2019 Apr 8

Stylized, rainbow-colored text saying "GIAC CERTIFIED"

I’m a threat hunter. Previously, I was a SecOps analyst, and before that I helped companies use technology more securely. The entirety of my work experience in infosec has consisted of purely defensive, ‘blue team’ roles. I’ve never been a penetration tester, and any of the offensive, ‘red team’ skills I possess were developed through nothing but curiosity, reading, and experimenting (read: dabbling) in my free time. Like many other defensive infosec professionals, though, I understand how thinking like an attacker, knowing their methods, and being practiced in the offensive arts are all irreplaceable competencies that unquestionably enhance the quality of my work.

Lately, I’ve been pursuing this knowledge more deliberately, so I decided to take the SANS SEC560 course on Network Penetration Testing and Ethical Hacking. As it turns out, the training was well worth the time and money. Moreover, I used what I learned to take the GIAC GPEN certification exam two weeks ago, and I passed! Here’s proof.

This post describes my personal experience taking SEC560, my methods for studying the course content, and the exam preparation methodology that worked for me.

  1. Take SANS SEC560
  2. Study the Courseware Iteratively
  3. Create a Simple Index
  4. Write Usable Notes
  5. Measure your Practice Exams
  6. Take the GPEN Exam

Take SANS SEC560

SANS SEC560 wasn’t the first offensive or penetration testing training I’ve taken, but it WAS my first ever SANS training. I have to say that this was easily the highest-quality infosec course I've taken to date. Not only were the instructors incredibly helpful, but the written content and hands-on lab exercises were very clear, useful, and obviously developed over many, many years of fine-tuning.

If you want to improve your pentesting skills, and you get the chance to take this course, you really should. I wouldn’t have passed the GPEN exam without such well-composed courseware, but I also learned a TON of ‘gotchas’ regarding the various tools (e.g. tcpdump command line flags), methods (UDP scanning response behaviors, hash dumping, etc.), and attack phases of which I, even as a recent student of other offensive training courses, was still blissfully unaware.

Preparing for the Course

In the course description, the SANS website lists knowledge of TCP/IP, cryptographic routines (DES, AES, and MD5), and Windows and Linux command line usage as prerequisites for SEC560, but I think that also having prior experience with netcat, nmap, and Metasploit aided me quite a bit, too. Make yourself very familiar with these programs BEFORE you start the course. You can do so by reading their manual pages, playing around with command options while running them, and/or reading other supplemental texts in anticipation of using them heavily during the course. My previous firsthand experience generating payloads with msfvenom and handling reverse shells in msfconsole saved me lots of time and frustration during the exploitation exercises. Consider taking a day or two to become acquainted with these tools in particular if you aren’t already.

Screenshot of Metasploit terminal window

For msfvenom, it’s difficult to know all the payload and encoding options that are available, because there are just so many from which to choose. I’ve found that outputting these lists to text files for grepping was a quicker solution than running the program each time. You can execute the following command to generate the files for yourself:

msfvenom --list payloads > venom-payloads.txt && msfvenom --list encoders > venom-encoders.txt

Once you have the lists stored as files you can run grep to find the payload or encoder you need. For example, you can search for a reverse Meterpreter payload for a Windows target that uses HTTPS for C2 via this grep command:

grep windows venom-payloads.txt | grep meterpreter | grep "reverse_https"

Part of your output will list matching payload names such as windows/meterpreter/reverse_https and windows/x64/meterpreter/reverse_https, each followed by a one-line description. Note that the third grep also matches the stageless variant, windows/meterpreter_reverse_https, whose name joins the stage and the stager with an underscore instead of a slash.

If you need more details about a given payload you can copy/paste the outputted payload string into this command:

msfvenom --payload {STRING} --payload-options
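The same lookup can be scripted once the list is cached to disk. The block below is an added example for this post (it is not course material or the author's own tooling): it parses the table that msfvenom --list payloads prints, filters it the way the chained greps above do, and additionally distinguishes x64 from x86 payloads and staged (meterpreter/reverse_https) from stageless (meterpreter_reverse_https) names. The payload names in SAMPLE_LISTING are real, but the listing itself and its abbreviated descriptions are constructed so the script runs without msfvenom installed; the arch-token set and the staged/stageless heuristic are assumptions noted in the code.

```python
"""Filter a cached `msfvenom --list payloads` listing without rerunning msfvenom.

Added example for this post; it is not course material or the author's code.
SAMPLE_LISTING is a constructed excerpt that mimics msfvenom's table layout
(the payload names are real, the descriptions are abbreviated here).
"""

SAMPLE_LISTING = """\
Framework Payloads (5 total) [--payload <value>]
================================================

    Name                                   Description
    ----                                   -----------
    linux/x86/meterpreter/reverse_tcp      Inject the mettle server payload (staged)
    windows/meterpreter/reverse_https      Inject the meterpreter server DLL (staged), tunnel over HTTPS
    windows/meterpreter_reverse_https      Connect back and spawn a Meterpreter shell (stageless)
    windows/x64/meterpreter/reverse_https  Inject the meterpreter server DLL (staged x64), tunnel over HTTPS
    windows/x64/shell_reverse_tcp          Connect back and spawn a command shell (stageless x64)
"""

# Architecture path components seen in msfvenom payload names. This set is an
# assumption used only by the staged/stageless heuristic below.
ARCH_TOKENS = {"x86", "x64", "x86_64", "aarch64", "armle", "armbe",
               "mipsle", "mipsbe", "mips64", "ppc", "ppc64", "sparc"}


def parse_listing(text):
    """Return [(name, description)] from a `--list payloads` table.

    Everything up to and including the '----' underline row is header;
    each later non-empty line is '<name> <whitespace> <description>'.
    """
    entries = []
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if not in_table:
            in_table = stripped.startswith("----")
            continue
        if not stripped:
            continue
        name, _, desc = stripped.partition(" ")
        entries.append((name, desc.strip()))
    return entries


def is_staged(name):
    """Heuristic: staged payloads name the stage and the stager as separate
    path parts (meterpreter/reverse_https); stageless payloads fuse them with
    an underscore (meterpreter_reverse_https). Drop the platform (two parts
    for cmd/*) and any arch token, then count what is left."""
    parts = name.split("/")
    platform_len = 2 if parts[0] == "cmd" else 1
    rest = [p for p in parts[platform_len:] if p not in ARCH_TOKENS]
    return len(rest) >= 2


def find_payloads(entries, platform=None, arch=None, staged=None, contains=()):
    """Filter like a chain of greps, plus platform/arch/staged awareness.

    contains: substrings that must all appear in the payload name.
    arch: "x64" keeps names with an x64 component, "x86" drops them
    (windows/... and linux/x86/... payloads are the 32-bit ones).
    """
    matches = []
    for name, _desc in entries:
        parts = name.split("/")
        if platform and parts[0] != platform:
            continue
        if arch == "x64" and "x64" not in parts:
            continue
        if arch == "x86" and "x64" in parts:
            continue
        if staged is not None and is_staged(name) != staged:
            continue
        if not all(token in name for token in contains):
            continue
        matches.append(name)
    return matches


def options_command(name):
    """The follow-up command to inspect a chosen payload's settings."""
    return f"msfvenom --payload {name} --payload-options"


if __name__ == "__main__":
    # For real use: entries = parse_listing(open("venom-payloads.txt").read())
    entries = parse_listing(SAMPLE_LISTING)
    for name in find_payloads(entries, platform="windows",
                              contains=("meterpreter", "reverse_https")):
        print(f"{'staged' if is_staged(name) else 'stageless':9} {name}")
    print(options_command("windows/meterpreter/reverse_https"))
```

Point it at venom-payloads.txt instead of SAMPLE_LISTING and the same functions work on the full list; the staged flag is the one worth keeping, because a listener configured for a staged payload will not catch a stageless one of the same name.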

For msfconsole, I recommend reviewing the Metasploit Fundamentals section of Offensive Security’s free, online Metasploit Unleashed course. This is by no means necessary, but going through these extra steps beforehand really worked to my advantage later on in SEC560.

Setting up a Lab

The SEC560 workbook gives you all the setup instructions you need, but I have my own tips that made the course less painful. SEC560 involves Windows quite a bit, so you’ll need to have an installation handy. I advise using a VM since snapshots are very useful for working on the system in a ‘known state’. This will reduce the chances that some random, unknown variable causes something to break. When in doubt, you can restore to a ‘clean’ snapshot before testing anything. Using snapshots will save you time especially later in the course when you execute malicious payloads.

Get a licensed copy of Windows, and install it in a VM. I like using VMware to create a ‘template VM’, make a snapshot of it, and generate linked clones from the snapshot, because it saves disk space and keeps me more organized.

VMware screenshot of shared folder setup

Take a second to set up shared folders, too. Make a folder containing the decompressed items from the USB drive that SANS gives you, and configure it to be accessible from both your Windows and Slingshot VMs. I set mine to allow both read AND write operations from both VMs so I could utilize it for simplified, bi-directional file transfer during the labs.

Lastly, pay attention to which networking mode your VM is using, and confirm that bridged networking is in effect for the network scanning lab exercises. If you don’t, a large scan can exhaust your virtualization software’s NAT/PAT table, which drops or delays your targets’ response packets and ruins the accuracy of your scan results.

Budgeting Time

Fortunately, my employer allowed me to take time away from my day-to-day job responsibilities to attend SEC560 in person at the SANS Pen Test HackFest Summit. If this is your first SANS training like it was for me, then you should consider taking an in-person class. It’s not that the difficulties of self study are insurmountable or anything, but there’s just so much value in meeting the instructors, chatting with fellow students, and participating in any other events (like SANS NetWars) that you’d miss. Don’t worry if you can’t attend an in-person training, though, because the course books are great and well-suited to self study, too.

Screenshot of spreadsheet calendar

Either way, it’s crucial to dedicate uninterrupted time to focus on the course. Consider taking time away from work or school if you can. Just ensure that any major, time-consuming responsibilities can be placed on hold for a few days. Tell your partner and/or colleagues and coworkers about your goals, too. Explain to them why stepping away from your usual routine to learn pentesting is important to your success. Knowing that you have their understanding and support might be a relief that strengthens your focus on the course.

Study the Courseware Iteratively

I decided to study the SEC560 courseware three times. The first time was in-person as presented by the course instructors. Afterwards, at home and back to my usual schedule, I reviewed everything in its entirety for a second time on my own, and I took a practice test. After seeing how I did, I studied the third and final time by prioritizing items based on the practice test results.

The First Iteration

My first time looking through all of the books was during the SANS Pen Test HackFest Summit. The course instructors taught a large, in-person class of students for six intense, full-length days. The course books and exercise workbook were used quite a lot, but the real value of this first iteration was hearing all of the verbal explanations of the concepts in the course and getting assistance with the hands-on lab exercises too. The instructors did a superb job clarifying many convoluted aspects of pentesting, and their communication skills were absolutely on point.

For me, the primary goal of this first study session was full comprehension of the big picture, maximizing conceptual clarity, and completing all of the lab exercises regardless of how inefficient or needy I was. On that point, don’t be afraid to ask questions. If you don’t want to interrupt the flow of the class, but you have a real need for assistance, you can write down your questions and ask the instructors at a later time.

Fountain at Bethesda Metro Station

Photo by Edward Johnson / CC BY 2.0

I tried my absolute best to leave the summit with no major, foundational knowledge gaps and with all labs completed. Certainly, there were concepts of which I had only a shallow understanding, and my confidence in using some of the tools covered in the course was far from absolute, but I ensured that, at the end of those six days, I knew enough of the material to deepen my knowledge on my own without the need for outside help. For the labs, I stayed very disciplined during the class, and I pushed myself to complete every exercise even if I felt that I was already confident with the related tools or fully capable of completing the task. I suggest you approach the hands-on labs this way for your first study iteration too, because you’ll be better able to identify the labs that you should revisit later, and you’ll know which labs you’ve mastered and don’t need to repeat.

Believe it or not, I didn’t take many notes during this first time studying. Instead, I focused on writing down the concepts which were completely novel to me. Remember, the courseware is awesome, and it can really stand on its own. There’s little need to rewrite a given book’s text verbatim or anything. My approach at this stage was to only write down the completely new ideas I encountered in the course, and I did so in my own words and in relation to my existing pentesting knowledge hierarchy.

The Second Iteration

I returned to the SEC560 books roughly six weeks after my in-person class. Since the summit was in November I had plenty of family and holiday-related obligations, so I waited until all of that had settled down and I could get back into my uninterrupted flow. The time away was a significant factor in my favor by giving my mind time to rest, but it also helped draw my attention to the concepts I had forgotten since November.

This time my goal was to produce reliable reference materials (more detailed notes and an index) for the real GPEN exam. Like before, I wrote my notes in my own words and with due relation to my existing mental context. But this time my notes contained much more information like command line examples and deeper (but still concise) technical explanations.

Tennis court with palm trees

After six weeks away from the books a few of the concepts and tools were unfamiliar again, so I had my work cut out for me. This time around I wrote my notes to include not just new ideas but the ideas I had heard of but hadn’t fully committed to memory or internalized quite yet.

I averaged approximately three days to revisit each book (and re-do the lab exercises with which I wanted more confidence) while also writing my notes. Personally, I think that I do my best work for projects like this when I’m completely isolated from distractions and all interruptions are eliminated. At the same time I have a demanding job and other adult responsibilities that have to come first, so I put in the effort to manage my time so that my studies weren’t relegated to obscurity indefinitely. Again, having supportive people in my life really made this quite less stressful. I was able to find stretches of continuous time in my schedule that were conducive to reading without distractions, and I simply got it done. Within a few days of completing this second round I took one of my two practice exams to measure my progress.

The Third & Final Iteration

This last time poring over the course content was the quickest. I took almost four weeks off after completing the second study session and the first practice exam, and again, it was just the right amount of mental rest I needed. During this last iteration I basically only reviewed the notes I had taken, though I occasionally opened the course books to re-read a section here and there looking for the most unfamiliar items. This final round only concerned the most difficult-to-memorize aspects of pentesting that were covered in SEC560. I incorporated the practice exam results into my strategy by prioritizing the concepts, processes, and tools which had given me the most trouble. Fortunately, I didn’t need to revisit any of the lab exercises by this stage, because I felt very confident.

Books with colorful page markers

After just a few hours of reading my notes this way (over no more than two days) I took a second practice exam and compared the overall scores, category-specific scores, and the self-measurements I took during both. On the morning of my GPEN exam I utilized what I learned from this comparison to skim through my notes before I headed to the testing center.

Create a Simple Index

Making an index for the GPEN exam doesn’t need to be an overly complicated or laborious affair. The index that worked extremely well for me was nothing more than a single piece of paper with a three-column table printed on both sides. The colorful, laminated, and spiral-bound indices I’ve seen online (for other GIAC exams) look as monstrously complex as they do beautiful. Other exams very well may warrant a seemingly exhaustive index, but I found that my concise single-pager did the job just fine for the GPEN exam.

Focusing on Tools

My index was essentially a list of all the software programs, online resources, and tools that SEC560 covers. Some examples are Empire, John the Ripper, and Veil. But don’t limit your index to software alone. I also created entries for other tool-like resources such as Exploit-DB, the Google Hacking Database (GHDB), and MITRE’s CVE Repository among others. My index was very reliable during the GPEN exam, and I found myself using it much more than my notes.

An index means an alphabetical list of items with references to where those items occur, and that’s exactly what I made. In addition to listing each tool or tool-like resource from SEC560 alphabetically I also entered the page numbers from each course book in which the item was mentioned as well as the workbook exercise numbers when the tool was part of a lab.

Blur-motion photo of printed index sheet

As I tackled the second iteration of studying the course books I entered this data into a simple, three-column spreadsheet. The first column contained the tool names, the second consisted of the book and page numbers (e.g. 4.16 means page 16 in the 4th book), and the third column referenced the workbook exercise numbers. Lastly, I alternated the cell color by row (light blue worked fine) to aid in visual distinction and to reduce erroneous tool-to-page associations when reading the index.
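If you keep the raw references in a spreadsheet or CSV as you read, the alphabetizing and column-building can be automated. The following is an added example for this post, not the author's spreadsheet: it collapses repeated references for the tools that appear on dozens of pages into a single row, sorts tool names case-insensitively (so Netcat, nmap, and the nmap scripting engine sit together), and sorts the book.page references numerically, which a plain spreadsheet text sort gets wrong (it places 1.42 before 1.9). The tool names are ones the post mentions, but every page and exercise number below is constructed for illustration and is not a real SEC560 reference.

```python
"""Generate the three-column tool index (tool, book.page refs, lab refs).

Added example; not the author's spreadsheet. The references below are
constructed for illustration and are not SEC560's real page numbers.
"""
from collections import defaultdict

# Constructed sample data. Page refs use the post's "book.page" notation
# (4.16 = book 4, page 16); lab refs use "book.exercise".
PAGE_REFS = [
    ("tcpdump", "1.42"), ("tcpdump", "1.9"), ("tcpdump", "3.117"),
    ("tcpdump", "1.9"),                      # duplicate, collapsed below
    ("nmap", "2.31"), ("nmap", "2.4"),
    ("nmap scripting engine (NSE)", "2.60"),
    ("Netcat", "1.88"), ("Netcat", "5.12"),
    ("Metasploit", "3.5"), ("Metasploit", "3.102"),
    ("Meterpreter", "4.16"),
    ("Exploit-DB", "3.20"),
]
LAB_REFS = [
    ("tcpdump", "1.3"), ("tcpdump", "2.1"),
    ("nmap", "2.2"), ("Netcat", "1.4"), ("Meterpreter", "4.1"),
]


def ref_key(ref):
    """Sort 'book.page' numerically: a string sort puts '1.42' before '1.9'."""
    book, number = ref.split(".", 1)
    return (int(book), int(number))


def build_index(page_refs, lab_refs):
    """Return [(tool, pages, exercises)] sorted case-insensitively by tool.

    Duplicate references collapse, so the 'super-tools' that appear on
    dozens of pages still occupy one row each.
    """
    pages, labs = defaultdict(set), defaultdict(set)
    for tool, ref in page_refs:
        pages[tool].add(ref)
    for tool, ref in lab_refs:
        labs[tool].add(ref)
    rows = []
    for tool in sorted(set(pages) | set(labs), key=str.casefold):
        rows.append((tool,
                     ", ".join(sorted(pages[tool], key=ref_key)),
                     ", ".join(sorted(labs[tool], key=ref_key))))
    return rows


def render(rows):
    """Plain-text table with a header row, ready to print as the single-pager
    or paste into a spreadsheet."""
    header = ("Tool", "Book.page", "Exercises")
    widths = [max(len(r[i]) for r in [header, *rows]) for i in range(3)]
    lines = []
    for r in [header, *rows]:
        cells = (col.ljust(widths[i]) for i, col in enumerate(r))
        lines.append("  ".join(cells).rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_index(PAGE_REFS, LAB_REFS)))
```

Because the rows come out of build_index as plain tuples, adding the post's alternating row shading (or splitting a super-tool into several rows) is a presentation step on top of this data rather than a change to it.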

Including Non-tools

Although my index was primarily tool-oriented I DID include a handful of non-tool items, too. For example, I added the algorithms used for password hashing on Linux and Windows (DES-based and MD5-based crypt, LANMAN and NT hashes, etc.), pentesting methodology-related resources (OSSTMM, OWASP, PTES, etc.), and other concepts where I felt they were needed.

Don’t obsess over perfection here. Just exercise good judgment to identify what you’ll need to look up at exam time. When you take the practice exams you will indirectly validate that your index contains all of the tools AND non-tools that matter. Definitely feel free to modify the first version of your index after learning any lessons from taking the practice exams.

Special Cases

Certain tools feature very heavily in SEC560, and so they appear throughout multiple books on dozens of pages and page ranges, and in many more lab exercises than most of the other tools in the course. I fashioned my index to note EVERY page and exercise in which a tool is mentioned. In hindsight this was not really necessary, so my advice is to evaluate the substance or meaningfulness of the tool in the context of the given chapter topic or lab.

For example, according to my index, tcpdump is referenced in three different course books within six distinct sets of pages, and the student is instructed to run this tool in seven separate lab exercises. Having such an exhaustive list of references in your index might seem like the best, most thorough thing to do, but it actually ended up being somewhat counterproductive since not every reference was substantive. At exam time looking up tcpdump-related details or command line usage examples was less time-efficient than I had hoped.

Screenshot of tcpdump man page

Similarly, Metasploit appears in five books within eight page ranges and five labs, and Netcat was mentioned in four books across seven sets of pages and eight exercises. I ended up creating multiple entries for these ‘super-tools’ so I could fully capture all the page and exercise numbers without reworking my spreadsheet’s format too much. Again, just use your best judgment when putting references in your index. You might not need a notation for absolutely every reference.

Other tools require careful consideration too. For example, although Meterpreter is logically a sub-component of the Metasploit framework I decided to compose a separate index entry for Meterpreter-specific references. The same was true for Metasploit database usage as well. My index also had distinct entries for nmap and the nmap scripting engine (NSE), too.

Write Usable Notes

The final draft of my notes, the only other reference materials I took to the GPEN exam aside from my index and the course books, consisted of nine pieces of paper. Like the index, this resource doesn’t have to be complicated or take a lot of time to develop. If you take notes as you iterate over the courseware then this step is mostly about formatting your text wisely.

Ordering & Organizing

My notes followed the order of the SEC560 course books, and I took notes for every section from each book with only a few exceptions. The first page of my notes was a table of contents, and it listed the five main topics each book represented and the subsections of each. I enabled page numbers at the bottom of each page, and once the formatting and text styling were both finalized, I went back to the table of contents and typed in the page ranges for the five primary topics and the page numbers for each subsection.

Angled photo of a table of contents

Pay attention when you’re reading the course books, especially in the later topics, for concepts that are best thought of as lists. For example, in the Post-exploitation & Pivoting topic, the course describes a number of methods to execute commands or programs on remote Windows machines. I decided to organize this in my notes as a numbered list with a brief description of each method. Furthermore, each of these lateral movement methods involves a series of steps that must be completed in a certain order (first establish an SMB connection, then create a new service, then start the service, etc.), and so this was also easier to visually parse as a list in my notes as opposed to a stream of sentences. Be on the lookout for listable aspects throughout the whole course, and format them this way (even if they aren’t presented to you in list format in the books) when making your notes.

Maximizing Readability

The easier it is for you to quickly read your notes the more productively you’ll use them to answer challenging questions during the exam. Therefore, when formatting your notes in preparation for your real GPEN attempt (and even the practice exams, too) DO NOT fail to adequately distinguish text that conveys ideas and technical descriptions from instructive text that demonstrates command line values. Consider using an entirely different font or style, and/or utilize spacing to markedly separate the command text from your prose.

Paper with scribbles

“Pen-testing Scrap” by Quinn Dombrowski / CC BY-SA 2.0

I was good to myself by clearly indicating the beginning of new topics and subsections by using appropriate font sizes, styles (bold and underlined text) and newline-based spacing. I paid mind to the requirement that all reference materials be in printed form during the GPEN exam, and so I entered in more newlines to start topics and subsections on the next page so that navigating my papers was more straightforward.

Measure your Practice Exams

I received two practice exams with my purchase of a GPEN certification attempt. I took them both, and I strongly recommend that you do the same. You are not permitted to copy or retain the questions or related practice exam content, but they DO provide detailed, articulate guidance regarding each question, which answer is correct, and how to arrive at the correct answer. I greatly benefited from this guidance for both the questions I answered incorrectly and the ones I got right but with which I still didn’t feel confident.

When you complete a practice exam you will receive a summary report that displays your pass/fail status, your score, the amount of time you took to finish, your performance rating for 16 categories (Reconnaissance, Vulnerability Scanning, Exploitation Fundamentals, etc.) out of five stars, and more. This report is nice to have, but I found that measuring my results in a more granular way was far more helpful. In fact, there are certain details regarding your level of comprehension and test performance that a website alone simply can’t capture. I’ll discuss how I took and capitalized on these measurements too.

What & How to Measure

There are three aspects on the practice exams that I noted for each response I gave:

  1. Lookups: Did I have to look up the answer using my index, notes, or the SEC560 books?
  2. Confidence: Was I confident in my answer before I finalized it, or was it more of a guess?
  3. Correctness: Did I answer correctly?

Before I began each practice exam, I opened a basic, three-column spreadsheet and created a heading for each aspect. Once the exam started and I provided my answers, I utilized the spreadsheet to keep track of how many responses I had to look up, how many I provided without full confidence, and how many I got wrong. Since I didn’t want to waste any of my limited exam time I recorded these measurements as quickly as possible. A simple one or zero in each column was enough for me to work with later.

Screenshot of a three-column spreadsheet

Once each exam ended I read over the table of contents in my notes and compiled a list of the course topics I felt I should revisit to improve my performance. If you try this approach for yourself please take care to not copy or retain any exam data whatsoever. Doing so is not allowed, and you’d be shortchanging yourself by not actually learning anyway. So don’t copy and paste any text from the practice exams, don’t take any screenshots, and don’t rewrite parts of the questions, the guidance, or the actual answer you gave. Focus on remembering the general topics to which your incorrect or not-so-confident answers corresponded, and review these areas as needed.

The First Practice Exam

After completing my second iteration through the SEC560 course books I attempted my first practice exam. I didn’t wait more than a few days between when I finished studying and when I took this exam, because I wanted to see how well I did with everything still fresh in my mind.

Before the exam started, I freed my workspace from any and all distractions. I printed out my index on paper, but I decided to keep my notes in digital form at this stage since I hadn’t finished formatting the text yet. I placed the stack of the six topic-specific course books to one side of my laptop and I put the workbook and index on the other.

A laptop with spiral-bound books to both sides

When I took this first practice exam I recorded my self-measurements as I answered each question. I used my index, I flipped through the coursebooks, and I jumped from screen to screen when switching focus from the exam question, my digital notes, and my spreadsheet of self-measurements.

The Second Practice Exam

A few weeks after the first practice exam (the day before I attempted the real GPEN) I took my second practice exam, and it was a nearly identical experience in terms of my approach and process. The main difference is that I completed this second exam after my third and final study session, I changed a few of my index entries and notes based on results from the first practice exam, and I printed both my index and my notes on paper. I wanted this final practice to be as realistic and similar to the actual GPEN exam as possible.

Like before I kept my own measurements of how readily I answered each question, how confident I was, and whether or not each response was correct. But, after the final practice, I now had two sets of measurements, and I could compare them to understand my performance over time. In my case I noticed a sharp reduction in lookups and a significant increase in the number of correct answers provided confidently.

Two line charts showing data

Funnily enough, I got the exact same score on both practice exams (96%), but if I hadn’t recorded my self-measurements I would have only had a vague feeling of superiority without any numbers or data to back it up. Either way, I think my experience shows the value of the practice exams AND how the iterative approach to studying the courseware (in my case the third iteration in particular) can have a profoundly positive impact on testing performance.
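The three 0/1 columns from the “What & How to Measure” section are enough to compute the numbers the summary report leaves out, and to compare two sittings the way this section does. The block below is an added example for this post, not the author's spreadsheet: it takes the per-answer lookup, confident, and correct flags for two sittings, reports how many right answers were confident versus lucky guesses and how many confident answers were wrong, lists the question numbers to map back to your table of contents, and diffs the two sittings. Both sittings are constructed flag strings (nothing from any real question is recorded), built so that the score is 96% both times while the lookups fall and the confident-correct count rises, matching the pattern described above.

```python
"""Score a practice-exam self-measurement sheet and compare two sittings.

Added example; the two sittings below are constructed 0/1 flag strings, not
real exam data (only the three per-answer flags the post describes are kept).
"""


def records(lookup, confident, correct):
    """Turn three equal-length 0/1 strings into per-question flag tuples.

    One character per question, in exam order: lookup (needed the index,
    notes or books), confident (not a guess), correct.
    """
    assert len(lookup) == len(confident) == len(correct)
    return [(int(a), int(b), int(c)) for a, b, c in zip(lookup, confident, correct)]


# Constructed sittings: same 96% score, very different feel.
EXAM_1 = records(
    "1111111111110000000000000",   # 12 lookups
    "0000000001111111111111111",   # 16 confident answers
    "0111111111111111111111111",   # 24/25 correct
)
EXAM_2 = records(
    "1111000000000000000000000",   # 4 lookups
    "1111111111111111111110000",   # 21 confident answers
    "1111111111111111111111110",   # 24/25 correct
)


def summarize(recs):
    """Totals the score report does not give you."""
    total = len(recs)
    correct = sum(c for _, _, c in recs)
    return {
        "total": total,
        "score_pct": round(100.0 * correct / total, 1),
        "lookups": sum(lk for lk, _, _ in recs),
        "confident_correct": sum(1 for _, f, c in recs if f and c),
        "lucky": sum(1 for _, f, c in recs if c and not f),          # right, but a guess
        "confident_wrong": sum(1 for _, f, c in recs if f and not c), # blind spots
    }


def review_queue(recs):
    """1-based question numbers to revisit: wrong, or answered without
    confidence. Map these back to course topics from your table of contents
    rather than recording anything about the questions themselves."""
    return [i + 1 for i, (_, f, c) in enumerate(recs) if not c or not f]


def compare(before, after):
    """Per-metric change between two sittings (after minus before)."""
    return {k: after[k] - before[k] for k in before}


if __name__ == "__main__":
    s1, s2 = summarize(EXAM_1), summarize(EXAM_2)
    for key in s1:
        print(f"{key:18} {s1[key]:>6} -> {s2[key]:>6}")
    print("revisit after sitting 2:", review_queue(EXAM_2))
```

The “lucky” and “confident_wrong” counts are the two signals the percentage hides: the first says which score is fragile, the second says where you would walk into a wrong answer on the real exam without even reaching for the index.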

Take the GPEN Exam

I can’t and won’t provide any specific details about the GPEN or its content, so in this section I’ll describe how I prepared for the exam in the hours and minutes leading up to it. I’ll also mention my general tips and advice for success while seated in front of a real, ‘live-fire’ test with a ticking clock.

I’ve taken over a dozen other IT and security-related certification exams prior to the GPEN, and for nearly every one I was lucky to be able to go to the same testing center near my home each time. Whether or not this is true for you, consider arriving roughly 15 minutes ahead of your scheduled appointment. You don’t want to rush getting to the testing site, because this could be a safety hazard, you could forget a vital reference material at home, and honestly it just causes unnecessary stress for yourself.

Getting Adequate Rest

Earlier, I mentioned that I took my second practice exam the day before my real GPEN attempt. Ultimately, I think this was the right call, but I should also clarify that I didn’t ignore my need to mentally rest and recharge. If you decide to also do a practice exam the day before the GPEN don’t neglect the number of hours of rest you’re allotting for yourself. This is a three-hour exam, and it can easily drain you of your limited energy and ability to focus. I gave myself close to 14 hours from when I finished the practice exam until my GPEN attempt was scheduled to start. You might need more or less than that.

Two dogs in one dog bed

Also, take a moment to do something not security related. Get some fresh air. Eat a good meal. Get away from screens. But whatever you do I strongly advise getting enough sleep the night before. The amount that constitutes ‘enough’ might be different for you than others, but no matter what, don’t go into your exam tired or groggy. If you’re a coffee drinker like me, and you want to have a cup before your exam that’s totally fine, but make sure you’re doing so because you want to enjoy a cup of coffee and not simply as a crude way to temporarily combat a lack of sleep.

Using Reference Materials

I relied on my index, notes, and course books A TON during the GPEN exam, and that’s totally okay. When crafting your reference materials along the way do so with quickness of lookups in mind. I probably performed over a dozen lookups for the more advanced exam questions. As long as you keep your materials readable and navigable then the number of times you need to perform a lookup isn’t so important, because each lookup could consume less than 30 seconds.

Japanese furniture assembly manuals

Photo by Travis Wise (modified) / CC BY 2.0

At the same time don’t rush to give an answer without specific reasons to worry about time. Perform any needed lookups as quickly as you can, but avoid answering questions speedily if you aren’t confident in your response. On the GPEN exam, once you submit an answer it is immutable. You can’t go back and change your answer later, so don’t guess unless you’re absolutely out of time. Even if you think you’re spending ‘too much’ time on a tough question you should still do everything you can think of to find the answer before moving ahead.

Proper Pacing

You’re allowed to take a 15 minute break if you don’t have any outstanding skipped questions. I admit that it felt a little awkward to just stop and step away from the computer, but having a few minutes to go to the restroom, clear my mind, and rest my eyes was worth it. I can’t provide any specific exam details, so I’ll just say that I chose to take the break near the end of my exam at what I consider an interesting turning point. Taking a short break really allowed me to stay focused and give the remaining challenges my re-energized and most determined effort.

A 20 mph speed limit sign

Photo by Tony Webster / CC BY-SA 2.0

Feedback & Next Steps

Call me whatever names you want to, but I actually had fun taking the GPEN exam! My experience with SANS SEC560 and attempting my first GIAC certification reaffirmed my prior belief in the quality and usefulness of the training and professional advancement opportunities provided by these organizations. I genuinely and wholeheartedly recommend SANS training to any infosec professionals looking to sharpen their skills, and I’ll definitely be taking more of their courses as soon as I can.

Do you agree or disagree with my approach? Have you also tried these tactics yourself to prepare for a GIAC exam like the GPEN? Or did you do something drastically unlike my routine that made you successful? I’m always interested in discussing best practices in anticipation for the next adventure, so let me know what you think. Thanks for reading!

Mike Iacovacci
Mike Iacovacci is an information security professional specializing in endpoint security, intrusion investigation, and security research. His efforts have prevented serious security incidents and continue to disrupt cybercrime operations and sophisticated threat actors.