
SANSFIRE 2020 - Live Online

Virtual, US Eastern | Sat, Jun 13 - Sat, Jun 20, 2020

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

Mon, June 15 - Sat, June 20, 2020

Associated Certification: GIAC Certified Incident Handler (GCIH)

The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection or one or two disgruntled employees (and who doesn't!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential that we understand these hacking tools and techniques.

This course enables you to turn the tables on computer attackers by helping you understand their tactics and strategies in detail, giving you hands-on experience in finding security vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan. It addresses the latest cutting-edge insidious attack vectors, the "oldie-but-goodie" attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, the course provides a time-tested, step-by-step process for responding to computer incidents, and a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them. In addition, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. Finally, students will participate in a hands-on workshop that focuses on scanning for, exploiting, and defending systems. The workshop will enable you to discover the holes in your system before the bad guys do!

This course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

You will learn:

  • How to best prepare for an eventual breach
  • The step-by-step approach used by many computer attackers
  • Proactive and reactive defenses for each stage of a computer attack
  • How to identify active attacks and compromises
  • The latest computer attack vectors and how you can stop them
  • How to properly contain attacks
  • How to ensure that attackers do not return
  • How to recover from computer attacks and restore systems for business
  • How to understand and use hacking tools and techniques
  • Strategies and tools for detecting each type of attack
  • Attacks and defenses for Windows, UNIX, switches, routers, and other systems
  • Application-level vulnerabilities, attacks, and defenses
  • How to develop an incident handling process and prepare a team for battle
  • Legal issues in incident handling

If you are unfamiliar with Linux, please view this short Intro to Linux video to help get you started.

SEC504 vs. SEC560 FAQ

Course Syllabus

Michael Murr
Mon Jun 15th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 7:15 PM ET


Securing an infrastructure is a complex task of balancing business needs against security risks. With the discovery of new security vulnerabilities almost on a daily basis, there is always the potential for an intrusion. In addition to online intrusions, physical incidents like fires, floods, and crime all require a solid methodology for incident handling to be in place to get systems and services back online as quickly and securely as possible.

The first part of this course section looks at the invaluable Incident Handling Step-by-Step model, which was created through a consensus process involving experienced incident handlers from corporations, government agencies, and educational institutes and has been proven effective in hundreds of organizations. This section is designed to provide students with a complete introduction to the incident handling process, using the six steps (preparation, identification, containment, eradication, recovery, and lessons learned) one needs to follow to prepare for and deal with a computer incident.

The second part of this section examines from-the-trenches case studies to understand what does and does not work in identifying computer attackers. This section provides valuable information on the steps a systems administrator can take to improve the chances of catching and prosecuting attackers.

CPE/CMU Credits: 8

Preparation

  • Building an incident response kit
  • Identifying your core incident response team
  • Instrumentation of the site and system

Identification

  • Signs of an incident
  • First steps
  • Chain of custody
  • Detecting and reacting to insider threats

Containment

  • Documentation strategies: video and audio
  • Containment and quarantine
  • Pull the network cable, switch and site
  • Identifying and isolating the trust model

Eradication

  • Evaluating whether a backup is compromised
  • Total rebuild of the Operating System
  • Moving to a new architecture

Recovery

  • Who makes the determination to return to production?
  • Monitoring the system
  • Expect an increase in attacks

Special Actions for Responding to Different Types of Incidents

  • Espionage
  • Inappropriate use

Incident Record-keeping

  • Pre-built forms
  • Legal acceptability

Incident Follow-up

  • Lessons learned meeting
  • Changes in process for the future

Michael Murr
Tue Jun 16th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


Seemingly innocuous data leaking from your network could provide the clue needed by an attacker to blow your systems wide open. This course section covers the details associated with reconnaissance and scanning, which are the first two phases of many computer attacks.

Your networks reveal an enormous amount of information to potential attackers. In addition to looking for information leakage and open-source intelligence (OSINT), attackers also conduct detailed scans of systems, scouring for openings to get through your defenses. To break into your network, they scope out targets of opportunity, such as weak DMZ systems and turnkey platforms, unsecured modems, or vulnerable Wi-Fi and proprietary wireless systems. Attackers are increasingly employing devious scanning techniques to target publicly accessible and internal systems, seeking opportunities to manipulate otherwise benign security policies designed to protect systems. Another very hot area in computer attacks involves detailed scanning and interrogation of Windows Active Directory domains, identifying and manipulating configuration policies to their significant advantage.

