GXPN Passed.

Background: CEH GCIH GCIA GPEN, currently doing engineering/blue team work, never had a red team job, company gets access to SANS and I can take whatever I want so I take pentest classes.


Took SEC660, I really thought this class was phenomenal. I'm not a pentester and sitting in the class surrounded by redteam guys from various 3 letter agency places was really cool for me, nerded out and tried to chat up as many people as I could.


Day 1 was all about network attacks ettercap MITM and evading NAC environments, some neat labs where you escape from restricted kiosk type enviorments etc etc. Somewhat of a refresh from GPEN a tad, easy day, felt good.


Day 2 was all about crypto implementations, really getting into the weeds of stream and block ciphers breaking them down into pieces and identifying "good" vs "poor" implementations of crypto. Back half of the day was some powershell, still feeling good day 2.


Day 3 Python scapy and fuzzing. Python section was short but to the point explaining useful modules and whatnot, no big deal. Scapy was expanding on what I already knew from GCIA and GPEN. Fuzzing was fun used sulley taof and whatnot, again all good up to this point.


Day 4. Punch me in the face at 8am. Stack and memory allocation and management in Linux. This was where the class became very difficult for me. Stack overflows, memory leaks, ROP, stack protections ASLR, all 100% new information to me. Books 4 and 5 were probably 80% of the studying I did for this exam. You need to do the labs during class, and then do them again at bootcamp and then again at home and then again studying. I cannot stress this enough, you cannot robot your way though these. An Index will not help you when you are provided screenshots in immunity and then asked which area you need to modify to get an exploit working. Rough day but tons of good info.


Day 5. Same as day 4 but using Windows instead, ASLR, DEP, structured exception handling. Again 100% new information for me. More than half the book is labbing which really re-enforces the ideas you are supposed to learn. At the very end there is a small portion on metasploit, kinda info that was already in GPEN.


Exam, standard multiple choice like all other SANS exams until the final 5 questions, you have to fully complete the multiple choice answers before it "unlocks" the simulation questions. The simulations are similar to the practice exams, you are given a question and then provided a VM, the VM gives no clues as to what program is required, you need to know what tool to run and then what commands to run within the tool. Multi step questions that require knowledge of multiple tools within the VMs, it reminds me of the Cisco exams where you are dropped into a router and it would just say "fix BGP". While taking the exam I didnt feel super confident in my multiple choice section but I nailed all of the simulations. I felt like the simulations are heavily weighted, like if I got a 50% on the multiple choice but got 5-5 on exams I feel like you'd get like a 25% or more bump. I have no data to actually back this up but I didnt feel like I did fantastic on the multiple choice but was still able to get a pretty decent score.


Overall the test felt great, as I've said before with some of the easier SANS courses I feel like someone could make a ridiculous index and pass an exam without retaining any information, this exam was not the case, there is no index that will help you navigate through simulation questions or allow you to pick out the point in memory where a person has misconfigured an exploit. Very challenging yet very rewarding exam.


Next up for me, OSCP and I'm thinking about GPYC Python SANS course.