
Network Security 2013

Las Vegas, NV | Sat, Sep 14 - Mon, Sep 23, 2013

SEC561: Intense Hands-on Pen Testing Skill Development (with SANS NetWars) New

Mon, September 16 - Sat, September 21, 2013

Today, many information security practitioners are expected to leverage cross-disciplinary skills in complex areas. Analysts are no longer able to specialize in just a single skill area, such as vulnerability assessment, network penetration testing, or web app assessment. To face today's threats, organizations need employees that add value to the team across varying focus areas, contributing to both operations and security teams.

Few practitioners have the time to build broad skills across many different security areas. The best way to pick up new skills quickly is to practice them in hands-on, real-world scenarios designed to challenge and guide a participant. The Hands-On Security Practitioner course creates a learning environment where participants can quickly build and reinforce skills in multiple focus areas, including:

  • Network security assessment, identifying architecture weaknesses in network deployments
  • Host-based security assessment, protecting against privilege escalation attacks
  • Web application penetration testing, exploiting common flaws in complex systems
  • Advanced system attacks, leveraging pivoting and tunneling techniques to identify exposure areas deep within an organization


The Hands-On Security Practitioner course departs from most lecture-based training models to help practitioners quickly build skills in many different information security focus areas. Using the NetWars challenge platform, participants engage in practical and real-world defensive and offensive Capture the Flag (CtF) exercises that are fun and exciting. By maximizing hands-on time in exercises, participants build valuable skills that are directly applicable as soon as they return to the office.

Participants who complete the Hands-On Security Practitioner course participate in realistic scenarios to quickly build skills that are difficult to achieve independently. After completing the course, participants will be able to apply these skills to various areas within their own organizations, significantly increasing their ability to take on cross-disciplinary projects and tasks.


Course Syllabus

Joshua Wright
Mon Sep 16th, 2013
9:00 AM - 5:00 PM


The first day of the course prepares students for real-world security challenges by giving them hands-on practice with essential Linux and Windows server and host management tools. First, students will leverage built-in and custom Linux tools to evaluate the security of host systems and servers, inspecting and extracting content from rich data sources such as image headers, browser cache content, and system logging resources. Next, students will turn their focus to performing similar analysis against remote Windows servers using built-in Windows system management tools to identify misconfigured services, scrutinize historical registry entries for USB devices, evaluate the impact of malware attacks, and analyze packet capture data. By completing these tasks, students build their skills in managing systems, applicable to post-compromise system host analysis, or defensive tasks such as defending targeted systems from persistent attack threats. By adding new tools and techniques to their arsenal, students are better prepared to complete the analysis of complex systems with greater accuracy in less time.

CPE/CMU Credits: 6


Linux Host and Server Analysis

  • Identifying users and permission exposure
  • File system data harvesting from common applications
  • Network traffic analysis and data extraction techniques
  • File and malware analysis tools

Windows Host and Server Analysis

  • Remote registry analysis for use analysis
  • Vulnerability targeting from system patch analysis and reporting
  • Client-side exploitation data artifact analysis
  • Windows malware executable analysis
  • Windows file system and permission management analysis

Joshua Wright
Tue Sep 17th, 2013
9:00 AM - 5:00 PM


In this section of the class, students investigate the critical tasks for a high-quality penetration test. We'll look at the safest, most efficient ways to map a network and discover target systems and services. Once the systems are discovered, we look for vulnerabilities and reduce false positives with manual vulnerability verification. We'll also look at exploitation techniques including the use of the Metasploit Framework to exploit these vulnerabilities, accurately describing risk and further reducing false positives. Of course, exploits are not the only way to access systems, so we also leverage password-related attacks including guessing and cracking techniques to extend our reach for a more effective and valuable penetration test.

