SEC760: Advanced Exploit Development for Penetration Testers

  • In Person (6 days)
  • Online
46 CPEs
You will learn the skills required to reverse-engineer applications to find vulnerabilities, perform remote user application and kernel debugging, analyze patches for one-day exploits, perform advanced fuzzing, and write complex exploits against targets such as the Windows kernel and the modern Linux heap, all while circumventing or working with against cutting-edge exploit mitigation.

What You Will Learn

Vulnerabilities in modern operating systems such as Microsoft Windows 10 and 11, and the latest Linux distributions are often very complex and subtle. Yet, when exploited by very skilled attackers, these vulnerabilities can undermine an organization's defenses and expose it to significant damage. Few security professionals have the skillset to discover why a complex vulnerability exists and how to write an exploit to compromise it. Conversely, attackers must maintain this skillset regardless of the increased complexity. SANS SEC760: Advanced Exploit Development for Penetration Testers teaches the skills required to reverse-engineer applications to find vulnerabilities, perform remote user application and kernel debugging, analyze patches for one-day exploits, perform advanced fuzzing, and write complex exploits against targets such as the Windows kernel and the modern Linux heap, all while circumventing or working with against cutting-edge exploit mitigations

You Will Learn

  • How to write modern exploits against the Windows 10 and 11 operating systems.
  • How to perform exploit development techniques such as advanced fuzzing, kernel and driver exploitation, one-day exploitation through patch analysis, Linux heap overflows, and other advanced topics.
  • How to effectively utilize various debuggers and plug-ins to improve vulnerability research and speed.
  • How to deal with modern exploit mitigation controls aimed at thwarting success.

You Will be Able To

  • Discover zero-day vulnerabilities in programs running on fully-patched modern operating systems.
  • Use the advanced features of IDA Pro and write your own IDAPython scripts.
  • Perform remote debugging of Linux and Windows applications.
  • Understand and exploit Linux heap overflows.
  • Fuzz closed-source applications
  • Unpack and examine Windows update packages
  • Perform patch diffing against programs, libraries, and drivers to find patched vulnerabilities.
  • Perform Windows Kernel debugging B
  • Reverse engineer and exploit Windows kernel drivers

You Will Receive With This Course

  • A 4-month license for IDA. The license will come from Hex-Rays and you will need to agree to the terms where your name and e-mail address will be provided.
  • Various preconfigured virtual machines, such as Windows 10.
  • Various tools on a course USB that are required for use in class.
  • Access to the in-class Virtual Training Lab with many in-depth labs.
  • Access to recorded course audio to help hammer home important network penetration testing lessons.

Hands-On Labs

  • Perform labs to reverse-engineer Microsoft patches to identify the patched vulnerability and take them through exploitation.
  • Fuzz closed source applications
  • Remote-debug both Linux and Windows applications, and debug the Windows 10 Kernel.
  • Exploit Linux heap overflows.
  • Bypass modern exploit mitigations.
  • Write your own IDA Python scripts.
  • Debug drivers

Syllabus (46 CPEs)

Download PDF
  • Overview

    The course starts with a deep dive into both mature and modern exploit mitigations. It is rare today to come across an application or operating system that doesn't use a combination of mitigations to thwart the exploitation of a vulnerability. Outdated operating systems and applications do exist, such as in the industrial control system and Internet of Things space, but that is not the focus of this course. We address the effectiveness and technical details behind each control, such as those implemented in Windows Defender Exploit Guard, and take a deep dive into Kernel mitigations. We then spend the remainder of day one using IDA Pro, which optionally comes bundled with the course. We quickly ramp up on the basics of IDA Pro as a disassembler and then move into remote debugging with the tool. We finish up section one utilizing IDA FLIRT and FLAIR and writing IDAPython scripts to help with bug hunting and analysis.

    Topics
    • Exploit mitigations
    • Windows Defender Exploit Guard
    • Windows Kernel Mitigations
    • Introduction to IDA Pro
    • Debugging with IDA Pro
    • FLIRT & FLAIR
    • Scripting with IDAPython
  • Overview

    The ability to progress into more advanced reversing and exploitation requires an expert-level understanding of basic software vulnerabilities, such as those covered in SANS' SEC660 course. Heap overflows serve as a rite of passage into modern exploitation techniques. This section is aimed at bridging this gap of knowledge in order to inspire thinking in a more abstract manner, which is necessary to continue further with the course. Linux can sometimes be an easier operating system to learn these techniques, serving as a productive gateway into Windows. Most courses on exploit development focus purely on the Windows OS, and it's important to have an understanding of vulnerability research on the Linux OS as well.

