Pen Test Hackfest Summit & Training

Alexandria, VA | Mon, Nov 16 - Mon, Nov 23, 2015
This event is over, but there are more training opportunities.

SEC560: Network Penetration Testing and Ethical Hacking

Wed, November 18 - Mon, November 23, 2015

As someone new to offense, SEC560 is an amazing introduction to the tactics and capabilities of an attacker.

John Hubbard, GlaxoSmithKline

SEC560 has some of the best labs I have taken at SANS. The slingshot environment is really beneficial. It was a solid learning environment!

Michael McDonald, Eli Lilly and Company

As a cyber security professional, you have a unique responsibility to find and understand your organization's vulnerabilities, and to work diligently to mitigate them before the bad guys pounce. Are you ready? SANS SEC560, our flagship course for penetration testing, fully arms you to address this duty head-on.

SEC560 is the must-have course for every well-rounded security professional.

This course starts with proper planning, scoping and recon, then dives deep into scanning, target exploitation, password attacks and wireless and web apps, with over 30 detailed hands-on labs throughout.

Learn the best ways to test your own systems before the bad guys attack.

Chock full of practical, real-world tips from some of the world's best penetration testers, SEC560 prepares you to perform detailed reconnaissance by examining a target's infrastructure and mining blogs, search engines, social networking sites and other Internet and intranet infrastructure. You will be equipped to scan target networks using best-of-breed tools. We will not just cover run-of-the-mill options and configurations; we will also go over the lesser-known but highly useful capabilities of the best pen test toolsets available today. After scanning, you will learn dozens of methods for exploiting target systems to gain access and measure real business risk, then examine post-exploitation, password attacks, wireless and web apps, pivoting through the target environment to model the attacks of real-world bad guys.

You will bring comprehensive penetration testing and ethical hacking know-how back to your organization.

After building your skills in challenging labs over five days, the course culminates with a full-day, real-world network penetration test scenario. You will conduct an end-to-end penetration test, applying the knowledge, tools and principles from throughout the course as you discover and exploit vulnerabilities in a realistic sample target organization.


You Will Learn:

  • How to perform a detailed, end-to-end professional penetration test using the best methodologies in the industry
  • Hands-on skills to use the most powerful ethical hacking tools, including Nmap, Nessus, Metasploit, John the Ripper, Rainbow Tables, web application attack tools and more
  • How to utilize built-in operating system tools on Windows and Linux in a weaponized fashion so that you can pen test while living off the land, avoiding the risk of installing third-party tools
  • How to provide true business value through in-depth technical excellence in network penetration testing and ethical hacking
  • How to structure and conduct a network penetration testing project with maximum efficiency and appropriate safety


Course Syllabus

Ed Skoudis, Erik Van Buggenhout
Wed Nov 18th, 2015
9:00 AM - 7:15 PM


In this section of the course, you will develop the skills needed to conduct a best-of-breed, high-value penetration test. We will go in-depth on how to build penetration testing infrastructure that includes all the hardware, software, network infrastructure and tools you will need to conduct great penetration tests, with specific low-cost recommendations for your arsenal. We will then cover formulating a pen test scope and rules of engagement that will set you up for success, including a role-play exercise. We also dig deep into the reconnaissance portion of a penetration test, covering the latest tools and techniques, including hands-on document metadata analysis to pull sensitive information about a target environment.

CPE/CMU Credits: 7

  • The Mindset of the Professional Pen Tester
  • Building a World-Class Pen Test Infrastructure
  • Creating Effective Pen Test Scopes and Rules of Engagement
  • Detailed Recon Using the Latest Tools
  • Effective Pen Test Reporting to Maximize Impact
  • Mining Search Engine Results
  • Document Metadata Extraction and Analysis

Ed Skoudis, Erik Van Buggenhout
Thu Nov 19th, 2015
9:00 AM - 5:00 PM


We next focus on the vital task of mapping the attack surface by creating a comprehensive inventory of machines, accounts and potential vulnerabilities. We will look at some of the most useful scanning tools freely available today and run them in numerous hands-on labs to help hammer home the most effective way to use each tool. We will also conduct a deep dive into some of the most useful tools available to pen testers today for formulating packets: Scapy and Netcat. We finish the day covering vital techniques for false-positive reduction so you can focus your findings on meaningful results and avoid the sting of a false positive. And we will examine the best ways to conduct your scans safely and efficiently.

