SANS OnDemand - 45+ Courses Available Today - View a Demo for an Hour of Free Content

Zurich 2017

Zurich, Switzerland | Mon, May 15 - Sat, May 20, 2017
This event is over,
but there are more training opportunities.

SEC560: Network Penetration Testing and Ethical Hacking

Mon, May 15 - Sat, May 20, 2017

SEC560 is one of the best SANS courses I've taken. Extremely knowledgeable instructor with a great way of relating topics to students so they understand!

Ryan Gurr, NuScale Power

This is one of the most complete technical courses I have ever taken. The Capture The Flag event really helped pull it all together.

Thomas Hart, Hart Consulting

As a cybersecurity professional, you have a unique responsibility to find and understand your organization's vulnerabilities and to work diligently to mitigate them before the bad guys pounce. Are you ready? SEC560, the flagship SANS course for penetration testing, fully arms you to address this duty head-on.


With comprehensive coverage of tools, techniques, and methodologies for network penetration testing, SEC560 truly prepares you to conduct high-value penetration testing projects step-by-step and end-to-end. Every organization needs skilled information security personnel who can find vulnerabilities and mitigate their effects, and this entire course is specially designed to get you ready for that role. The course starts with proper planning, scoping and recon, then dives deep into scanning, target exploitation, password attacks, and web app manipulation, with over 30 detailed hands-on labs throughout. The course is chock full of practical, real-world tips from some of the world's best penetration testers to help you do your job safely, efficiently...and masterfully.


SEC560 is designed to get you ready to conduct a full-scale, high-value penetration test - and on the last day of the course you'll do just that. After building your skills in comprehensive and challenging labs over five days, the course culminates with a final full-day, real-world penetration test scenario. You'll conduct an end-to-end pen test, applying knowledge, tools, and principles from throughout the course as you discover and exploit vulnerabilities in a realistic sample target organization, demonstrating the knowledge you've mastered in this course.


You will learn how to perform detailed reconnaissance, studying a target's infrastructure by mining blogs, search engines, social networking sites, and other Internet and intranet infrastructures. Our hands-on labs will equip you to scan target networks using best-of-breed tools. We won't just cover run-of-the-mill options and configurations, we'll also go over the lesser known but super-useful capabilities of the best pen test toolsets available today. After scanning, you'll learn dozens of methods for exploiting target systems to gain access and measure real business risk. You'll dive deep into post-exploitation, password attacks, and web apps, pivoting through the target environment to model the attacks of real-world bad guys to emphasize the importance of defense in depth.

Course Syllabus

George Bakos
Mon May 15th, 2017
9:00 AM - 7:15 PM


In this section of the course, you will develop the skills needed to conduct a best-of-breed, high-value penetration test. We will go in-depth on how to build penetration testing infrastructure that includes all the hardware, software, network infrastructure, and tools you will need to conduct great penetration tests, with specific low-cost recommendations for your arsenal. We will then cover formulating a pen test scope and rules of engagement that will set you up for success, including a role-play exercise. We'll also dig deep into the reconnaissance portion of a penetration test, covering the latest tools and techniques, including hands-on document metadata analysis to pull sensitive information about a target environment, as well as a lab using Recon-ng to plunder a target's DNS infrastructure for information such as the anti-virus tools the organization relies on.

  • A Tour of the SANS Slingshot Penetration Testing Virtual Machine
  • Formulating an Effective Scope and Rules of Engagement
  • Document Metadata Treasure Hunt
  • Utilizing Recon-ng to Plunder DNS for Useful Information

CPE/CMU Credits: 7

  • The Mindset of the Professional Pen Tester
  • Building a World-Class Pen Test Infrastructure
  • Creating Effective Pen Test Scopes and Rules of Engagement
  • Detailed Recon Using the Latest Tools
  • Effective Pen Test Reporting to Maximize Impact
  • Mining Search Engine Results
  • Document Metadata Extraction and Analysis

George Bakos
Tue May 16th, 2017
9:00 AM - 5:00 PM


We next focus on the vital task of mapping the target environment's attack surface by creating a comprehensive inventory of machines, accounts, and potential vulnerabilities. We will look at some of the most useful scanning tools freely available today and run them in numerous hands-on labs to help hammer home the most effective way to use each tool. We will also conduct a deep dive into some of the most useful tools available to pen testers today for formulating packets: Scapy and Netcat. We finish the day covering vital techniques for false-positive reduction so you can focus your findings on meaningful results and avoid the sting of a false positive. And we will examine the best ways to conduct your scans safely and efficiently.

