Network Penetration Testing Training | Ethical Hacking

What You Will Learn

As a cybersecurity professional, you have a unique responsibility to find and understand your organization's vulnerabilities and to work diligently to mitigate them before the bad guys pounce. Are you ready? SEC560, the flagship SANS course for enterprise penetration testing, fully arms you to address this duty head-on.

SEC560 IS THE MUST-HAVE COURSE FOR EVERY WELL-ROUNDED SECURITY PROFESSIONAL

With comprehensive coverage of tools, techniques, and methodologies for network penetration testing, SEC560 truly prepares you to conduct high-value penetration testing projects step by step and end to end. Every organization needs skilled information security personnel who can find vulnerabilities and mitigate their effects, and this entire course is specially designed to get you ready for that role. The course starts with proper planning, scoping and recon, then dives deep into scanning, target exploitation, password attacks, web app manipulation, and attacking the Windows domain, with over 30 detailed hands-on labs throughout. The course is chock full of practical, real-world tips from some of the world's best penetration testers to help you do your job safely, efficiently...and with great skill.

LEARN THE BEST WAYS TO TEST YOUR OWN SYSTEMS BEFORE THE BAD GUYS ATTACK

You'll learn how to perform detailed reconnaissance, studying a target's infrastructure by mining blogs, search engines, social networking sites, and other Internet and intranet infrastructures. Our hands-on labs will equip you to scan target networks using best-of-breed tools. We won't just cover run-of-the-mill options and configurations, we'll also go over the lesser known but super-useful capabilities of the best pen test toolsets available today. After scanning, you'll learn dozens of methods for exploiting target systems to gain access and measure real business risk. You'll dive deep into post-exploitation, password attacks, and web apps, pivoting through the target environment to model the attacks of real-world bad guys to emphasize the importance of defense in depth. Finally, we focus deep on the technological heart of most organizations, the Windows Domain. We'll cover the technical details of Kerberos and Active Directory and use that for Domain Dominance!

EQUIPPING SECURITY ORGANIZATIONS WITH COMPREHENSIVE PENETRATION TESTING AND ETHICAL HACKING KNOW-HOW

SEC560 is designed to get you ready to conduct a full-scale, high-value enterprise penetration test and at the end of the course you'll do just that. After building your skills in comprehensive and challenging labs, the course culminates with a final real-world penetration test scenario. You'll conduct an end-to-end pen test, applying knowledge, tools, and principles from throughout the course as you discover and exploit vulnerabilities in a realistic sample target organization, demonstrating the skills you've gained in this course.

You Will Be Able To

Develop tailored scoping and rules of engagement for penetration testing projects to ensure the work is focused, well defined, and conducted in a safe manner
Conduct detailed reconnaissance using document metadata, search engines, and other publicly available information sources to build a technical and organizational understanding of the target environment
Utilize the Nmap scanning tool to conduct comprehensive network sweeps, port scans, Operating System fingerprinting, and version scanning to develop a map of target environments
Choose and properly execute Nmap Scripting Engine scripts to extract detailed information from target systems
Configure and launch the Nessus vulnerability scanner so that it discovers vulnerabilities through both authenticated and unauthenticated scans in a safe manner, and customize the output from such tools to represent the business risk to the organization
Analyze the output of scanning tools to manually verify findings and perform false positive reduction using Netcat and the Scapy packet crafting tools
Utilize the Windows and Linux command lines to plunder target systems for vital information that can further overall penetration test progress, establish pivots for deeper compromise, and help determine business risks
Configure the Metasploit exploitation tool to scan, exploit, and then pivot through a target environment in-depth
Conduct comprehensive password attacks against an environment, including automated password guessing (while avoiding account lockout), traditional password cracking, rainbow table password cracking, and pass-the-hash attacks
Launch web application vulnerability scanners such as ZAP and then manually exploit Cross-Site Request Forgery, Cross-Site Scripting, Command Injection, and SQL injection attacks to determine the business risks faced by an organization