If you do not have the skills needed to understand these critical phases of an attack in detail, you will not be able to protect your network. Students who take this course and master the material will understand these attacks and the associated defenses.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's systems. You also need to advise your network and computer operations teams of your testing schedule.


Hands-on Exercises with the Following Tools:

  • Using Open Source Intelligence (OSINT) for attack reconnaissance
  • Wi-Fi network scanning for rogue, malicious, and misconfigured access points
  • Server enumeration and analysis with Nmap
  • Vulnerability scanning and finding prioritization
  • Windows networking scan and enumeration techniques

CPE/CMU Credits: 6

Reconnaissance

  • What does your network reveal?
  • Are you leaking too much information?
  • Using forward and reverse Whois lookups, ARIN, RIPE, and APNIC
  • Domain Name System harvesting
  • Data gathering from job postings, websites, and government databases
  • Recon-ng
  • Pushpin
  • Identifying publicly compromised accounts
  • Maltego
  • FOCA for metadata analysis
  • Aggregate OSINT data collection with SpiderFoot

Scanning

  • Locating and attacking personal and enterprise Wi-Fi
  • Identifying and exploiting proprietary wireless systems
  • Rubber Ducky attacks to steal Wi-Fi profiles
  • War dialing with WarVOX for renegade modems and insecure phones
  • Port scanning: Traditional, stealth, and blind scanning
  • Active and passive operating system fingerprinting
  • Determining firewall filtering rules
  • Vulnerability scanning using Nessus and other tools
  • Distributed scanning using cloud agents for blacklist evasion

Intrusion Detection System (IDS) Evasion

  • Foiling IDS at the network level
  • Foiling IDS at the application level: Exploiting the rich syntax of computer languages
  • Web Attack IDS evasion tactics
  • Bypassing IDS/IPS with TCP obfuscation techniques

Enumerating Windows Active Directory Targets

  • Windows Active Directory domain enumeration with BloodHound, SharpView
  • Windows Command and Control with PowerShell Empire
  • Operating system bridging from Linux to Windows targets
  • Defending against SMB attacks with sophisticated Windows networking features

Michael Murr
Wed Jun 17th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


Computer attackers are ripping our networks and systems apart in novel ways, while constantly improving their techniques. This course section covers the third step of many hacker attacks: gaining access.

Attackers employ a variety of strategies to take over systems from the network level up to the application level. This section covers the attacks in depth, from the details of buffer overflow and common software flaw exploitation techniques to the latest in session hijacking of supposedly secure protocols. Additionally, you will get hands-on experience in running sniffers, exploiting common Windows networking vulnerabilities, using common tools for effective data shoveling, and bypassing host platform security endpoint tools.

Administrators need to get into the nitty-gritty of how the attacks and their associated defenses work if they want to effectively defend against these invasions. For each attack, the course explains the vulnerability, how various tools exploit it, the signature of the attack, and how to harden the system or application against the attack. Students who sign an ethics and release form are issued a USB drive containing the attack tools examined in class.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's system. You also need to advise your network and computer operations teams of your testing schedule.


Hands-on Exercises with the Following Tools:

  • Manipulating DNS and Windows networking for credential harvesting
  • Using Netcat for transferring files, creating backdoors, and setting up relays
  • Metasploit, Metasploit, Metasploit: lots of Metasploit
  • ARP and MAC analysis for ARP cache poisoning attack detection

CPE/CMU Credits: 6


Physical-layer Attacks

  • Clandestine exploitation of exposed USB ports
  • Simple network impersonation for credential recovery
  • Hijacking password libraries with cold boot recovery tools

Gathering and Parsing Packets

  • Active sniffing: ARP cache poisoning and DNS injection
  • Bettercap
  • Responder
  • LLMNR poisoning
  • WPAD attacks
  • DNS cache poisoning: Redirecting traffic on the Internet
  • Using and abusing Netcat, including backdoors and insidious relays
  • IP address spoofing variations
  • Encryption dodging and downgrade attacks

Operating System and Application-level Attacks

  • Buffer overflows in-depth
  • The Metasploit exploitation framework
  • AV and application whitelisting bypass techniques

Netcat: The Attacker's Best Friend

  • Transferring files, creating backdoors, and shoveling shell
  • Netcat relays to obscure the source of an attack
  • Replay attacks

Endpoint Security Bypass

  • How attackers use creative office document macro attacks
  • Detection bypass with Veil, Magic Unicorn
  • Putting PowerShell to work as an attack tool
  • AV evasion with Ghostwriting
  • Attack tool transfiguration with native binaries

Michael Murr
Thu Jun 18th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


This course section starts out by covering one of the attackers' favorite techniques for compromising systems: password attacks. We will analyze multiple attack techniques applied against password storage and selection, including password guessing and spray attacks, password cracking, and modern password mask recovery techniques. Then the course turns to another vital area often exploited by attackers: web applications. Because most organizations' homegrown web applications do not get the security scrutiny of commercial software, attackers exploit these targets using SQL injection, cross-site scripting, session cloning, and a variety of other mechanisms discussed in detail.

