SANS Network, IT Penetration Testing, Ethical Hacking Training Courses

White Papers are an excellent source for information gathering, problem-solving and learning. Below is a list of White Papers written by penetration testing practitioners seeking certification. SANS attempts to ensure the accuracy of information, but papers are published "as is".

Errors or inconsistencies may exist or may be introduced over time. If you suspect a serious error, please contact webmaster@sans.org.

Featured Papers

This featured paper includes some really useful techniques that penetration testers should master. Read it, learn it, and live it, as you extend your skills.

Using Windows Script Host and COM to Hack Windows

Penetration Testing Whitepapers

Paper	Author	Certification
0day targeted malware attack	Villatte, Nicolas	GCIH
0x333hate.c: Samba Remote Root Exploit	Embrich, Mark	GCIH
WU-FTPD Heap Corruption Vulnerability - HONORS	Allen, Jennifer	GCIH
A Buffer Overflow Exploit Against the DameWare Remote Control Software	Strubinger, Ray	GCIH
A Guide to Encrypted Storage Incident Handling	Shanks, Wylie	GCIH
A Heap o' Trouble: Heap-based flag insertion buffer overflow in CVS	Conrad, Eric	GCIH
A J0k3r Takes Over	Larrieu, Heather	GCIH
A Management Guide to Penetration Testing	Shinberg, David	GCIH
A Picture is Worth 500 Malicious Dwords	Hall, Timothy	GCIH
A Practical Application of SIM/SEM/SIEM Automating Threat Identification	Swift, David	GCIH
A Qradar Log Source Extension Walkthrough	Stanton, Michael	GCIH
A Study of the o_wks.c Exploit for MS03-049	Arnoth, Eric	GCIH
A Two Stage Attack Using One-Way Shellcode	Mathezer, Stephen	GCIH
A Weak Password And A Windows Rootkit: A Recipe For Trouble	Ives, John	GCIH
Accessing the inaccessible: Incident investigation in a world of embedded devices	Jodoin, Eric	GCIH
AIX for penetration testers	Panczel, Zoltan	GPEN
All Your Base Are Belong To Someone Else: An Analysis Of The Windows Messenger Service Buffer Overflow Vulnerability	Hewitt, Peter	GCIH
An Analysis of Meterpreter during Post-Exploitation	Wadner, Kiel	GCIH
An Analysis of the Remote Code Execution Vulnerability as Described in Microsoft's MS05-002 Security Bulletin	Rose, Jerome	GCIH
An approach to the ultimate in-depth security event management framework	Pachis, Nicolas	GCIH
An Attacker On RPC Compromised Remote VPN Host Runs Arbitrary Code on Microsoft Exchange Server 2000	Ho, Wai-Kit	GCIH
An Incident Handling Process for Small and Medium Businesses	Pokladnik, Mason	GCIH
An Overview Of The Casper RFI Bot	O'Connor, Dan	GCIH
Analysis and Reporting improvements with Notebooks	Knowles, Ben	GCIH
Animal Farm: Protection From Client-side Attacks by Rendering Content With Python and Squid.	OConnor, Terrence	GCIH
Anna Kournikova Worm	Ashworth, Robert	GCIH
Anomaly Detection, Alerting, and Incident Response for Containers	Borhani, Roozbeh	GCIH
Apache Web Server Chunk Handling Apache-nosejob.c	Sarrazyn, Dieter	GCIH
Applying Data Analytics on Vulnerability Data	Dhinwa, Yogesh	GCIH
Are there novel ways to mitigate credential theft attacks in Windows?	Foster, James	GCIH
Attack and Defend: Linux Privilege Escalation Techniques of 2016	Long II, Michael	GCIH
Attributes of Malicious Files	Yonts, Joel	GCIH
Author Intruder Alert: Why Internal Security must not take a back seat.	Hendrick, Jim	GCIH
