SANS SEC760: Advanced Exploit Development for Penetration Testers – Review
In July 2022, I took the SANS SEC 760 class in Berlin. I always promised myself and some close friends to write a review, but I didn’t have the time until the Christmas break.
This blog post aims to be a day-by-day review of the SANS SEC760 course content and its CTF, NetWars tournament and on-demand package.
Table of Contents
Looking at SANS’s website, SEC 760 should teach skills required to reverse-engineer applications in order to find vulnerabilities, perform fuzzing and write complex exploits against targets such as the Windows Kernel and the modern Linux Heap, all while circumventing cutting-edge exploit mitigations.
Unfortunately, sometimes between premises and delivery, there’s a huge discrepancy.
Day 1 – Exploit Mitigations and Reversing with IDA
- Exploit mitigations
- Windows Defender Exploit Guard
These sections were explained at an encyclopaedic and theoretical level only. These sections contained all public and easily gatherable information found on the web with a simple search. The mitigations were not contextualised, and most of the time bypasses options consisted of only 1/2 phrases. No added value more than having a single organised source containing an introductory “Wikipedia”-style paragraph of those mitigations. On top of that, these two sections took the entire morning: boring!
- Windows Kernel Mitigations
This section does not fit at all on this day, both from context and time perspective. It should be moved to day 5, even if just as a reference (without the instructor explaining it).
- Introduction to IDA Pro
- Debugging with IDA Pro
Why on earth are these topics on SEC760!? These sections are nothing more than a showcase of well-known and pretty basic IDA features (e.g., proximity view, dark mode theme… really!?). Among 760s listed prerequisites, there’s the following phrase: “Experience with reverse-engineering vulnerable code is also required, as is the ability to read x86/x64 disassembly from within a debugger or disassembler.”; basic IDA knowledge should be listed among those prerequisites. It is supposed to be an advanced course, after all.
- FLIRT & FLAIR
That’s a good topic that I’ve enjoyed, especially since the documentation about these two tools is scarce. It also contained an excellent exercise to “solidify” the newly acquired knowledge.
- Scripting with IDAPython
That’s probably the only real “meat” of the first day. Unfortunately, the content is too little (~30/274 pages). This section should be significantly extended with more IDA’s API documentation and usage. It should at least explain how to set up a proper IDA scripting debugging environment; using the notepad/IDA command line to test if a single line of code works before glueing all the pieces together is definitely not enough and a bit on the “cheap” side for a paid training course.
Some exercises, like “display_tool”, are way too basic, and they should not be in SEC760 but instead put in SEC660. The included solution for some of the exercises didn’t work.
Day 1 content score: 1/5
Day 2 – Linux Application Exploitation
- Linux heap management, constructs, and environment
- Navigating the heap
- Abusing macros such as unlink() and frontline()
- Function pointer overwrites
- Off by One bugs
- TCache Poisoning
All the above sections, heap-related content, and exercises were excellent, well-explained, and documented. Keep in mind that I’m a Windows guy, and I was able to follow through the content without any problem. These sections contained valuable information with some actionable exercises.
Keep in mind that out of the 200 pages companion book, the heap-related section only took 124 pages (~60%), too little to justify the “Advanced” adjective in the name of the course. I would have expected more heap-related exploitation techniques (e.g. “House of…” series).
- Format string exploitation
- Using format string bugs for ASLR bypass
The Format String sections should be replaced with more heap exploitation techniques and exercises. Specifically, since the format string concept is already present in SEC660 and there is described on a more advanced level. I do not know why it should also be present on SEC760, perhaps in a chapter focusing on advanced Linux exploitation.
Day 2 content score: 3/5
Day 3 – Advanced Fuzzing
- Fuzzing overview and review of basic fuzzing concepts from SEC660
- Advanced fuzzing theory
- Fuzzing challenges and how to overcome them
- Gathering and viewing code coverage
The fuzzing content was exciting and up to date; the content shines as every section holds valuable information and blends well with each other. Frida’s instrumentation instructions and the building instructions for WinAFL/Dinamorio are excellent references, and I’ve found myself returning to them when needed.
