SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
SEC660Offensive Operations
- 6 Days (Instructor-Led)
- 46 Hours (Self-Paced)
Course created by:
James Shewmaker & Stephen Sims
Course created by:James Shewmaker & Stephen Sims
- GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
- 46 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Advanced Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 30 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Learn advanced penetration testing skills to develop custom exploits, perform network attacks, analyze cryptographic implementations, and master advanced exploitation techniques.
Featured Quote
The quality of the labs and coursework in SEC660 showcases the value SANS training has over other providers. It was an excellent, challenging, and rewarding course.
Course Overview
Learn advanced penetration testing skills and explore sophisticated attack vectors and exploit development. This course spans network infrastructure attacks, cryptographic implementation testing, advanced post-exploitation techniques, and custom exploit writing for both Windows and Linux environments. Hands-on labs provide practical experience with fuzzing, return-oriented programming, exploit mitigation bypasses, and real-world application exploitation.
What You’ll Learn
- Advanced network attack methodologies
- Custom exploit development techniques
- Exploit mitigation bypass strategies
- Modern fuzzing implementations
- Post-exploitation advancement tactics
- Return-oriented programming mastery
- Cryptographic weakness assessment
Business Takeaways
- Enhanced threat detection capabilities
- Improved security control validation
- Reduced enterprise attack surface
- Advanced risk assessment accuracy
- Stronger application security testing
Meet Your Authors
- Slide 1 of 2
James Shewmaker
Principal InstructorJames Shewmaker, founder of Bluenotch Corporation, has over two decades of technical experience in IT, primarily developing appliances for automation and security for broadcast radio, internet, and satellite devices.
Read more about James Shewmaker - Slide 2 of 2
Stephen Sims
FellowStephen Sims, an esteemed vulnerability researcher and exploit developer, has significantly advanced cybersecurity by authoring SANS's most advanced courses and co-authoring the "Gray Hat Hacking" series.
Read more about Stephen Sims
Slide 1 of 0
(1/0)
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking.
Section 1Network Attacks for Penetration Testers
Network infrastructure in cloud environments presents unique attack vectors. In the first section, security professionals explore access manipulation, protocol exploitation, and device compromise across IPv4 and IPv6. Modern cloud setups integrate legacy components, making these skills crucial for comprehensive security testing.
Topics covered
- Network access control evasion
- Custom protocol manipulation methods
- Advanced IPv6 security implications
- TLS/SSL security considerations
- OSPF routing attack vectors
Labs
- Captive Portal Bypass
- Credential Theft
- IPv6 Attacks
- HTTP Tampering
- Router Attacks
Section 2Crypto and Post-Exploitation
In this section, security professionals explore cryptographic exploitation and post-compromise techniques in cloud environments. Topics include cipher operations, implementation flaws, privilege escalation, and lateral movement. PowerShell plays a key role in both attack and defense, especially in hybrid clouds.
Topics covered
- Cryptographic implementation testing
- CBC vulnerability exploitation
- Hash-length extension attacks
- PowerShell offensive capabilities
- Software restriction bypasses
Labs
- Detecting Cryptography Implementations
- CBC Bitflipping Attacks
- Hash Extension Attacks
- Kiosk Escape
- Client-side Post Exploitation
Section 3Product Security Testing, Fuzzing, and Code Coverage
In section three, security professionals analyze cloud-native products, focusing on supply chain security, protocol manipulation, and fuzzing. Topics include custom fuzzing grammars, network protocols, file formats, and code coverage analysis for testing effectiveness.
Topics covered
- Protocol state manipulation
- Automated fuzzing optimization
- Binary analysis fundamentals
- Code coverage measurement
- Wireless data leakage testing
Labs
- Custom packet manipulation
- Framework-based fuzzing
- Binary instrumentation techniques
- Source code analysis methods
- AFL++ implementation strategies
Section 4Exploiting Linux for Penetration Testers
Linux exploitation is crucial in cloud security. In this section, professionals explore memory management, privilege escalation, SUID exploits, and advanced bypass techniques like ROP and ASLR evasion.
