Explore the worlds best online cybersecurity training with OnDemand - view a Demo Today!

Virginia Beach 2018

Virginia Beach, VA | Mon, Aug 20 - Fri, Aug 31, 2018
This event is over,
but there are more training opportunities.

Due to a high demand for security training at SANS Virginia Beach 2018, courses will be held at both the Hilton Virginia Beach Oceanfront and Hilton Garden Inn Virginia Beach Oceanfront. The hotels are less than a five minute walk from one another, and are accessible from both the Boardwalk and Atlantic Avenue. SEC503, SEC555, SEC573, SEC575, MGT514, and DEV540 will be hosted at the Hilton Garden Inn Virginia Beach Oceanfront.

SEC573: Automating Information Security with Python

Mon, August 20 - Sat, August 25, 2018

Highly recommended. SEC573 truly gives you the power to forensicate at scale - or hunt adversaries.

Mark Osborn, SecureWorks

PyWars in SEC573 was a great parallel thread. I enjoyed the challenges and found it a great way to practice during downtime and when I finished early.

Eric Gillespie, Anonymous

All security professionals, including Penetration Testers, Forensics Analysts, Network Defenders, Security Administrators, and Incident Responders, have one thing in common. CHANGE. Change is constant. Technology, threats, and tools are constantly evolving. If we don't evolve with them, we'll become ineffective and irrelevant, unable to provide the vital defenses our organizations increasingly require.

Maybe your chosen Operating Systems has a new feature that creates interesting forensics artifacts that would be invaluable for your investigation, if only you had a tool to access it. Often for new features and forensics artifacts, no such tool has yet been released. You could try moving your case forward without that evidence or hope that someone creates a tool before the case goes cold...or you can write a tool yourself.

Or, perhaps an attacker bypassed your defenses and owned your network months ago. If existing tools were able to find the attack, you wouldn't be in this situation. You are bleeding sensitive data and the time-consuming manual process of finding and eradicating the attacker is costing you money and hurting your organization big time. The answer is simple if you have the skills: Write a tool to automate your defenses.

Or, as a Penetration tester, you need to evolve as quickly as the threats you are paid to emulate. What do you do when "off-the-shelf" tools and exploits fall short? If you're good, you write your own tool.


Writing a tool is easier said than done, right? Not really. Python is a simple, user-friendly language that is designed to make automating tasks that security professionals perform quick and easy. Whether you are new to coding or have been coding for years, SANS SEC573 Automating Information Security with Python will have you creating programs to make your job easier and make you more efficient. This self-paced class starts from the very beginning assuming you have no prior experience or knowledge of programming. We cover all of the essentials of the language up front. If you already know the essentials, you will find that the pyWars lab environment allows advanced developers to quickly accelerate to more advanced material in the class. The self-paced style of the class will meet you where you are to let you get the most out of the class you can. Beyond the essentials we discuss file analysis, packet analysis, forensics artifact carving, networking, database access, website access, process execution, exception handling, object oriented coding and more.

This course is designed to give you the skills you need for tweaking, customizing, or outright developing your own tools. We put you on the path of creating your own tools, empowering you in automating the daily routine of today's information security professional, achieving more value in less time. Again and again, organizations serious about security emphasize their need for skilled tool builders. There is a huge demand for people who can understand a problem and then rapidly develop prototype code to attack or defend against it. Join us and learn Python in-depth and fully weaponized.

You Will Learn:

  • How to leverage Python Scripting to maximize the effectiveness of your penetration tests.
  • How to use TCP Sockets to build network applications.
  • How to develop Web Application attack tools.
  • How to parse TCP Packets and PCAP data to extract valuable data.
  • How to use advanced application concepts, such as threading and message queueing.


Course Syllabus

Jonathan Thyer
Mon Aug 20th, 2018
9:00 AM - 5:00 PM


The course begins with a brief introduction to Python and the pyWars capture the flag game. We set the stage for students to learn at their own pace in the 100% hands-on pyWars lab environment. As more advanced students take on Python-based Capture The Flag challenges, students who are new to programming will start from the very beginning with Python essentials, including:

  • Python Syntax, Variables, Math Operators, Strings, Functions, Modules, Control Statements, Introspection

CPE/CMU Credits: 6

Jonathan Thyer
Tue Aug 21st, 2018
9:00 AM - 5:00 PM


You will never learn to program by staring at PowerPoint slides. The second day continues the hands-on, lab-centric approach established on day one. This section covers data structures and more detailed programming concepts. Next, we focus on invaluable tips and trick to make you a better Python programmer and how to debug your code. Day two includes topics such as:

