About the course
SEC760 will provide you with the advanced skills to improve your exploit development and understand vulnerabilities beyond a fundamental level. In this course, you will learn to reverse-engineer 32-bit and 64-bit applications, perform remote user application and kernel debugging, analyse patches for one-day exploits, and write complex exploits (such as use-after-free attacks) against modern software and operating systems. The course was designed to help you get into highly sought-after positions, teach you cutting-edge tricks to thoroughly evaluate a target, and defend against even the most skilled attackers
What You Will Learn
Vulnerabilities in modern operating systems such as Microsoft Windows 10 and the latest Linux distributions are often very complex and subtle. When exploited by very skilled attackers, these vulnerabilities can undermine an organization's defenses and expose it to significant damage. Few security professionals have the skillset to discover why a complex vulnerability exists and how to write an exploit to compromise it. Conversely, attackers must maintain this skillset regardless of the increased complexity. SEC760: Advanced Exploit Development for Penetration Testers teaches the skills required to reverse-engineer 32-bit and 64-bit applications to find vulnerabilities, perform remote user application and kernel debugging, analyze patches for one-day exploits, and write complex exploits such as use-after-free attacks against modern software and operating systems.
You Will Learn:
- How to write modern exploits against the Windows 7/8/10 operating systems
- How to perform complex attacks such as use-after-free, kernel and driver exploitation, one-day exploitation through patch analysis, and other advanced attacks
- How to effectively utilize various debuggers and plug-ins to improve vulnerability research and speed
- How to deal with modern exploit mitigation controls aimed at thwarting success
You Will Be Able To
- Discover zero-day vulnerabilities in programs running on fully patched modern operating systems
- Use the advanced features of IDA Pro and write your own IDA Python scripts
- Perform remote debugging of Linux and Windows applications
- Understand and exploit Linux heap overflows
- Write Return-Oriented Shellcode
- Perform patch diffing against programs, libraries, and drivers to find patched vulnerabilities
- Perform Windows heap overflows and use-after-free attacks
- Perform Windows kernel debugging up through Windows 10 64-bit Build 1903
- Perform Windows driver and kernel exploitation.
What You Will Receive
- A four-month license to IDA Pro, which is provided by Hex-Rays, is included in this course. In order to obtain the license, you must agree to the terms, including providing your name and an e-mail address, so that Hex-Rays may assign the license. After the course ends, students may choose to extend the license at a discounted rate by contacting Hex-Rays. (If you choose to opt-out, then you must bring a copy of IDA Pro 7.4 advanced or later.)
- Various preconfigured virtual machines, such as Windows 10.
- Various tools on a course USB that are required for use in class.
- Access to the in-class Virtual Training Lab with many in-depth labs.
- Access to recorded course audio to help hammer home important network penetration testing lessons.
Syllabus (46 CPEs)
SEC760.1: Exploit Mitigations and Reversing with IDA
SEC760.2: Advanced Linux Exploitation
SEC760.3: Patch Diffing, One-Day Exploits, and Return-Oriented Shellcode
SEC760.4: Windows Kernel Debugging and Exploitation
SEC760.5: Advanced Windows Exploitation
SEC760.6: Capture-the-Flag Challenge
It is mandatory that students have previous exploit-writing experience using techniques such as those covered in SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking. This includes experience with stack-based buffer overflows on both Linux and Windows, as well as experience defeating modern exploit mitigation controls such as Data Execution Prevention, Address Space Layout Randomization, canaries, and SafeSEH. Experience with or an understanding of fuzzing tools such as AFL, the Sulley Fuzzing Framework, and Peach is required. Programming experience is important, preferably with C/C++. At a minimum, scripting experience in a language such as Python, Perl, Ruby, or LUA is mandatory. Programming fundamentals such as functions, pointers, calling conventions, structures, polymorphism, and classes will be assumed knowledge. Experience with reverse-engineering vulnerable code is also required, as is the ability to read x86/x64 disassembly from within a debugger or disassembler. ARM and MIPS is not covered in this course. Experience with both Linux and Windows navigation is required. If you do not meet these requirements you may not be able to keep up with the pace of the course.
