Talk With an Expert
Talk With an Expert

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

SEC660Offensive Operations
  • 6 Days (Instructor-Led)
  • 46 Hours (Self-Paced)
Course authored by:James Shewmaker & Stephen Sims
Course authored by:James Shewmaker & Stephen Sims
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
  • 46 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • Advanced Skill Level

    Course material is geared for cyber security professionals with hands-on experience

  • 30 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Jump to:

Learn advanced penetration testing skills to develop custom exploits, perform network attacks, analyze cryptographic implementations, and master advanced exploitation techniques.

Featured Quote

The quality of the labs and coursework in SEC660 showcases the value SANS training has over other providers. It was an excellent, challenging, and rewarding course.
Michael R.U.S. Military

Course Overview

Learn advanced penetration testing skills and explore sophisticated attack vectors and exploit development. This course spans network infrastructure attacks, cryptographic implementation testing, advanced post-exploitation techniques, and custom exploit writing for both Windows and Linux environments. Hands-on labs provide practical experience with fuzzing, return-oriented programming, exploit mitigation bypasses, and real-world application exploitation.

What You’ll Learn

  • Advanced network attack methodologies
  • Custom exploit development techniques
  • Exploit mitigation bypass strategies
  • Modern fuzzing implementations
  • Post-exploitation advancement tactics
  • Return-oriented programming mastery
  • Cryptographic weakness assessment

Business Takeaways

  • Enhanced threat detection capabilities
  • Improved security control validation
  • Reduced enterprise attack surface
  • Advanced risk assessment accuracy
  • Stronger application security testing

Meet Your Authors

  • Slide 1 of 2
    James Shewmaker
    James Shewmaker

    James Shewmaker

    Principal Instructor

    James Shewmaker, founder of Bluenotch Corporation, has over two decades of technical experience in IT, primarily developing appliances for automation and security for broadcast radio, internet, and satellite devices.

    Read more about James Shewmaker
  • Slide 2 of 2
    Stephen Sims
    Stephen Sims

    Stephen Sims

    Fellow

    Stephen Sims, an esteemed vulnerability researcher and exploit developer, has significantly advanced cybersecurity by authoring SANS's most advanced courses and co-authoring the "Gray Hat Hacking" series.

    Read more about Stephen Sims
Slide 1 of 0

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking.

Section 1Network Attacks for Penetration Testers

Network infrastructure in cloud environments presents unique attack vectors. In the first section, security professionals explore access manipulation, protocol exploitation, and device compromise across IPv4 and IPv6. Modern cloud setups integrate legacy components, making these skills crucial for comprehensive security testing.

Topics covered

  • Network access control evasion
  • Custom protocol manipulation methods
  • Advanced IPv6 security implications
  • TLS/SSL security considerations
  • OSPF routing attack vectors

Labs

  • Captive Portal Bypass
  • Credential Theft
  • IPv6 Attacks
  • HTTP Tampering
  • Router Attacks

Section 2Crypto and Post-Exploitation

In this section, security professionals explore cryptographic exploitation and post-compromise techniques in cloud environments. Topics include cipher operations, implementation flaws, privilege escalation, and lateral movement. PowerShell plays a key role in both attack and defense, especially in hybrid clouds.

Topics covered

  • Cryptographic implementation testing
  • CBC vulnerability exploitation
  • Hash-length extension attacks
  • PowerShell offensive capabilities
  • Software restriction bypasses

Labs

  • Detecting Cryptography Implementations
  • CBC Bitflipping Attacks
  • Hash Extension Attacks
  • Kiosk Escape
  • Client-side Post Exploitation

Section 3Product Security Testing, Fuzzing, and Code Coverage

In section three, security professionals analyze cloud-native products, focusing on supply chain security, protocol manipulation, and fuzzing. Topics include custom fuzzing grammars, network protocols, file formats, and code coverage analysis for testing effectiveness.

Topics covered

  • Protocol state manipulation
  • Automated fuzzing optimization
  • Binary analysis fundamentals
  • Code coverage measurement
  • Wireless data leakage testing

Labs

  • Custom packet manipulation
  • Framework-based fuzzing
  • Binary instrumentation techniques
  • Source code analysis methods
  • AFL++ implementation strategies

Section 4Exploiting Linux for Penetration Testers

Linux exploitation is crucial in cloud security. In this section, professionals explore memory management, privilege escalation, SUID exploits, and advanced bypass techniques like ROP and ASLR evasion.