  • Lists, Loops, Tuples, Dictionaries, The Python Debugger, Coding Tips, Tricks and Shortcuts, System Arguments, and the ArgParser Module

CPE/CMU Credits: 6

Jonathan Thyer
Wed Aug 22nd, 2018
9:00 AM - 5:00 PM

Day 3-5 Automating Information Security: The next three days are focused on expanding your Python skills, leveraging modules and performing important operations used by all information security professionals. You will learn about file operations, log analysis, database operations, low-level network operations such as Raw sockets and packet parsing, high-level network operations such as HTTP and authentication, object oriented coding, regular expressions, subprocess execution and automation and much more. We demonstrate that these skills are common to every security profession and useful to everyone regardless of your discipline by giving each of the three days their own theme.


Day three includes in-depth coverage about how defenders can use Python automation as we cover Python modules and techniques that everyone can use. Forensicators and offensive security professionals will also learn essential skills they will apply to their craft. We will play the role of a network defender who needs to find the attackers on their network. We will discuss how to analyses network logs and packets to discover where the attackers are coming from and what they are doing. We will build scripts to empower continuous monitoring and disrupt the attackers before they exfiltration your data. Day 3 topics include:

  • File Operations, Python Sets, Regular Expressions, Log Parsing, Data Analysis tools and techniques, Long Tail/Short Tail Analysis, Geolocation acquisition, blacklists and whitelists, Packet Analysis, Packet reassembly, Payload extraction

CPE/CMU Credits: 6

Jonathan Thyer
Thu Aug 23rd, 2018
9:00 AM - 5:00 PM


On day four we will play the role of a forensics analyst who has to carve evidence from artifacts when no tool exists to do so. Even if you don't do forensics you will find these skills covered on day four are foundational to every security role. We will discuss the process required to carve binary images, find appropriate data of interest in them, and extract that data. Once you have the artifact isolated, there is more analysis to be done. You will learn how to extract metadata from image files. Then we will discuss techniques for finding artifacts in other locations such as SQL databases and interacting with web pages. Day 4 subjects include:

  • Acquiring Images from disk, memory and the network, File Carving, the STRUCT module, Raw Network Sockets and protocols, Image Forensics and PIL, SQL Queries, HTTP Communications with Python built in Libraries, Web communications with the Requests module

CPE/CMU Credits: 6

Jonathan Thyer
Fri Aug 24th, 2018
9:00 AM - 5:00 PM


On day five we play the role of penetration tester whose normal tricks have failed. Their attempts to establish a foothold have been stopped by modern defenses. To bypass these defenses, you will build an agent to give you access to a remote system. Similar agents can be used for Incident response or systems administration, but our focus will be on offensive operations.Today's subjects include:

  • Network Socket Operations, Exception Handling, Process execution, Blocking and Non-blocking Sockets, Asynchronous operations, the select module, Python objects, Argument packing and unpacking

CPE/CMU Credits: 6

Jonathan Thyer
Sat Aug 25th, 2018
9:00 AM - 5:00 PM


In this final section you will be placed on a team with other students. Working as a team, you will apply the skills you have mastered in a series of programming challenges. Participants will exercise the skills and code they have developed over the previous five days as they exploit vulnerable systems, break encryption cyphers, analyze packets, parse logs, and automate code execution on remote systems. Test your skills! Prove your might!

CPE/CMU Credits: 6

Additional Information

Students are required to bring their own laptop so that they can connect directly to the workshop network we will create, and thus get the most value out of the course. It is the students' responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine. All of the VMWare products are available at www.vmware.com.


You are required to bring Windows 10 (Professional), Windows 8.1 (Professional), Windows 8 (Professional), Windows 7 (Professional, Enterprise, or Ultimate) or Windows Vista (Business, Enterprise, or Ultimate) either on a real system or a virtual machine. You will need administrative access to your Windows computer and the ability to install various software packages, including Python, on that computer.

IMPORTANT NOTE: You may also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that Administrator password for your anti-virus tool.

The course includes a VMware image file of a guest Linux system that is larger than 15 GB. Therefore, you need a file system with the ability to read and write files that are larger than 15 GB, such as NTFS on a Windows machine.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.