The course also presents a taxonomy of bots and malware attacks, including modern-day cryptomining and cryptolocker attacks. We conclude the day with a look at nasty denial-of-service attacks, illustrating how attackers can stop services or exhaust resources, as well as what you need to do to prevent their nefarious deeds.

Once intruders have gained access into a system, they want to keep that access, preventing pesky system administrators and security personnel from detecting their presence. To fool you, attackers install backdoor tools and manipulate existing software on a system to maintain access to the machine on their own terms. To defend against these attacks, you need to understand how attackers alter systems to discover the sometimes-subtle hints associated with system compromise. This course arms you with the understanding and tools you need to defend against attackers' maintaining access and covering their tracks.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's system. You also need to advise your network and computer operations teams of your testing schedule.


Hands-on Exercises with the Following Tools and Topics:

  • Password cracking using John the Ripper
  • Informed password cracking mask attacks with Hashcat
  • Malicious browser takeover attacks using the Browser Exploitation Framework
  • Cross-site scripting and SQL injection web application attacks
  • Detecting DoS attacks

CPE/CMU Credits: 6


Password Cracking

  • Password cracking with John the Ripper
  • Hashcat mask attacks
  • Modern Windows Pass-the-Hash attacks
  • Rainbow Tables
  • Password guessing and spraying attacks

Web Application Attacks

  • Account harvesting
  • SQL Injection: Manipulating back-end databases
  • Session cloning: Grabbing other users' web sessions
  • Cross-site scripting

Denial-of-Service Attacks

  • Distributed Denial of Service: Pulsing zombies and reflected attacks
  • Local Denial of Service

Michael Murr
Fri Jun 19th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


This course section covers the fourth and fifth steps of many hacker attacks: maintaining access and covering their tracks. Computer attackers install backdoors, apply rootkits, and sometimes even manipulate the underlying kernel itself to hide their nefarious deeds. Each of these categories of tools requires specialized defenses to protect the underlying system. In this course, we will analyze the most commonly used malicious code specimens and explore future trends in malware designed to obscure an attacker's presence and disguise attribution.

Attackers also cover their tracks by hiding files, sniffers, network usage, and active processes. Additionally, they manipulate sophisticated network protocols to evade threat hunting systems and thwart investigations. Finally, attackers often alter system logs on UNIX and Windows systems, all in an attempt to make the compromised system appear normal. This course gives you the tools and techniques you need to detect and respond to these activities on your computers and network.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's system. You also need to advise your network and computer operations teams of your testing schedule.


Hands-on Exercises with the Following Tools:

  • Rootkits and detection
  • Detecting backdoors with Netstat, lsof
  • Manipulating Windows Event Logs for attack hiding
  • Hidden file detection with LADS
  • Analyzing memory dumps for attack identification
  • Covert channels using Covert_TCP

CPE/CMU Credits: 6


Maintaining Access

  • Backdoors: Using Poison Ivy, VNC, Ghost RAT, and other popular beasts
  • Trojan horse backdoors: A nasty combo
  • Rootkits: Substituting binary executables with nasty variations
  • Kernel-level Rootkits: Attacking the heart of the Operating System (Rooty, Avatar, and Alureon)

Covering the Tracks

  • File and directory camouflage and hiding
  • Log file editing on Windows and Unix
  • Accounting entry editing: UTMP, WTMP, shell histories, etc.
  • Covert channels over HTTP, ICMP, TCP, and other protocols
  • Sniffing backdoors and how they can really mess up your investigations unless you are aware of them
  • Steganography: Hiding data in images, music, binaries, or any other file type
  • Memory analysis of an attack

Putting It All Together

  • Specific scenarios showing how attackers use a variety of tools together
  • Analyzing scenarios based on real-world attacks
  • Learning from the mistakes of other organizations
  • Where to go for the latest attack info and trends

Michael Murr
Sat Jun 20th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


Over the years, the security industry has become smarter and more effective in stopping hackers. Unfortunately, hacker tools are becoming smarter and more complex. One of the most effective methods to stop the enemy is to actually test the environment with the same tools and tactics an attacker might use against you.

