Register Now for Great Online Training Offer: Get a 12.9" iPad Pro, Surface Pro or $350 Off

Secure Europe 2014

Amsterdam, Netherlands | Sat, May 10 - Sat, May 24, 2014
This event is over,
but there are more training opportunities.

SEC561: Intense Hands-on Pen Testing Skill Development (with SANS NetWars) Waitlist

Mon, May 12 - Sat, May 17, 2014

SANS SEC561. To be a top pen test professional, you need fantastic hands-on skills for finding, exploiting, and resolving vulnerabilities.SANS top instructors engineered SANS SEC561: Intense Hands-on Pen Testing Skill Development from the ground up to help you get good fast. The course teaches in-depth security capabilities through 80%+ hands-on exercises and labs, maximizing keyboard time on in-class labs making this SANS' most hands-on course ever. With over 30 hours of intense labs, students experience a leap in their capabilities, as they come out equipped with the practical hands-on skills needed to address today's pen test and vulnerability assessment projects in enterprise environments.

To get the most out of this course, students should have some prior hands-on vulnerability assessment or penetration testing experience (minimum 6 months) or have taken at least one other penetration testing course (such as SANS SEC504, SEC560, or SEC542). The course will build on that background, helping participants ramp up their skills even further across a broad range of penetration testing disciplines.

Throughout the course, an expert instructor coaches students as they work their way through solving increasingly demanding real-world information security scenarios that they can apply the day that they get back to their jobs.


Topics addressed in the course include:

  • Applying network scanning and vulnerability assessment tools to effectively map out networks and prioritize discovered vulnerabilities for effective remediation
  • Manipulating common network protocols to reconfigure internal network traffic patterns, as well as defenses against such attacks
  • Analyzing Windows and Linux systems for weaknesses using the latest enterprise management capabilities of the operating systems, including the super powerful Windows Remote Management (WinRM) tools
  • Applying cutting-edge password analysis tools to identify weak authentication controls leading to unauthorized server access
  • Scouring through web applications and mobile systems to identify and exploit devastating developer flaws
  • Evading Anti-Virus tools and bypassing Windows UAC to understand and defend against these advanced techniques
  • Honing phishing skills to evaluate the effectiveness of employee awareness initiatives and your organization's exposure to one of the most damaging attack vectors widely used today

A lot of people can talk about these concepts, but this course teaches you how to actually do them hands-on and in-depth. The SANS SEC 561 course shows security personnel including penetration testers, vulnerability assessment personnel, auditors, and operations personnel how to leverage in-depth techniques to get powerful results in every one of their projects. The course is overflowing with practical lessons and innovative tips, all with direct hands-on application. Throughout the course, students interact with brand new, custom-developed scenarios built just for this course on the innovative NetWars challenge infrastructure, which guides them through the numerous hands-on labs providing questions, hints, and lessons learned as they build their skills.


Course Syllabus

Tim Medin
Mon May 12th, 2014
9:00 AM - 5:00 PM


The first day of the course prepares students for real-world security challenges by giving them hands-on practice with essential Linux and Windows server and host management tools. First, students will leverage built-in and custom Linux tools to evaluate the security of host systems and servers, inspecting and extracting content from rich data sources such as image headers, browser cache content, and system logging resources. Next, students will turn their focus to performing similar analysis against remote Windows servers using built-in Windows system management tools to identify misconfigured services, scrutinize historical registry entries for USB devices, evaluate the impact of malware attacks, and analyze packet capture data. By completing these tasks, students build their skills in managing systems, applicable to post-compromise system host analysis, or defensive tasks such as defending targeted systems from persistent attack threats. By adding new tools and techniques to their arsenal, students are better prepared to complete the analysis of complex systems with greater accuracy in less time.

CPE/CMU Credits: 6


Linux Host and Server Analysis

  • Identifying users and permission exposure
  • File system data harvesting from common applications
  • Network traffic analysis and data extraction techniques
  • File and malware analysis tools

Windows Host and Server Analysis

  • Remote registry analysis for use analysis
  • Vulnerability targeting from system patch analysis and reporting
  • Client-side exploitation data artifact analysis
  • Windows malware executable analysis
  • Windows file system and permission management analysis

Tim Medin
Tue May 13th, 2014
9:00 AM - 5:00 PM


In this section of the class, students investigate the critical tasks for a high-quality penetration test. Weâll look at the safest, most efficient ways to map a network and discover target systems and services. Once the systems are discovered, we look for vulnerabilities and reduce false positives with manual vulnerability verification. Weâll also look at exploitation techniques including the use of the Metasploit Framework to exploit these vulnerabilities, accurately describing risk and further reducing false positives. Of course, exploits are not the only way to access systems, so we also leverage password related attacks including guessing and cracking techniques to extend our reach for a more effective and valuable penetration test.

