Cyber Skills Training at SANS Seattle Fall 2018. Save $400 thru 8/22!

SEC561: Immersive Hands-on Hacking Techniques

To be a top penetration testing professional, you need fantastic hands-on skills for finding, exploiting and resolving vulnerabilities. Top instructors at SANS engineered SEC561: Immersive Hands-on Hacking Techniques from the ground up to help you get good fast. The course teaches in-depth security capabilities through 80%+ hands-on exercises, maximizing keyboard time on in-class labs and making this SANS' most hands-on course ever. With over 30 hours of intense labs, students experience a leap in their capabilities, as they come out equipped with the practical skills needed to handle today's pen test and vulnerability assessment projects in enterprise environments.Throughout the course, an expert instructor coaches students as they work their way through solving increasingly demanding real-world information security scenarios using skills that they will be able to apply the day they get back to their jobs.

Topics addressed in the course include:

  • Applying network scanning and vulnerability assessment tools to effectively map out networks and prioritize discovered vulnerabilities for effective remediation.
  • Manipulating common network protocols to reconfigure internal network traffic patterns, as well as defenses against such attacks.
  • Analyzing Windows and Linux systems for weaknesses using the latest enterprise management capabilities of the operating systems, including the super-powerful Windows Remote Management (WinRM) tools.
  • Applying cutting-edge password analysis tools to identify weak authentication controls leading to unauthorized server access.
  • Scouring through web applications and mobile systems to identify and exploit devastating developer flaws.
  • Evading anti-virus tools and bypassing Windows User Account Control to understand and defend against these advanced techniques.
  • Honing phishing skills to evaluate the effectiveness of employee awareness initiatives and your organization's exposure to one of the most damaging attack vectors widely used today.

People often talk about these concepts, but this course teaches you how to actually do them hands-on and in-depth. SEC561 shows penetration testers, vulnerability assessment personnel, auditors, and operations personnel how to leverage in-depth techniques to get powerful results in every one of their projects. The course is overflowing with practical lessons and innovative tips, all with direct hands-on application. Throughout the course, students interact with brand new and custom-developed scenarios built just for this course on the innovative NetWars challenge infrastructure, which guides them through the numerous hands-on labs providing questions, hints, and lessons learned as they build their skills.


You Will Learn:

  • How to model the capabilities of today's advanced attackers in your penetration tests, including how to evade anti-virus tools and bypass UAC.
  • How to confirm and exploit system flaws identified by vulnerability assessment scanners.
  • How to reliably get remote shell access on victim systems through phishing attacks.
  • How to apply advanced network pivoting attacks to reach internal vital systems.
  • How to identify, exploit and leverage common web application flaws.


Course Syllabus


The first day of the course prepares students for real-world security challenges by giving them hands-on practice with essential Linux and Windows server and host management tools. Students will start by leveraging built-in and custom Linux tools to evaluate the security of host systems and servers, inspecting and extracting content from rich data sources such as image headers, browser cache content and system logging resources. Students will then turn their attention to performing similar analysis against remote Windows servers using built-in Windows system management tools to detect misconfigured services, identify password guessing attempts and track down the user performing the attack, evaluate the impact of malware attacks and analyze packet capture data. By completing these tasks, students build their systems management skills (applicable to post-compromise system host analysis) as well as their defensive skills (defending targeted systems from persistent attack threats). By adding new tools and techniques to their arsenal, students are better prepared to complete the analysis of complex systems with greater accuracy in less time.

CPE/CMU Credits: 6


Linux Host and Server Analysis

  • Identifying users and permission exposure
  • File system data harvesting from common applications
  • Network traffic analysis and data extraction techniques
  • File and malware analysis tools

Windows Host and Server Analysis

  • Remote registry analysis
  • Windows malware executable analysis
  • Common and extremely damaging enterprise Windows vulnerabilities
  • Windows file system and permission management analysis

In this section students investigate the critical tasks for a high-quality penetration test. We will look at the safest, most efficient ways to map a network and discover target systems and services. Once the systems are discovered, we will search for vulnerabilities and reduce false positives with manual vulnerability verification. We will also examine exploitation techniques, including the use of the Metasploit Framework to exploit these vulnerabilities, accurately describing risk and further reducing false positives. Of course, exploits are not the only way to access systems, so we also leverage password-related attacks, including guessing and cracking techniques, in order to extend our reach for a more effective and valuable penetration test.

