Two weeks of training and 14 courses available in San Francisco - Mar. 16-27. Save $300 thru 1/22!

SANS 2017

Orlando, FL | Fri, Apr 7 - Fri, Apr 14, 2017
This event is over,
but there are more training opportunities.

SEC573: Automating Information Security with Python New

Sun, April 9 - Fri, April 14, 2017

I really like how Mark Baggett designed SEC573 for both rookies and advanced professionals--I can multitask, which I love.

Greg B, Anonymous

SEC573 is a course every cyber analyst needs! The instruction and course material is the best I have seen in the 500+ hours of training I have received.

Jonathan C., U.S. Federal Government Department

All security professionals, including Penetration Testers, Forensics Analysts, Network Defenders, Security Administrators, and Incident Responders, have one thing in common. CHANGE. Change is constant. Technology, threats, and tools are constantly evolving. If we don't evolve with them, we'll become ineffective and irrelevant, unable to provide the vital defenses our organizations increasingly require.

Maybe your chosen Operating Systems has a new feature that creates interesting forensics artifacts that would be invaluable for your investigation, if only you had a tool to access it. Often for new features and forensics artifacts, no such tool has yet been released. You could try moving your case forward without that evidence or hope that someone creates a tool before the case goes cold...or you can write a tool yourself.

Or, perhaps an attacker bypassed your defenses and owned your network months ago. If existing tools were able to find the attack, you wouldn't be in this situation. You are bleeding sensitive data and the time-consuming manual process of finding and eradicating the attacker is costing you money and hurting your organization big time. The answer is simple if you have the skills: Write a tool to automate your defenses.

Or, as a Penetration tester, you need to evolve as quickly as the threats you are paid to emulate. What do you do when "off-the-shelf" tools and exploits fall short? If you're good, you write your own tool.


Writing a tool is easier said than done, right? Not really. Python is a simple, user-friendly language that is designed to make automating tasks that security professionals perform quick and easy. Whether you are new to coding or have been coding for years, SANS SEC573 Automating Information Security with Python will have you creating programs to make your job easier and make you more efficient. This self-paced class starts from the very beginning assuming you have no prior experience or knowledge of programming. We cover all of the essentials of the language up front. If you already know the essentials, you will find that the pyWars lab environment allows advanced developers to quickly accelerate to more advanced material in the class. The self-paced style of the class will meet you where you are to let you get the most out of the class you can. Beyond the essentials we discuss file analysis, packet analysis, forensics artifact carving, networking, database access, website access, process execution, exception handling, object oriented coding and more.

This course is designed to give you the skills you need for tweaking, customizing, or outright developing your own tools. We put you on the path of creating your own tools, empowering you in automating the daily routine of today's information security professional, achieving more value in less time. Again and again, organizations serious about security emphasize their need for skilled tool builders. There is a huge demand for people who can understand a problem and then rapidly develop prototype code to attack or defend against it. Join us and learn Python in-depth and fully weaponized.

You Will Learn:

  • How to leverage Python Scripting to maximize the effectiveness of your penetration tests.
  • How to use TCP Sockets to build network applications.
  • How to develop Web Application attack tools.
  • How to parse TCP Packets and PCAP data to extract valuable data.
  • How to use advanced application concepts, such as threading and message queueing.


Course Syllabus

Mark Baggett
Sun Apr 9th, 2017
9:00 AM - 5:00 PM


The course begins with a brief introduction to Python and the pyWars capture the flag game. We set the stage for students to learn at their own pace in the 100% hands-on pyWars lab environment. As more advanced students take on Python-based Capture The Flag challenges, students who are new to programming will start from the very beginning with Python essentials, including:

  • Python Syntax, Variables, Math Operators, Strings, Functions, Modules, Control Statements, Introspection

CPE/CMU Credits: 6

Mark Baggett
Mon Apr 10th, 2017
9:00 AM - 5:00 PM


You will never learn to program by staring at PowerPoint slides. The second day continues the hands-on, lab-centric approach established on day one. This section covers data structures and more detailed programming concepts. Next, we focus on invaluable tips and trick to make you a better Python programmer and how to debug your code. Day two includes topics such as:

