SANS Online Training Special: Get an iPad Mini, Chromebook Flip, or $250 Off until 10/30! 

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

SEC660 was hands-on, packed with content, and current to today's technology!

Michael Horken, Rockwell Automation

Day six of SEC660 was a fantastic conclusion to a very enjoyable, fun, and valuable course. It was money well spent.

Olly Balmer, BAE Systems AI

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking is designed as a logical progression point for those who have completed SANS SEC560: Network Penetration Testing and Ethical Hacking, or for those with existing penetration testing experience. Students with the prerequisite knowledge to take this course will walk through dozens of real-world attacks used by the most seasoned penetration testers. The methodology of a given attack is discussed, followed by exercises in a hands-on lab to consolidate advanced concepts and facilitate the immediate application of techniques in the workplace. Each day of the course includes a two-hour evening boot camp to drive home additional mastery of the techniques discussed. A sample of topics covered includes weaponizing Python for penetration testers, attacks against network access control (NAC) and virtual local area network (VLAN) manipulation, network device exploitation, breaking out of Linux and Windows restricted environments, IPv6, Linux privilege escalation and exploit-writing, testing cryptographic implementations, fuzzing, defeating modern OS controls such as address space layout randomization (ASLR) and data execution prevention (DEP), return-oriented programming (ROP), Windows exploit-writing, and much more!

Attackers are becoming more clever and their attacks more complex. To keep up with the latest attack methods, you need a strong desire to learn, the support of others, and the opportunity to practice and build experience. This course provides attendees with in-depth knowledge of the most prominent and powerful attack vectors and furnishes an environment to perform these attacks in numerous hands-on scenarios. The course goes far beyond simple scanning for low-hanging fruit and shows penetration testers how to model the abilities of an advanced attacker to find significant flaws in a target environment and demonstrate the business risk associated with these flaws.

SEC660 starts off by introducing advanced penetration concepts and providing an overview to prepare students for what lies ahead. The focus of day one is on network attacks, an area often left untouched by testers. Topics include accessing, manipulating, and exploiting the network. Attacks are performed against NAC, VLANs, OSPF, 802.1X, CDP, IPv6, VOIP, SSL, ARP, SNMP, and others. Day two starts with a technical module on performing penetration testing against various cryptographic implementations, then turns to network booting attacks, escaping Linux restricted environments such as chroot, and escaping Windows restricted desktop environments. Day three jumps into an introduction of Python for penetration testing, Scapy for packet crafting, product security testing, network and application fuzzing, and code coverage techniques. Days four and five are spent exploiting programs on the Linux and Windows operating systems. You will learn to identify privileged programs, redirect the execution of code, reverse-engineer programs to locate vulnerable code, obtain code execution for administrative shell access, and defeat modern operating system controls such as ASLR, canaries, and DEP using ROP and other techniques. Local and remote exploits as well as client-side exploitation techniques are covered. The final course day is devoted to numerous penetration testing challenges that require students to solve complex problems and capture flags.

Among the biggest benefits of SEC660 is the expert-level hands-on guidance provided through the labs and the additional time allotted each evening to reinforce daytime material and master the exercises.


You Will Learn:

  • How to perform penetration testing safely against network devices such as routers, switches, and NAC implementations.
  • How to test cryptographic implementations.
  • How to leverage an unprivileged foothold for post exploitation and escalation.
  • How to fuzz network and stand-alone applications.
  • How to write exploits against applications running on Linux and Windows systems.
  • How to bypass exploit mitigations such as ASLR, DEP, and stack canaries.


Course Syllabus


Day one serves as an advanced network attack module, building on knowledge gained from SEC560: Network Penetration Testing and Ethical Hacking. The focus will be on obtaining access to the network; manipulating the network to gain an attack position for eavesdropping and attacks, and for exploiting network devices; leveraging weaknesses in network infrastructure; and taking advantage of client frailty.

