SEC560: Enterprise Penetration Testing

GIAC Penetration Tester (GPEN)
GIAC Penetration Tester (GPEN)
  • In Person (6 days)
  • Online
36 CPEs
SEC560 prepares you to conduct successful penetration testing for a modern enterprise, including on-premise systems, Azure, and Azure AD. You will learn the methodology and techniques used by real-world penetration testers in large organizations to identify and exploit vulnerabilities at scale and show real business risk to your organization. The course material is complemented with more than 30 practical lab exercises concluding with an intensive, hands-on Capture-the-Flag exercise in which you will conduct a penetration test against a sample target organization and demonstrate the knowledge you have mastered.

What You Will Learn

As a cybersecurity professional, you have a unique responsibility to identify and understand your organization's vulnerabilities and work diligently to mitigate them before the bad actors pounce. Are you ready? SEC560, the flagship SANS course for penetration testing, fully equips you to take this task head-on.

In SEC560, you will learn how to plan, prepare, and execute a penetration test in a modern enterprise. Using the latest penetration testing tools, you will undertake extensive hands-on lab exercises to learn the methodology of experienced attackers and practice your skills. You will then be able to take what you have learned in this course back to your office and apply it immediately.

This course is designed to strengthen penetration testers and further add to their skillset. The course is also designed to train system administrators, defenders, and others in security to understand the mindset and methodology of a modern attacker. Every organization needs skilled information security personnel who can find vulnerabilities and mitigate their effects, and this entire course is specially designed to get you ready for that role. Both the offensive teams and defenders have the same goal: keep the real bad guys out.

In SEC560, you will learn to

  • Properly plan and prepare for an enterprise penetration test
  • Perform detailed reconnaissance to aid in social engineering, phishing, and making well-informed attack decisions
  • Scan target networks using best-of-breed tools to identify systems and targets that other tools and techniques may have missed
  • Perform safe and effective password guessing to gain initial access to the target environment, or to move deeper into the network
  • Exploit target systems in multiple ways to gain access and measure real business risk
  • Execute extensive post-exploitation to move further into the network
  • Use privilege escalation techniques to elevate access on Windows or Linux systems, or the Microsoft Windows domain
  • Perform internal reconnaissance and situational awareness tasks to identify additional targets and attack paths
  • Execute lateral movement and pivoting to further extend access to the organization and identify risks missed by surface scans
  • Crack passwords using modern tools and techniques to extend or escalate access
  • Use multiple Command and Control (C2, C&C) frameworks to manage and pillage compromised hosts
  • Attack the Microsoft Windows domain used by most organizations
  • Execute multiple Kerberos attacks, including Kerberoasting, Golden Ticket, and Silver Ticket attacks
  • Conduct Azure reconnaissance
  • Execute Azure Active Directory (AD) password spray attacks
  • Execute commands in Azure using compromised credentials
  • Develop and deliver high-quality reports

SEC560 is designed to get you ready to conduct a full-scale, high-value penetration test, and at the end of the course you will do just that. After building your skills in comprehensive and challenging labs, the course culminates with a final real-world penetration test scenario. You will conduct an end-to-end penetration test, applying knowledge, tools, and principles from throughout the course as you discover and exploit vulnerabilities in a realistic sample target organization.

You Will Be Able To

  • Develop tailored scoping and rules of engagement for penetration testing projects to ensure the work is focused, well defined, and conducted in a safe manner
  • Conduct detailed reconnaissance using document metadata, search engines, and other publicly available information sources to build a technical and organizational understanding of the target environment
  • Utilize the Nmap scanning tool to conduct comprehensive network sweeps, port scans, Operating System fingerprinting, and version scanning to develop a map of target environments
  • Choose and properly execute Nmap Scripting Engine scripts to extract detailed information from target systems
  • Analyze the output of scanning tools to manually verify findings and perform false positive reduction using Netcat and the Scapy packet crafting tools
  • Utilize the Windows and Linux command lines to plunder target systems for vital information that can further overall penetration test progress, establish pivots for deeper compromise, and help determine business risks
  • Configure the Metasploit exploitation tool to scan, exploit, and then pivot through a target environment in-depth
  • Perform Kerberos attacks including Kerberoasting, Golden Ticket, and Silver Ticket attacks
  • Use Mimikatz to perform domain domination attacks, such as Golden Ticket abuse, DCSync, and others
  • Go from an unauthenticated network position to authenticated domain access and map an attack path throughout the domain
  • Attack Azure AD and use your domain domination to target the on-premise integration