  • Getting the Most Out of Nmap
  • OS Fingerprinting and Version Scanning In-Depth
  • The Spectacular Scapy Packet Manipulation Suite
  • The Nmap Scripting Engine
  • The Nessus Vulnerability Scanner
  • Enumerating User Accounts
  • Netcat for the Pen Tester

CPE/CMU Credits: 6

  • Tips for Awesome Scanning
  • Tcpdump for the Pen Tester
  • Nmap In-Depth: The Nmap Scripting Engine
  • Version Scanning with Nmap
  • Vulnerability Scanning with Nessus
  • False-Positive Reduction
  • Packet Manipulation with Scapy
  • Enumerating Users
  • Netcat for the Pen Tester
  • Monitoring Services during a Scan

George Bakos
Wed May 17th, 2017
9:00 AM - 5:00 PM


In this section, we look at the many kinds of exploits that penetration testers use to compromise target machines, including client-side exploits, service-side exploits, and local privilege escalation. We'll see how these exploits are packaged in frameworks like Metasploit and its mighty Meterpreter. You'll learn in-depth how to leverage Metasploit and the Meterpreter to compromise target environments. We'll also analyze the topic of anti-virus evasion to bypass the target organization's security measures, as well as methods for pivoting through target environments, all with a focus on determining the true business risk of the target organization.

  • Client-Side Attacks with Metasploit
  • Exploiting Network Services and Leveraging the Meterpreter
  • Evading Anti-Virus Tools with the Veil Framework
  • Metasploit Databases and Tool Integration
  • The Dilemma of Shell versus Terminal Access Illustrated
  • Bypassing the Dilemma with Pivoting Relays

CPE/CMU Credits: 6

  • Comprehensive Metasploit Coverage with Exploits/Stagers/Stages
  • Strategies and Tactics for Anti-Virus Evasion
  • In-Depth Meterpreter Analysis, Hands-On
  • Implementing Port Forwarding Relays for Merciless Pivots
  • How to Leverage Shell Access of a Target Environment

George Bakos
Thu May 18th, 2017
9:00 AM - 5:00 PM


Once you've successfully exploited a target environment, penetration testing gets extra exciting as you perform post-exploitation, gathering information from compromised machines and pivoting to other systems in your scope. This section of the course zooms in on pillaging target environments and building formidable hands-on command line skills. We'll cover Windows command line skills in-depth, including PowerShell's awesome abilities for post-exploitation. We'll see how we can leverage malicious services and the incredible WMIC toolset to access and pivot through a target organization. We'll then turn our attention to password guessing attacks, discussing how to avoid account lockout, as well as numerous options for plundering password hashes from target machines including the great Mimikatz Kiwi tool. Finally, we'll look at Metasploit's fantastic features for pivoting, including the msfconsole route command.

  • Windows Command Line Challenges
  • Creating Malicious Services and Leveraging the Wonderful WMIC Toolset
  • PowerShell for Post-Exploitation
  • Password Guessing with THC-Hydra
  • Metasploit Psexec and Hash Dumping
  • Metasploit Pivoting and Mimikatz Kiwi for Credential Harvesting

CPE/CMU Credits: 6

  • Windows Command Line Kung Fu for Penetration Testers
  • PowerShell's Amazing Post-Exploitation Capabilities
  • Password Attack Tips
  • Account Lockout and Strategies for Avoiding It
  • Automated Password Guessing with THC-Hydra
  • Retrieving and Manipulating Hashes from Windows, Linux, and Other Systems
  • Pivoting through Target Environments
  • Extracting Hashes and Passwords from Memory with Mimikatz Kiwi

George Bakos
Fri May 19th, 2017
9:00 AM - 5:00 PM


In this section of the course, we'll go even deeper in exploiting one of the weakest aspects of most computing environments: passwords. You'll custom-compile John the Ripper to optimize its performance in cracking passwords. You'll look at the amazingly full-featured Cain tool, running it to crack sniffed Windows authentication messages. We'll see how Rainbow Tables really work to make password cracking much more efficient, all hands-on. And we'll cover powerful "pass-the-hash" attacks, leveraging Metasploit, the Meterpreter, and more. We then turn our attention to web application pen testing, covering the most powerful and common web app attack techniques with hands-on labs for every topic we address. We'll cover finding and exploiting cross-site scripting (XSS), cross-site request forgery (XSRF), command injection, and SQL injection flaws in applications such as online banking, blog sites, and more.