- Building a fuzzing harness
- Using WinAFL to perform grey box fuzzing on a complex, closed-source Windows application
- Overview of full-system and snapshot fuzzing
The exercises were on the spot, with a lot of actionable information that I was able to employ in my daily routine from the week after the course. I appreciated (a lot) that the target software for the fuzzing harness was not a demo but complex real-world software with a vast code base (it was a well-known PDF reader). Building a harness from scratch and gradually going through all the pitfalls and different ways to improve it showcased the reasoning behind each design choice. It provided an insight into the thought process and methodology it should be adopted when developing a harness.
WTF and snapshot fuzzing extended-hour exercises were terrific.
Day 3 content score: 5/5
Day 4 – Patch Diffing, One-Day Exploits and Windows Kernel Internals
- The Microsoft patch management process and Patch Tuesday
- Obtaining patches and patch extraction
Windows patch diffing is a fascinating topic that always delivers. Jaime Geiger, one of the two authors and instructors of the course, is also the developer and maintainer of the tools used to extract Microsoft patches. With that said, he was a nice added value to the course content as he was able to go deep into some of MS’s patch internals and explain his tools.
- Binary diffing with BinDiff 5
For the sake of completeness, it would have been good to have a section on Diaphora detailing its configurability and settings in order to tweak them and obtain the most out of it. Another section that, in my opinion, is missing is a comparison of the state-of-art tools (BinDiff vs Diaphora), their differences, key points and weaknesses.
- Visualising code changes and identifying fixes
- Reversing 32-bit and 64-bit applications and modules
- Triggering patched vulnerabilities
- Writing one-day exploits
The patches to diff in these sections were pretty old (2016-2017) and sometimes not really interesting (e.g. a patch for a DLL Injection). The labs were pretty good, even if a bit redundant; I’m not entirely sure that, in this state, an entire day is needed on these topics.
I would have preferred starting with smaller patch diffing and, later on, moving towards more complex and up-to-date vulnerabilities, from patch diffing to the actual exploit writing and weaponisation.
- An introduction to Windows Kernel internals
This section does not fit at all on this day. It should be moved to day five or merged with the “Windows Kernel Mitigations” from day 1.
Day 4 content score: 3/5
Day 5 – Windows Kernel Debugging and Exploitation
- Understanding the Windows kernel
- Navigating the Windows kernel
- Modern kernel protections
- Debugging the Windows 10 kernel and drivers with WinDbg
- Analysing kernel vulnerabilities and vulnerability types
- Kernel exploitation techniques
- Token stealing and information disclosure vulnerabilities
The content was lovely. The first half of the day was spent setting up the Windows Kernel debugging environment, doing some exercises on WinDbg and on an introductory part on the Windows’ driver model and their role in the Windows Kernel. This section was very detailed and can be used as a future reference. I suggest adding the “Windows Kernel Mitigations” and “Introduction to Windows Kernel internals” sections, respectively, from day one and day four.
The remaining of the day was spent on “Kernel Exploitation Goals and Techniques” and relative exercises. The exercises were on the spot and very good because they guided the students, step by step, toward more complex exercises and helped them build knowledge. Among the different kernel attacks showcased, there was one I had never heard of and never performed. It was good discovering it and having something new to learn and practice.
Unfortunately, no heap/pool, UAF, or type confusion exploitation content was present.
Day 5 content score: 5/5
Day 6 – CTF
The CTF infrastructure wasn’t ready or didn’t start; we ended up playing the old version of the SEC760 CTF. Most challenges were repurposed from SEC660 out of context (UAF exploitation in Internet Explorer). The old SEC760 challenges were impossible to exploit by most of the students (the focus of the course changed a lot from the past version). We deliberately decided to skip those challenges even if we knew how to exploit some UAFs. In addition, the interface was painstakingly slow (internet connection from the Cloud VM) and without being able to copy & paste across VMs or from the host PC to the cloud VM. Performing remote debugging in this state was a daunting task.
The format of the flags was too ambiguous and without boundaries. One loses a lot of time figuring out the proper format for the flag.
