SEC660 (GXPN - GIAC Exploit Researcher and Advanced Penetration Tester) Review, Nov 2024
In 2017, I had an opportunity to attend the SEC660 (SANS Advanced Penetration Testing, Exploit Writing, and Ethical Hacking) course in Singapore. This six-day intensive training greatly enhanced my understanding of penetration testing. I could not take the GXPN exam right after completing the course for several reasons. After six years, I finally sat for and passed the GXPN (GIAC Exploit Researcher and Advanced Penetration Tester) exam in November 2024.
How did I prepare for the GXPN exam six years after taking the SEC660 course?
I did extensive exercises to obtain the GXPN certification because I had taken the SEC660 course 7 years before sitting for the exam. Due to the time gap, I needed to catch up on modern techniques such as Vapp and virtualization attacks, as well as modern Windows and Linux OS mitigation techniques. Additionally, I focused heavily on fuzzing to ensure I was well prepared for the updated content in the exam.
Reviewing all my notes from SEC660 was helpful but not sufficient. To deepen my understanding of advanced mitigation and bypass techniques on Windows 11 and the modern Linux kernel, protocol-based fuzzing, and binary fuzzing techniques, I reviewed and supplemented my studies with current resources, since the GXPN exam heavily emphasizes how modern operating system internals and bypass techniques work, as well as the various types of protocol-based and binary fuzzing.
Here’s how I approached cryptography during my exam preparation:
One of the key focus areas of the GXPN is understanding cryptography in penetration testing. Since the course includes the book “Crypto for Penetration Testers,” I ensured my preparation covered both theoretical concepts and practical applications. I set up the cryptography lab and followed the courseware and the provided lab files, focusing on analyzing cryptographic weaknesses in application-level authentication and authorization mechanisms. I studied insecure modes of operation, such as CBC, ECB, and stream ciphers, as well as vulnerabilities like padding oracle attacks, to better understand how these can expose sensitive data or enable attacks such as padding oracle exploits and abuse of weak CBC-mode implementations used for authentication and authorization. I also analyzed packet captures to identify weak cryptographic implementations in network traffic and collisions in the RC4 stream cipher.
During my preparation for the GXPN exam, I found the following two repositories helpful. They focus on various types of crypto attacks in applications, including the CBC bit-flipping attack used for privilege escalation.
https://github.com/SpiderLabs/CryptOMG
https://github.com/masjadaan/TechSecurityArticles/tree/main/Cryptography
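As an added illustration (not from the SEC660 courseware or from the repositories above), the Python script below shows the CBC property behind the bit-flipping attack mentioned here and the control that defeats it: a token protected by encryption alone can have a byte of its plaintext changed without the key, whereas the same token under encrypt-then-MAC is rejected before decryption. The block cipher is a toy Feistel network built on SHA-256 so the script runs with the standard library only; the CBC relationship it demonstrates (P[j] = Dec(C[j+1]) XOR C[j]) holds for any block cipher, AES included. The token format and all function names are my own assumptions.

```python
# Added example, not code from the SEC660 course or the linked repositories.
# Toy cipher + CBC + PKCS#7, then: (1) CBC without integrity is malleable,
# (2) encrypt-then-MAC with HMAC-SHA256 rejects the modified token.
import hashlib
import hmac
import os

BLOCK = 16  # toy block size in bytes (same as AES, for familiarity)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Keyed round function: SHA-256 truncated to one half-block (assumption: toy only).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # 8-round Feistel network; any invertible block cipher works for the CBC demo.
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r

def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Output layout: IV || C1 || C2 ...  (random IV per message).
    prev = os.urandom(BLOCK)
    out = [prev]
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    plain = b"".join(_xor(toy_block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)

def flip_plaintext_byte(data: bytes, position: int, delta: int) -> bytes:
    # CBC malleability: because P[j] = Dec(C[j+1]) XOR C[j], XORing byte
    # `position` of the IV||ciphertext stream XORs the same byte of the
    # recovered plaintext (and scrambles the preceding plaintext block).
    # This is what a reviewer tests for when encryption is used as an
    # authorization control without a MAC.
    buf = bytearray(data)
    buf[position] ^= delta
    return bytes(buf)

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers the IV and every ciphertext block.
    data = cbc_encrypt(enc_key, plaintext)
    return data + hmac.new(mac_key, data, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    data, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed")
    return cbc_decrypt(enc_key, data)

def demo():
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    token = b"user=alice;admin=0"                      # constructed sample token
    pos = token.index(b"admin=") + len(b"admin=")      # byte holding the '0'
    delta = ord("0") ^ ord("1")

    # (1) Encryption only: the admin flag flips, first block becomes garbage.
    forged = cbc_decrypt(enc_key, flip_plaintext_byte(cbc_encrypt(enc_key, token), pos, delta))

    # (2) Encrypt-then-MAC: the same modification is rejected outright.
    try:
        open_sealed(enc_key, mac_key, flip_plaintext_byte(seal(enc_key, mac_key, token), pos, delta))
        rejected = False
    except ValueError:
        rejected = True
    return forged, rejected

if __name__ == "__main__":
    forged, rejected = demo()
    print("unauthenticated CBC decrypts to:", forged)
    print("encrypt-then-MAC rejected the modified token:", rejected)
```

The garbled first block is why a real token parser might still accept the forged value: if the application only looks for `admin=1` somewhere in the decrypted string, the garbage is harmless to the attacker and the privilege escalation succeeds. The defensive takeaway is that confidentiality and integrity are separate properties; use an authenticated mode (AES-GCM) or encrypt-then-MAC, and verify the tag before touching the ciphertext.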
Here’s how I approached fuzzing techniques during my exam preparation:
Another key focus of the GXPN exam is a solid understanding of protocol-based and binary fuzzing techniques for uncovering vulnerabilities in both closed-source and open-source applications, using tools like DynamoRIO, AFL++, and Sulley.
I combined IDA with DynamoRIO's drcov to monitor code coverage and to support reverse engineering and vulnerability analysis. This allowed me to identify which code my inputs were missing and adjust the fuzzer to take alternative code paths. For protocol fuzzing, I used Sulley to simulate malformed requests (e.g., oversized headers, malformed payloads).
ChatGPT was especially helpful in providing a deeper understanding, particularly with the Sulley framework. These exercises provided me with the skills to identify and exploit vulnerabilities effectively, highlighting the GXPN’s focus on advanced fuzzing techniques.
While preparing for the GXPN exam on binary fuzzing, I found the following links helpful, especially since I had not had an opportunity to explore binary fuzzing during my professional penetration testing experience. I recommend that those pursuing the GXPN practice in their own lab if they do not plan to attend SEC660 training, as it will give them a better understanding of binary fuzzing and code coverage.
· https://aflplus.plus/docs/fuzzing_in_depth/
· https://blog.quarkslab.com/android-greybox-fuzzing-with-afl-frida-mode.html
· https://research.checkpoint.com/2023/the-blitz-tutorial-lab-on-fuzzing-with-afl/
· https://www.sidechannel.blog/en/afl-and-an-introduction-to-feedback-based-fuzzing/
· https://security.cs.pub.ro/summer-school/wiki/session/extra/stateless-fuzzing
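To make the coverage feedback loop described above concrete (measure what each input reaches, keep inputs that reach something new, mutate those to take alternative paths), here is an added example in pure Python; it is not from the SEC660 courseware, AFL++, Sulley or any of the links listed, and it is deliberately minimal. The target is a constructed toy protocol parser with a deliberate length-handling defect, `sys.settrace` line coverage stands in for drcov or AFL instrumentation, and the mutation operators are the usual byte-level ones (bit flips, boundary values, insertions and deletions that produce the oversized and truncated fields mentioned for Sulley). All names are my own.

```python
# Added example: a minimal coverage-guided mutation fuzzer (stateless, like the
# last link above). Not the code of any tool the post mentions.
import random
import sys

def parse_message(data: bytes) -> dict:
    # Constructed toy wire format: magic "FZ", 1-byte type, 1-byte declared
    # length, payload. Structurally invalid input raises ValueError, which the
    # harness treats as correct rejection; any other exception is a crash.
    if len(data) < 4 or data[:2] != b"FZ":
        raise ValueError("bad magic")
    mtype, length = data[2], data[3]
    payload = data[4:4 + length]
    if mtype == 1:
        return {"type": "ping", "payload": payload}
    if mtype == 2:
        # Deliberate defect for the demonstration: trusts the declared length
        # instead of the number of bytes actually received.
        fields = []
        for i in range(length):
            fields.append(payload[i])      # IndexError when the payload is short
        return {"type": "fields", "fields": fields}
    raise ValueError("unknown type")

def run_with_coverage(target, data: bytes):
    # Line coverage of `target` collected with sys.settrace (stand-in for
    # drcov/AFL instrumentation). Returns (executed line numbers, crash or None).
    covered = set()

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is target.__code__:
            covered.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        crash = None
    except ValueError:
        crash = None                       # rejected input: parser did its job
    except Exception as exc:               # unexpected exception: record it
        crash = exc
    finally:
        sys.settrace(None)
    return covered, crash

INTERESTING = (0x00, 0x01, 0x02, 0x7F, 0x80, 0xFF)   # boundary values

def mutate(rng: random.Random, data: bytes) -> bytes:
    # Apply one to three byte-level mutation operators to a corpus entry.
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(6)
        if op == 0 and buf:                # flip a single bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:              # overwrite with a random byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 2 and buf:              # overwrite with a boundary value
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
        elif op == 3 and buf:              # nudge a byte (hits length fields)
            i = rng.randrange(len(buf))
            buf[i] = (buf[i] + rng.choice((-1, 1))) % 256
        elif op == 4:                      # insert a byte (oversized fields)
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == 5 and buf:              # delete a byte (truncated fields)
            del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(target, seeds, iterations: int, seed: int = 0) -> dict:
    rng = random.Random(seed)              # fixed seed: reproducible campaign
    corpus = list(seeds)
    total_coverage = set()
    for s in corpus:
        total_coverage |= run_with_coverage(target, s)[0]
    crashes = []
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        covered, crash = run_with_coverage(target, candidate)
        if crash is not None:
            crashes.append((candidate, crash))
            continue
        if covered - total_coverage:       # reached new lines: promote to seed
            total_coverage |= covered
            corpus.append(candidate)
    return {"corpus": corpus, "coverage": total_coverage, "crashes": crashes}

if __name__ == "__main__":
    result = fuzz(parse_message, [b"FZ\x01\x03abc"], iterations=20000)
    print(f"seeds kept: {len(result['corpus'])}, crashes: {len(result['crashes'])}")
    for data, exc in result["crashes"][:3]:
        print(f"  {data!r} -> {exc!r}")
```

The part worth studying is the promotion rule in `fuzz`: an input is kept only if it executes a line no earlier input did, so the corpus grows towards the parser's less-travelled branches (here, the type-2 path) and later mutations start from there. Swapping `sys.settrace` for drcov output or AFL++'s shared-memory bitmap, and `parse_message` for a real target, changes the mechanics but not the loop.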
The remaining buffer overflow concepts for Windows and Linux were familiar to me from completing OSCP and OSCE, except for DEP, ASLR, SSP, and ProPolice. For these advanced techniques, I followed the course materials and lab files to learn how to bypass these protections effectively. This was an essential part of my preparation and helped me strengthen my skills in modern exploitation.
What does the GXPN exam look like?
The GXPN exam is not about following a checklist or script. When it comes to hands-on penetration testing certifications such as OSCP and OSEP, we follow a checklist or script based on what we have practiced. For example, we know what to do if we find the Kerberos protocol within the network.
We know what to do if we find that a compromised workstation is configured with delegation permissions. However, the GXPN distinguishes itself by requiring candidates to fully comprehend the inner workings of protocols, mitigations, the various types of protocol-based and binary fuzzing, and advanced exploitation techniques, rather than just following a scripted or checklist-based approach.
I found that many questions could easily be confusing despite thorough preparation. The GXPN exam was extremely challenging for me. The questions were designed to test not only technical knowledge but also the ability to think critically and apply a deep understanding of concepts. In the end, I passed the exam with a score of 69%, which was just above the required margin. Although I was well prepared, the exam’s difficulty highlighted the importance of a solid understanding of both theory and practical application to succeed.

Overall
The GXPN certification goes beyond scripts and lab notes like OSCP or OSEP. It’s about following a strategic, checklist-based approach. For example, if you identify the Kerberos protocol within the network, you’ll know exactly how to exploit it. Similarly, if you discover a compromised workstation with delegation permissions,
The SEC660 (GXPN) course helps structure your knowledge. It equips you with advanced techniques to uncover hidden vulnerabilities, including fuzzing for both protocol and binary analysis and crypto attacks. However, unless sponsored by an employer, SANS courses are out of reach for enthusiasts, making them a significant investment.