CPE/CMU Credits: 6


Network Mapping and Discovery

  • Active host scanning and IDS evasion techniques
  • Passive discovery and system analysis
  • Scanning and mapping IPv6 targets and services
  • Advanced enumeration with interactive and automated interrogation tools

Enterprise Vulnerability Assessment

  • Data harvesting for effective vulnerability assessment
  • Manual and automated vulnerability correlation
  • Vulnerability prioritization for remediation
  • Open-source and commercial tools for effective vulnerability assessment
  • Assessing network infrastructure as part of a vulnerability assessment

Network Penetration Testing

  • False positive reduction through exploitation
  • Exploitation via Metasploit for an effective penetration test
  • Using Meterpreter for pillaging and pivoting
  • Effective use of netcat for network communication

Password and Authentication Exploitation

  • Effective password guessing techniques
  • Exploiting weaknesses in common cryptographic password storage
  • Evaluating Windows and critical network infrastructure authentication weaknesses
  • Manipulating Windows Directory Authentication

Joshua Wright
Wed Sep 18th, 2013
9:00 AM - 5:00 PM


This section of the course will look at the variety of flaws present in web applications and how each of them is exploited. Students will solve challenges presented to them by exploiting web applications hands-on with the tools used by professional web application penetration testers every day. The websites students attack mirror real-world vulnerabilities including Cross-Site Scripting (XSS), SQL Injection, Command Injection, Directory Traversal, Session Manipulation and more. Students will need to exploit the present flaws and answer questions based on the level of compromise they are able to achieve.

CPE/CMU Credits: 6


Recon and Mapping

  • Identification of target web applications
  • Directory brute-forcing
  • Manual creation of web requests
  • Web application scanning and exploitation tools

Server-side Web Application Attacks

  • SQL injection
  • Command injection
  • Directory traversal

Client-side Web Application Attacks

  • Cross-site scripting
  • Cross-site request forgery
  • Cookie and session manipulation

Web Application Vulnerability Exploitation

  • Evaluating logic flaws in popular web applications
  • Leveraging public exploits against web application infrastructure

Joshua Wright
Thu Sep 19th, 2013
9:00 AM - 5:00 PM


With the accelerated growth of mobile device use in enterprise networks, organizations find an increasing need to identify expertise in the security assessment and penetration testing of mobile devices and the supporting infrastructure. In this component of the course, we examine the practical vulnerabilities introduced by mobile devices and applications, and how they relate to the security of the enterprise. Students will look at the common vulnerabilities and attack opportunities against Android and Apple iOS devices, examining data remnants from lost or stolen mobile devices, the exposure introduced by common weak application developer practices, and the threat introduced by popular cloud-based mobile applications found in many networks today.

CPE/CMU Credits: 6


Mobile Device Assessment

  • Extracting data from mobile application network activity
  • Passive mobile device identification and fingerprinting
  • Mobile device wireless behavior analysis
  • Exploiting Mobile Device Management (MDM) system controls

Mobile Device Data Harvesting

  • Bypassing passcode authentication on mobile devices
  • Leveraging compromised hosts for mobile device backup data recovery
  • Extracting GPS and cell tower history from mobile devices for location tracking
  • Exploiting common password disclosure data sources

Mobile Application Analysis

  • Reverse-engineering Android applications
  • De-obfuscating mobile application malware
  • Static and dynamic automated application analysis systems

Joshua Wright
Fri Sep 20th, 2013
9:00 AM - 5:00 PM


This portion of the class is designed to teach the advanced skills required in an effective penetration test to extend our reach and move through the target network. This extended reach will provide a broader and more in-depth look at the security of the enterprise. We'll pivot through compromised systems using various tunneling/pivoting techniques, bypass anti-virus, and use built-in commands to extend our influence over the target environment and find issues that lesser testers may have missed. We'll also look at some of the common mistakes surrounding poorly or incorrectly implemented cryptography and ways to take advantage of those weaknesses to access systems and data that are improperly secured.

CPE/CMU Credits: 6


Anti-Virus Evasion Techniques

  • Manipulating exploits to bypass signature-based anti-virus tools
  • Leveraging packers and obfuscators
  • Altering tools to evade heuristic analysis engines

Advanced Network Pivoting Techniques

  • Protected network infrastructure tunneling with SSH
  • Remote proxy exploits with proxychains
  • Host redirection with Meterpreter host routing

Exploiting Network Infrastructure Components

  • Routing infrastructure manipulation attacks
  • Manipulating hosts through network management interfaces

Exploiting Cryptographic Weaknesses

  • Applying oracle padding attacks against web applications
  • Using entropy analysis to identify weak cryptography
  • Decrypting stream cipher data without key knowledge

Joshua Wright
Sat Sep 21st, 2013
9:00 AM - 5:00 PM


This lively session represents the culmination of the course, where attendees will apply the skills they have mastered throughout all the other sessions in a hands-on workshop. Attendees will participate in a larger version of the exercises present in the class to independently reinforce skills learned throughout the course.

