Penetration testing is a multi-staged process by which an authorized consultant tests information systems and software for security vulnerabilities, and in turn demonstrates how they can be exploited. Penetration testing has become more and more challenging as vendors, developers and administrators become more aware of the threats and vulnerabilities to their information systems and software. As such, penetration testers have to stay abreast of the cutting-edge techniques used to compromise even the most modern information systems and associated mitigations. In this light, SANS Institute has developed their most technically intense course, SANS SEC 760 Advanced Exploit Development for Penetration Testers.
SANS SEC 760 Advanced Exploit Development for Penetration Testers is a six-day course that teaches the advanced techniques that are needed to compromise modern information systems. The course description states that, “Few security professionals have the skillset to discover let alone even understand at a fundamental level why the vulnerability exists and how to write an exploit to compromise it.” Therefore, topics such as threat modeling, IDA Pro, Heap Overflows, Return Oriented Shellcode, and Binary Diffing are just a few of the topics that are covered extensively. This article provides a day-to-day review of the live, in-person course which also happens to be taught by the courseware developer himself, Stephen Sims.
Special Offer for EH-Net Readers
5% OFF SANS SEC 760 as well as Any SANS Course in Any Format!
Use Coupon Code: EHN_SANS5
Who Should Take SANS SEC 760 Advanced Exploit Development for Penetration Testers?
Prerequisite knowledge of basic exploit development techniques is necessary before attending the class. Students should arrive having no problem navigating a debugger and should be able to read assembly language comfortably. Terms such as jmp esp, pop/pop/ret, return oriented programming, function pointers, vtables, and calling conventions should not be anything new and will be assumed knowledge.
Why Take SANS SEC 760?
As with penetration testing, there are times when you will hit certain plateaus in exploit development, and you would like to expand your knowledgebase; therefore, increasing the types of applications and attacks that you can pull off. Advanced Exploit Development for Penetration Testers will help you develop the skills to push beyond simple stack-based buffer overflows to reverse engineering, format string bugs, kernel exploitation, heap spraying, and heap overflows.
The Lab Setup!
As with most SANS courses, you are required to bring a laptop that contains at least 4+GB of Physical Memory, (8 – 16 GB is preferred), at least 50GB of free hard drive space, and three unpatched Windows virtual machines. A course DVD is provided that contains:
• Windows and Linux-based tools and scripts
• Working scripts and example exploits and fuzzers
• Demo and Free versions of IDA Pro
• Linux-based virtual machines
You will need administrative access to the three unpatched Windows virtual machines as various tools and programs will be installed that need administrative rights.
The course qualifies the students for 36 CPE/CMU credits and is currently only being offered in a live format. It is also considered to still in beta, as SANS is encouraging feedback on the course.
The instructor of the course was Stephen Sims, who is also the course author. Stephen is also the lead course author of SANS SEC660 – Advanced Penetration Testing, Exploits and Ethical Hacking. Stephen is a GIAC Security Expert (GSE) and holds many other recognized certifications. This is my first time having Stephen as an instructor, so it was a new experience in regards to his teaching style. Stephen has great ways of explaining the concepts, so the student can grasp them fairly easily.
Day 1 – SEC760.1: Threat Modeling, Reversing and Debugging with IDA
Day 1 was a great primer on the Microsoft Security Development Lifecycle (SDL) and how the student can not only use the process to help organizations realize their current security shortcomings in their software development practices, but also how, through a proper, well-developed SDL, organizations can achieve a solid, secure development process. Stephen gives examples of how this is typically implemented, and the students had an exercise that teaches how to think and identify a vulnerability in the current implementation of an SDL.
Day 1 continued with an intro to Hex-Rays’ IDA Pro, an interactive disassembler, debugger and simply overall powerful program. This gives students that haven’t used IDA Pro a great introduction and a chance to obtain hands-on skills with IDA. Stephen gave a great explanation on the capabilities of IDA, how IDA compares to other debuggers and disassemblers that are available, and how to navigate IDA and its various features. IDA is used throughout most of the course, so students should gain a level of comfort using IDA. If a student is not able to purchase a full, licensed copy of IDA Pro, a DVD is provided that has the free and demo versions of IDA. Day 1 ended with a module on remote debugging which is a way to debug programs, including the OS kernel, on a remote machine. Stephen covered the IDC and IDAPython extension of IDA Pro which extends the functionality of IDA using python and the C programming language.
