SANS Penetration Testing

Got What It Takes for SEC760? Check Out this Short Quiz

[Editor's Note: SEC760 is our most intense, advanced, and challenging penetration testing course and it's amazing! To help people determine whether they have the background skill set to prepare them for the course, Steve Sims (author of the course) wrote a pretty cool little quiz. The brief, 10-question quiz will give you an idea of what you need to know to take the course, and it'll also help you measure your own skills. Check out Steve's description of the course below, take the quiz, and then see how you stack up in preparedness for the course! -Ed.]

I wanted to provide some information about "SANS SEC760: Advanced Exploit Development for Penetration Testers". The course was written as a follow-on to "SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking," for those wanting more knowledge and experience in exploit development. There has been a lot of growth in this area and many organizations are looking for professionals with this skill set in order to perform bug hunting, determine bug exploitability, and possess the ability to write exploits against applications running on modern operating systems. Even if your current position does not have you spending your days writing exploits, the subject matter covered is very relevant for:

  • Senior Penetration Testers
  • Senior Incident Handlers and Forensics Experts
  • Senior Windows Security Professionals (especially those responsible for patch management and selecting tools such as EMET to deploy.)
  • Senior Intrusion Analysts (IDS/IPS/AV/Linux/Windows/OSX)
  • C & C++ Developers
  • Professionals responsible for a Secure-SDLC & SDL process
  • Your future position in exploit research!

SEC760 is a very challenging course covering topics such as remote debugging with IDA, writing IDAPython & IDC scripts, SDL & threat modeling, Linux heap overflows, patch diffing, use-after-free attacks, Windows Kernel debugging and exploitation, and much more. Please see the course syllabus for a detailed listing, and be sure to take a look at the recommended prerequisites and laptop requirements. You are expected to already know how to write exploits for Windows and Linux applications, bypass exploit mitigation controls such as DEP and ASLR, utilize return oriented programming (ROP), etc?

As the author of the course, I get a lot of questions, including:

  • Am I ready for SEC760?
  • Should I take SEC660 first?
  • I've taken SEC660. Am I definitely ready for SEC760?
  • I've taken SEC560. Can I jump right to SEC760 if I only want the exploit dev material?
  • I have not taken any SANS pen testing courses, which one should I start with?
  • I've taken a course through Offensive Security, is the material the same?

There is no "one size fits all" reply to these types of questions, as everyone has a different level of experience. My personal recommendation is to thoroughly read through the course syllabus and prerequisite statements for any course you are considering. I am happy to answer any questions you may have about this subject matter to help you make an informed decision. You can reach me, Stephen Sims, at stephen@deadlisting.com.

I have written a ten question exam which will hopefully help you with determining if you are better suited for SEC660 or SEC760. Remember that this is purely from an exploit development perspective. SEC660 includes two days of material on introduction to exploit development and bypassing exploit mitigation controls. Much of the other material in SEC660 is on a wide range of advanced penetration testing topics such as network device exploitation (routers, switches, NAC), pentesting cryptographic implementations, fuzzing, Python, network booting attacks, PowerShell for post-exploitation, etc?
Please take the exam without any help. Do not use Google or other search engines to look up answers, ask a peer, or seek the answers by any means other than using your brain and experience. The answers along with explanations are also available in a separate link below. See how you measure up!
You can use the following as a rough guide based on the number of correct answers you achieve on your test.

  • 7/10 Correct: You are likely ready to take SEC760, given that you have exploit development experience as listed in the SEC760 course prerequisite section, such as that covered in SEC660.
  • 5/10 or 6/10 Correct: This I would consider a grey area where you may require some additional preparation to be successful in the SEC760 class, and again, you must have the exploit development experience as listed in the SEC760 course prerequisite section, such as that covered in SEC660.
  • 4/10 Correct or Lower: You are very likely not ready for SEC760 and will really benefit in taking SEC660 first. If you have already taken SEC660 and still scored below a 5/10, it is highly recommended that you work back through 660.4 and 660.5 for a refresh and try again.