  • Lists, Loops, Tuples, Dictionaries, The Python Debugger, Coding Tips, Tricks and Shortcuts, System Arguments, and the ArgParser Module

CPE/CMU Credits: 6

Mark Baggett
Tue Apr 11th, 2017
9:00 AM - 5:00 PM

Day 3-5 Automating Information Security: The next three days are focused on expanding your Python skills, leveraging modules and performing important operations used by all information security professionals. You will learn about file operations, log analysis, database operations, low-level network operations such as Raw sockets and packet parsing, high-level network operations such as HTTP and authentication, object oriented coding, regular expressions, subprocess execution and automation and much more. We demonstrate that these skills are common to every security profession and useful to everyone regardless of your discipline by giving each of the three days their own theme.


Day three includes in-depth coverage about how defenders can use Python automation as we cover Python modules and techniques that everyone can use. Forensicators and offensive security professionals will also learn essential skills they will apply to their craft. We will play the role of a network defender who needs to find the attackers on their network. We will discuss how to analyses network logs and packets to discover where the attackers are coming from and what they are doing. We will build scripts to empower continuous monitoring and disrupt the attackers before they exfiltration your data. Day 3 topics include:

  • File Operations, Python Sets, Regular Expressions, Log Parsing, Data Analysis tools and techniques, Long Tail/Short Tail Analysis, Geolocation acquisition, blacklists and whitelists, Packet Analysis, Packet reassembly, Payload extraction

CPE/CMU Credits: 6

Mark Baggett
Wed Apr 12th, 2017
9:00 AM - 5:00 PM


On day four we will play the role of a forensics analyst who has to carve evidence from artifacts when no tool exists to do so. Even if you don't do forensics you will find these skills covered on day four are foundational to every security role. We will discuss the process required to carve binary images, find appropriate data of interest in them, and extract that data. Once you have the artifact isolated, there is more analysis to be done. You will learn how to extract metadata from image files. Then we will discuss techniques for finding artifacts in other locations such as SQL databases and interacting with web pages. Day 4 subjects include:

  • Acquiring Images from disk, memory and the network, File Carving, the STRUCT module, Raw Network Sockets and protocols, Image Forensics and PIL, SQL Queries, HTTP Communications with Python built in Libraries, Web communications with the Requests module

CPE/CMU Credits: 6

Mark Baggett
Thu Apr 13th, 2017
9:00 AM - 5:00 PM


On day five we play the role of penetration tester whose normal tricks have failed. Their attempts to establish a foothold have been stopped by modern defenses. To bypass these defenses, you will build an agent to give you access to a remote system. Similar agents can be used for Incident response or systems administration, but our focus will be on offensive operations.Today's subjects include:

  • Network Socket Operations, Exception Handling, Process execution, Blocking and Non-blocking Sockets, Asynchronous operations, the select module, Python objects, Argument packing and unpacking

CPE/CMU Credits: 6

Mark Baggett
Fri Apr 14th, 2017
9:00 AM - 5:00 PM


In this final section you will be placed on a team with other students. Working as a team, you will apply the skills you have mastered in a series of programming challenges. Participants will exercise the skills and code they have developed over the previous five days as they exploit vulnerable systems, break encryption cyphers, analyze packets, parse logs, and automate code execution on remote systems. Test your skills! Prove your might!

CPE/CMU Credits: 6

Additional Information

Students are required to bring their own laptop so that they can connect directly to the workshop network we will create, and thus get the most value out of the course. It is the students' responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine. All of the VMWare products are available at


You are required to bring Windows 10 (Professional), Windows 8.1 (Professional), Windows 8 (Professional), Windows 7 (Professional, Enterprise, or Ultimate) or Windows Vista (Business, Enterprise, or Ultimate) either on a real system or a virtual machine. You will need administrative access to your Windows computer and the ability to install various software packages, including Python, on that computer.

IMPORTANT NOTE: You may also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that Administrator password for your anti-virus tool.

The course includes a VMware image file of a guest Linux system that is larger than 15 GB. Therefore, you need a file system with the ability to read and write files that are larger than 15 GB, such as NTFS on a Windows machine.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.