CPE/CMU Credits: 6

  • Tips for Awesome Scanning
  • Tcpdump for the Pen Tester
  • Nmap In-Depth: The Nmap Scripting Engine
  • Version Scanning with Nmap and Amap
  • Vulnerability Scanning with Nessus and Retina
  • False-Positive Reduction
  • Packet Manipulation with Scapy
  • Enumerating Users
  • Netcat for the Pen Tester
  • Monitoring Services during a Scan

Ed Skoudis, Erik Van Buggenhout
Fri Nov 20th, 2015
9:00 AM - 5:00 PM


This section looks at the many kinds of exploits that penetration testers use to compromise target machines, including client-side exploits, service-side exploits and local privilege escalation. We will see how these exploits are packaged in frameworks like Metasploit and its mighty Meterpreter. You will learn in-depth how to leverage Metasploit and the Meterpreter to compromise target environments, search them for information to advance the penetration test and pivot to other systems, all with a focus on determining the true business risk of the target organization. We will also look at post-exploitation analysis of machines and pivoting to find new targets, finishing the section with a lively discussion of how to leverage the Windows shell to dominate target environments.

CPE/CMU Credits: 6

  • Comprehensive Metasploit Coverage with Exploits/Stagers/Stages
  • In-Depth Meterpreter Hands-On Labs
  • Implementing Port Forwarding Relays for Merciless Pivots
  • Bypassing the Shell vs. Terminal Dilemma
  • Installing VNC/RDP/SSH with Only Shell Access
  • Windows Command Line Kung Fu for Penetration Testers

Ed Skoudis, Erik Van Buggenhout
Sat Nov 21st, 2015
9:00 AM - 5:00 PM


This component of the course turns our attention to password attacks, analyzing password guessing, password cracking, and pass-the-hash techniques in depth. We will go over numerous tips based on real-world experience to help penetration testers and ethical hackers maximize the effectiveness of their password attacks. You will patch and custom-compile John the Ripper to optimize its performance in cracking passwords. You will look at the amazingly full-featured Cain tool, running it to crack sniffed Windows authentication messages. You will also perform multiple types of pivots to move laterally through our target lab environment, and pluck hashes and cleartext passwords from memory using the Mimikatz tool. We will see how Rainbow Tables really work to make password cracking much more efficient, all hands-on. And we will finish the day with an exciting discussion of powerful pass-the-hash attacks, leveraging Metasploit, the Meterpreter, and SAMBA client software.

CPE/CMU Credits: 6

  • Password Attack Tips
  • Account Lockout and Strategies for Avoiding It
  • Automated Password Guessing with THC-Hydra
  • Retrieving and Manipulating Hashes from Windows, Linux, and Other Systems
  • Massive Pivoting through Target Environments
  • Extracting Hashes and Passwords from Memory with Mimikatz
  • Password Cracking with John the Ripper and Cain
  • Using Rainbow Tables to Maximum Effectiveness
  • Pass-the-Hash Attacks with Metasploit and More

Ed Skoudis, Erik Van Buggenhout
Sun Nov 22nd, 2015
9:00 AM - 5:00 PM


This in-depth section of the course focuses on helping you become a well-rounded penetration tester. Augmenting your network penetration testing abilities, we turn our attention to methods for finding and exploiting wireless weaknesses, including identifying misconfigured access points, cracking weak wireless protocols and exploiting wireless clients. We then turn our attention to web application pen testing, with detailed hands-on exercises that involve finding and exploiting cross-site scripting (XSS), cross-site request forgery (XSRF), command injection and SQL injection flaws in applications such as online banking, blog sites and more.

CPE/CMU Credits: 6

  • Wireless Attacks
  • Discovering Access
  • Attacking Wireless Crypto Flaws
  • Client-Side Wireless Attacks
  • Finding and Exploiting Cross-Site Scripting
  • Cross-Site Request Forgery
  • SQL Injection
  • Leveraging SQL Injection to Perform Command Injection
  • Maximizing Effectiveness of Command Injection Testing

Ed Skoudis, Erik Van Buggenhout
Mon Nov 23rd, 2015
9:00 AM - 5:00 PM


This lively session represents the culmination of the network penetration testing and ethical hacking course, where you will apply all of the skills mastered in the course in a full-day, hands-on workshop. You will conduct an actual penetration test of a sample target environment. We will provide the scope and rules of engagement, and you will work with a team to achieve your goal of finding out whether the target organization's Personally Identifiable Information is at risk. As a final step to prepare you for conducting penetration tests, you will make recommendations about remediating the risks you identify.