CPE/CMU Credits: 8

  • Bypassing network access/admission control (NAC)
  • Impersonating devices with admission control policy exceptions
  • Exploiting EAP-MD5 authentication
  • Custom network protocol manipulation with Ettercap and custom filters
  • Multiple techniques for gaining man-in-the-middle network access
  • IPv6 for penetration testers
  • Exploiting OSPF authentication to inject malicious routing updates
  • Using Evilgrade to attack software updates
  • Overcoming SSL transport encryption security with Sslstrip
  • Remote Cisco router configuration file retrieval

Day two starts by taking a tactical look at techniques that penetration testers can use to investigate and exploit common cryptography mistakes. We begin by building some fundamental knowledge on how ciphers operate, without getting bogged down in complex mathematics. Then we move on to techniques for identifying, assessing, and attacking real-world crypto implementations. We finish the module with lab exercises that allow students to practice their newfound crypto attack skill set against reproduced real-world application vulnerabilities.

The day continues with advanced techniques but focuses more on post exploitation tasks. We leverage an initial foothold to further exploit the rest of the network. We abuse allowed features to escape restricted environments. First we will build up knowledge of local restrictions on hosts. Once we establish a set of possible restrictions, we leverage that knowledge to circumvent them. We will cover the core components that restrict the desktop and a variety of escape possibilities. The Windows escape exercise is a perfect, real-world demonstration of the risks of relying on obfuscation and blacklisting to thwart attacks.

As a major part of post exploitation, we cover PowerShell: including basic concepts and tasks, enterprise tasks, and outright offensive tasks. We will discuss and use a variety of PowerShell attack tools to discover vulnerabilities and gain privileges. The day ends with a challenging boot camp exercise against a full network environment comprised of a variety of modern, representative, and fully patched systems with no obvious external vulnerabilities.

CPE/CMU Credits: 8

  • Pen testing cryptographic implementations
  • Exploiting CBC bit flipping vulnerabilities
  • Exploiting hash length extension vulnerabilities
  • Delivering malicious operating systems to devices using network booting and PXE
  • PowerShell Essentials
  • Enterprise PowerShell
  • Post Exploitation with PowerShell and Metasploit
  • Escaping Software Restrictions
  • Two-hour evening Capture the Flag exercise against a modern network with hardened servers, desktops, and vApp targets

Day three brings together the multiple skill sets needed for creative analysis in penetration testing. We start by discussing product security testing. The day continues with a focus on how to leverage Python as a penetration tester - the aim is to help students unfamiliar with Python start modifying scripts to add their own functionality, while also helping seasoned Python scripters improve their skills. Once we leverage the Python skills in creative lab exercises, we move on to leveraging Scapy for custom network targeting and protocol manipulation. Using Scapy, we examine techniques for transmitting and receiving network traffic beyond what canned tools can accomplish, including IPv6. Next, we take a look at network protocol and file format fuzzing. We leverage fuzzing to target both common network protocols and popular file formats for bug discovery. We use hands-on exercises to develop custom protocol fuzzing grammars to discover bugs in popular software. Finally, we carefully discuss the concept of code coverage and how it goes hand-in-hand with fuzzing. We will conduct a lab using the Paimei Reverse Engineering Framework and IDA Pro to demonstrate the techniques discussed.

CPE/CMU Credits: 8

  • Becoming familiar with Python types
  • Leveraging Python modules for real-world pen tester tasks
  • Manipulating stateful protocols with Scapy
  • Using Scapy to create a custom wireless data leakage tool
  • Product security testing
  • Using Taof for quick protocol mutation fuzzing
  • Optimizing your fuzzing time with smart target selection
  • Automating target monitoring while fuzzing with Sulley
  • Leveraging Microsoft Word macros for fuzzing .docx files
  • Block-based code coverage techniques using Paimei

Day four begins by walking through memory from an exploitation perspective as well as introducing x86 assembler and linking and loading. These topics are important for anyone performing penetration testing at an advanced level. Processor registers are directly manipulated by testers and must be intimately understood. Disassembly is a critical piece of testing and will be used throughout the remainder of the course. We will take a look at the Linux OS from an exploitation perspective and discuss privilege escalation. We continue by describing how to look for SUID programs and other likely points of vulnerabilities and misconfigurations. The material will focus on techniques that are critical to performing penetration testing on Linux applications.