  • Custom Compiling and Leveraging John the Ripper to Crack Passwords
  • Sniffing Windows NTLM Authentication and Cracking It with Cain
  • Rainbow Table Attacks with Ophcrack
  • Pass-the-Hash Attacks with Metasploit and the Meterpreter
  • Scanning Web Servers with Nikto
  • Using the ZAP Proxy to Manipulate Custom Web Applications
  • Exploiting Cross-Site Request Forgery Vulnerabilities
  • Attacking Cross-Site Scripting Flaws
  • Leveraging Command Injection Flaws
  • Exploiting SQL Injection Flaws to Gain Shell Access of Web Targets

CPE/CMU Credits: 6

  • Password Cracking with John the Ripper
  • Sniffing and Cracking Windows Authentication Exchanges Using Cain
  • Using Rainbow Tables to Maximum Effectiveness
  • Pass-the-Hash Attacks with Metasploit and More
  • Finding and Exploiting Cross-Site Scripting
  • Cross-Site Request Forgery
  • SQL Injection
  • Leveraging SQL Injection to Perform Command Injection
  • Maximizing Effectiveness of Command Injection Testing

George Bakos
Sat May 20th, 2017
9:00 AM - 5:00 PM


This lively session represents the culmination of the network penetration testing and ethical hacking course. You'll apply all of the skills mastered in the course so far in a full-day, hands-on workshop during which you'll conduct an actual penetration test of a sample target environment. We'll provide the scope and rules of engagement, and you'll work with a team to achieve your goal of finding out whether the target organization's Personally Identifiable Information (PII) is at risk. As a final step in preparing you for conducting penetration tests, you'll make recommendations about remediating the risks you identify.

  • A Full-Day Exercise Applying What We've Learned Throughout the Course
  • Modeling a Penetration Test Against a Target Environment

CPE/CMU Credits: 6

  • Applying Penetration Testing and Ethical Hacking Practices End-to-End
  • Scanning
  • Exploitation
  • Post-Exploitation
  • Merciless Pivoting
  • Analyzing Results

Additional Information


To get the most value out of this course, students are required to bring their own laptop so that they can connect directly to the workshop network we will create. It is the students' responsibility to make sure the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.


You are required to bring Windows 10, 8 or 8.1 (Professional, Enterprise, or Ultimate), Windows 7 (Professional, Enterprise, or Ultimate), Windows Vista (Business, Enterprise, or Ultimate) or Windows 2008/2012 Server, either a real system or a virtual machine.

The course includes a VMware image file of a guest Linux system that is larger than 3 GB. Therefore, you need a file system with the ability to read and write files that are larger than 2 GB, such as NTFS on a Windows machine.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function, even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.


You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player 6 or later or the commercial VMware Workstation 10 or later installed on your system prior to coming to class. You can download VMware Player for free here.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation here. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on their website. No license number is required for VMware Player.

We will give you a USB full of attack tools to experiment with during the class and to take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.


You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation,VMware Player or VMware Fusion. The class does not support Virtual Box, VirtualPC, or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

  • x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
  • 4 GB RAM minimum with 8 GB or higher recommended
  • Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you)
  • 10 GB available hard-drive space
  • Any Service Pack level is acceptable for Windows 10, 8, Windows 7 or Windows Vista

During the workshop, you will be connecting to one of the most hostile networks on Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact

  • Security personnel whose job involves assessing networks and systems to find and remediate vulnerabilities
  • Penetration testers
  • Ethical hackers
  • Defenders who want to better understand offensive methodologies, tools, and techniques
  • Auditors who need to build deeper technical skills
  • Red team members
  • Blue team members
  • Forensics specialists who want to better understand offensive tactics

SANS Security 560 is the flagship penetration test course offered by the SANS Institute. Attendees are expected to have a working knowledge of TCP/IP, understand the differences between cryptographic routines such as DES, AES, and MD5, and have a basic knowledge of the Windows and Linux command lines before they step into class. While 560 is technically in-depth, it is important to note that programming knowledge is NOT required for the course. For more information on the differences between SEC560 and SEC504, see the SEC560 and SEC504 FAQS.