This SANS course differs from other penetration testing and ethical hacking courses in several important ways:

It offers in-depth technical excellence along with industry-leading methodologies to conduct high-value penetration tests.
We get deep into the arsenal of tools with numerous hands-on exercises that show subtle, less-well-known, and undocumented features that are useful for professional penetration testers and ethical hackers.
It discusses how the tools interrelate with each other in an overall testing process. Rather than just throwing up a bunch of tools and playing with them, we analyze how to leverage information from one tool to get the most bang out of the next tool.
We focus on the workflow of professional penetration testers and ethical hackers, proceeding step by step and discussing the most effective means for carrying out projects.
The sessions address common pitfalls that arise in penetration tests and ethical hacking projects, providing real-world strategies and tactics for avoiding these problems to maximize the quality of test results.
We cover several time-saving tactics based on years of in-the-trenches experience of real penetration testers and ethical hackers -- tasks that might take hours or days unless you know the little secrets we'll be covering that will enable you to surmount a problem in minutes.
This course stresses the mindset of successful penetration testers and ethical hackers, which involves balancing often contravening forces of thinking outside the box, methodically trouble-shooting, carefully weighing risks, following a time-tested process, painstakingly documenting results, and creating a high-quality final report that gets management and technical buy-in.
We analyze how penetration testing and ethical hacking should fit into a comprehensive enterprise information security program.

What You Will Receive

Access to the in-class Virtual Training Lab for over 30 in-depth labs
A course USB with the SANS Slingshot Linux Penetration Testing Environment loaded with numerous tools used for all labs
Access to recorded course audio to help hammer home important network penetration testing lessons
Cheat sheets with details on professional use of Metasploit, Netcat, and more
Worksheets to streamline the formulation of scope and rules of engagement for professional penetration tests

SANS Video

Syllabus (37 CPEs)

