Last Day to Save $300 on Cyber Security Training at SANS Seattle Spring 2020! 7 Courses Available.

SANS 2015

Orlando, FL | Sat, Apr 11 - Sat, Apr 18, 2015
This event is over,
but there are more training opportunities.

SEC573: Python for Penetration Testers

Mon, April 13 - Fri, April 17, 2015

SEC573 is a well-laid-out course. It's flexible for all students, and a wide range of tools and techniques are taught.

J Morrison, Aegon

I am new to programming, and I studied Python via 'Learn Python the Hard Way' before coming to class. SEC573 gave me a deeper understanding of general concepts, as well as where to continue going with a focus on security.

Brian Martin, ICANN

Your target has been well hardened. So far, your every attempt to compromise their network has failed. You did find evidence of vulnerability, a break in their defensive posture. Unfortunately, all of your tools have failed to successfully exploit it. Your employers demand results. You want to model the actions of an advanced adversary and take advantage of that discovered flaw your tools can't seem to address. What do you do when off-the-shelf tools fall short? You write your own tool!

SEC573: Python for Penetration Testers will teach you the skills needed not only to tweak or customize tools, but to even develop your own tools from scratch. The course is designed to meet you at your current skill level and appeal to a wide variety of backgrounds. Whether you have absolutely no coding experience or are a skilled Python developer looking to apply your coding skills to penetration testing, this course has something for you.

You cannot become a world-class tool builder by merely listening to lectures, so this course is chock full of hands-on labs. Every day we will teach you the skills you need to develop serious Python programs and show you how to apply those skills in penetration testing engagements.

The course begins with an introduction to SANS pyWars, which is a four-day Capture the Flag competition that runs parallel to the course material. It will challenge your existing programming skills and help you develop new skills at your own pace. Experienced programmers can quickly progress to more advanced concepts while novice programmers spend time building a strong foundation.


We then cover the essential skills required to get the most out of the Python language. The essentials workshop labs will teach you the concepts and techniques required to develop your own tools. The workshop focuses on essential programming skills and how to apply them in real-world scenarios, but it also shows you shortcuts that will make even experienced developers more deadly. Once everyone understands the essentials, we apply those skills by developing tools to help you in your next penetration test. You will develop a port-scanning, anti-virus-evading, client-infecting backdoor for placement on target systems, as well as a SQL injection tool to extract data from websites that are immune to off-the-shelf tools. You will learn the concepts required to build a multi-threaded password guessing tool and a packet assembling network reconnaissance tool. The course concludes with a capstone one-day Capture the Flag event that complements the pyWars challenge and tests your ability to apply your new tools and coding skills in a penetration testing challenge.

The ability to read, write, and customize software is what distinguishes the good penetration tester from the great one. The best penetration testers can customize existing open-source tools or develop their own tools. Unfortunately, even though organizations serious about security continually emphasize their need for skilled tool builders, many testers do not have these skills. Developing these skills is not beyond your reach. So when you are ready to fully weaponize your penetration testing skillset and build and use your own tools to automate your penetration testing skills, join us for SEC573: Python for Penetration Testers.

In-depth Python...fully weaponized.

You Will Learn:

  • How to leverage Python Scripting to maximize the effectiveness of your penetration tests.
  • How to use TCP Sockets to build network applications.
  • How to develop Web Application attack tools.
  • How to parse TCP Packets and PCAP data to extract valuable data.
  • How to use advanced application concepts, such as threading and message queueing.


Course Syllabus

Mark Baggett
Mon Apr 13th, 2015
9:00 AM - 5:00 PM


The course begins with a brief introduction to Python and the pyWars Capture the Flag challenge. We set the stage for students to learn at their own pace in the 100 percent hands-on pyWars lab environment. While more advanced students take on Python-based Capture the Flag challenges, students who are new to programming will start from the very beginning with Python essentials, including variables, math operators, strings, functions, modules, compound statements, and introspection.

CPE/CMU Credits: 6

Mark Baggett
Tue Apr 14th, 2015
9:00 AM - 5:00 PM


The second day continues the hands-on and lab-centric approach established on day one. This section covers the essentials of the language, including data structures and programming concepts. With the essentials of the language under your belt, the pyWars challenges and the in-class labs start to cover more complex subjects, such as lists, loops, tuples, dictionaries, the Python Debugger, System Arguments & ArgParser, and file operations.

CPE/CMU Credits: 6

Mark Baggett
Wed Apr 15th, 2015
9:00 AM - 5:00 PM


With a core set of skills established, we shift gears on day three. You will begin developing penetration testing tools to use in your next engagement. You will develop a backdoor command shell that evades antivirus software and provides you with that critical initial foothold in the target environment. You will then develop a customizable SQL injection tool that you can use to extract all the data from a vulnerable database when off-the-shelf tools fail. Finally, we will discuss how to speed up your code with multi-threading.

CPE/CMU Credits: 6

  • Python Backdoor Topics: Network Sockets, Exception Handling, Process Execution, Metasploit Integration, Antivirus, and IDS Evasion.
  • SQL Injection Attack Tool Topics: Introduction to SQL, Blind SQL Injection Techniques, Developing Web Clients, Multi-Threaded Applications, Mutexes and Semaphores, Message Queues, and Thread Communications.