We then go heavily into stack overflows on Linux to gain privilege escalation and code execution. We will first cover using a debugger to expose weak passwords. Then we will go over redirection of program execution and, finally, code execution. Techniques such as return to buffer and return to C library (ret2libc) will be covered, as well as an introduction to return-oriented programming. The remainder of the day takes students through techniques used to defeat or bypass OS protections such as stack canaries and address space layout randomization (ASLR). The goal of this section is to expose students to common obstacles on modern Linux-based systems.

CPE/CMU Credits: 8

  • Stack and dynamic memory management and allocation on the Linux OS
  • Disassembling a binary and analyzing x86 assembly code
  • Performing symbol resolution on the Linux OS
  • Identifying vulnerable programs
  • Code execution redirection and memory leaks
  • Identifying and analyzing stack-based overflows on the Linux OS
  • Performing return-to-libc (ret2libc) attacks on the stack
  • Return-oriented programming
  • Defeating stack protection on the Linux OS
  • Defeating ASLR on the Linux OS

Day five starts off covering the OS security features (ASLR, DEP, etc.) added to the Windows OS over the years as well as Windows-specific constructs, such as the process environment block (PEB), structured exception handling (SEH), thread information block (TIB), and the Windows application programming interfaces (API). Differences between Linux and Windows will be covered. These topics are critical in assessing Windows-based applications. We then focus on stack-based attacks against programs running on the Windows OS. After finding a vulnerability in an application, the student will work with Immunity Debugger to turn the bug into an opportunity for code execution and privilege escalation. Advanced stack-based techniques such as disabling data execution prevention (DEP) are covered. Client-side exploitation will be introduced, as it is a highly common area of attack. We continue with the topic of return-oriented programming (ROP), demonstrating the technique against a vulnerable application, while looking at defeating hardware DEP and address space layout randomization (ASLR) on Windows 7, Windows 8, and Windows 10. We then have a module on porting over an exploit into the Metasploit Framework and on how to quickly identify bad characters in your shellcode and as input into a program. Finally, we will take a quick look at shellcode and the differences between shellcode on Linux and Windows, followed by a ROP challenge.

CPE/CMU Credits: 8

  • The state of Windows OS protections on Windows 7, 8, 10, Server 2008 and 2012
  • Understanding common Windows constructs
  • Stack exploitation on Windows
  • Defeating OS protections added to Windows
  • Creating a Metasploit module
  • Advanced stack-smashing on Windows
  • Using ROP
  • Building ROP chains to defeat DEP and bypass ASLR
  • Windows 7 and Windows 8 exploitation
  • Porting Metasploit modules
  • Client-side exploitation
  • Windows Shellcode

This day will serve as a real-world challenge for students by requiring them to utilize skills they have learned throughout the course, think outside the box, and solve a range of problems from simple to complex. A web server scoring system and Capture the Flag engine will be provided to score students as they capture flags. More difficult challenges will be worth more points. In this offensive exercise, challenges range from local privilege escalation to remote exploitation on both Linux and Windows systems, as well as networking attacks and other challenges related to the course material.

CPE/CMU Credits: 6

Additional Information

You must bring VMware Workstation or Fusion to run multiple operating systems when performing class exercises. If you do not own a licensed copy of VMware, you can download a free 30-day trial copy from VMware will send you a time-limited serial number if you register for the trial on its website. Linux virtual machines with all necessary tools will be provided to you on the first day of the course.

You must bring your own virtual machine image of Windows 7 SP0 or SP1 (32-bit or 64-bit), preferably the English version. It is highly recommended to also bring Windows 8.0 or 8.1 (32-bit or 64-bit) for some optional exercises. You may also bring Windows 10, although this is optional.