CPE/CMU Credits: 6


Network Mapping and Discovery

  • Active host scanning and IDS evasion techniques
  • Passive discovery and system analysis
  • Scanning and mapping IPv6 targets and services
  • Advanced enumeration with interactive and automated interrogation tools

Enterprise Vulnerability Assessment

  • Data harvesting for effective vulnerability assessment
  • Manual and automated vulnerability correlation
  • Vulnerability prioritization for remediation
  • Open-source and commercial tools for effective vulnerability assessment
  • Assessing network infrastructure as part of a vulnerability assessment

Network Penetration Testing

  • False positive reduction through exploitation
  • Exploitation via Metasploit for an effective penetration test
  • Using Meterpreter for pillaging and pivoting
  • Effective use of netcat for network communication

Password and Authentication Exploitation

  • Effective password guessing techniques
  • Exploiting weaknesses in common cryptographic password storage
  • Evaluating Windows and critical network infrastructure authentication weaknesses
  • Manipulating Windows Directory Authentication

Tim Medin
Wed May 14th, 2014
9:00 AM - 5:00 PM


This section of the course will look at the variety of flaws present in web applications and how each of them is exploited. Students will solve challenges presented to them by exploiting web applications hands-on with the tools used by professional web application penetration testers every day. The websites students attack mirror real-world vulnerabilities including Cross-Site Scripting (XSS), SQL Injection, Command Injection, Directory Traversal, Session Manipulation and more. Students will need to exploit the present flaws and answer questions based on the level of compromise they are able to achieve.

CPE/CMU Credits: 6


Recon and Mapping

  • Identification of target web applications
  • Directory brute-forcing
  • Manual creations of web requests
  • Web application scanning and exploitation tools

Server-side Web Application Attacks

  • SQL injection
  • Command injection
  • Directory traversal

Client-side Web Application Attacks

  • Cross-site scripting
  • Cross-site request forgery
  • Cookie and session manipulation

Web Application Vulnerability Exploitation

  • Evaluating logic flaws in popular web applications
  • Leveraging public exploits against web application infrastructure

Tim Medin
Thu May 15th, 2014
9:00 AM - 5:00 PM


With the accelerated growth of mobile device use in enterprise networks, organizations find an increasing need to identify expertise in the security assessment and penetration testing of mobile devices and the supporting infrastructure. In this component of the course, we examine the practical vulnerabilities introduced by mobile devices and applications, and how they relate to the security of the enterprise. Students will look at the common vulnerabilities and attack opportunities against Android and Apple iOS devices, examining data remnants from lost or stolen mobile devices, the exposure introduced by common weak application developer practices, and the threat introduced by popular cloud-based mobile applications found in many networks today.

CPE/CMU Credits: 6


Mobile Device Assessment

  • Extracting data from mobile application network activity
  • Passive mobile device identification and fingerprinting
  • Mobile device wireless behavior analysis
  • Exploiting Mobile Device Management (MDM) system controls

Mobile Device Data Harvesting

  • Bypassing passcode authentication on mobile devices
  • Leveraging compromised hosts for mobile device backup data recovery
  • Extracting GPS and cell tower history from mobile devices for location tracking
  • Exploiting common password disclosure data sources

Mobile Application Analysis

  • Reverse-engineering Android applications
  • De-obfuscating mobile application malware
  • Static and dynamic automated application analysis systems

Tim Medin
Fri May 16th, 2014
9:00 AM - 5:00 PM


This portion of the class is designed to teach the advanced skills required in an effective penetration test to extend our reach and move through the target network. This extended reach will provide a broader and more in-depth look at the security of the enterprise. Weâll utilize techniques to pivot through compromised systems using various tunneling/pivoting techniques, bypass anti-virus, and built-in commands to extend our influence over the target environment and find issues that lesser testers may have missed. Weâll also look at some of the common mistakes surrounding poorly or incorrectly implemented cryptography and ways to take advantage of those weaknesses to access systems and data that are improperly secured.

CPE/CMU Credits: 6


Anti-Virus Evasion Techniques

  • Manipulating exploits to bypass signature-based anti-virus tools
  • Leveraging packers and obfuscators
  • Altering tools to evade heuristic analysis engines

Advanced Network Pivoting Techniques

  • Protected network infrastructure tunneling with SSH
  • Remote proxy exploits with proxychains
  • Host redirection with Meterpreter host routing

Exploiting Network Infrastructure Components

  • Routing infrastructure manipulation attacks
  • Manipulating hosts through network management interfaces

Exploiting Cryptographic Weaknesses

  • Applying oracle padding attacks against web applications
  • Using entropy analysis to identify weak cryptography
  • Decrypting stream cipher data without key knowledge

Tim Medin
Sat May 17th, 2014
9:00 AM - 5:00 PM


This lively session represents the culmination of the course, where attendees will apply the skills they have mastered throughout all the other sessions in a hands-on workshop. Attendees will participate in a larger version of the exercises present in the class to independently reinforce skills learned throughout the course.

Attendees will apply their newly developed skills to scan for flaws, use exploits, unravel technical challenges, and dodge firewalls, all while guided by the challenges presented to you by the NetWars Scoring Server. By practicing the skills in a combination workshop where multiple focus areas are combined, participants will have the opportunity to explore, exploit, pillage, and continue to reinforce skills against a realistic target environment.

CPE/CMU Credits: 6

Additional Information

Throughout the course, students will participate in hands-on lab exercises. Students must bring their own laptops to class that meet the requirements described below.


Students must bring a Windows 7, Windows Vista, or Windows XP laptop to class, preferably running natively on the system hardware. It is possible to complete the lab exercises using a virtualized Windows installation, however, this will result in reduced performance when running device emulators within the virtualized Windows host. If you are a Windows XP user, make sure you also have the .NET 3.5 framework installed, which can be downloaded from .

Administrative Windows Access

For several tools utilized in the course, students will be required to perform actions with administrative privileges. Students must have administrative access on their Windows host, including the ability to unload or disable security software such as anti-virus or firewall agents as necessary for the completion of lab exercises.


Students will use a virtualized MobiSec Linux VMware guest for several lab exercises. VMware Workstation or VMware Player is recommended. Note that there is no cost associated with the use of VMware Player, which can be downloaded from the VMware website.

While some students successfully use VMware Fusion for the exercises, the relative instability of VMware Fusion may introduce delays in exercise preparation, preventing the timely completion of lab exercises. VirtualBox and other virtualization tools are not supported at this time.

Hardware Requirements

Several of the software components used in the course are hardware intensive, requiring more system resources than what might be required otherwise for day-to-day use of a system. Please ensure your laptop meets the following minimum hardware requirements:

  • Minimum 2 GB RAM, 4 GB recommended
  • Ethernet (RJ45) network interface; students will not be able to complete lab exercises with systems that only have a wireless card, such as the Mac Book Air
  • 1.5 GHz processor minimum
  • 30 GB free hard disk space
  • DVD drive (not a CD drive)
  • Minimum screen resolution 1024x768, larger screen resolution will reduce scrolling in for several applications and a more pleasant end-user experience

If you have additional questions about the laptop specifications, please contact

  • Security professionals who want to expand their hands-on technical skills in new analysis areas such as packet analysis, digital forensics, vulnerability assessment, system hardening, and penetration testing
  • Systems and network administrators who want to gain hands-on experience in information security skills to become better administrators
  • Incident response analysts who want to better understand system attack and defense techniques
  • Forensic analysts who need to improve their analysis through experience with real-world attacks
  • Penetration testers seeking to gain practical hands-on experience for use in their own assessments

To get the most out of this course, students should have some prior hands-on vulnerability assessment or penetration testing experience (minimum 6 months) or have taken at least one other penetration testing course (such as SANS SEC504, SEC560, or SEC542). The course will build on that background, helping participants ramp up their skills even further across a broad range of penetration testing disciplines.

  • Course book
  • Daily lab answer books detailing all the course challenge exercises
  • Course DVD and associated software, files, and analysis resources

  • Use network scanning and vulnerability assessment tools to effectively map out networks and prioritize discovered vulnerabilities for effective remediation
  • Use password analysis tools to identify weak authentication controls leading to unauthorized server access
  • Evaluate web applications for common developer flaws leading to significant data loss conditions
  • Manipulating common network protocols to maliciously reconfigure internal network traffic patterns
  • Identify weaknesses in modern anti-virus signature and heuristic analysis systems
  • Inspect the configuration deficiencies and information disclosure threats present on Windows and Linux servers
  • Bypass authentication systems for common web application implementations
  • Exploit deficiencies in common cryptographic systems
  • Bypass monitoring systems by leveraging IPv6 scanning and exploitation tools
  • Harvest sensitive mobile device data from iOS and Android targets

Author Statement

In creating this course, we focused on getting as much practical, hands-on skill building into the classroom as possible. Each day begins with a short briefing on the technical topics students will work on throughout the day. Then, students build their skills analyzing real-world target systems in the classroom. When students walk out of the class, they'll have mastered over 100 new techniques for finding, exploiting, and then fixing security flaws. Just as aircraft pilots needs more "stick" time learning how to fly, this course provides penetration testers and other security professionals real-world hands-on experience they need to excel in their work. -Josh Wright