CPE/CMU Credits: 6


Network Mapping and Discovery

  • Optimizing scanning techniques for efficient host discovery
  • Passive discovery and system analysis
  • Advanced enumeration with interactive and automated interrogation tools

Enterprise Vulnerability Assessment

  • Data harvesting for effective vulnerability assessment
  • Manual and automated vulnerability correlation
  • Vulnerability prioritization for remediation
  • Open-source and commercial tools for effective vulnerability assessment
  • Assessing network infrastructure as part of a vulnerability assessment

Network Penetration Testing

  • Reduction of false positives through exploitation
  • Exploitation via Metasploit for an effective penetration test
  • Using Meterpreter for pillaging and pivoting
  • Effective use of Netcat for network communication

Password and Authentication Exploitation

  • Effective password guessing techniques
  • Developing custom wordlists for effective password cracking
  • Exploiting weaknesses in common cryptographic password storage
  • Evaluating Windows and critical network infrastructure authentication weaknesses

This section will look at the variety of flaws present in web applications and how each of them is exploited. Students will solve challenges presented to them by exploiting web applications hands-on with the tools used by professional web application penetration testers every day. The websites that students attack mirror real-world vulnerabilities, including Cross-Site Scripting (XSS), SQL Injection, Command Injection, Directory Traversal, Session Manipulation and more. Students will need to exploit the flaws and answer questions based on the level of compromise they are able to achieve.

CPE/CMU Credits: 6


Recon and Mapping

  • Identification of target web applications
  • Directory brute-forcing
  • Manual creations of web requests
  • Web application scanning and exploitation tools

Server-Side Web Application Attacks

  • SQL injection
  • Command injection
  • Directory traversal

Client-Side Web Application Attacks

  • Cross-site scripting
  • Cross-site request forgery
  • Cookie and session manipulation

Web Application Vulnerability Exploitation

  • Evaluating logic flaws in popular web applications
  • Leveraging public exploits against web application infrastructure

With the rapidly increasing use of mobile devices in enterprise networks, organizations have a growing need to identify expertise in security assessment and penetration testing of mobile devices and their supporting infrastructure. This section will examine the practical vulnerabilities introduced by mobile devices and applications, as well as how they relate to the security of the enterprise. Students will look at the common vulnerabilities and attack opportunities against Android and Apple iOS devices, examining data remnants from lost or stolen mobile devices, the exposure introduced by common weak application developer practices, and the threat introduced by popular cloud-based mobile applications found in many networks today.

CPE/CMU Credits: 6


Mobile Device Assessment

  • Extracting data from mobile application network activity
  • Passive mobile device identification and fingerprinting
  • Mobile device wireless behavior analysis
  • Effective man-in-the-middle attacks against mobile devices

Mobile Device Data Harvesting

  • Bypassing passcode authentication on mobile devices
  • Leveraging compromised hosts for mobile device backup data recovery
  • Mobile device file system access over USB devices
  • Exploiting common password disclosure data sources on iOS and Android

Mobile Application Analysis

  • Reverse-engineering Android applications
  • Android vulnerability analysis through code inspection
  • Static and dynamic automated application analysis systems

This portion of the course is designed to teach the advanced skills required in an effective penetration test to extend our reach and move through the target network. This extended reach will provide a broader and more in-depth look at the security of the enterprise. We will utilize techniques to pivot through compromised systems using various tunneling/pivoting techniques, bypassing anti-virus and built-in commands to extend our influence over the target environment and detect issues that lesser testers may have missed. We will also look at some of the common mistakes surrounding poorly or incorrectly implemented cryptography and ways to take advantage of those weaknesses to access systems and data that are improperly secured.

CPE/CMU Credits: 6


Anti-Virus Evasion Techniques

  • Manipulating exploits to bypass signature-based anti-virus tools
  • Leveraging packers and obfuscators
  • Altering tools to evade heuristic analysis engines

Advanced Network Pivoting Techniques

  • Protected network infrastructure tunneling with SSH
  • Remote proxy exploits with the proxychains tool
  • Host redirection with Meterpreter host routing

Exploiting Network Infrastructure Components

  • Routing infrastructure manipulation attacks
  • Manipulating hosts through network management interfaces

This lively session is the culmination of the course, giving students the opportunity to apply the skills they have mastered throughout all the other sections in a hands-on workshop. The Capture the Flag Challenge is and expanded version of the exercises conducted in the previous sections. The aim is to independently reinforce skills learned throughout the course.

Students will apply their newly developed skills to scan for flaws, use exploits, unravel technical challenges and dodge firewalls, all while guided by the challenges presented to them by the SANS NetWars Scoring Server. By practicing the skills in a challenging workshop that combines multiple focus areas, participants will be able to explore, exploit, pillage and continue to reinforce skills against a realistic target environment.

CPE/CMU Credits: 6

Additional Information

Throughout the course, students will participate in hands-on lab exercises. Students must bring their own laptops to class that meet the requirements described below.


Students must bring a Windows 10, Windows 8/8.1 or Windows 7 laptop to class, preferably running natively on the system hardware. It is possible to complete the lab exercises using a virtualized Windows installation, but this will result in reduced performance when running some lab exercises.

Administrative Windows Access

For several tools used in the course, students will be required to perform actions with administrative privileges. Students must have administrative access on their Windows host, including the ability to unload or disable security software such as anti-virus or firewall agents as necessary for the completion of lab exercises.