Attendees will apply their newly developed skills to scan for flaws, use exploits, unravel technical challenges, and dodge firewalls, all while guided by the challenges presented to them by the NetWars Scoring Server. By practicing the skills in a combination workshop where multiple focus areas are combined, participants will have the opportunity to explore, exploit, pillage, and continue to reinforce skills against a realistic target environment.

CPE/CMU Credits: 6

Additional Information

Throughout the course, students will participate in hands-on lab exercises. Students must bring their own laptops to class that meet the requirements described below.


Students must bring a Windows 7, Windows Vista, or Windows XP laptop to class, preferably running natively on the system hardware. It is possible to complete the lab exercises using a virtualized Windows installation; however, this will result in reduced performance when running device emulators within the virtualized Windows host. If you are a Windows XP user, make sure you also have the .NET 3.5 framework installed, which can be downloaded from .

Administrative Windows Access

For several tools utilized in the course, students will be required to perform actions with administrative privileges. Students must have administrative access on their Windows host, including the ability to unload or disable security software such as anti-virus or firewall agents as necessary for the completion of lab exercises.


Students will use a virtualized MobiSec Linux VMware guest for several lab exercises. VMware Workstation or VMware Player is recommended. Note that there is no cost associated with the use of VMware Player, which can be downloaded from the VMware website.

While some students successfully use VMware Fusion for the exercises, the relative instability of VMware Fusion may introduce delays in exercise preparation, preventing the timely completion of lab exercises. VirtualBox and other virtualization tools are not supported at this time.

Hardware Requirements

Several of the software components used in the course are hardware intensive, requiring more system resources than what might be required otherwise for day-to-day use of a system. Please ensure your laptop meets the following minimum hardware requirements:

  • Minimum 2 GB RAM, 4 GB recommended
  • Ethernet (RJ45) network interface; students will not be able to complete lab exercises with systems that only have a wireless card, such as the MacBook Air
  • 1.5 GHz processor minimum
  • 30 GB free hard disk space
  • DVD drive (not a CD drive)
  • Minimum screen resolution 1024x768; a larger screen resolution will reduce scrolling in several applications and provide a more pleasant end-user experience

If you have additional questions about the laptop specifications, please contact

  • Security professionals that want to expand their hands-on technical skills in new analysis areas such as packet analysis, digital forensics, vulnerability assessment, system hardening, and penetration testing
  • Systems and network administrators that want to gain hands-on experience in information security skills to become better administrators
  • Incident response analysts who want to better understand system attack and defense techniques
  • Forensic analysts who need to improve their analysis through experience with real-world attacks
  • Penetration testers seeking to gain practical hands-on experience for use in their own assessments

Participants must have introductory-level experience with information security. (SEC401)

  • Course book
  • Daily lab answer books detailing all the course challenge exercises
  • Course DVD and associated software, files, and analysis resources

  • Use network scanning and vulnerability assessment tools to effectively map out networks and prioritize discovered vulnerabilities for effective remediation
  • Use password analysis tools to identify weak authentication controls leading to unauthorized server access
  • Evaluate web applications for common developer flaws leading to significant data loss conditions
  • Manipulate common network protocols to maliciously reconfigure internal network traffic patterns
  • Identify weaknesses in modern anti-virus signature and heuristic analysis systems
  • Inspect the configuration deficiencies and information disclosure threats present on Windows and Linux servers
  • Bypass authentication systems for common web application implementations
  • Exploit deficiencies in common cryptographic systems
  • Bypass monitoring systems by leveraging IPv6 scanning and exploitation tools
  • Harvest sensitive mobile device data from iOS and Android targets

Author Statement

Hands-on security skills are what employers and security practitioners really need today to fight off increasingly sophisticated attacks. This course teaches in-depth security analysis capabilities through 80% hands-on exercises and labs, the most ever for a SANS course. Students work together with a master instructor to learn how to solve increasingly demanding information security challenges that they can apply the day that they get back to their jobs. -Josh Wright