Download PDF

Overview
In this course section, you'll develop the skills needed to conduct a best-of-breed, high-value penetration test. We'll go in-depth on how to build a penetration testing infrastructure that includes all the hardware, software, network infrastructure, and tools you will need to conduct great penetration tests, with specific low-cost recommendations for your arsenal. We'll then cover formulating a pen test scope and rules of engagement that will set you up for success, including a role-play exercise. We'll also dig deep into the reconnaissance portion of a penetration test, covering the latest tools and techniques, including hands-on document metadata analysis to pull sensitive information about a target environment, as well as a lab using Recon-ng to plunder a target's DNS infrastructure for information such as which anti-virus tools the target organization uses.
Exercises
- Tour of the SANS Slingshot Penetration Testing Virtual Machine
- Formulating an Effective Scope and Rules of Engagement
- Document Metadata Treasure Hunt
- Utilizing Recon-ng to Plunder DNS for Useful Information
Topics
- The Mindset of the Professional Pen Tester
- Building a World-Class Pen Test Infrastructure
- Creating Effective Pen Test Scopes and Rules of Engagement
- Detailed Recon Using the Latest Tools
- Effective Pen Test Reporting to Maximize Impact
- Mining Search Engine Results
- Document Metadata Extraction and Analysis
Overview
This course section focuses on the vital task of mapping the target environment's attack surface by creating a comprehensive inventory of machines, accounts, and potential vulnerabilities. We look at some of the most useful scanning tools freely available today and run them in numerous hands-on labs to help hammer home the most effective way to use each tool. We finish the module covering vital techniques for false-positive reduction, so you can focus your findings on meaningful results and avoid the sting of a false positive. And we examine the best ways to conduct your scans safely and efficiently.
Exercises
- Getting the Most Out of Nmap
- OS Fingerprinting and Version Scanning In-Depth
- The Nmap Scripting Engine
- The Nessus Vulnerability Scanner
- Netcat for the Pen Tester
- PowerShell for the Pen Tester
Topics
- Tips for Awesome Scanning
- Tcpdump for the Pen Tester
- Nmap In-Depth: The Nmap Scripting Engine
- Version Scanning with Nmap
- Vulnerability Scanning with Nessus
- False-Positive Reduction
- Enumerating Users
- Netcat for the Pen Tester
- Monitoring Services during a Scan
Overview
In this course section we look at the many kinds of exploits that penetration testers use to compromise target machines, including client-side exploits, service-side exploits, and local privilege escalation. We'll see how these exploits are packaged in frameworks like Metasploit and its mighty Meterpreter. You'll learn in-depth how to leverage Metasploit and the Meterpreter to compromise target environments. You'll also analyze the topic of anti-virus evasion to bypass the target organization's security measures, as well as methods for pivoting through target environments, all with a focus on determining the true business risk of the target organization.
Exercises
- Client-Side Attacks with Metasploit
- Exploiting Network Services and Leveraging the Meterpreter
- Evading Anti-Virus Tools with the Veil Framework
- Metasploit Databases and Tool Integration
- Port Pivoting Relays
- Leveraging PowerShell Empire for Post Exploitation
- Creating Malicious Services and Leveraging the Wonderful WMIC Toolset
Topics
- Comprehensive Metasploit Coverage with Exploits, Stagers, and Stages
- Strategies and Tactics for Anti-Virus Evasion
- In-Depth Meterpreter Analysis, Hands-On
- Implementing Port Forwarding Relays for Merciless Pivots
- How to Leverage PowerShell Empire to Plunder a Target Environment
Overview
Once you've successfully exploited a target environment, penetration testing gets extra exciting as you perform post-exploitation, gathering information from compromised machines and pivoting to other systems in your scope. This course section zooms in on pillaging target environments and building formidable hands-on command line skills. We'll cover Windows command line skills in-depth, including PowerShell's awesome abilities for post-exploitation. We'll see how we can leverage malicious services and the incredible WMIC toolset to access and pivot through a target organization. We'll then turn our attention to password guessing attacks, discussing how to avoid account lockout, as well as numerous options for plundering password hashes from target machines including the great Mimikatz Kiwi tool. Finally, we'll look at Metasploit's fantastic features for pivoting, including the msfconsole route command.
Exercises
- Password Guessing and Spraying with THC-Hydra
- Metasploit Psexec, Hash Dumping and Mimikatz Kiwi Credential Harvesting
- Pivoting with Metasploit and SSH
- Password Cracking with John the Ripper and Hashcat
- Sniffing and Cracking Windows Authentication Exchanges
- Metasploit Pivoting and Mimikatz Kiwi for Credential Harvesting
Topics
- Windows Command Line Kung Fu for Penetration Testers
- PowerShell's Amazing Post-Exploitation Capabilities
- Password Attack Tips
- Account Lockout and Strategies for Avoiding It
- Automated Password Guessing with THC-Hydra
- Retrieving and Manipulating Hashes from Windows, Linux, and Other Systems
- Pivoting through Target Environments
- Extracting Hashes and Passwords from Memory with Mimikatz Kiwi
Overview
In this course section, we'll zoom in on typical AD (Active Directory) lateral movement strategies. You'll obtain an in-depth understanding of how Kerberos works and what possible attack vectors are available. You'll look at typical local privilege escalation techniques and UAC (User Account Control) bypasses. We map the internal domain structure using BloodHound to identify feasible attack paths. We'll use Mimikatz to perform domain dominance attacks where domain replication is used to fully compromise the domain. We then turn our attention to web application pen testing, covering the most powerful and common web app attack techniques, including hands-on labs for every topic we address. We'll cover finding and exploiting command injection and SQL injection flaws in applications such as online banking, blog sites, and more.
Exercises
- Kerberos Attacks
- Attacking Nearby Clients with Responder
- Domain Mapping and Exploitation with Bloodhound
- Effective Domain Privilege Escalation
- Domain Dominance
- Using the ZAP Proxy to Manipulate Custom Web Applications
- Leveraging Command Injection Flaws
- Exploiting SQL Injection Flaws to Gain Shell Access of Web Targets
Topics
- Kerberos authentication protocol
- Poisoning multicast name resolution with Responder
- Domain Mapping and Exploitation with Bloodhound
- Effective Domain Privilege Escalation
- Persisting administrative domain access
- Using the ZAP Proxy to Manipulate Custom Web Applications
- Maximizing Effectiveness of Command Injection Testing
- Data Plundering with SQL Injection
- Leveraging SQL Injection to Perform Command Injection
Overview
This lively session represents the culmination of the network penetration testing and ethical hacking course. You'll apply all of the skills mastered in the course in a comprehensive, hands-on workshop during which you'll conduct an actual penetration test of a sample target environment. We'll provide the scope and rules of engagement, and you'll need to achieve your goal of finding out whether the target organization's Personally Identifiable Information (PII) is at risk. As a final step in preparing you for conducting penetration tests, you'll make recommendations about remediating the risks you identify.
Exercises
- A Comprehensive Lab Applying What You Have Learned Throughout the Course
- Modeling a Penetration Test Against a Target Environment
Topics
- Applying Penetration Testing and Ethical Hacking Practices End-to-End
- Detailed Scanning to find Vulnerabilities and Avenues to Entry
- Exploitation to Gain Control of Target Systems
- Post-Exploitation to Determine Business Risk
- Merciless Pivoting
- Analyzing Results to Understand Business Risk and Devise Corrective Actions