Auto-Nuke It from Orbit: A Framework for Critical Security Control Automation	Hainly, Jeremiah	GCIH
Automated Defense - Using Threat Intelligence to Augment	Poputa-Clean, Paul	GCIH
Automated Execution of Arbitrary Code Using Forged MIME Headers in Microsoft Internet Explorer	Winters, Scott	GCIH
Automated Security Testing of Oracle Forms Applications	Varga-Perke, Balint	GWAPT
Back-Door'ed by the Slammer	Hally, John	GCIH
BackGate Kit: The Joy of "Experts"	DePriest, Paul	GCIH
Bad ESMTP Verb Usage Equals Bad Times for Exchange	Smith, Aaron	GCIH
Baselines and Incident Handling	Christianson, Chris	GCIH
BGP Hijinks and Hijacks - Incident Response When Your Backbone Is Your Enemy	Collyer, Tim	GCIH
BIND 8.2 NXT Remote Buffer Overflow Exploit	Mcmahon, Robert	GCIH
Boiling the Ocean: Security Operations and Log Analysis	Chisholm, Colin	GCIH
Breaking Windows 2000 Passwords via LDAP Password Crackers	Hamby, Charles	GCIH
BruteSSH2 - 21st Century War Dialer	Thompson, Bill	GCIH
Buffer overflow in BIND 8.2 via NXT records	Talianek, Chris	GCIH
Burp Suite(up) with fancy scanning mechanisms	Panczel, Zoltan	GWAPT
Bypassing Malware Defenses	Christiansen, Morton	GPEN
Catch the culprit!	Perez, David	GCIH
Cisco IOS Type 7 Password Vulnerability	Massey, Lee	GCIH
Cisco Security Agent and Incident Handling	Farnham, Greg	GCIH
Combating the Nachia Worm in Enterprise Environments	Johnson, Brad	GCIH
Computer Security Education The Tool for Today	Burke, Ian	GCIH
Correctly Implementing Forward Secrecy	Schum, Chris	GCIH
Covering the Tracks on Mac OS X Leopard	Scott, Charles	GCIH
Covert Channels Over Social Networks	Selvi, Jose	GCIH
Creating a Threat Profile for Your Organization	Irwin, Stephen	GCIH
Creating Your Own SIEM and Incident Response Toolkit Using Open Source Tools	Sweeny, Jonny	GCIH
Cyber Breach Coaching	Hoehl, Michael	GCIH
Demystifying Malware Traffic	Saxena, Sourabh	GCIH
Deployment of a Flexible Malware Sandbox Environment Using Open Source Software	Ortiz, Jose	GCIH
Detecting Crypto Currency Mining in Corporate Environments	D'Herdt, Jan	GCIH
Detecting Incidents Using McAfee Products	Andrei, Lucian	GCIH
Detecting Security Incidents Using Windows Workstation Event Logs	Anthony, Russell	GCIH
Differences between HTML5 or AJAX web applications	Thomassin, Sven	GWAPT
Digital Certificate Revocation	Vandeven, Sally	GCIH
Discovering a Local SUID Exploit	Pike, Jeff	GCIH
Discovering Rogue Wireless Access Points Using Kismet and Disposable Hardware	Pesce, Larry	GAWN
DNS Sinkhole	Bruneau, Guy	GCIH
Document Metadata, the Silent Killer...	Pesce, Larry	GCIH
Donald Dick 1.55 with Last Updated GUI Component from Version 1.53	Maglich, Ryan	GCIH
DreamFTP - The Nightmare Begins!	Sorensen, Robert Peter	GCIH
Dsniff and Switched Network Switching	Bowers, Brad	GCIH
Effectiveness of Antivirus in Detecting Metasploit Payloads	Baggett, Mark	GCIH
Employees Are Crackers Too	Stapleton, Curt	GCIH
Enterprise Survival Guide for Ransomware Attacks	Mehmood, Shafqat	GCIH
Eradicating the Masses & Round 1 with Phatbot?	Fulton, Lora	GCIH
Espionage - Utilizing Web 2.0, SSH Tunneling and a Trusted Insider	Abdel-Aziz, Ahmed	GCIH
Event Monitoring and Incident Response	Boyle, Ryan	GCIH
Expanding Response: Deeper Analysis for Incident Handlers	McRee, Russ	GCIH
Exploit Analysis	Jenkinson, John	GCIH
Exploiting BlackICE When a Security Product has a Security Flaw	Gara-Tarnoczi, Peter	GCIH