CPE/CMU Credits: 6

  • Applying Penetration Testing and Ethical Hacking Practices End-to-End
  • Scanning
  • Exploitation
  • Post-Exploitation
  • Pivoting and Analyzing Results

Additional Information


To get the most value out of this course, students are required to bring their own laptop so that they can connect directly to the workshop network we will create. It is the students' responsibility to make sure the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.


You are required to bring Windows 8 or 8.1 (Professional, Enterprise, or Ultimate), Windows 7 (Professional, Enterprise, or Ultimate), Windows Vista (Business, Enterprise, or Ultimate) or Windows 2008/2012 Server, either a real system or a virtual machine.

The course includes a VMware image file of a guest Linux system that is larger than 3 GB. Therefore, you need a file system with the ability to read and write files that are larger than 2 GB, such as NTFS on a Windows machine.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function, even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.


You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player 6 or later or the commercial VMware Workstation 10 or later installed on your system prior to coming to class. You can download VMware Player for free here.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation here. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on their website. No license number is required for VMware Player.

We will give you a DVD full of attack tools to experiment with during the class and to take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.


You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation, VMware Player or VMware Fusion. The class does not support VirtualBox, Virtual PC, or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

  • x86-compatible or x64-compatible CPU, 2.0 GHz minimum
  • DVD drive
  • 4 GB RAM minimum with 8 GB or higher recommended
  • Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you)
  • 10 GB available hard-drive space
  • Any Service Pack level is acceptable for Windows 8, Windows 7 or Windows Vista

During the workshop, you will be connecting to one of the most hostile networks on Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact

  • Security personnel whose job involves assessing networks and systems to find and remediate vulnerabilities
  • Penetration testers
  • Ethical hackers
  • Auditors who need to build deeper technical skills
  • Red team members
  • Blue team members

SANS Security 560 attendees are expected to have a working knowledge of TCP/IP, cryptographic concepts (including one-way hashing, symmetric key cryptography and public key cryptography), and the Windows and Linux command lines before they step into class. Although SANS Security 504: Hacker Tools, Techniques, Exploits, and Incident Handling is not a prerequisite for SEC560, that course covers the groundwork that all SEC560 attendees are expected to know. While SEC560 is technically in-depth, it is important to note that programming knowledge is NOT required for the course. For more information on the differences between SEC560 and SEC504, see the SEC560 and SEC504 FAQS.

Why Choose Our Course?

This SANS course differs from other penetration testing and ethical hacking courses in several important ways:

  • It offers in-depth technical excellence along with industry-leading methodologies to conduct high-value penetration tests.
  • We get deep into the tools arsenal with numerous hands-on exercises that show subtle, less well-known and undocumented features that are useful for professional penetration testers and ethical hackers.
  • It discusses how the tools interrelate with each other in an overall testing process. Rather than just throwing up a bunch of tools and playing with them, we analyze how to leverage information from one tool to get the most bang out of the next tool.
  • We focus on the workflow of professional penetration testers and ethical hackers, proceeding step by step and discussing the most effective means for conducting projects.
  • The sessions address common pitfalls that arise in penetration tests and ethical hacking projects, providing real-world strategies and tactics for avoiding these problems to maximize the quality of test results.
  • We cover several time-saving tactics based on years of in-the-trenches experience of real penetration testers and ethical hackers: tasks that might take hours or days unless you know the little secrets we will cover that will let you surmount a problem in minutes.
  • The course stresses the mindset of successful penetration testers and ethical hackers, which involves balancing the often contravening forces of thinking outside the box, methodically troubleshooting, carefully weighing risks, following a time-tested process, painstakingly documenting results and creating a high-quality final report that achieves management and technical buy-in.
  • We analyze how penetration testing and ethical hacking should fit into a comprehensive enterprise information security program.