This workshop lets you put what you have learned over the past week into practice. You will be connected to one of the most hostile networks on earth. This network simulates the Internet and allows students to try actual attacks against live machines and learn how to protect against these attacks. The workshop will supplement the classroom training that students have already received and give them flight time with the attack tools to better understand how they work. The instructor will provide guidance on exactly what is happening as exploits and defensive measures are running. As students work on various exploits and master them, the environment will become increasingly difficult, so students will have to master additional skills in order to successfully complete the exercises.

Additionally, students can participate in the workshop's Capture-the-Flag event. By penetrating systems, discovering subtle flaws, and using puzzle-solving techniques, you can test the skills you have built over the week in this engaging contest. The Capture-the-Flag victors will win the coveted SEC504 challenge coin.

CPE/CMU Credits: 6


Hands-on Analysis

  • Nmap port scanner
  • Nessus vulnerability scanner
  • Network mapping
  • Netcat: File transfer, backdoors, and relays
  • Microsoft Windows network enumeration and attack
  • More Metasploit
  • Exploitation using built-in OS commands
  • Privilege escalation
  • Advanced pivoting techniques

Additional Information

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.

CPU

  • 64-bit Intel i5/i7 2.0+ GHz processor
  • Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your processor information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".

BIOS

  • Enabled "Intel-VT"
  • Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password. This is absolutely required.

USB

  • USB 3.0 Type-A port
  • At least one available USB 3.0 Type-A port is required for copying large data files from the USB 3.0 thumb drives we provide in class. The USB port must not be locked in hardware or software. Some newer laptops may have only the smaller Type-C ports. In this case, you will need to bring a USB Type-C to Type-A adapter.

RAM

  • 8 GB RAM (4 GB min)
  • 8 GB RAM (4 GB min) is highly recommended for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".

Hard Drive Free Space

  • 100 GB Free space
  • 100 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.

Operating System

  • Windows 10 or macOS 10.12+
  • Your system must be running either Windows 10 or macOS 10.12 or higher.

Additional Hardware Requirements

The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

Network, Wired Connection

  • A wired network connection, one that you can plug a cable into
  • A wired connection is required in class. A wired network adapter is one that you plug a cable into; these are typically on the back or the side of your system. If your system supports only wireless, you can purchase a USB wired Ethernet adapter. This will allow you to plug the adapter into a USB port on your system and plug the network cable into the adapter.

Network, Wi-Fi Adapter

  • A USB Wi-Fi adapter
  • A USB Wi-Fi network adapter is required. This USB Wi-Fi network adapter provides the virtual machine access to the wireless network directly. Your internal Wi-Fi adapter will not meet this requirement. We recommend this one.

Additional Software Requirements

VMware Player Install

  • VMware Workstation Player 15, VMware Fusion 11, or VMware Workstation 15
  • Install VMware Player 15, VMware Fusion 11, or VMware Workstation 15. Older versions will not work for this course. Choose the version compatible with your host OS. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation. THIS IS CRITICAL: Other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

If you have additional questions about the laptop specifications, please contact

  • Incident handlers
  • Leaders of incident handling teams
  • System administrators who are on the front lines defending their systems and responding to attacks
  • Other security personnel who are first responders when systems come under attack
  • General security practitioners and security architects who want to design, build, and operate their systems to prevent, detect, and respond to attacks

Use this sample training request letter, or elements of it, to justify the time and budget required to complete SANS training to your manager. Simply copy and paste text into an email to your manager, then make any necessary adjustments to personalize the information.

  • A USB with all of the tools for class ready to go
  • Over 1,000 slides of instruction with detailed notes
  • Step-by-step instructions in self-contained labs showing you how to employ these hacker tools and techniques
  • MP3 audio files of the complete course lecture

Author Statement

"When I was 18 I got caught hacking the school card catalog server. Instead of getting expelled, I became a school employee, spending the next 10 years working on improving security while getting better at using hacker tools, writing exploits, developing new techniques, and figuring out how to better respond to the onslaught of attacks. During that time, I came to understand the benefits of truly understanding attacker techniques to evaluate and improve on the defensive capabilities I managed.

In SEC504 we dig into the hacker tools, techniques, and exploits used by modern attackers from the perspective of an incident response analyst. We'll cover everything from reconnaissance to exploitation, and from scanning to data pillaging. The course lectures, hands-on lab exercises, and an immersive capstone event will arm you with the tools and techniques you need to make smart decisions about network security. Once you learn how hackers operate, you'll be better prepared to identify attacks and protect your network from sophisticated adversaries."

-Joshua Wright