I had always wanted to learn about IDA Pro. I have experience using other debuggers such as Ollydbg and Immunitydbg, but this course allowed me to obtain hands-on experience with IDA Pro and its very powerful features. I’m quite certain that for now on, my preferred debugging and disassembling application of choice, will be IDA Pro.
Day 2 – SEC760.2: Advanced Linux Exploitation
Day 2 covered advanced Linux exploitation, which heavily focused on the heap, how the heap works and how to exploit heap-based overflows. Stephen goes into a great deal of detail of the heap and how the free(), unlink() etc functions works. This is a great primer for those who haven’t taken the SANS SEC 660 course, and you will end up digging deeply into the content and find yourself well on your way to exploiting multiple heap-based vulnerabilities. Another interesting topic that was covered is the exploitation of the BSS Segment through the use of function pointer overwrites which is then followed by a lab that reinforces all of the concepts.
Day 2 ends with coverage of format string attacks and exploitation techniques, which is something that I have always wanted to learn and something that I feel is covered pretty well. Stephen covers the concepts in great detail, and afterwards students are given the chance to exploit a format string vulnerability in your Linux VM lab environment.
Day 2 was a real important day for me, as I don’t often practice writing exploits on Linux based systems. I have some experience writing stack-based buffer overflow exploit code for Linux vulnerabilities and bypassing exploit mitigations, but no prior heap exposure whatsoever.
Day 3 – SEC760.3: Patch Diffing, One-Day Exploits, and Return Oriented Shellcode
Day 3 was the day when students really started feeling the heat of an advanced SANS course. Class started out by briefly talking about return oriented programming (which is a prerequisite of the course) and return oriented shellcode (ROP), which is like shellcode without shellcode!!!!
One of the most interesting parts of Day 3 is the Binary Diffing / Patch Diffing in which Stephen showed us how to go about extracting the Microsoft patches, so we can diff the changes and discover the patched vulnerability. Sometimes Microsoft patches vulnerabilities without disclosing the details to the public, which is why patch diffing is such a great technique. Patch Diffing was ground-breaking for me, as I knew of the high level concept but never really understood the details of the technique. The diffing labs and exercises were geared around the professional versions of IDA, but some exercises were still available for the free and demo versions. Students will be using the binary diffing tool in conjunction with IDA like Bindiff,Patchdiff2, and others. I personally preferred the Bindiff software over the others and was willing to shell over the ~$200 for it.
Day 3 ended with exercises and labs that showed the student the process of Microsoft patch diffing and discovering 1-day vulnerabilities. The rest of the day was spent diffing different versions of Microsoft patches, which definitely helped reinforce the concepts.
I would have to say that day three was a ton of fun but also mentally exhausting for me. Patch / binary diffing opens up a whole new world not only for the discovered of 1-day vulnerabilities in Microsoft products, but also for third-party applications and software for the Windows Operating System.
Day 4 – SEC760.4: Windows Kernel Debugging and Exploitation
Day 4 was spent on another mind-numbing topic, kernel debugging. Let me take a step back and say that I have limited exposure to Windbg and have spent most of my personal time in Immunity Debugger and Ollydbg. This day, Stephen gives a great intro to Windbg, its layout, and various commands, which was just in time due to my lack of exposure to the debugger. Windbg is the best Ring0 debugger for the Windows OS, which is why it is both introduced and used for the kernel debugging for this day. We were instructed prior to attending the class, to bring various 64-bit and 32-bit version of the Windows 7 and Windows 8 operating systems which were involved in most of exercises and labs, and a Windows XP SP3 VM for some additional remote debugging. I ran into some challenges with my setup (Macbook Pro with VMware Fusion), but not only were the challenges worked through, but I believe that we came out with some additional content for those running a similar setup. Stephen provided an introduction to the kernel, its inner workings, and the relationship between Ring 3 and Ring 0 applications in a bit of detail. We were also provided some background details of how exploit techniques worked in times past and how modern-day kernel attacks are approached. This day ended with Stephen leading the labs and exercises in kernel debugging using the remote Kernel Debugging techniques that we had learned about during Day 1.