    Topics
    • Linux heap management, constructs, and environment
    • Navigating the heap
    • Abusing macros such as unlink() and frontlink()
    • Function pointer overwrites
    • Off by One bugs
    • TCache Poisoning
    • Format string exploitation
    • Using format string bugs for ASLR bypass
  • Overview

    The focus of this section is on more advanced fuzzing tools and techniques than the ones that were covered in SEC660. After a fuzzing overview/refresher, we dive into more advanced fuzzing techniques and architecture including closed-source application fuzzing, fuzzing metrics such as code coverage, building fuzzing harnesses, and full-system fuzzing. You will utilize the popular WinAFL fuzzer to fuzz a PDF reader in search of vulnerabilities.

    Topics
    • Fuzzing overview and review of basic fuzzing concepts from SEC660
    • Advanced fuzzing theory
    • Fuzzing challenges and how to overcome them
    • Gathering and viewing code coverage
    • Building a fuzzing harness
    • Using WinAFL to perform graybox fuzzing on a complex, closed source Windows application
    • Overview of full-system and snapshot fuzzing
  • Overview

    Attackers often download patches as soon as they are distributed by vendors such as Microsoft in order to find newly patched vulnerabilities. Vulnerabilities are usually disclosed privately, or even discovered in-house, allowing the vendor to more silently patch the vulnerability. This also allows the vendor to release limited or even no details at all about a patched vulnerability. Attackers are aware of this and quickly work to find the patched vulnerability in order to take control of unpatched systems as many organizations struggle with getting patches out quickly. Binary diffing and patch diffing is also performed by incident handlers, IDS administrators and vendors, vulnerability and penetration testing framework companies, government entities, and others. You will use the material covered in this section to identify bugs patched by Microsoft, taking some of them through to exploitation. The end of this section will focus on an introduction to Windows Kernel internals to help prepare you for kernel driver debugging and exploitation in section 5.

    Topics
    • The Microsoft patch management process and Patch Tuesday
    • Obtaining patches and patch extraction
    • Binary diffing with BinDiff 5
    • Visualizing code changes and identifying fixes
    • Reversing 32-bit and 64-bit applications and modules
    • Triggering patched vulnerabilities
    • Writing one-day exploits
    • An introduction to Windows Kernel internals
  • Overview

    You will perform kernel debugging on Windows 10 and learn to deal with its inherent complexities. Exercises will be performed to analyze Ring 0 driver vulnerabilities, look at exploitation techniques, and get working exploits.

    Topics
    • Understanding the Windows kernel
    • Navigating the Windows kernel
    • Modern kernel protections
    • Debugging the Windows 10 kernel and drivers with WinDbg
    • Analyzing kernel vulnerabilities and vulnerability types
    • Kernel exploitation techniques
    • Token stealing and information disclosure vulnerabilities
  • Overview

    The last section will feature a Capture-the-Flag event employing different types of challenges from material taught throughout the week. Test your reverse-engineering, bug discovery, and exploit-writing skills in a full day of Capture-the-Flag exercises!

Prerequisites

It is mandatory that students have previous exploit-writing experience using techniques such as those covered in SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking. This includes experience with stack-based buffer overflows on both Linux and Windows, as well as experience defeating modern exploit mitigation controls such as Data Execution Prevention, Address Space Layout Randomization, canaries, and SafeSEH. Experience with or an understanding of fuzzing tools such as AFL, the Sulley Fuzzing Framework, and Peach is required. Programming experience is important, preferably with C/C++. At a minimum, scripting experience in a language such as Python, Perl, Ruby, or LUA is mandatory. Prior experience with Python is strongly recommended. Programming fundamentals such as functions, pointers, calling conventions, structures, polymorphism, and classes will be assumed knowledge. Experience with reverse-engineering vulnerable code is also required, as is the ability to read x86/x64 disassembly from within a debugger or disassembler. ARM and MIPS is not covered in this course. Experience with both Linux and Windows navigation is required. If you do not meet these requirements you may not be able to keep up with the pace of the course.

Courses that lead in to SEC760:

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

Courses that are prerequisites for SEC760:

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

SEC760 is a very challenging course covering topics such as remote debugging with IDA, writing IDA Python and IDC scripts, Linux heap overflows, patch diffing, use-after-free attacks, Windows Kernel debugging and exploitation, and much more. Please see the course syllabus for a detailed listing, and be sure to look at the recommended prerequisites and laptop requirements. You are expected to already know how to write exploits for Windows and Linux applications, bypass exploit mitigation controls such as DEP and ASLR, and utilize return-oriented programming (ROP).

SANS gets a lot of questions about this course. Am I ready for SEC760? Should I take SEC660 first? I have taken SEC660, but am I definitely ready for SEC760? I have taken SEC560, so can I jump right to SEC760 if I only want the exploit development material? I have not taken any SANS pen testing courses, so which one should I start with? I have taken a course through Offensive Security or Corelan, is the material the same?

There is no "one size fits all" reply to these questions, as everyone has a different level of experience. Our recommendation is to thoroughly read through the course syllabus and prerequisite statements for any course you are considering. Course co-author Stephen Sims is available to answer any questions you may have about the subject matter in order to help you make an informed decision. You can reach him at stephen@deadlisting.com

SANS has prepared a 10 question exam that will help you determine if you are better suited for SEC660 or SEC760. Remember that this is purely from an exploit development perspective. SEC660 includes two sections of material on introduction to exploit development and bypassing exploit mitigation controls. Much of the other material in SEC660 is on a wide range of advanced penetration testing topics such as network device exploitation (routers, switches, network access control), pen testing cryptographic implementations, fuzzing, Python, network booting attacks, and escaping Linux and Windows restricted environments. Many SEC760 students have taken training from Offensive Security, Exodus Intelligence, Corelan, and others. Though there will certainly be overlap in some sections, there are many unique sections without overlap and students often say the courses complement one another.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY SEC760 SYSTEM HARDWARE REQUIREMENTS
  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 100GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.

Additional optional components for this course:

  • A four-month license to IDA Pro is included with this course. During registration, you must agree to the terms where your name and an e-mail address are provided to Hex-Rays in order to obtain the license. If you choose to opt-out, then you must bring a copy of IDA Pro 7.4 advanced or later.

MANDATORY SEC760 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"As a perpetual student of information security, I am excited to offer SEC760: Advanced Exploit Writing for Penetration Testers. Exploit development is a hot topic and will continue to increase in importance moving forward. With all of the modern exploit mitigation controls offered by operating systems such as Windows 10, the number of experts with the skills to produce working exploits is highly limited. More and more companies are looking to hire professionals with the ability to discover vulnerabilities, determine if those vulnerabilities are exploitable, and carry out general security research. This course was written to help you get into these highly sought-after positions and to teach you cutting-edge tricks to thoroughly evaluate a target, providing you with the skills to improve your exploit development."

- Stephen Sims

"Teaching and helping author SEC760: Advanced Exploit Writing for Penetration Testers has given me the opportunity to distill my past experiences in exploit writing and technical systems knowledge into a format worth sharing. This course is meant to give you a look into a number of different exploitation techniques and serves as an amazing jumping-off point for exploitation of any modern application or system. Even if you don't plan on having a career in exploit writing or vulnerability research, this course will be valuable in understanding the thought process that goes into constructing an exploit and what technologies exist to stop an exploit writer from being successful."

- Jaime Geiger

"SEC760 was a great course that I can highly recommend. It's truly the "summit" of the pen test curriculum. Jaime did a wonderful job of explaining the complex material to us n00bs and was able to describe things tangibly and in an easy-to-understand way!" - Markus Dauberschmidt, Siemens

Reviews

SEC760 is the challenge I was looking for. It will be overwhelming, but well worth it.
William Stott
Raytheon
SEC760 is a kind of training we could not get anywhere else. It is not theory, we got to implement and exploit everything we learned.
Jenny Kitaichit
Intel
I've taken many other advanced exploit dev classes and none of them break it down and step through the exploits like this class.
Adam Logue
SecureWorks

    Register for SEC760

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.

    Loading...