Courses that lead in to SEC760:
- SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
- FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
Courses that are prerequisites for SEC760:
- SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
SEC760 is a very challenging course covering topics such as remote debugging with IDA, writing IDA Python and IDC scripts, Linux heap overflows, patch diffing, use-after-free attacks, Windows Kernel debugging and exploitation, and much more. Please see the course syllabus for a detailed listing, and be sure to look at the recommended prerequisites and laptop requirements. You are expected to already know how to write exploits for Windows and Linux applications, bypass exploit mitigation controls such as DEP and ASLR, and utilize return-oriented programming (ROP).
SANS gets a lot of questions about this course. Am I ready for SEC760? Should I take SEC660 first? I have taken SEC660, but am I definitely ready for SEC760? I have taken SEC560, so can I jump right to SEC760 if I only want the exploit development material? I have not taken any SANS pen testing courses, so which one should I start with? I have taken a course through Offensive Security or Corelan, is the material the same?
There is no "one size fits all" reply to these questions, as everyone has a different level of experience. SANS''recommendation is to thoroughly read through the course syllabus and prerequisite statements for any course you are considering. Course co-author Stephen Sims is available to answer any questions you may have about the subject matter in order to help you make an informed decision. You can reach him at firstname.lastname@example.org
SANS has prepared a 10 question exam that will help you determine if you are better suited for SEC660 or SEC760. Remember that this is purely from an exploit development perspective. SEC660 includes a two-day introduction to exploit development and bypassing exploit mitigation controls. Much of the other material in SEC660 is on a wide range of advanced penetration testing topics such as network device exploitation (routers, switches, network access control), pen testing cryptographic implementations, fuzzing, Python, network booting attacks, and escaping Linux and Windows restricted environments. Many SEC760 students have taken training from Offensive Security, Exodus Intelligence, Corelan, and others. Though there will certainly be overlap in some sections, there are many unique sections without overlap and students often say the courses complement one another.
"As a perpetual student of information security, I am excited to offer SEC760: Advanced Exploit Writing for Penetration Testers. Exploit development is a hot topic and will continue to increase in importance moving forward. With all of the modern exploit mitigation controls offered by operating systems such as Windows 10, the number of experts with the skills to produce working exploits is highly limited. More and more companies are looking to hire professionals with the ability to discover vulnerabilities, determine if those vulnerabilities are exploitable, and carry out general security research. This course was written to help you get into these highly sought-after positions and to teach you cutting-edge tricks to thoroughly evaluate a target, providing you with the skills to improve your exploit development."
- Stephen Sims
"Teaching and helping author SEC760: Advanced Exploit Writing for Penetration Testers has given me the opportunity to distill my past experiences in exploit writing and technical systems knowledge into a format worth sharing. This course is meant to give you a look into a number of different exploitation techniques and serves as an amazing jumping-off point for exploitation of any modern application or system. Even if you don't plan on having a career in exploit writing or vulnerability research, this course will be valuable in understanding the thought process that goes into constructing an exploit and what technologies exist to stop an exploit writer from being successful."
- Jaime Geiger
"SEC760 was a great course that I can highly recommend. It's truly the "summit" of the pen test curriculum. Jaime did a wonderful job of explaining the complex material to us n00bs and was able to describe things tangibly and in an easy-to-understand way!" - Markus Dauberschmidt, Siemens
Who Should Attend SEC760?
- Senior network and system penetration testers with exploit development experience
- Secure application developers (C and C++)
- Reverse-engineering professionals
- Senior incident handlers with exploit development experience
- Senior threat analysts with exploit development experience
- Vulnerability researchers
- Security researchers
"SEC760 is straight black magic! The course was awesome!" - Anonymous