Exploiting Internet Explorer via IFRAME	Becher, Jim	GCIH
Exploiting the LSASS Buffer Overflow	Wohlberg, Jon	GCIH
Exploiting the Microsoft Internet Explorer Malformed IFRAME Vulnerability	Tu, Alan	GCIH
Exploiting the SSH CRC32 Compensation Attack Detector Vulnerability	Williams, R. Michael	GCIH
Exploiting Vulnerabilities in Squirrelmail	Bong, Kevin	GCIH
False Alarm...Or Was It? Lessons Learned from a Badly Handled Incident	Graesser Williams, Dana	GCIH
First Response: An incident handling team learns a few lessons the hard way	Cragg, David	GCIH
Following Incidents into the Cloud	Reed, Jeffrey	GCIH
Forensic Analysis On Android: A Practical Case	Alonso-Parrizas, Angel	GMOB
FreeBSD 4.x local root vulnerability -- exec() of shared signal handler	Durkee, Ralph	GCIH
Freezing Icecast in its Tracks	McLaren, Jared	GCIH
From Security Perspective, the Quickest Way to Assess Your Web Application	Alduhaymi, Mohammed	GWAPT
FTP Port 21 "Friend or Foe" Support for the Cyber Defense Initiative	Karrick, Stephen	GCIH
FTP Security and the WU-FTP File Globbing Heap Corruption Vulnerability	Webb, Warwick	GCIH
Fun with Batch Files: The Muma Worm	Mackey, David	GCIH
Getting Started with the Internet Storm Center Webhoneypot	Pokladnik, Mason	GWAPT
Getting Started with the Internet Storm Center Webhoneypot	Pokladnik, Mason	GWAPT
GIAC Certified Incident Handling Practical	Yachera, Stanley	GCIH
GIAC GCIH Assignment - Pass	Harrison, Daniel	GCIH
H.O.T. \| Security	Rocha, Luis	GCIH
Hacker Techniques, Exploits, and Incident Handling	Brooker, Denis	GCIH
Hijacked Server Serves Up Foreign Bootlegged Pornography	Meyer, Russell	GCIH
Home Field Advantage: Employing Active Detection Techniques	Jackson, Benjamin	GCIH
How to Gain Control of a Windows 2000 Server Using the In-Process Table Privilege Escalation Exploit	Stidham, Jonathan	GCIH
How to identify malicious HTTP Requests	Sarokaari, Niklas	GWAPT
Human Being Firewall	Elharmeel, Muhammad	GCIH
Hunting through Log Data with Excel	Lalla, Greg	GCIH
IBM AIX invscout Local Command Execution Vulnerability - HONORS	Horwath, Jim	GCIH
ICQ URL Remote Exploitable Buffer Overflow	de Beaupre, Adrien	GCIH
Identifying and Handling a PHP Exploit	Edelson, Eve	GCIH
Identifying Vulnerable Network Protocols with PowerShell	Fletcher, David	GCIH
Identity Theft Made Easy	Huber, Eric	GCIH
IIS 5 In-Process Table Privilege Escalation Vulnerability	Fatnani, Kishin	GCIH
Illustration of VS.SST@mm Virus Incident	Smith, Kevin	GCIH
Importance of a Minor Incident: W32/Goner@MM	Legary, Michael	GCIH
In-house Penetration Testing for PCI DSS	Koster, Jeremy	GPEN
Incident Analysis in a Mid-Sized Company	Garvin, Pete	GCIH
Incident Handler Case File: A New Twist to Social Engineering	Hawkins, Ray	GCIH
Incident Handling Annual Testing and Training	Holland, Kurtis	GCIH
Incident Handling in the Healthcare Cloud: Liquid Data and the Need for Adaptive Patient Consent Management	Filkins, Barbara	GCIH
Incident Handling Preparation: Learning Normal with the Kansa PowerShell Incident Response Framework	Simsay, Jason	GCIH
Incident Handling Without Guidelines	McKellar, Neil	GCIH
Incident Illustration - Corporate Compromise	Hall, Russell	GCIH
Incident Illustration - Firewall Attack	Reed, Bill	GCIH
Incident Illustration - HTTP Services Vulnerabilities	Modelo Howard, Gaspar	GCIH
