front-end (LFH) and back-end heap allocators
A two-month license to IDA Pro, which is provided by Hex-Rays, is included in this course. In order to obtain the license, you must agree to the terms, including providing your name and an e-mail address, so that Hex-Rays may assign the license. After the course ends, students may choose to extend the license at a discounted rate by contacting Hex-Rays. (If you choose to opt-out, then you must bring a copy of IDA Pro 7.4 advanced or later.)
Various preconfigured virtual machines, such as Windows 10.
Various tools on a course USB that are required for use in class.
Access to the in-class Virtual Training Lab with many in-depth labs.
Access to recorded course audio to help hammer home important network penetration testing lessons.
Discover zero-day vulnerabilities in programs running on fully patched modern operating systems
Use the advanced features of IDA Pro and write your own IDA Python scripts
Perform remote debugging of Linux and Windows applications
Understand and exploit Linux heap overflows
Write Return-Oriented Shellcode
Perform patch diffing against programs, libraries, and drivers to find patched vulnerabilities
Perform Windows heap overflows and use-after-free attacks
Perform Windows kernel debugging up through Windows 10 64-bit Build 1903
Perform Windows driver and kernel exploitation.
“SEC760 is a kind of training we could not get anywhere else. It is not theory, we got to implement and exploit everything we learned.” – Jenny Kitaichit, Intel
“I’ve taken many other advanced exploit dev classes and none of them break it down and step through the exploits like this class.” – Adam Logue, SecureWorks
“As a perpetual student of information security, I am excited to offer SEC760: Advanced Exploit Writing for Penetration Testers. Exploit development is a hot topic and will continue to increase in importance moving forward. With all of the modern exploit mitigation controls offered by operating systems such as Windows 10, the number of experts with the skills to produce working exploits is highly limited. More and more companies are looking to hire professionals with the ability to discover vulnerabilities, determine if those vulnerabilities are exploitable, and carry out general security research. This course was written to help you get into these highly sought-after positions and to teach you cutting-edge tricks to thoroughly evaluate a target, providing you with the skills to improve your exploit development.”
– Stephen Sims
“Teaching and helping author SEC760: Advanced Exploit Writing for Penetration Testers has given me the opportunity to distill my past experiences in exploit writing and technical systems knowledge into a format worth sharing. This course is meant to give you a look into a number of different exploitation techniques and serves as an amazing jumping-off point for exploitation of any modern application or system. Even if you don’t plan on having a career in exploit writing or vulnerability research, this course will be valuable in understanding the thought process that goes into constructing an exploit and what technologies exist to stop an exploit writer from being successful.”
– Jaime Geiger
Take your learning beyond the classroom. Explore our site network for additional resources related to this course’s subject matter.