GIAC Penetration Tester

The GIAC Penetration Tester certification validates a practitioner’s ability to properly conduct a penetration test, using best practice techniques and methodologies. GPEN certification holders have the knowledge and skills to conduct exploits and engage in detailed reconnaissance, as well as utilize a process-oriented approach to penetration testing projects.

Comprehensive Pen Test Planning, Scoping, and Recon
In-Depth Scanning and Exploitation, Post-Exploitation, and Pivoting
In-Depth Password Attacks and Web App Pen Testing

Prerequisites

SEC560 is the flagship penetration test course offered by the SANS Institute. Attendees are expected to have a working knowledge of TCP/IP, understand the differences between cryptographic routines such as DES, AES, and MD5, and have a basic knowledge of the Windows and Linux command lines before they come to class. While SEC560 is technically in-depth, it is important to note that programming knowledge is NOT required for the course. For more information on the differences between SEC560 and SEC504, see the SEC560 and SEC504 FAQS.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics at the following web link https://sansurl.com/sans-setup-videos.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back-up your system before class. it is also strongly advised that you do not bring a system storing any sensitive data.

Baseline Hardware Requirements

CPU
- 64-bit Intel i5/i7 2.0+ GHz processor
BIOS
- Enabled "Intel-VT"
USB
- USB 3.0 Type-A port
RAM
- 16 GB RAM
Hard Drive Free Space
- 100 GB Free space
Operating System
- Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.

Additional Hardware Requirements

The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

Network, Wired Connection

A wired connection is required in class. A wired network adapter is one that you plug a cable into. They are typically on the back or the side of your system. If your system supports only wireless, you can purchase a USB wired Ethernet adapter. This will allow you to plug the adapter into a USB Laptop Requirements for SEC560 port on your system and plug the network cable into the adapter.

VMware Player

Install VMware Player 15, VMware Fusion 11, or VMware Workstation 15. Older Versions will not work for this course. Choose the version compatible with your host OS. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation. THIS IS CRITICAL: Other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.

Credential Guard

If your host computer is running Windows, Credential Guard may interfere with the ability to run VMs. It is important that you start up VMWare prior to class and confirm that virtual machines can run. It is required that Credential Guard is turned off prior to coming to class.