Students will use a virtualized Linux VMware guest for several lab exercises. VMware Workstation or VMware Player is recommended. Note that there is no cost associated with the use of VMware Player, which can be downloaded from the VMware website.

While some students successfully use VMware Fusion for the exercises, the relative instability of VMware Fusion may cause delays in carrying out lab exercises, preventing their timely completion. VirtualBox and other virtualization tools are not supported at this time.

Hardware Requirements

Several of the software components used in the course are hardware-intensive and require more system resources than what might be required otherwise for day-to-day use of a system. Please ensure that your laptop meets the following minimum hardware requirements:

  • Minimum 2 GB RAM (4 GB recommended)
  • Ethernet (RJ45) network interface; students will not be able to complete lab exercises with systems that only have a wireless card
  • 30 GB free hard disk space
  • DVD drive

Minimum screen resolution of 1024x768; a larger screen resolution will reduce scrolling in for several applications and enable an easier end-user experience

If you have additional questions about the laptop specifications, please contact

  • Security professionals who want to expand their hands-on technical skills in new analysis areas such as packet analysis, digital forensics, vulnerability assessment, system hardening and penetration testing.
  • Systems and network administrators who want to gain hands-on experience in information security skills to become better administrators.
  • Incident response analysts who want to better understand system attack and defense techniques.
  • Forensic analysts who need to improve their skills through experience with real-world attacks.
  • Penetration testers seeking to gain practical hands-on experience for use in their own assessments.
  • Red team members who want to build their hands-on skills, and blue team members who want to better understand attacks and defend their environments.

To get the most out of this course, students should have some prior hands-on vulnerability assessment or penetration testing experience (minimum six months), or have taken at least one other penetration testing course (particularly SANS SEC560 or SEC542). The course will build on that background, helping participants ramp up their skills even further across a broad range of penetration testing disciplines.

Other Courses People Have Taken

Courses that lead in to SEC561

Courses that are prerequisites for SEC561

Courses that are good follow-ups to SEC561

  • Course book.
  • Daily lab answer books detailing all the course challenge labs, with questions, hints and answers.
  • Handouts and cheat-sheets used for quick reference to detailed information sources.
  • Course DVD and associated software, files and analysis resources.
  • MP3 audio files of the complete course lecture.
  • Use network scanning and vulnerability assessment tools to effectively map out networks and prioritize discovered vulnerabilities for effective remediation.
  • Use password analysis tools to identify weak authentication controls leading to unauthorized server access.
  • Evaluate web applications for common developer flaws leading to significant data loss conditions.
  • Manipulate common network protocols to maliciously reconfigure internal network traffic patterns.
  • Identify weaknesses in modern anti-virus signature and heuristic analysis systems.
  • Inspect the configuration deficiencies and information disclosure threats present on Windows and Linux servers.
  • Bypass authentication systems for common web application implementations.
  • Exploit deficiencies in common cryptographic systems.
  • Bypass monitoring systems by leveraging IPv6 scanning and exploitation tools.
  • Harvest sensitive mobile device data from iOS and Android targets.
  • Using PowerShell for Compromised Host Pillaging
  • Custom Wordlist Generation for Smart Password Cracking
  • Privilege Escalation Attack Following a Host Compromise
  • Manipulating Website Security Rules with Firefox
  • Exploiting PHP Server Misconfiguration Flaws
  • Evaluating Network Traffic with NetworkMiner
  • Extracting Chat Logs from Skype on iPhones
  • Attacking Mobile Device Password Managers
  • Identifying Flaws through Reverse-Engineering Android Applications
  • Bypassing Anti-Virus Tools with Customized Exploits
  • Exploiting Volume Snapshot Service on Windows
  • Advanced Pivoting Attacks with Secure Shell Tunneling and Redirection

Here is what SEC561 alumni say about the course:

"20% lecture...80% lab - Excellent format!"

"80% hands-on is intense and the best way to build on previous pen-testing-focused SANS courses."

"Great learning for at-your-own-pace students."

"Love being able to get hands-on all day."

"Such a fun learning experience."

"A really great course! I loved every minute!"

Author Statement

In creating this course, we focused on getting as much practical, hands-on skill building into the classroom as possible. Each day begins with a short briefing on the technical topics students will work on throughout the day. Then, students build their skills analyzing real-world target systems in the classroom. When students walk out of the class, they will have mastered over 100 new techniques for finding, exploiting and then fixing security flaws. Just as aircraft pilots need more 'stick' time learning how to fly, this course provides penetration testers and other security professionals with the real-world experience they need to excel in their work. - Josh Wright

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

1 Training Results
Type Topic Course / Location / Instructor Date Register

Private Training
All Private Training Course of Your Choice Your Choice  

*Course contents may vary depending upon location, see specific event description for details.