Incident Illustration - Missing Files	White, Scott	GCIH
Incident Illustration - Mstream	Gallo, Kenneth	GCIH
Incident Report for a Rootkit attack on a Fedora workstation	Norman, Bonita	GCIH
Incident Tracking In The Enterprise	Hall, Justin	GCIH
InfiniBand Fabric and Userland Attacks	Warren, Aron	GCIH
Inside-Out Vulnerabilities, Reverse Shells	Hammer, Richard	GCIH
Internet Explorer HTML Elements BoF Vulnerability	Sims, Stephen	GCIH
Introduction to the OWASP Mutillidae II Web Pen-Test Training Environment	Druin, Jeremy	GWAPT
Investigative Tree Models	Caudle, Rodney	GCIH
IOScat - a Port of Netcat's TCP functions to Cisco IOS	Vandenbrink, Robert	GCIH
IOSTrojan: Who really owns your router?	Santander Pelaez, Manuel Humberto	GCIH
IP Masquerading Vulnerability for Linux 2.2.x - CVE-2000-0289	Baccam, Tanya	GCIH
iPhone Backup Files. A Penetration Tester's Treasure	Manners, Darren	GPEN
iPwn Apps: Pentesting iOS Applications	Kliarsky, Adam	GPEN
Jolt2 or "IP Fragment Re-assembly	Beciragic, Jasmir	GCIH
KaZaA Media Desktop Virus: W32/kwbot	Will, Rita	GCIH
Knitting SOCs	Imbert, Courtney	GCIH
Let's face it, you are probably compromised. What next?	Thyer, Jonathan	GPEN
Linux NTPD Buffer Overflow	Stadler, Philipp	GCIH
Local Exploit: dtprintinfo for Solaris 2.6 and 7	Sipes, Steven	GCIH
Local Privilege Escalation in Solaris 8 and Solaris 9 via Buffer Overflow in passwd(1)	McAdams, Shaun	GCIH
Lotus Notes Penetration	Rademacher, Karl	GCIH
M@STER@GENTS: Masters of "SPAM"	Ashland, Joanne	GCIH
Malicious Android Applications: Risks and Exploitation	Boutet, Joany	GPEN
Microsoft RPC-DCOM Buffer Overflow Attack using Dcom.c	Farrington, Dean	GCIH
Microsoft Windows Cursor and Icon Format Handling Vulnerability	Perkins, Matthew	GCIH
MS IIS CGI Filename Decode Error Vulnerability	Shenk, Jerry	GCIH
Multi-Tool DVD Sets: An important addition to the Incident Handler/ Pen Tester's toolkit	Bandukwala, Jamal	GCIH
Mutated Code	Kopczynski, Tyson	GCIH
My First Incident Handling Experience	Kohli, Karmendra	GCIH
Nachi to the Rescue?	Griffith, Russ	GCIH
Neptune.c the Birth of SYN Flood Attacks	Cardinal, Steven	GCIH
Netscape Enterprise Server Denial of Service Exploit	Smith, Tony	GCIH
Network Covert Channels: Subversive Secrecy	Sbrusch, Raymond	GCIH
Nimda - Surviving the Hydra	Schmelzel, Paul	GCIH
Node Router Sensors: What just happened?	Cary, Kim	GCIH
Offensive Intrusion Analysis: Uncovering Insiders with Threat Hunting and Active Defense	Hosburgh, Matthew	GCIH
Once Bitten Twice Sly - Common Exploits Fueled by Common Mishap	Melvin, John	GCIH
One Admin's Documentation is their Hacker's Pentest	Vandenbrink, Robert	GPEN
Open Shares Vulnerability	Hill, Siegfried	GCIH
Pass - Questions	Schultz, Tim	GCIH
Pass-the-hash attacks: Tools and Mitigation	Ewaida, Bashar	GCIH
PCI DSS and Incident Handling: What is required before, during and after an incident	Moldes, Christian	GCIH
PDF Obfuscation - A Primer	Robertson, Chad	GPEN
Penetration Testing of a Secure Network	Pakala, Sangita	GCIH
Penetration Testing Of A Web Application Using Dangerous HTTP Methods	Kim, Issac	GWAPT
Penetration Testing: Alternative to Password Cracking	Catanoi, Maxim	GPEN
Phising Attack in Organizations: Incident Handlers Perspective	Ong, Leonard	GCIH
Phone Phreaking and Social Engineering	Tuey, Richard	GCIH
PHP-Nuke: From SQL Injection to System Compromise	Paynter, Eric	GCIH