You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player or later or the commercial VMware Workstation 8 or later installed on your system prior to coming to class. You can download VMware Workstation Player for free

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation here. VMware will send you a time- limited license number for VMware Workstation if you register for the trial on its website. No license number is required for VMware Player.

We will give you a DVD full of tools to use during the class (which is yours to keep). You will need a DVD drive to read the tools on that DVD for the course. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.


You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

  • x86- or x64-compatible 2.0 GHz CPU minimum or higher.
  • An available USB port.
  • 4 GB or higher recommended.
  • Ethernet adapter: A wired connection is required in class. If your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you.
  • 15 GB available hard drive space.

During the workshop, you will be connecting to one of the most hostile networks on planet earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn - and have a lot of fun doing it!

If you have additional questions about the laptop specifications, please contact

  • Security professionals who want to learn how to develop Python applications.
  • Penetration testers who want to move from being a consumer of security tools to being a creator and customizer of security tools.
  • Technologists who need custom tools to test their infrastructure and want to create those tools themselves.

A basic understanding of any programming or scripting language is highly recommended but not required for this class.

Other Courses People Have Taken

Courses that lead in to SEC573:

Courses that are good follow-ups to SEC573:

  • A virtual machine with sample code and working examples.
  • A copy of Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers, T.J. O'Connor's critically-praised book that shows readers how to forge their own weapons using the Python programming language.
  • MP3 audio files of the complete course lecture.
  • Write a backdoor that uses Exception Handling, Sockets, Process execution, and encryption to provide you with your initial foothold in a target environment. The backdoor will include features such as a port scanner to find an open outbound port, techniques for evading antivirus software and network monitoring, and the ability to embed payload from tools such as Metasploit.
  • Write a SQL injection tool that uses standard Python libraries to interact with target websites. You will be able to use different SQL attack techniques for extracting data from a vulnerable target system.
  • Develop a password-guessing attack tool with features like multi-threading, cookie handlers, support for application proxies such as Burp, and much more.
  • Write a network reconnaissance tool that uses SCAPY, StringsIO, and PIL to reassemble TCP packet streams, extract data payloads such as images, display images, extract metadata such as GPS coordinates, and link those images with GPS coordinates to Google maps.

The Python Essentials Workshop labs - Variables, functions, modules, if/elif/else, for, while, list, dictionaries, sets and more

pyWars labs - An online programming competition that runs the first five days of class with additional hands on labs for beginners and expert challenges. Challenges include reverse engineering malware, malware covert channels, cryptography essentials, advanced regular expressions, advanced network communications and more.

Practical application labs - The application of coding concept are applied to build tools for defenders, forensicators and penetration testers. The labs cover Parsing logs files to identify hackers, Long Tail/Short Tail analysis of logs, Capturing and Parsing Network Packets, Carving forensics artifacts from binary data, Retrieving SQL data, Interacting with Websites, Process execution, Exception handling, synchronous and asynchronous network communications and more. The Python modules and concepts covered in these labs include: File Operations, Python Sets, Regular Expressions, gzip, collections module,, Geolite, scapy,, struct, sockets, select, Python Objects, argument packing and unpacking, sqlite3 , urllib,urllib2, cookielib, requests, StringIO, and more.

Capture the flag - Test your ability to apply your new tools and coding skills

"SEC573 is vital for anyone who considers themselves to be a pen tester." - Jeff Turner, Lexis Nexis Risk Solutions

"So far the content of Python for Penetration Testers has been great. I have learned several things, even as an advanced user." - Matthew Garfinkle, ManTech International Corporation

Author Statement

Good scripting skills are essential to professionals in all aspects of information security. Understanding how to develop your own applications means you can automate tasks and do more, with fewer resources, in less time. As penetration testers, knowing how to use canned information security tools is a basic skill that you must have. But knowing how to build your own tools when the tools someone else wrote fail is what separates the great penetration testers from the good ones. This course is designed for security professionals who want to learn how to apply basic coding skills to do their job more efficiently. The course will help take your career to the next level by teaching you the essential skills needed to develop applications that interact with networks, websites, databases, and file systems. We will cover these essential skills as we build practical applications that you can immediately put into use in your penetration tests.

- Mark Baggett