Topics covered

  • Stack memory management
  • Symbol resolution methods
  • Code execution redirection
  • Stack protection defeat
  • Return-oriented programming

Labs

  • Linux buffer overflow exploitation
  • Return-to-libc implementation
  • Stack canary analysis
  • ASLR bypass techniques
  • 64-bit binary exploitation

Section 5Exploiting Windows for Penetration Testers

Windows systems remain prevalent in hybrid cloud environments, necessitating deep understanding of Windows-specific security features. In this section, practitioners examine process structures, exception handling, and API interactions. Content covers stack-based attacks, DEP bypass, and ROP chains, with special attention given to client-side exploitation.

Topics covered

  • Windows OS protection analysis
  • Stack exploitation fundamentals
  • ROP chain construction
  • Client-side attack vectors
  • Shellcode development

Labs

  • Windows 11 vulnerability analysis
  • SafeSEH bypass implementation
  • ROP chain development
  • DEP mitigation techniques
  • Commercial application testing

Section 6Capture The Flag!

A comprehensive challenge environment integrates cloud and traditional infrastructure components. Students face escalating difficulties across Linux and Windows systems, network infrastructure, and cloud services. The scoring system provides immediate feedback on successful exploitation, with point values reflecting real-world complexity and impact.

Topics covered

  • Multi-vector attack planning
  • Escalation path identification
  • Network attack implementation
  • System compromise techniques
  • Post-exploitation methods

Labs

  • Local privilege escalation
  • Remote system exploitation
  • Network infrastructure attacks
  • Protocol manipulation scenarios
  • Cross-platform attack chains

Things You Need To Know

Relevant Job Roles

Vulnerability Researcher & Exploit Developer

Offensive Operations

In this role, you will work to find 0-days (unknown vulnerabilities) in a wide range of applications and devices used by organizations and consumers. Find vulnerabilities before the adversaries!

Explore learning path

Vulnerability Assessment

SCyWF: Protection And Defense

This role tests IT systems and networks and assesses their threats and vulnerabilities. Find the SANS courses that map to the Vulnerability Assessment SCyWF Work Role.

Explore learning path

Vulnerability Analysis (OPM 541)

NICE: Protection and Defense

Responsible for assessing systems and networks to identify deviations from acceptable configurations, enclave policy, or local policy. Measure effectiveness of defense-in-depth architecture against known vulnerabilities.

Explore learning path

Exploitation Analyst (DCWF 121)

DoD 8140: Cyber Effects

Collaborates to identify access and collection gaps using cyber resources and techniques to penetrate target networks and support mission operations.

Explore learning path

Application Pen Tester

Offensive Operations

Application penetration testers probe the security integrity of a company’s applications and defenses by evaluating the attack surface of all in-scope vulnerable web-based services, clientside applications, servers-side processes, and more. Mimicking a malicious attacker, app pen testers work to bypass security barriers in order to gain access to sensitive information or enter a company’s internal systems through techniques such as pivoting or lateral movement.

Explore learning path

Cyber Operations Planner (DCWF 332)

DoD 8140: Cyber Effects

Coordinates cyber operations plans, working with analysts and operators to support targeting and synchronization of actions in cyberspace.

Explore learning path

Penetration Tester

European Cybersecurity Skills Framework

Assess the effectiveness of security controls, reveals and utilise cybersecurity vulnerabilities, assessing their criticality if exploited by threat actors.

Explore learning path

Red Teamer

Offensive Operations

In this role you will be challenged to look at problems and situations from the perspective of an adversary. The focus is on making the Blue Team better by testing and measuring the organization’s detection and response policies, procedures, and technologies. This role includes performing adversary emulation, a type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries. It can also include creating custom implants and C2 frameworks to evade detection.

Explore learning path

Course Schedule & Pricing

Looking for Group Purchase Options?Contact Us

GIAC Certification Attempt

Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.

OnDemand Course Access

When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.

Showing 10 of 14

Learn Alongside Leading Cybersecurity Professionals From Around The World

  • Slide 1 of 3
    Absolutely amazing stuff. I couldn't ask for more in SEC660. The wealth of knowledge is just mind-blowing. The extra materials presented in the course will definitely keep me going for the next couple of months.
    Deven GurungNagravision SA
  • Slide 2 of 3
    SEC660 has been nothing less than excellent. Both the instructor and assistant are subject-matter experts who have extensive knowledge covering all aspects of the topics covered and then some.
    Brian AndersonNorthrop Grumman Corporation
  • Slide 3 of 3
    No frills and goes right to the point. The first day alone is what other classes spend a full week on.
    Michael IsbitskiVerizon Wireless
Slide 1 of 0

Benefits of Learning with SANS

Instructor teaching to a class

Get feedback from the world’s best cybersecurity experts and instructors

OnDemand Mobile App

Choose how you want to learn - online, on demand, or at our live in-person training events

Resources

Get access to our range of industry-leading courses and resources

AltStyle によって変換されたページ (->オリジナル) /