phpMyAdmin 2.5.7 - Input Validation Vulnerability	Thurston, Tracy	GCIH
Polymorphic, multi-lingual websites: A theoretical approach for improved website security	Risto, Jonathan	GWAPT
Port 1433	Georgas, Mark	GCIH
Port 443 and Openssl-too-open	Lee, Chia-Ling	GCIH
Post Exploitation using Metasploit pivot & port forward	Dodd, David	GPEN
Practical El Jefe	Vedaa, Charles	GCIH
Practical OSSEC	Robertson, Chad	GCIH
Preparing to withstand a DDoS Attack	Pandya, Gaurang	GCIH
Preventing Incidents with a Hardened Web Browser	Crowley, Chris	GCIH
Pros and Cons of using Linux and Windows Live CDs in Incident Handling and Forensics	Smith, Ricky	GCIH
Psychology and the hacker - Psychological Incident Handling	Atkinson, Sean	GCIH
Quick and Effective Windows System Baselining and Comparative Analysis for Troubleshooting and Incident Response	Fuller, Kevin	GCIH
Ramen Worm	Ives, Millie	GCIH
Rapid Triage: Automated System Intrusion Discovery with Python	Bond, Trenton	GCIH
Real Network's Remote Server Remote Root Exploit	Lastor, Michael	GCIH
Real World ARP Spoofing	Siles, Raul	GCIH
Relative Shell Path Vulnerability	Evans, Earl	GCIH
Remote Access Point/IDS	Kee, Jared	GCIH
Remote Exploitation of Icecast 2.0.1 Server	Pittner, Jakub	GCIH
Responding to Zero Day Threats	Kliarsky, Adam	GCIH
Reverse Engineering Srvcp.exe	Zeltser, Lenny	GCIH
Revisiting the Code Red Worm	White, Ravila	GCIH
rLogin Buffer Overflow Vulnerability - Solaris	Corredor, Juan	GCIH
Robbing the Bank with ITS/MHTML Protocol Handler	Balcik, James	GCIH
Robots.txt	Lehman, Jim	GWAPT
Scareware Traversing the World via a Web App Exploit	Hillick, Mark	GCIH
Secure Design with Exploit Infusion	Yew, Wen Chinn	GCIH
Securely deploying Android devices	Alonso-Parrizas, Angel	GCIH
Securing Aviation Avionics	Panet-Raymond, Marc	GCIH
Security Incident Handling in High Availability Environments	Kibirkstis, Algis	GCIH
Session stealing with WebMin	Murdoch, Don	GCIH
Shedding Light on Security Incidents Using Network Flows	Gennuso, Kevin	GCIH
Simple Network Management Protocol: Now More than a "Default" Vulnerability	Fluharty, Daniel	GCIH
Small devices needs a large Firewall	Mastad, Paul	GCIH
SMBdie'em All - Kill That Server	Kirby, Craig	GCIH
SMS, iMessage and FaceTime security	Khalil, George	GCIH
SMTP - Always a victim of a good time	Lock, James	GCIH
SMTP Loop Moderate Denial of Service: InterScan VirusWall NT & Lotus Domino Environment	Roberts, Brian	GCIH
Solaris in.lpd Remote Command Execution Vulnerability	Seah, Meng Kuang	GCIH
Solution Architecture for Cyber Deterrence	Mowbray, Thomas	GPEN
SQL Server Resolution Service Exploit in Action	Hoover, James	GCIH
SQL Slammer and Other UDP Port 1434 Threats In support of the Cyber Defense Initiative	Ray, Edward	GCIH
Stack Based Overflows: Detect & Exploit	Christiansen, Morton	GCIH
Stay Alert While Browsing the Internet	LaValley, Jim	GCIH
Sub Seven: A Risk to Your Internet Security	Ostrowski, Paul	GCIH
Success Rates for Client Side Vulnerabilities	Risto, Jonathan	GCIH
Sun snmpXdmi Overflow	Miller, Kevin	GCIH
Support for the Cyber Defense Initiative	Fresen, Lars	GCIH
System infiltration through Mercur Mail Server 4.2	Ben Alluch Ben Amar, Jamil	GCIH
Talking Out Both Sides of Your Mouth: Streamlining Communication via Metaphor	More, Josh	GCIH
Testing stateful web application workflows	Veres-Szentkiralyi, Andras	GWAPT