Business Takeaways

SEC560 differs from other penetration testing courses in several important ways -

  • It offers in-depth technical excellence along with industry-leading methodologies to conduct high-value penetration tests.
  • We drill deep into the arsenal of tools with numerous hands-on exercises that show subtle, less-well-known, and undocumented features that are useful for professional penetration testers and ethical hackers.
  • We discuss how the tools interrelate with each other in an overall testing process. Rather than just throwing up a bunch of tools and playing with them, we analyze how to leverage information from one tool to get the biggest bang out of the next tool.
  • We focus on the workflow of professional penetration testers, proceeding step by step and discussing the most effective means for carrying out projects.
  • The course sections address common pitfalls that arise in penetration tests, providing real-world strategies and tactics to avoid these problems and maximize the quality of test results.
  • We cover several time-saving tactics based on years of in-the-trenches experience of real penetration testers and hackers. There are tasks that might take hours or days unless you know the little secrets we cover that enable you to surmount a problem in minutes.
  • The course stresses the mindset of successful penetration testers and hackers, which involves balancing the often-contravening forces of thinking outside the box, methodically troubleshooting, carefully weighing risks, following a time-tested process, painstakingly documenting results, and creating a high-quality final report that gets management and technical buy-in.
  • We analyze how penetration testing should fit into a comprehensive enterprise information security program.
  • We focus on pen testing modern organizations, many of which are using Azure AD for identity management.

What You Will Receive

  • Access to the in-class Virtual Training Lab with more than 30 in-depth labs
  • SANS Slingshot Linux Penetration Testing Environment and Windows 10 Virtual Machines loaded with numerous tools used for all labs
  • Access to the recorded course audio to help hammer home important network penetration testing lessons
  • Cheat sheets with details on professional use of Metasploit, Netcat, and more
  • Worksheets to streamline the formulation of scoping and rules of engagement for professional penetration tests

Syllabus (36 CPEs)

Download PDF
  • Overview

    In this course section, you will develop the skills needed to conduct a best-of-breed, high-value penetration test. We’ll go in-depth on how to build a penetration testing infrastructure that includes all the hardware, software, network infrastructure, and tools you will need to conduct great penetration tests, with specific low-cost recommendations for your arsenal. We’ll then cover formulating a pen test scope and rules of engagement that will set you up for success, including a role-play exercise. We’ll also dig deep into the reconnaissance portion of a penetration test, covering the latest tools and techniques.

    This course section features a hands-on lab exercise to learn about a target environment, the organization, network, infrastructure, and users. This course section also looks at the vital task of mapping the target environment’s attack surface by creating a comprehensive inventory of machines, accounts, and potential vulnerabilities. We’ll look at some of the most useful scanning tools freely available today and run them in numerous hands-on labs to help hammer home the most effective way to use each tool. We’ll cover vital techniques for false-positive reduction so you can focus your findings on meaningful results and avoid the sting of a false positive. And we’ll examine the best ways to conduct your scans safely and efficiently.

    • Formulating an Effective Scope and Rules of Engagement
    • Linux for Pen Testers
    • Reconnaissance and OSINT
    • Nmap
    • Masscan
    • Advanced Nmap Usage, EyeWitness, and Netcat for Pen Testers
    • The Mindset of the Professional Pen Tester
    • Building a World-Class Pen Test Infrastructure
    • Creating Effective Pen Test Scopes and Rules of Engagement
    • Reconnaissance of the Target Organization, Infrastructure, and Users
    • Tips for Awesome Scanning
    • Version Scanning with Nmap
    • False-Positive Reduction
    • Netcat for the Pen TesterGetting the Most Out of Nmap
    • Faster Scanning with Masscan
    • OS Fingerprinting, Version Scanning In-Depth, Netcat for Penetration Testers, and EyeWitness
    • Nmap In-Depth: The Nmap Scripting Engine
  • Overview

    This course section includes password guessing attacks, which are a common way for penetration testers and malicious attackers to gain initial access and pivot through the network. This action-packed section concludes with another common way to gain initial access: exploitation. We’ll discuss many ways that exploits are used to gain access or escalate privileges, then examine how these exploits are packaged in frameworks like Metasploit and its mighty Meterpreter. You’ll learn in-depth how to leverage Metasploit and Meterpreter to compromise target environments. Once you’ve successfully exploited a target environment, penetration testing gets extra exciting as you perform post-exploitation, gathering information from compromised machines and pivoting to other systems in your scope. In this section, we’ll discuss a common modern penetration test style, the Assumed Breach, where initial access is ceded to the testers for speed and efficiency. Whether the testers gain access themselves or access is provided, the testers now identify risks that are not visible on the surface. We’ll examine C2 frameworks and how to select the right one for you. As part of this, we’ll use Sliver and Empire and explore their capabilities for use in an effective penetration test. We’ll discuss the next stage of a penetration test and situational awareness on both Windows and Linux.