Day 4 was probably the most difficult day for me, but I’m always open for a good challenge. Well that challenge came and was conquered, but Stephen was there all of the time to help reinforce the concepts and ensure that the students were on the right track.
Day 5 – SEC760.5: Windows Heap Overflows and Client-Side Exploitation
Day 5 was all about the Windows heap. Since we had gotten a grasp of the heap on Day 2 with advanced Linux heap exploitation, it was a little easier to digest the barrage of information that Stephen teaches you during this day. My most memorable section of this day was the Use-After-Free explanations and walkthrough where you get to grasp the concepts behind Use-After-Free vulnerabilities and how to exploit these flaws.
There was little instruction on this day, since it was very heavy on the labs and exercises, which require a bit more time to complete. Stephen also covered heap spraying techniques and how they used to work on older systems and software as well as modern-day protections and attacks against the heap, such as heap Feng Shui from Alexander Sotirov. The labs and exercises were really helpful and extremely detailed in order to reinforce the concepts and get you through to successful exploitation. I really enjoy how the labs are laid out, because you are there to learn and be able to perform full exploitation even after class is over. Stephen first walked through the Windows heap using Windbg, as he helped explain some important portions of the Windows heap structures and objects. We then observed what the Use-After-Free vulnerability mentioned above would look like and why they are dangerous. The labs helped reinforce all of the information that Stephen had walked us through and are reproducible, not simply something expected to be memorized for the duration of the class. Towards the end of this day, I was mentally exhausted, and I barely had the mental fortitude to do anything of value the rest of the day. That’s what you pay for, so all is good.
Day 5 is the day that helped me understand how attackers are exploiting modern-day browser issues that aren’t so easy to find using the Use-After-Free vulnerability condition. These vulnerabilities are very subtle and takes a trained eye to discover. You won’t be able to write a trivial fuzzer to find these issues, that’s why Stephen’s explanations and walkthroughs were so helpful.
Day 6 – SEC760.6: Capture the Flag
Day 6 is all about Capture the Flag (CtF). This entire day was dedicated to putting everything that you could grasp during the previous 5 days and putting them into practice. There were a mixture of both trivia and hands-on exploitation challenges. The challenges were appropriately difficult; some were just totally out of my league (for now ). Stephen starts out the day explaining what the Capture the Flag event is all about and the rules that each student has to follow. The rest of the day was spent by students developing exploits, debugging, reverse engineering and getting frustrated. Stephen explained that frustration was part of the process and was indeed felt by the class on this day.
SANS SEC 760: Advanced Exploit Development for Penetration Testers has brought my skillset to the next level. From all of the material, explanations, labs and frustration, I’ve learned a great deal that I wouldn’t have been exposed to otherwise by any other exploit development course I’ve been to. SANS SEC 760 has taken my stack-based exploitation skillset to new heights, and my understanding of other vulnerability classes has been solidified. The explanations of heap-based and client-side exploitation was a real eye opener. I have been to many classes, read tons of papers, article, and tutorials, none of which came close to the value of this class.
There is no certification for this course as of yet. I’m hoping to see one created that would require a practical portion. SANS courses are top quality, and I’ve never left a SANS course feeling as if I wasted my time. This course was no different. If you are looking to push your skillset to the cutting edge, put “SANS SEC 760: Advanced Exploit Development for Penetration Testers” on the top of your list. You won’t be disappointed.
Victor Westbrook (CISSP, C|EH, GXPN, GPEN, GWAPT, GAWN, GREM, GCIH, GCFA, GSEC, MCSA, MCP, CCNA, CCNP-FW2, CCNP-SNRS, OSCP, OSWP, NSA-IAM, NSA-IEM), is the Founder of Offensive Logic LLC and a U.S. Army veteran. Victor has over 13+ years of experience in information security with a focus on Exploit Development, Ethical Hacking, Vulnerability Research, and Vulnerability Management. Victor regularly performs penetration testing and ethical hacking assessments for very large organization in the State, Federal and private sector and is currently a SANS mentor. Victor enjoys spending time with his Wife, reading and playing console based RPGs.