Why Choose Our Course?

This SANS course differs from other penetration testing and ethical hacking courses in several important ways:

  • It offers in-depth technical excellence along with industry-leading methodologies to conduct high-value penetration tests.
  • We get deep into the tools arsenal with numerous hands-on exercises that show subtle, less well-known and undocumented features that are useful for professional penetration testers and ethical hackers.
  • It discusses how the tools interrelate with each other in an overall testing process. Rather than just throwing up a bunch of tools and playing with them, we analyze how to leverage information from one tool to get the most bang out of the next tool.
  • We focus on the workflow of professional penetration testers and ethical hackers, proceeding step by step and discussing the most effective means for conducting projects.
  • The sessions address common pitfalls that arise in penetration tests and ethical hacking projects, providing real-world strategies and tactics for avoiding these problems to maximize the quality of test results.
  • We cover several time-saving tactics based on years of in-the-trenches experience of real penetration testers and ethical hacker - tasks that might take hours or days unless you know the little secrets we will cover that will let you surmount a problem in minutes.
  • The course stresses the mindset of successful penetration testers and ethical hackers, which involves balancing the often contravening forces of thinking outside the box, methodically trouble-shooting, carefully weighing risks, following a time-tested process, painstakingly documenting results and creating a high-quality final report that achieves management and technical buy-in.
  • We analyze how penetration testing and ethical hacking should fit into a comprehensive enterprise information security program.

Other Courses People Have Taken

Courses that lead in to SEC560:

Courses that are good follow-ups to SEC560:

  • Access to the in-class Virtual Training Lab for over 30 in-depth labs
  • A course USB with the SANS Slingshot Linux Penetration Testing Environment loaded with numerous tools used for all labs
  • Access to recorded course audio to help hammer home important network penetration testing lessons
  • Cheat sheets with details on professional use of Metasploit, Netcat, and more
  • Worksheets to streamline the formulation of scope and rules of engagement for professional penetration tests
  • Develop tailored scoping and rules of engagement for penetration testing projects to ensure the work is focused, well defined and conducted in a safe manner
  • Conduct detailed reconnaissance using document metadata, search engines and other publicly available information sources to build a technical and organizational understanding of the target environment
  • Utilize the Nmap scanning tool to conduct comprehensive network sweeps, port scans, Operating System fingerprinting and version scanning to develop a map of target environments
  • Choose and properly execute Nmap Scripting Engine scripts to extract detailed information from target systems
  • Configure and launch the Nessus vulnerability scanner so that it discovers vulnerabilities through both authenticated and unauthenticated scans in a safe manner, and customize the output from such tools to represent the business risk to the organization
  • Analyze the output of scanning tools to manually verify findings and perform false positive reduction using Netcat and the Scapy packet crafting tools
  • Utilize the Windows and Linux command lines to plunder target systems for vital information that can further overall penetration test progress, establish pivots for deeper compromise and help determine business risks
  • Configure the Metasploit exploitation tool to scan, exploit and then pivot through a target environment in-depth
  • Conduct comprehensive password attacks against an environment, including automated password guessing (while avoiding account lockout), traditional password cracking, rainbow table password cracking and pass-the-hash attacks
  • Launch web application vulnerability scanners such as ZAP and then manually exploit Cross-Site Request Forgery, Cross-Site Scripting, Command Injection and SQL injection attacks to determine the business risks faced by an organization

"SANS is really the only information security training available and is therefore valuable on its own. The wide subject areas, relating to pen-testing, are what makes SEC560 particularly valuable." - Nicholas Capalbo, Federal Reserve of New York

"I think if you genuinely want to learn how exploitation techniques work and how to properly think like a hacker, it would be silly not to attend." - Mark Hamilton, McAfee

Author Statement

I love teaching this course because it provides a comprehensive dive into the methodologies used to attack target environments. Our focus is always on understanding the attacks in depth while maximizing the business value of a penetration test through technical excellence with a business understanding. Successful penetration testers don't just throw a bunch of hacks against an organization and regurgitate the output of their tools. Instead, they need to understand how these tools work in depth, and conduct their test in a careful, professional manner. This course explains the inner workings of numerous tools and their use in effective network penetration testing projects. When teaching the class, I particularly enjoy the numerous hands-on exercises culminating with a final pen-testing extravaganza lab.

- Ed Skoudis