    • Initial Access with Password Guessing and Spraying with Hydra
    • Exploitation with Metasploit and the Meterpreter Shell
    • Command and Control Sliver and Teammates
    • Leveraging [PowerShell] Empire for Post-Exploitation
    • Developing Payloads in Multiple C2 Frameworks
    • GhostPack’s Seatbelt
    • Gaining Initial Access
    • Password Guessing, Spraying, and Credential Stuffing
    • Exploitation and Exploit Categories
    • Exploiting Network Services and Leveraging Meterpreter
    • Command and Control Frameworks and Selecting the One for You
    • Using the Adversary Emulation and Red Team Framework, Sliver
    • Post-Exploitation with [PowerShell] Empire
    • Payload Generation in Metasploit and Sliver
    • Post-Exploitation
    • Assumed Breach Testing
    • Situational Awareness on Linux and Windows
    • Extracting Useful Information from a Compromised Windows Host with Seatbelt
  • Overview

    In this section, you’ll learn tools and techniques to perform privilege escalation attacks to gain elevated access on compromised hosts to further pillage compromised hosts for an even more high-impact penetration test. Part of post-exploitation includes password dumping, where we’ll perform cleartext password extraction with Mimikatz and password cracking. We’ll also cover persistence to help you maintain access to compromised hosts that survive a reboot or a user logoff. You’ll learn modern tools and techniques to perform better cracking attacks that will extend or upgrade your access in the target environment. We’ll take a look at the powerful BloodHound to allow us to map attack paths to get to high-value targets. This section concludes with Responder, a tool to obtain password hashes and for relaying.

    • Privilege Escalation on Windows
    • Domain Mapping and Exploitation with BloodHound
    • Practical Persistence
    • Metasploit PsExec, Hash Dumping, and Mimikatz Kiwi Credential Harvesting
    • Password Cracking with John the Ripper and Hashcat
    • Attacking Nearby Clients with Responder
    • Privilege Escalation Methods and Techniques on Windows and Linux
    • Identifying Attack Paths with BloodHound
    • Persistence and Maintaining Access
    • Password Attack Tips
    • Retrieving and Manipulating Hashes from Windows, Linux, and Other Systems
    • Extracting Hashes and Passwords from Memory with Mimikatz Kiwi
    • Effective Password Cracking with John the Ripper and Hashcat
    • Poisoning Multicast Name Resolution with Responder
  • Overview

    This course sections zooms in on moving through the target environment. When attackers gain access to a network, they move, so you'll learn the same techniques used by modern attackers and penetration testers. You'll start by manually executing techniques used for lateral movement, then move on to automation using the powerful toolset, Impacket, to exploit and abuse network protocols. We'll examine Windows network authentication, and you'll perform a pass-the-hash attack to move through the network without knowing the compromised account's password.

    • Lateral Movement and Running Commands Remotely with WMIC and by Creating Malicious Services
    • The Impacket Framework
    • Pass-the-Hash
    • Bypassing Application Control Technology Using Built In Windows Features
    • Pivoting through SSH and an Existing Meterpreter Session
    • Lateral Movement
    • Running Commands Remotely
    • Attacking and Abusing Network Protocols with Impacket
    • Anti-Virus and Evasion of Defensive Tools
    • Application Control Bypasses Using Built-In Windows Features
    • Implementing Port Forwarding Relays via SSH for Merciless Pivots
    • Pivoting through Target Environments with C2
    • Effective Reporting and Business Communication
  • Overview

    This course section focuses on typical AD lateral movement strategies. You’ll gain an in-depth understanding of how Kerberos works and what the possible attack vectors are, including Kerberoasting, Golden Ticket, and Silver Ticket attacks. You’ll use credentials found during the penetration test of the target environment to extract all the hashes from a compromised Domain Controller. We’ll cover one of the most useful new techniques for privilege escalation due to vulnerabilities in Active Directory Certificate Services (AD CS). With full privileges over the on-premise domain, we’ll then turn our attention to the cloud and have a look at Azure principles and attack strategies. The integration of Azure AD with the on-premise domain provides interesting attack options, which will be linked to the domain dominance attacks we saw earlier during the course section.