Grab a pen and some paper and write down your answers to each of the ten questions below. When you are done, click on the link at the bottom to go through the answers.

Good luck with the quiz, and see you in SEC760!
Thanks!

-Stephen Sims
stephen@deadlisting.com

 

SEC760 10 Question Exam:

 

1. Which of the following functions is most commonly used to disable Data Execution Prevention (DEP) inside of a Windows 7 or Windows 8 process?
a) VirtualAlloc()
b) WriteProcessMemory()
c) VirtualProtect()
d) NtSetInformationProcess()

 

2. Windows 8 is a ____ ring processor access mode operating system?
a) 1
b) 2
c) 3
d) 4

 

3. Which of the following is the only native Ring 0 debugger?
a) WinDbg
b) GDB
c) OllyDbg
d) Immunity Debugger

 

4. Which of the following Windows 32-bit virtual addresses can a Ring 3 debugger never access?
a) 0x00000000
b) 0xFFFFFFFF
c) 0x7FFD0000
d) 0x13371337

 

5. True or False: A "return-to-libc" style of attack can be Turing-complete without the need to load external code?

 

6. In a 64-bit Windows application, the RBP register is most commonly used for which of the following purpose?
a) General Purpose Register
b) Base Pointer on the Stack
c) Pointer to Driver I/O
d) Extension of the Stack Pointer

 

7. Which of the following would properly result in C++ function overloading? (Choose Two)
a) Same function name, different data types
b) Same function name, different number of arguments
c) Same function name, different buffer size
d) Same function name, different number of virtual functions

 

8. Which of the following stack pivot gadgets would not preserve a pointer to the original stack frame in eax?
a) push eax
mov eax, esp
pop esp
retn
b) xchg esp, eax
pop eax
push esp
retn
c) mov ebp, eax
mov eax, esp
mov esp, ebp
retn
d) xchg esp, eax
retn

 

9. Consider the following code:
int x_value = 99;
int* x = &x_value;
Which of the following lines of code would properly dereference "x" to get the value of "x_value?"
a) cout << &x;
b) cout << *x;
c) cout << **x;
d) cout << *&x;

 

10. Consider the following ASM:
mov eax, cr3
mov cr3, eax
Which of the following is the result of the above execution?
a) Nothing at all
b) The page directory is simply copied
c) Timing operation
d) Translation Lookaside Buffers are flushed

 

For the answers and a brief explanation of each, please click here.

 

SANS Note:

For a listing of upcoming opportunities to take "SANS SEC760: Advanced Exploit Development for Penetration Testers,

Visit: https://www.sans.org/sec760

760_StephenSims9

 

SANS OnDemand - Online Training:

OnDemand

  • 4-months of access to course materials, taught by authors of the course
  • Pause | Play | Rewind
  • Hands-on labs
  • Support from subject-matter-experts in case of questions
  • Checkpoint quizzes to help you better grasp the material
  • Learn more about SANS OnDemand Training: https://www.sans.org/ondemand/

4 Comments

Posted September 5, 2013 at 6:52 PM | Permalink | Reply

Andrew C

Question 4 is ambiguous. Answer C is in the 64KB reserved region at the boundary of usermode and the kernel and a debugger would not be able to access (read) at that region.
This page has some discussion with references: http://forum.sysinternals.com/0x7ffe0000-what-is-in-it_topic10012.html

Posted September 5, 2013 at 6:54 PM | Permalink | Reply

Andrew C

As a follow up to my previous comment, the address in answer C is accessible when the "/3GB" switch is given as well.

Posted September 5, 2013 at 8:40 PM | Permalink | Reply

Stephen Sims

Hello Andrew.
Great catch about the ambiguity with Question 4. It's definitely one of those questions that could cause someone to struggle between it and another answer. I'll work on changing that option.
Thanks!
Steve

Posted September 5, 2013 at 9:19 PM | Permalink | Reply

Stephen Sims

Okay, question 4 has been updated.
Thanks!
Steve

Post a Comment






Captcha


* Indicates a required field.