  • Access to the in-class Virtual Training Lab for over 30 in-depth labs
  • A course DVD with numerous tools used for all in-house labs
  • A virtual machine full of network penetration testing tools especially calibrated and tested to work with all our labs and optimized for use in your own penetration tests
  • Access to recorded course audio to help hammer home important network penetration testing lessons
  • Develop tailored scoping and rules of engagement for penetration testing projects to ensure the work is focused, well defined and conducted in a safe manner
  • Conduct detailed reconnaissance using document metadata, search engines and other publicly available information sources to build a technical and organizational understanding of the target environment
  • Utilize the Nmap scanning tool to conduct comprehensive network sweeps, port scans, Operating System fingerprinting and version scanning to develop a map of target environments
  • Choose and properly execute Nmap Scripting Engine scripts to extract detailed information from target systems
  • Configure and launch the Nessus vulnerability scanner so that it discovers vulnerabilities through both authenticated and unauthenticated scans in a safe manner, and customize the output from such tools to represent the business risk to the organization
  • Analyze the output of scanning tools to manually verify findings and perform false positive reduction using Netcat and the Scapy packet crafting tools
  • Utilize the Windows and Linux command lines to plunder target systems for vital information that can further overall penetration test progress, establish pivots for deeper compromise and help determine business risks
  • Configure the Metasploit exploitation tool to scan, exploit and then pivot through a target environment in-depth
  • Conduct comprehensive password attacks against an environment, including automated password guessing (while avoiding account lockout), traditional password cracking, rainbow table password cracking and pass-the-hash attacks
  • Utilize wireless attack tools for Wi-Fi networks to discover access points and clients (actively and passively), crack WEP/WPA/WPA2 keys and exploit client machines included within a project's scope
  • Launch web application vulnerability scanners such as ZAP and then manually exploit Cross-Site Request Forgery, Cross-Site Scripting, Command Injection and SQL injection attacks to determine the business risks faced by an organization
  • Merciless pivoting through a target network
  • Mighty Metasploit and its magnificent Meterpreter
  • Document metadata analysis with ExifTool and Strings
  • Nmap in-depth, including the Nmap Scripting Engine
  • Operating System fingerprinting, version scanning and false-positive reduction
  • Enumerating users and vulnerabilities
  • Intense Scapy packet crafting for pen testers
  • Windows command line kung fu
  • Password cracking with Cain, John the Ripper and Rainbow Tables
  • Pass-the-hash to make Windows whimper
  • Metasploit psexec and Mimikatz to exploit and plunder Windows targets for the win
  • Weaponizing the built-in Windows wmic and sc commands
  • Automated password guessing to get a foot in the door
  • Cracking wireless security protocols, including WPA
  • Exploiting plentiful XSRF flaws in vulnerable web apps
  • In-depth XSS attacks and command injection
  • Leveraging web app SQL injection to extract data and gain shell on a target
  • In addition to daily labs on all these techniques, experience an end-to-end, full-day penetration test lab that covers an integrated penetration test

"SANS is really the only information security training available and is therefore valuable on its own. The wide subject areas, relating to penetration testing, are what makes SEC560 particularly valuable." - Nicholas Capalbo, Federal Reserve of New York

"I think if you genuinely want to learn how exploitation techniques work and how to properly think like a hacker, it would be silly not to attend." - Mark Hamilton, McAfee

"SEC560 is getting better and better. You understand more as the day goes on. Most of these tools I will be able to use in my organization." - Rayen Rai, Godo

"SEC560 helped to take the stew of ideas and techniques in my head and organize them in a 'professionally' usable way." - Richard Tafoya, Redflex Traffic Systems

"I had a great time. SEC560 has tons of useful material and techniques. As with all SANS training, I leave knowing that I can apply this as soon as I am back at work." - Benjamin Bagby, XE.Com

"This type of training is fantastic, all new penetration testers and personnel who interact with testers or set up assessments should take SEC560." - Christopher Duffy, Knowledge Consulting Group

"This will help me determine how safe my work environment is. SEC560 is very fun, I do not feel burnt out at the end of the day." - David Neilson, Western Family Foods

"This is one of the most complete technical courses I have ever taken. The Capture The Flag event really helped pull it all together." - Thomas Hart, Hart Consulting

"This training will have a direct impact on my current and future duties. Also having this resource as an outlet to understand new concepts/tools and better understand tools/concepts I was familiar with." - Marcus Knox, DST

Author Statement

Successful penetration testers do not just throw a bunch of hacks against an organization and regurgitate the output of their tools. Instead, they need to understand how these tools work in-depth and conduct their test in a careful, professional manner. This course explains the inner workings of numerous tools and their use in effective network penetration testing and ethical hacking projects. When teaching the class, I particularly enjoy the numerous hands-on exercises culminating with a final pen testing extravaganza lab.

- Ed Skoudis, SANS Pen Test Curriculum Lead and Faculty Fellow