Tools needed for Windows will be issued in class. Make sure that you have the administrative ability to disable all security software and protection, including antivirus and personal firewalls. You may not be able to complete the exercises without this level of control. Also make sure that you can install software which may be blocked by administrative or security controls due to their nature. You will be installing various debuggers and vulnerable applications onto the virtual machines.

Attention Mac Users: VMware Fusion will work with the exercises for SEC660 on Mac OSX; however, there is the potential for issues depending on the version of Fusion you are running and the different types of hardware included with, or plugged into, your system. Some of these issues could inhibit your ability to complete some of the labs. Version 4.2.4 or later of VirtualBox is an alternative way to complete the exercises on Mac OSX; however, you may experience some of the aforementioned issues. You must be running OS X 10.6 "Snow Leopard" or newer. If you elect to stay with Fusion, please be prepared for the possibility of experiencing more difficulty during the lab set-up than you would using VMware Workstation on a PC. You will also need to map function keys such as F7 and F9 through any virtualization application on OSX in order to perform debugging.

You will be provided with a USB drive containing course tools. This drive is formatted in exFAT. If you are going to use Linux or Mac OS X hosts, please ensure that you have drivers installed to read the exFAT file system type.

Mandatory Laptop Hardware Requirements

  • An external, USB Ethernet adapter - this is critical for certain labs
  • PIII 1Ghz CPU minimum/M Series 1.5 GHz or higher is recommended
  • 4 GB of RAM minimum, 8 GBs or more is highly recommended
  • 100 GB hard drive minimum (HARD DRIVE SIZE IS CRITICAL)
  • 30 GB of free space on your hard drive
  • Bring your INSTALLATION DVDs or USBs to the course
  • Ensure that you have administrative access over your system
  • Verify that your processor architecture supports your VMware version. Do not wait until the day of class.

During the workshop, you will be connecting to one of the most hostile networks on earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

If you have additional questions about the laptop specifications, please contact

  • Network and Systems Penetration Testers: SEC660 provides penetration testers with the training they need to perform advanced testing against known or unknown applications, services, and network systems. And the course gives students the expertise to perform complex attacks and develop their own exploits for existing and new frameworks.
  • Incident Handlers: SEC660 gives incident handlers the knowledge they need to understand advanced threats, as handlers are often tasked with determining the threat level associated with an attack. The ability to understand advanced attack techniques and analyze exploit code can help a handler identify, detect, and respond to an incident.
  • Application Developers: SEC660 teaches developers the ramifications of poor coding. Often, a developer or code reviewer is required to clearly demonstrate the threat and impact of a coding error. This course provides developers with the knowledge to create proof-of-concept exploit code and document their findings.
  • IDS Engineers: SEC660 teaches IDS professionals how to analyze exploit code and identify weaknesses. This knowledge can be used to write better IDS signatures and understand the impact of an alert.

This is a fast-paced, advanced course that requires a strong desire to learn advanced penetration testing and custom exploitation techniques. The following SANS courses are recommended either prior to or as a companion to taking this course:

Experience with programming in any language is highly recommended. At a minimum, students are advised to read up on basic programming concepts. Python is the primary language used during class exercises, while programs written in C and C++ code are the primary languages being reversed and exploited. The basics of programming will not be covered in this course, although there is an introductory module on Python.

You should also be well versed with the fundamentals of penetration testing prior to taking this course. Familiarity with Linux and Windows is mandatory. A solid understanding of TCP/IP and networking concepts is required. Please contact the author at if you have any questions or concerns about the prerequisites.