    • Kerberoast Attack for Domain Privilege Escalation
    • Domain Dominance and Password Hash Extraction from a Compromised Domain Controller
    • Identifying Vulnerabilities and Attacking Active Directory Certificate Services (AD CS)
    • Silver Tickets for Persistence and Evasion
    • Golden Ticket Attacks for Persistence
    • Azure Reconnaissance and Password Spraying
    • Running Commands in Azure Using Compromised Credentials
    • Kerberos Authentication Protocol
    • Kerberoasting for Domain Privilege Escalation and Credential Compromise
    • Persistent Administrative Domain Access
    • Evaluating and Attacking AD CS
    • Obtaining NTDS.dit and Extracting Domain Hashes
    • Golden and Silver Ticket Attacks for Persistence
    • Additional Kerberos Attacks Including Skeleton Key, Over-Pass-the-Hash, and Pass-the-Ticket
    • Effective Domain Privilege Escalation
    • Azure and Azure AD Reconnaissance
    • Azure Password Attacks and Spraying
    • Understanding Azure Permissions
    • Running Commands on Azure Hosts
    • Tunneling with Ngrok
    • Lateral Movement in Azure
  • Overview

    This lively section represents the culmination of the enterprise penetration testing course. You will apply all the skills mastered in the course in a comprehensive, hands-on exercise during which you'll conduct an actual penetration test of a sample target environment. We'll provide the scope and rules of engagement, and you'll work to achieve your goal to determine whether the target organization's Personally Identifiable Information is at risk. As a final step in preparing you for conducting penetration tests, you'll make recommendations about remediating the risks you identify.

    • A Comprehensive Lab Applying What You Have Learned Throughout the Course
    • Modeling a Penetration Test Against a Target Environment
    • Applying Penetration Testing and Ethical Hacking Practices End-to-End
    • Detailed Scanning to Find Vulnerabilities and Avenues to Entry
    • Exploitation to Gain Control of Target Systems
    • Post-Exploitation to Determine Business Risk
    • Merciless Pivoting
    • Analyzing Results to Understand Business Risk and Devise Corrective Actions

GIAC Penetration Tester

The GIAC Penetration Tester (GPEN) certification validates a practitioner's ability to properly conduct a penetration test using best-practice techniques and methodologies. GPEN certification holders have the knowledge and skills to conduct exploits, engage in detailed environmental reconnaissance, and utilize a process-oriented approach to penetration testing projects

  • Comprehensive Pen Test Planning, Scoping, and Recon
  • In-Depth Scanning and Exploitation, Post-Exploitation, and Pivoting
  • Azure Overview, Integration, and Attacks, and In-Depth Password Attacks
More Certification Details


SEC560 is the flagship penetration test course offered by the SANS Institute. Attendees are expected to have a working knowledge of TCP/IP and a basic knowledge of the Windows and Linux command lines before they come to class. While SEC560 is technically in-depth, it is important to note that programming knowledge is NOT required for the course.

Courses that lead in to SEC560:

Courses that are good follow-ups to SEC560:

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 8GB of RAM or more is required.
  • 50GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"All security professionals need to understand how companies are being breached, from modern attack tactics and including the underlying principles. As a defender, incident responder, or forensic analyst, it is important to understand the latest attacks and the mindset of the attacker. In this course, penetration testers, red teamers, and other offensive security professionals will learn tools and techniques to increase the impact and effectiveness of their work. As the lead author for this course, I'm proud to bring my years of security experience (both offensive and defensive) as well as network/system administration experience to the course. We aim to provide a valuable, high-impact penetration testing course designed to teach experienced pen testers new tips, help prepare new penetration testers, and provide background to anyone dealing with penetration testers, red teams, or even malicious attackers. I personally enjoy teaching this course and sharing my experience and real-life examples with you."

Jeff McJunkin


SEC560 introduces the whole process of penetration testing from the start of engagement to the end.
Barry Tsang
I think if you genuinely want to learn how exploitation techniques work and how to properly think like a hacker, it would be silly not to attend SEC560.
Marc Hamilton
Thank you for an amazing week of training in SEC560! My favorite parts were lateral movement, password cracking, and web exploits!
Robert Adams

    Register for SEC560

    Learn about Group Pricing

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.