System Configuration Settings

Disable VPN

Enterprise VPN clients may interfere with the network configuration required to participate in the class. To avoid any frustration in class, uninstall or disable your enterprise VPN client for the duration of the class. If you keep it installed, make sure that you have the access to disable or uninstall it at class.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

"A key requirement for top security people is to understand the mind of the attacker. Both offense (red) and defense (blue) need to understand the tools and techniques used by real world attackers. A defender needs to understand attacks and how they work to properly design defenses and, just as importantly, configure detections. Offense needs to understand the tools, as well as the process, to deliver a high-value penetration test, focusing on the risks of the target. This course walks you through the process of a penetration test which is invaluable for penetration testers, those working with penetration testers, and those designing, implementing, and monitoring the defenses. This is a unique course, focusing holistically on penetration testing, not just the tools. I love sharing my passion for offense and sharing my experiences in this field. I hope to see you in class!"

- Tim Medin

"A thorough understanding of security assessment / penetration testing techniques is a key asset for any cyber security professional. In order to become a better defender, you must understand offense. Likewise, the course provides fundamental skills for people who want to establish themselves as penetration testers. Throughout my 10+ years of penetration testing experience, I am very proud to further develop and maintain SANS SEC560 as SANS' flagship penetration testing course. The class provides a balanced mix between lecture and hands-on activities, to make sure students go home, equipped to immediately put their skills to use. I personally enjoy modeling the lecture and labs towards real-life scenarios that I have encountered, and I look forward sharing my stories with you!"

- Erik Van Buggenhout

"Tim is an excellent SANS instructor. He's knowledgable, and he kept the course funny and interesting." - Thomas Rogers, Chevron

Ways to Learn

OnDemand

Study and prepare for GIAC Certification with four months of online access to SANS OnDemand courses. Includes labs and exercises, and SME support.

Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

In Person (6 days)

Training events and topical summits feature presentations and courses in classrooms around the world.

Who Should Attend SEC560?

Security personnel whose job involves assessing networks and systems to find and remediate vulnerabilities
Penetration testers
Ethical hackers
Defenders who want to better understand offensive methodologies, tools, and techniques
Auditors who need to build deeper technical skills
Red Team members
Blue Team members
Forensics specialists who want to better understand offensive tactics

"There are tools and mindsets taught in SEC560 that will shape an IT professional's approach to security. It's an essential class." - Mario Velazquez, American Access Casualty

See prerequisites

Need to justify a training request to your manager?

Use this justification letter template to share the key details of this training and certification opportunity with your boss.

Download the Letter

Reviews

I think if you genuinely want to learn how exploitation techniques work and how to properly think like a hacker, it would be silly not to attend SEC560.

Marc Hamilton

McAfee

Thank you for an amazing week of training in SEC560! My favorite parts were lateral movement, password cracking, and web exploits!

Robert Adams

Microsoft

SEC560 introduces the whole process of penetration testing from the start of engagement to the end.

Barry Tsang

Deloitte

SEC560: Network Penetration Testing and Ethical Hacking

GIAC Penetration Tester (GPEN)

Course Authors:

Ed Skoudis

Tim Medin

Erik Van Buggenhout

What You Will Learn

Syllabus (37 CPEs)

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

GIAC Penetration Tester

Prerequisites

Laptop Requirements

Author Statement

Ways to Learn

Who Should Attend SEC560?

Need to justify a training request to your manager?

Reviews

Find ways to take this course

SEC560: Network Penetration Testing and Ethical Hacking

GIAC Penetration Tester (GPEN)

Course Authors:

Ed Skoudis

Tim Medin

Erik Van Buggenhout

What You Will Learn

Syllabus (37 CPEs)

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

GIAC Penetration Tester

Prerequisites

Laptop Requirements

Author Statement

Ways to Learn

Who Should Attend SEC560?

Need to justify a training request to your manager?

Related Programs

Reviews

Find ways to take this course