Mark Baggett
Thu Apr 16th, 2015
9:00 AM - 5:00 PM


In this section you will develop more tools to make you a more lethal penetration tester. First, you will develop a custom web-based password guesser. This will teach you how to get the most out of Python's web-based libraries and interact with websites using cookies, proxies, and other features in order to attack and exploit the most difficult web-based authentication systems. Then you will write a network reconnaissance tool that will demonstrate the power of Python's third-party libraries.

CPE/CMU Credits: 6

  • Password Attack Topics: HTTP Form Password Guessing, Advanced Web Client Techniques, HTTP Proxies/HTTP Cookies, and Session Hijacking.
  • Network Reconnaissance Topics: TCP Packet Reassembly with Scapy, Extracting Images from TCP Streams, and Analyzing Image Metadata.

Mark Baggett
Fri Apr 17th, 2015
9:00 AM - 5:00 PM


The Capture the Flag event on the final day complements the pyWars challenge and tests your ability to apply your new penetration testing tools and coding skills. Working in teams, students apply the skills they have mastered in a series of penetration testing challenges. Participants will exercise the skills and code they have developed over the previous four days as they exploit vulnerable systems, break encryption cyphers, and remotely execute code on target systems. Test your skills! Prove your might!

CPE/CMU Credits: 6

Additional Information

Students are required to bring their own laptop so that they can connect directly to the workshop network we will create, and thus get the most value out of the course. It is the students' responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine. All of the VMWare products are available at


You are required to bring Windows 8.1 (Professional), Windows 8 (Professional), Windows 7 (Professional, Enterprise, or Ultimate) or Windows Vista (Business, Enterprise, or Ultimate) either on a real system or a virtual machine. You will need administrative access to your Windows computer and the ability to install various software packages, including Python, on that computer.

IMPORTANT NOTE: You may also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that Administrator password for your anti-virus tool.

The course includes a VMware image file of a guest Linux system that is larger than 10 GB. Therefore, you need a file system with the ability to read and write files that are larger than 10 GB, such as NTFS on a Windows machine.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.


You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player 3 or later or the commercial VMware Workstation 6 or later installed on your system prior to coming to class. You can download VMware Player for free here.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation here. VMware will send you a time- limited license number for VMware Workstation if you register for the trial on its website. No license number is required for VMware Player.

We will give you a DVD full of tools to use during the class (which is yours to keep). You will need a DVD drive to read the tools on that DVD for the course. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.


You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

  • x86- or x64-compatible 1.5 GHz CPU minimum or higher.
  • DVD drive (not a CD drive).
  • 2 GB RAM minimum, with 4 GB or higher recommended
  • Ethernet adapter: A wired connection is required in class. If your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you.
  • 10 GB available hard drive space.

During the workshop, you will be connecting to one of the most hostile networks on planet earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn - and have a lot of fun doing it!

If you have additional questions about the laptop specifications, please contact

  • Security professionals who want to learn how to develop Python applications.
  • Penetration testers who want to move from being a consumer of security tools to being a creator and customizer of security tools.
  • Technologists who need custom tools to test their infrastructure and want to create those tools themselves.

A basic understanding of any programming or scripting language is highly recommended but not required for this class.

Other Courses People Have Taken

Courses that lead in to SEC573:

Courses that are good follow-ups to SEC573:

  • A virtual machine with sample code and working examples.
  • A copy of Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers, T.J. O'Connor's critically-praised book that shows readers how to forge their own weapons using the Python programming language.
  • Write a backdoor that uses Exception Handling, Sockets, Process execution, and encryption to provide you with your initial foothold in a target environment. The backdoor will include features such as a port scanner to find an open outbound port, techniques for evading antivirus software and network monitoring, and the ability to embed payload from tools such as Metasploit.
  • Write a SQL injection tool that uses standard Python libraries to interact with target websites. You will be able to use different SQL attack techniques for extracting data from a vulnerable target system.
  • Develop a password-guessing attack tool with features like multi-threading, cookie handlers, support for application proxies such as Burp, and much more.
  • Write a network reconnaissance tool that uses SCAPY, StringsIO, and PIL to reassemble TCP packet streams, extract data payloads such as images, display images, extract metadata such as GPS coordinates, and link those images with GPS coordinates to Google maps.
  • File Input and Output
  • The Backdoor Shell - Write your own backdoor!
  • SQL Injection Utility - When SQLMAP just won't do the job.
  • Threading Concepts - When and how to use threading capabilities.
  • Password Guessing - That customized CAPTCHA cannot stop me
  • Advanced Network Recon - There is nowhere to hide.
  • pyWars - An online hacking competition for the first four days of class with challenges for beginner and advanced programmers.
  • Capture the Flag - Test your ability to apply your new tools and coding skills in a penetration testing challenge.

"SEC573 is vital for anyone who considers themselves to be a pen tester." - Jeff Turner, Lexis Nexis Risk Solutions

"So far the content of Python for Penetration Testers has been great. I have learned several things, even as an advanced user." - Matthew Garfinkle, ManTech International Corporation

Author Statement

Good scripting skills are essential to professionals in all aspects of information security. Understanding how to develop your own applications means you can automate tasks and do more, with fewer resources, in less time. As penetration testers, knowing how to use canned information security tools is a basic skill that you must have. But knowing how to build your own tools when the tools someone else wrote fail is what separates the great penetration testers from the good ones. This course is designed for security professionals who want to learn how to apply basic coding skills to do their job more efficiently. The course will help take your career to the next level by teaching you the essential skills needed to develop applications that interact with networks, websites, databases, and file systems. We will cover these essential skills as we build practical applications that you can immediately put into use in your penetration tests.

- Mark Baggett