Topics covered
- Stack memory management
- Symbol resolution methods
- Code execution redirection
- Stack protection defeat
- Return-oriented programming
Labs
- Linux buffer overflow exploitation
- Return-to-libc implementation
- Stack canary analysis
- ASLR bypass techniques
- 64-bit binary exploitation
Section 5Exploiting Windows for Penetration Testers
Windows systems remain prevalent in hybrid cloud environments, necessitating deep understanding of Windows-specific security features. In this section, practitioners examine process structures, exception handling, and API interactions. Content covers stack-based attacks, DEP bypass, and ROP chains, with special attention given to client-side exploitation.
Topics covered
- Windows OS protection analysis
- Stack exploitation fundamentals
- ROP chain construction
- Client-side attack vectors
- Shellcode development
Labs
- Windows 11 vulnerability analysis
- SafeSEH bypass implementation
- ROP chain development
- DEP mitigation techniques
- Commercial application testing
Section 6Capture The Flag!
A comprehensive challenge environment integrates cloud and traditional infrastructure components. Students face escalating difficulties across Linux and Windows systems, network infrastructure, and cloud services. The scoring system provides immediate feedback on successful exploitation, with point values reflecting real-world complexity and impact.
Topics covered
- Multi-vector attack planning
- Escalation path identification
- Network attack implementation
- System compromise techniques
- Post-exploitation methods
Labs
- Local privilege escalation
- Remote system exploitation
- Network infrastructure attacks
- Protocol manipulation scenarios
- Cross-platform attack chains
Things You Need To Know
Relevant Job Roles
Vulnerability Researcher & Exploit Developer
Offensive OperationsIn this role, you will work to find 0-days (unknown vulnerabilities) in a wide range of applications and devices used by organizations and consumers. Find vulnerabilities before the adversaries!
Explore learning pathVulnerability Analysis (OPM 541)
NICE: Protection and DefenseResponsible for assessing systems and networks to identify deviations from acceptable configurations, enclave policy, or local policy. Measure effectiveness of defense-in-depth architecture against known vulnerabilities.
Explore learning pathApplication Pen Tester
Offensive OperationsApplication penetration testers probe the security integrity of a company’s applications and defenses by evaluating the attack surface of all in-scope vulnerable web-based services, clientside applications, servers-side processes, and more. Mimicking a malicious attacker, app pen testers work to bypass security barriers in order to gain access to sensitive information or enter a company’s internal systems through techniques such as pivoting or lateral movement.
Explore learning pathRed Teamer
Offensive OperationsIn this role you will be challenged to look at problems and situations from the perspective of an adversary. The focus is on making the Blue Team better by testing and measuring the organization’s detection and response policies, procedures, and technologies. This role includes performing adversary emulation, a type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries. It can also include creating custom implants and C2 frameworks to evade detection.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceEnrollment options
- Location & instructor
Virtual (OnDemand)
Instructed by Barrett DarnellDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Washington, DC, US & Virtual (live)
Instructed by Stephen SimsDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by Michiel LemmensDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes - Location & instructor
Sydney, NSW, AU & Virtual (live)
Date & TimeFetching schedule..View event detailsCourse priceA$13,350 AUD*Prices exclude applicable local taxes - Location & instructor
Las Vegas, NV, US & Virtual (live)
Instructed by Stephen SimsDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Singapore, SG & Virtual (live)
Date & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Munich, DE
Instructed by Michiel LemmensDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxesEnrollment options - Location & instructor
San Diego, CA, US & Virtual (live)
Instructed by Douglas McKeeDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
Showing 8 of 13
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 3Absolutely amazing stuff. I couldn't ask for more in SEC660. The wealth of knowledge is just mind-blowing. The extra materials presented in the course will definitely keep me going for the next couple of months.
- Slide 2 of 3SEC660 has been nothing less than excellent. Both the instructor and assistant are subject-matter experts who have extensive knowledge covering all aspects of the topics covered and then some.
- Slide 3 of 3No frills and goes right to the point. The first day alone is what other classes spend a full week on.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources