Passed GPEN

So, GPEN is finally over with!

I arrived at the testing center 10 minutes before my scheduled appointment only to find out there was no one there, and there were people already waiting. So, after patiently waiting for another 10 minutes someone finally shows up. To make the story short, I started the exam about 40-50 minutes after my scheduled appointment, which was surprising to me as I had recently taken the GCFW exam there without any problems at all. Now that I've gotten that out of the way, let's move on to the good stuff - my GPEN review.

If you have previously taken SANS Security 504 (GCIH), then you are probably familiar with the course instructor: Ed Skoudis. Ed is also the author of SANS Security 560 (GPEN) and one of the greatest instructors SANS has to offer, at least in my opinion.

As someone who has taken multiple SANS courses, I felt the GPEN is unique in its own way. At the same time, I also believe there are certain sections where the course content overlaps with other courses, such as GCIH, GCIA, and GSEC in that order. What I liked about GPEN the most was definitely the number of hands-on exercises. Ed Skoudis would cover a given topic and then students would do a hands-on exercise on it. There are a lot of hands-on exercises throughout the entire course, so those of you looking for hands-on experience will have a blast with it. The 50% theory 50% hands-on approach far surpassed my expectations, so I am extremely pleased with my decision on course selection. Would I do it again? You bet!

For those of you that have never taken a SANS course before, I believe you can definitely challenge this course and GCIH. For the latter, I would recommend that you guy 'Counter Hack Reloaded' by Ed Skoudis, and for the former I believe Offensive-Security's OSCP would be a great supplement. Do not get me wrong, these books will definitely fall short on certain areas and it will be up to you to do further research so you can build the foundation that is needed to pass the exams.

Now on to the exam - I found it to be more challenging than the practice exams. I ought to confess that the practice exam gave me a false sense of security and it caused me to slack during the last couple of days prior to the exam. With that said, I got 88% on the practice exam without referencing printed materials and 92% on the real exam. I am happy with the score and with all of the new tricks learned.

In summary, I would highly recommend the GPEN to anyone. I truly enjoyed the course and I believe you will too! For the record, I don't have any affiliation with SANS - just in case you are wondering. This course will conclude my SANS training for this year as I give my wallet some time to heal. I would like to take GREM next year, so we will see how it goes. As for the remainder of the year, I will try to squeeze OSWP in as I already paid for the training, so it would only make sense to take the corresponding exam. Aside from OSWP, I have my first CISSP attempt coming up in November, and that will be it for me this year.

Find more posts tagged with

Comments

Bl8ckr0uter

Awesome job man! You are really killing those certs! GSE soon?

I noticed you said you could challenge GCIH and GPEN. Do you not think the same thing about GCIA and GCFW?

ipchain

Bl8ckr0uter wrote: »

Awesome job man! You are really killing those certs! GSE soon?

I noticed you said you could challenge GCIH and GPEN. Do you not think the same thing about GCIA and GCFW?

Thanks man. I had originally planned to tackle GSE next year, but after giving it some thought it won't happen until 2014. As you may know, GSE automatically reviews all of your SANS certifications and mine won't expire until 2015, so it would only make sense for me to take it the year before they expire. This will allow me to concentrate on gold papers and wrapping up my masters degree. In addition, I will have time to re-read all of the course material for GSEC, GCIH, GCIH and GPEN a few times to ensure I've got my weakest areas fully covered.

I believe I should be able to play with all of the tools covered on the aforementioned courses before my GSE attempt - I've got a little over two years to go after all. What about you? Are you still planning to challenge GCIA? Best of luck!

Edit: I just noticed you had a question, so I will try my best to answer it.

Quite frankly, I believe GCIA and GCFW can also be challenged. For GCIA you need to have a solid understanding of many different protocols such as TCP, UDP, ICMP, IGMP, IP, etc. In addition, you need to be extremely familiar with TCPDUMP and SNORT, and that includes command-line switches, rules, pre-processors, etc. Having an understanding of many different attacks and how to detect them is equally important.

As for GCFW, you need a solid understanding of firewall technologies and the type of filtering they can do. You also need to be familiar with the protocols I mentioned above, Cisco IOS, access-lists, etc.

GCIA is not an exam I would personally challenge, but if some people can challenge GREM, I guess GCIA can also be knocked down through self-study. I would recommend the following book for GCIA: http://www.amazon.com/Network-Intrusion-Detection-Stephen-Northcutt/dp/0735712654/ref=sr_1_1?ie=UTF8&qid=1310266129&sr=8-1

Good luck again.

Bl8ckr0uter

ipchain wrote: »

Thanks man. I had originally planned to tackle GSE next year, but after giving it some thought it won't happen until 2014. As you may know, GSE automatically reviews all of your SANS certifications and mine won't expire until 2015, so it would only make sense for me to take it the year before they expire. This will allow me to concentrate on gold papers and wrapping up my masters degree. In addition, I will have time to re-read all of the course material for GSEC, GCIH, GCIH and GPEN a few times to ensure I've got my weakest areas fully covered.

I believe I should be able to play with all of the tools covered on the aforementioned courses before my GSE attempt - I've got a little over two years to go after all. What about you? Are you still planning to challenge GCIA? Best of luck!

I am planning to do GCIA but it won't happen until some point next year (after CCNP:security and CWSP).

docrice

Awesome job! Funny thing about the GPEN - a while ago, my near-term ambitions were GAWN or GWAPT, but I'm itching for the GPEN instead. Must be a mood swing or something.

How did you feel about the web app coverage in 560? This is one of my really weak areas that I need to get up to speed on and the reason why 542 strongly interests me. If I do 560, I hope to eventually complement it with the OSCP. You'll find the OSWP relatively trivial.

Do the hands-on exercises overlap a lot with the material from 401 / 503 / 504? How does the course's last day's capture-the-flag work? Over a VPN like in 504?

ipchain

docrice wrote: »

Awesome job! Funny thing about the GPEN - a while ago, my near-term ambitions were GAWN or GWAPT, but I'm itching for the GPEN instead. Must be a mood swing or something.

How did you feel about the web app coverage in 560? This is one of my really weak areas that I need to get up to speed on and the reason why 542 strongly interests me. If I do 560, I hope to eventually complement it with the OSCP. You'll find the OSWP relatively trivial.

Do the hands-on exercises overlap a lot with the material from 401 / 503 / 504? How does the course's last day's capture-the-flag work? Over a VPN like in 504?

Thanks! The last book covers wireless and web app pen testing. To be completely honest with you they only scratch the surface on these subjects - that is why they have other courses that deal strictly with Wireless & Web App Pen Testing. Having OSWP I doubt you'd learn anything new on wireless, and most of the web app stuff was covered on 504.

I felt the coverage on XSRF, XSS, and SQL injection was decent, and so was the section on OWASP Zap. It's funny that you mention 542 as I was torn between that one and 508 before I settled on GPEN. My advice would be to look at 542 if you're really interested in web app pen testing.

As for the hands-on exercises, I would say there is approximately a 15-20% overlap with 401 / 503 / 504. I particularly enjoyed the section on metasploit and meterpreter.

Last day's capture-the-flag works over VPN, just like 504. Not sure if you have heard about NetWars, but they are currently beta testing the new release and I've been given access to the virtual network. If you're interested in another capture-the-flag type of game, check it out: NetWars - Cyber Hacking Challenge. They have an IRC channel that is called #netwars on irc.freenode.net and I can be found in that channel.

idr0p

CONGRATS!, I am going to be taking my GPEN later this month, any words of advise? anything to focus on that you think you should have looked more into during studying?

pragmatic6983

Hi ipchain,
I want to thank you as well as everyone here for their immensely helpful posts.
I am embarrasesd to say that I took the VLIVE GPEN class back in AUG 2010. It expired in Feb 2011, but i have been purchasing extensions for the last 6months, largely because of a job that takes up all my time during the week and weekends. I just finished practice exam and scored a 90.67. I was amazed and did better than i thought I would, but noticed several questions on OWASP ZAP. hate mentioning this, but it is not mentioned anywhere in my coursebook is this a new topic? I had no idea why it was showing up on my practice exam.

ipchain

pragmatic6983 wrote: »

Hi ipchain,
I want to thank you as well as everyone here for their immensely helpful posts.
I am embarrasesd to say that I took the VLIVE GPEN class back in AUG 2010. It expired in Feb 2011, but i have been purchasing extensions for the last 6months, largely because of a job that takes up all my time during the week and weekends. I just finished practice exam and scored a 90.67. I was amazed and did better than i thought I would, but noticed several questions on OWASP ZAP. hate mentioning this, but it is not mentioned anywhere in my coursebook is this a new topic? I had no idea why it was showing up on my practice exam.

I'm glad you were able to find some of the posts here at TE helpful. There is no reason to be embarrassed about postponing your test date - we all have very busy and complicated lives.

That being said, you got a great score on the practice exam, so that should give you an indication that you're ready for it. For OWASP ZAP, you might want to check this out. Let me know if I can be of any further assistance.

Good Luck!

pragmatic6983

Thanks ipchain so much for your quick response.
I think I am going to contact SANS and see if they can provide me with an update since I have invested quite a bit of money worth of extension fees. However, the link you provided is extremely helpful as well. I want to make sure there is not anything else that could be a throw me a curve ball, especially when I take the real thing in about 2-3 weeks.
I also might just pay for an additional test. I know 90 is good but I dont want to be overconfident. Once I get done with it I have the GCIH to do.

anways... I have to say this is the best certification site I have come across. Job well done by all the valuable contributors. Thanks so much.

iVictor

Congrats on your GPEN! And All the best for your CISSP.

SephStorm

IPChain,

any advice for someone considering the GCIH? (my first GIAC exam.) I am taking the 504 course through VLive, but at this point I am playing catch-up.

ipchain

idr0p wrote: »

CONGRATS!, I am going to be taking my GPEN later this month, any words of advise? anything to focus on that you think you should have looked more into during studying?

Apologies for the late reply, but I have been extremely busy and things are not getting any easier for me. Since you already have GCIA and GCIH, I don't anticipate you'll have any difficulties with GPEN.

I personally felt the questions were distributed equally across all domains, but if I had to do it again I would probably read book 3 a couple of times.

Good luck!

ipchain

pragmatic6983 wrote: »

Thanks ipchain so much for your quick response.
I think I am going to contact SANS and see if they can provide me with an update since I have invested quite a bit of money worth of extension fees. However, the link you provided is extremely helpful as well. I want to make sure there is not anything else that could be a throw me a curve ball, especially when I take the real thing in about 2-3 weeks.
I also might just pay for an additional test. I know 90 is good but I dont want to be overconfident. Once I get done with it I have the GCIH to do.

anways... I have to say this is the best certification site I have come across. Job well done by all the valuable contributors. Thanks so much.

It's my pleasure to be able to assist. I sincerely hope you've been able to contact SANS by now and that they don't throw any curve balls your way.

Good luck on your GPEN and GCIH. Let us know if we can be of any further assistance.

ipchain

iVictor wrote: »

Congrats on your GPEN! And All the best for your CISSP.

Thanks buddy. All the best to you as well!

ipchain

SephStorm wrote: »

IPChain,

any advice for someone considering the GCIH? (my first GIAC exam.) I am taking the 504 course through VLive, but at this point I am playing catch-up.

SephStorm,

I would not worry too much about playing catch-up. As long as you read the books a couple of times you should be OK.

I would recommend creating an index for this particular exam. I felt that by re-writing what I read in the book you are actually re-enforcing the knowledge.

How do you like vLive so far? How many people are taking the class with you?

pragmatic6983

I probably should have started another thread, but I wanted to pay my thanks to ipchain and the other contributors here. It's a great feeling to finally win the race. I got my GPEN today after sitting int the exam for 3 hours and 56 minutes with only having 2 hours of sleep. I found it to be a good bit more difficult than the practice exams although the practice exams that SANS offers with the course are legendary in the way that they get you ready for the real thing. What other vendor even does that?? I have to say all in all that it was a great experience. I found the SANS SEC560 courseware to be AMAZING. My only complaint is that I was given misinformation by SANS staff saying that ONLY material in the courseware that I took at the time would show up on the exam. In other words I wouldn't be tested against updated material - completely FALSE information. However that being said, seeing new material show up on the practice exam certainly got me thinking but there was a small blind element to it - not having completely updated courseware to use.

That being said - I found the comments by ipchain and the other guys here to be on the money. I scored 89.33% and my two included practice scores were 90% and 93%. My experience was that I did find the exam to be considerably more difficult but when the rubber meets the road and you are testing, you will find that you apply yourself more and you should score fairly close to what you have done on the practice exams. Obviously there's no guarantee - but I would say that SANS has really worked out a great system to get their candidates ready. I left feeling like I did when I took the CISSP - run over. However at least I know that I passed right away. I felt there was as much technical information to comb through as the CISSP was broad. At any rate I am very appreciative to everyone here for the great feedback. I encourage anyone who is preparing to do the exercises and make a GREAT index. I wish I would have had a better index. Anyways best of luck... Thanks ipchain and the rest of you. Your info here was an immense encouragement and help.

docrice

It's interesting that you got tested on things that weren't in your particular courseware. I guess it depends on old your books are. That said, I've heard that GIAC doesn't necessarily have to base the questions on the respective SANS training material, although the folks who help write the questions tend to pull ideas from the course books.

Another thing to consider is that SANS 560 is supposed to be rather leading-edge and changes frequently. I know they're also revising the exam setup so some of them are going from the 150 questions / 4 hour to a 75 questions / 2 hour format, and the questions are no longer ones you can answer by simply looking up the correct straight answer from the book, but instead more analytical where the examinee would have to already understand the material well-enough to be able to get it right. Sure, it's still possible to quickly skim through the relevant book section during the exam, but if you don't know the material decently already, then you're screwed. This is a good thing as far as I'm concerned. I've always felt that some of the questions that I've gotten weren't worthy of the SANS reputation.

pragmatic6983

Thx Docrice. I appreciate your response and I agree. However.. that being said... my problem was that I paid 6 months worth of extensions at $200 a pop and saw material about something that I had not exercises on no courseware material for that subject, etc. Granted... i knew to study up on it ahead of time and don't believe I missed any questions on the subject. I'll be vague since I signed a non-disclosure. However.... the point of the course is to test you on material that you have and is in the courseware. If it is going to be updated and I am paying for extensions give me the courseware updates to point me on a level playing field. I do agree with you however on the questions you can just look up... but that being said there were several of ambiguous questions with more than one correct answer. Perhaps it balances itself all out. What I just found out though is an 89 score kinda sucks, because it means you just missed honors by one point. Oh well.... Oh another thing I meant to ask. I got an email stating I was going to be sent a paper cert. My understanding (based on their site) was that I was going to receive a very nice framed cert that is supposed to look top notch. Am I missing something. The email with a paper cert being sent kinda threw me for a loop.
http://www.giac.org/certifications/faq#663

pragmatic6983

I do want to say that this is clearly the best site around SANS GIAC encouragement/support - as far as preparing for GIAC certs. The contributors here on this site are a step above all the other sites that are out there. Now to get ready for the GCIH. Like ipchain mentioned.... the best advice is to read the books twice and put together a very good index. Thanks again.

docrice

A paper cert = wood framed cert / plaque. I've never finished an exam where they mentioned otherwise. I'm not into displaying such things, but I put my GCIA and GCIH up on a shelf. On the other hand, these exams aren't cheap. Might as well show them off. It usually took me anywhere from a few weeks to a month and a half to get mine sent to me.

As for not getting updated material when buying extension periods, I think your situation is one of those rare instances since signing up / starting a course is designed to encourage you to pass a given curricula within a given time frame. I'm assuming an extension isn't designed to allow you to "spill over" into the next updated curricula since I'd guess in SANS' eyes it's technically a separate program. Just thinking out loud.

Getting 90 percent or above gets you on the SANS Advisory Board mailing list. You're already above 85 which allows you to be a SANS mentor if you want. I'm sure for the GCIH you can easily get that 90 percent mark. Many of us here have.

Your name should pop up on this list within a week or so:

http://www.giac.org/certified-professionals/directory/gpen

pragmatic6983

Thanks Docrice,
Yes I agree. This is certainly a rare situation to have almost went a year. I will not do it again- it certainly hurts the wallet... lol. The position I just left consumed all my time. There was never time to be able to prepare and get in a consistent rhythm to work towards setting a date and scheduling the exam. I was contending with having to do changes in the evenings several times a week as well as week over most weekends. I am sure many can relate though. All of us can get burn out in certain job situations and that can suck the life out of you when you want to add certs to your career development. Thanks for the encouragement... time to focus on the GCIH and then I think I will consider Offensive Security's program. I hear it's very good and even more hands-on then SANS. Thanks again.

ipchain

pragmatic6983 wrote: »

It's a great feeling to finally win the race. I got my GPEN today after sitting int the exam for 3 hours and 56 minutes with only having 2 hours of sleep.

Congratulations on passing GPEN - I had no doubt you were going to breeze through it. I am sorry to hear about your experience with SANS' staff, they are normally quite sharp.

Given the circumstances, I would say you scored really well. A friend of mine took the GPEN before I did, and he scored in the low 80s even with the latest course material. On a different note, I agree with you in that the GPEN was an incredible course, one that I will be referring back to for years to come.

Like you, I also found the advice from others who had taken the exams before I did to be invaluable, so stick around and share your experience as you go through other courses.

Best of luck on your GCIH!

ITforyears

I know this is an old thread but very useful. I just finished the GCIA and now onto GPEN. I know the book content is different now compared to 2011 in regards to book locations and I am looking forward on learning the material. I need this cert to graduate from my course.

ITforyears

Interesting reading this whole thread. I work for the DoD and they pay for our training and certification exam but they just give us two weeks from start to finish to learn the material and to pass the exam. I cannot believe I have passed four exams thus far on that short time frame window but indexing is very important.

ITforyears

I passed the exam and glad its over with. I been realizing that my book tabs have been more imperative than the index. I wish anyone the best who embarks on this course.

docrice

Two weeks to get through the training and the exam sounds painful. I don't think I could ever manage it. Congratulations though. Passing the exam like that is an accomplishment indeed. Did you have any prior experience which helped or did you go into 560 all new to the subject?

LionelTeo

Let's go for GSE together! Dorice and ITforYears

cyberbug

ITforyears wrote: »

I passed the exam and glad its over with. I been realizing that my book tabs have been more i imperative than the index. I wish anyone the best who embarks on this course.

I need help on this please pm me email or skype.

Thanks

cyberbug

please advise your skype or email

thisisjon

Hey, just wanted to ask, how it compared with the GCIH. I'm getting that last minute test anxiety. I did well on the GCIH (2 yrs ago), but i know the content goes more indepth with GPEN especially exploitation/business. Any advice would be greatly appreciated!

thank you for your time