You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player or later or the commercial VMware Workstation 8 or later installed on your system prior to coming to class. You can download VMware Workstation Player for free https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation here. VMware will send you a time- limited license number for VMware Workstation if you register for the trial on its website. No license number is required for VMware Player.


You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

  • x86- or x64-compatible 2.0 GHz CPU minimum or higher.
  • An available USB port.
  • 4 GB or higher recommended.
  • Ethernet adapter: A wired connection is required in class. If your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you.
  • 15 GB available hard drive space.

During the workshop, you will be connecting to one of the most hostile networks on planet earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn - and have a lot of fun doing it!

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Security professionals who benefit from automating routine tasks so they can focus on what's most important
  • Forensics Analysts who can no longer wait on someone else to develop a commercial tool to analyze artifacts
  • Network Defenders who sift through mountains of logs and packets to find evildoers in their networks
  • Penetration testers who are ready to advance from script kiddie to professional offensive computer operations operator
  • Security professionals who want to evolve from security tool consumer to security solution provider

A basic understanding of any programming or scripting language is highly recommended but not required for this class.

Other Courses People Have Taken

Courses that lead in to SEC573:

Courses that are good follow-ups to SEC573:

  • A virtual machine with sample code and working examples.
  • A copy of Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers, T.J. O'Connor's critically-praised book that shows readers how to forge their own weapons using the Python programming language.
  • MP3 audio files of the complete course lecture.
  • Develop forensics tool to carve artifacts from forensics evidence for which no other tool exists or use third party modules for well-known artifacts to hidden evidence relevant to your investigations.
  • Create defensive tools to automate the analysis of log file and network packets using hunt team techniques to track down attackers in your network. Implement custom whitelisting, blacklisting, signature detection, long tail and short tail analysis, and other data analysis techniques to find attacks overlooked by conventional methods.
  • Write penetration testing tools including a several backdoors with features like process execution, upload and download payloads, port scanning and more. Build essential tools that evade antivirus software and allow you to establish that required foothold inside your target.
  • Understand Python coding fundamentals required to automate common information security tasks. Language essentials like variables, loops, if then else, logic, file operations, command line arguments, debugging are all covered assuming no prerequisite knowledge.
  • Tap into the wealth of existing Python modules to complete tasks using Regular Expressions, Database interactions with SQL, IP Networking, Exception handling, Interact with websites using Requests, Packet Analysis, Packet reassembly techniques and much more.

The Python Essentials Workshop labs - Variables, functions, modules, if/elif/else, for, while, list, dictionaries, sets and more

pyWars labs - An online programming competition that runs the first five days of class with additional hands on labs for beginners and expert challenges. Challenges include reverse engineering malware, malware covert channels, cryptography essentials, advanced regular expressions, advanced network communications and more.

Practical application labs - The application of coding concept are applied to build tools for defenders, forensicators and penetration testers. The labs cover Parsing logs files to identify hackers, Long Tail/Short Tail analysis of logs, Capturing and Parsing Network Packets, Carving forensics artifacts from binary data, Retrieving SQL data, Interacting with Websites, Process execution, Exception handling, synchronous and asynchronous network communications and more. The Python modules and concepts covered in these labs include: File Operations, Python Sets, Regular Expressions, gzip, collections module, freq.py, Geolite, scapy, reassembler.py, struct, sockets, select, Python Objects, argument packing and unpacking, sqlite3 , urllib,urllib2, cookielib, requests, StringIO, and more.

Capture the flag - Test your ability to apply your new tools and coding skills

"SEC573 is vital for anyone who considers themselves to be a pen tester." - Jeff Turner, Lexis Nexis Risk Solutions

"So far the content of Python for Penetration Testers has been great. I have learned several things, even as an advanced user." - Matthew Garfinkle, ManTech International Corporation

Author Statement

Good scripting skills are essential to professionals in all aspects of information security. Understanding how to develop your own applications means you can automate tasks and do more, with fewer resources, in less time. As penetration testers, knowing how to use canned information security tools is a basic skill that you must have. But knowing how to build your own tools when the tools someone else wrote fail is what separates the great penetration testers from the good ones. This course is designed for security professionals who want to learn how to apply basic coding skills to do their job more efficiently. The course will help take your career to the next level by teaching you the essential skills needed to develop applications that interact with networks, websites, databases, and file systems. We will cover these essential skills as we build practical applications that you can immediately put into use in your penetration tests.

- Mark Baggett