  • Access to the in-class Virtual Training Lab for over 30 in-depth labs.
  • A course USB with many tools used for all in-house labs.
  • Virtual machines full of penetration testing tools and specimens specially calibrated and tested to work with all our labs and optimized for use in your own penetration tests.
  • Access to recorded course audio to help hammer home important network penetration testing lessons.
  • Perform fuzz testing to enhance your company's SDL process.
  • Exploit network devices and assess network application protocols.
  • Escape from restricted environments on Linux and Windows.
  • Test cryptographic implementations.
  • Model the techniques used by attackers to perform 0-day vulnerability discovery and exploit development.
  • Develop more accurate quantitative and qualitative risk assessments through validation.
  • Demonstrate the needs and effects of leveraging modern exploit mitigation controls.
  • Reverse-engineer vulnerable code to write custom exploits.
  • Exploit routing protocol implementations such as OSPF.
  • Bypass different types of NAC implementations.
  • Exploit patch updates.
  • Perform man-in-the-middle attacks to remove SSL.
  • Perform IPv6 attacks.
  • Exploit poor cryptographic implementations using CBC bit flipping attacks and hash length extension attacks.
  • Hijack network booting environments.
  • Exploit virtualization implementations.
  • Write Python scripts to automate testing.
  • Write fuzzers to trigger bugs in software.
  • Reverse-engineer applications to locate code paths and identify potential exploitable bugs.
  • Debug Linux applications.
  • Debug Windows applications.
  • Write exploits against buffer overflow vulnerabilities.
  • Bypass exploit mitigations such as ASLR, DEP, stack canaries, SafeSEH, etc.
  • Use ROP to bypass or disable security controls.

"For the first time ever, I actually understand assembly. Excellent lesson." - Alexander Cobblah, Booz Allen Hamilton

"SEC660 has been nothing less than excellent. Both the instructor and assistant are subject-matter experts who have extensive knowledge covering all aspects of the topics covered and then some." - Brian Anderson, Northrop Grumman Corporation

"Most comprehensive coverage of fuzzing - I would have signed up for the course for that alone." - Adam Kliarsky, Cedars-Sinai Medical Center

"No frills and goes right to the point. The first day alone is what other classes spend a full week on." - Michael Isbitski, Verizon Wireless

Author Statement

When conducting an in-depth penetration test, we are often faced with situations that require unique or complex solutions to successfully pull off an attack, mimicking the activities of increasingly sophisticated real-world attackers. Without the skills to identify and implement those solutions, you may miss a major vulnerability or not properly assess its business impact. Target system personnel are relying on you to tell them whether an environment is secured. Attackers are almost always one step ahead and are relying on our nature to become complacent, even with regard to the very controls we worked so hard to deploy. This course was written to keep you from making mistakes others have made, teach you cutting-edge tricks to thoroughly evaluate a target, and provide you with the skills to jump into exploit development. Contact me at if you have any questions about the course!

- Stephen Sims (Lead Author)

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

12 Training Results
Type Topic Course / Location / Instructor Date Register

Training Event
Penetration Testing
Dec 2, 2019 -
Dec 7, 2019

Training Event
Penetration Testing
Dec 12, 2019 -
Dec 17, 2019

Training Event
Penetration Testing
SANS London February 2020
London, United Kingdom
Feb 10, 2020 -
Feb 15, 2020

Training Event
Penetration Testing
SANS Dubai February 2020
Dubai, United Arab Emirates
Feb 15, 2020 -
Feb 20, 2020

Training Event
Penetration Testing
SANS Munich March 2020
Munich, Germany
Mar 2, 2020 -
Mar 7, 2020

Training Event
Penetration Testing
Mar 16, 2020 -
Mar 21, 2020

Training Event
Penetration Testing
Mar 22, 2020 -
Mar 27, 2020

Training Event
Penetration Testing
SANS Secure Singapore 2020
Singapore, Singapore
Mar 16, 2020 -
Mar 21, 2020

Training Event
Penetration Testing
SANS 2020
Orlando, FL
Apr 5, 2020 -
Apr 10, 2020

Training Event
Penetration Testing
SANS London April 2020
London, United Kingdom
Apr 20, 2020 -
Apr 25, 2020

Training Event
Penetration Testing
Washington, DC
Jun 15, 2020 -
Jun 20, 2020

Private Training
All Private Training Course of Your Choice Your Choice  

*Course contents may vary depending upon location, see specific event description for details.