Testing Web Applications for Malicious Input Attack Vulnerabilities	Grill, Robert	GCIH
The Cisco IPv4 Blocked Interface Exploit	Johnson, Cortez	GCIH
The December Storm of WMF: Preparation, Identification, and Containment of Exploits	Voorhees, James	GCIH
The enemy within: Handling the Insider Threat posed by Shatter Attacks	Layton, Meg	GCIH
The fascinating tale of a lame hacker, a Linux Box, and how I received permission to deploy my IDS	Markham, George	GCIH
The Information We Seek	Ramos, Jose	GCIH
The Integration of Information Security to FDA and GAMP 5 Validation Processes	Young, Jason	GCIH
The Microsoft IIS 5.0 Internet Printing ISAPI Extension Buffer Overflow	Clemenson, Christopher	GCIH
The Not-So Vicious Attacker	Mossholder, Matt	GCIH
The Search for "Kozirog"	Weaver, Greg	GCIH
The SirEG Toolkit	Begin, Francois	GCIH
The t0rn Rootkit	Craveiro, Paulo	GCIH
The Tactical Use of Rainbow Crack to Exploit Windows Authentication in a Hybrid Physical-Electronic Attack	Mahurin, Mike	GCIH
Tracking the Back Orifice Trojan on a University Network	Knudsen, Kent	GCIH
Traveling Through the OpenSSL Door	Murphy, Keven	GCIH
Tunneling, Pivoting, and Web Application Penetration Testing	Fraser, Gordon	GWAPT
Using Docker to Create Multi-Container Environments for Research and Sharing Lateral Movement	McCullough, Shaun	GXPN
Using DomainKeys Identified Mail (DKIM) to Protect your Email Reputation	Murphy, Christopher	GCIH
Using GUPI to Create A Null Box	Comella, Robert	GCIH
Using Open Source Reconnaissance Tools for Business Partner Vulnerability Assessment	Young, Sue	GCIH
Using OSSEC with NETinVM	Allen, Jon Mark	GCIH
Using Software Defined Radio to attack "Smart Home" systems	Eichelberger, Florian	GCIH
Using Sulley to Protocol Fuzz for Linux Software Vulnerabilities	Warren, Aron	GXPN
Using windows crash dumps for remote incident identification	Chua, Zong Fu	GCIH
Using Windows Script Host and COM to Hack Windows	Ginos, Alexander	GPEN
Utilizing "AutoRuns" To Catch Malware	McMillan, Jim	GCIH
Valentine's Surprise Firedragging in Action	de Nie, Paula	GCIH
Virtual Rapid Response Systems	Mohan, Chris	GCIH
Visualizing the Hosting Patterns of Modern Cybercriminals	Hunt, Drew	GCIH
War Pi	Christie, Scott	GCIH
Web Application File Upload Vulnerabilities	Koch, Matthew	GWAPT
Web Application Injection Vulnerabilities: A Web App's Security Nemesis?	Couture, Erik	GWAPT
Web Application Penetration Testing for PCI	Hoehl, Michael	GWAPT
Web Log Analysis and Defense with Mod_Rewrite	Wanner, Rick	GCIH
Website Security for Mobile	Ho, Alan	GWAPT
What is Santy bringing you this year? HONORS	Danhieux, Pieter	GCIH
What to do when you break WEP Wireless Security and the LAN	Poer, Geoffrey	GCIH
Which Disney© Princess are YOU?	Brower, Joshua	GCIH
Widespread SNMP Vulnerabilities	Brooks, Greg	GCIH
Windows Shell Document Viewer shdocvw.dll Feature or Trojan Horse?	Fenwick, Wynn	GCIH
Windows Media Services NSIISLOG.DLL Remote Buffer Overflow	Smith, Steve	GCIH
Winquisitor: Windows Information Gathering Tool	Cardosa, Michael	GCIH
Wireless LAN Honeypots to Catch IEEE 802.11 Intrusions	Mitchell, Gordon	GCIH
Wireless Networks and the Windows Registry - Just where has your computer been?	Risto, Jonathan	GAWN

Top

Resources: Whitepapers

Featured Papers

Latest Blog Posts

Latest Tweets @SANSPenTest

Latest Papers