We won, but the experience was not enjoyable at all. As an apology for the CTF platform not working, all the participants won the coin, which practically nullified the sense of the competition/challenge.
If you have never experienced a NetWars Tournament, let me explain how it works. It is structured in a way where pretty much anyone with any skill level can participate. You compete across different categories of challenges (jeopardy-style), from basic to high-value tasks.
The good thing is that, if you’ve just started working in the IT field, you can approach a simpler challenge and, in order to solve it, you’ll build general knowledge and knowledge you’ll need to solve more complex challenges in that category.
Unfortunately, if you already know some stuff, you must go through simple challenges to unlock more complex tasks. I would have preferred to be free to choose specific difficulties without going through basic challenges, especially because some categories were:
- basic bash scripting
- regex challenges
- PCAP challenges and such.
I would have expected more Windows-related challenges and binary exploitation/reverse engineering/malware analysis/forensic challenges, given that SANS has courses in these categories. Still, unfortunately, not many of those were present.
Apart from a bumpy start, where we lost ~1-2 hours waiting for the platform to start, and one of the most valuable challenges was broken, the platform was good. It was very nice to complete the challenges and compete from a browser.
We ended up in the 2nd place
Sans OnDemand content was not updated with the latest version of the course, but it was still presenting the previous iteration of the SEC760; all sections from “Advanced Fuzzing” were missing.
The OnDemand lab is a rip-off; students are provided on day 1 with VMs containing the environment needed for the exercises. There’s no need to justify a remote lab, given that it doesn’t include any new exercises or anything different from the VMs (especially since it’s an ~800€ add-on).
Full disclosure: SANS agreed, post-sales, to refund the OnDemand add-ons on the days after the course.
I did the course with Jaime Geiger; I didn’t feel he added much value to the lessons compared to reading the companion books and doing the exercises independently.
During the “Linux Exploitation” day, he was “unprepared” because he hadn’t taught the course for a long time, and he was out of his element; that was completely visible. I think he was uncomfortable with the Linux exploitation topic, and the fact he wasn’t the author of the section reflected back on the quality of the teaching.
Overall, the whole SANS SEC760 experience is, at best, 2.7/5. Considering that SEC760 is the flagship course of SANS, I would have expected a lot more from it.
Unfortunately, apart from the Fuzzing and the Kernel exploitation days, the rest of the course was not that good. It’s called “Advanced Exploit Development”, but there’s no that much exploit development content and the one presented, apart from the kernel section, is not that advanced.
There’s no advanced exploitation content; there’s no heap/pool exploitation, heap grooming/massaging, and browser exploitation. The kernel exploits are limited to data-only attacks.
On a general note: I’m not sure that the “Linux Exploitation” chapter fits well with the rest of the course, which main focus is Windows and Windows exploitation. The same could be said for the “Fuzzing” content; it should be an exploitation course, not a fuzzing one. I would have liked to see some content regarding vulnerability research/discovery:
- Showcasing vulnerability samples will help the students build “patterns” that can be used to find the vulnerabilities in the first place.
- Crash Triaging. I know this topic could be an entirely different course per se, but finding crashes is hardly a problem; triaging them and determining their exploitability/root cause is.
It was the first iteration of the new course, like a beta version where the paying students were the guinea pigs. That’s unacceptable as it wasn’t advertised as a beta, nor the price reflected that; it was marketed instead at full price.
At no point did I feel challenged. SANS has lowered the bar and the course’s difficulty to reach more user base. Still, two days (kernel exploitation, fuzzing) and a half (patch diffing) of good content aren’t enough to justify the high price of the course (~10k€).
I know that SANS’ courses are not aimed at individuals, but when you spend that money, you will expect to extract a lot more from a course. I wouldn’t recommend it to anyone looking for advanced exploitation content.
Ok, you’ve managed to reach the end of my review/rant, and you’re wondering what you should do if you’re interested in the content mentioned above. Let me give you some advice:
IDA & IDA Scripting Environment
Some free resources that will help you set up IPYIDA (a bridge between IDA and the Pycharm IDE) to have a neat IDA plugin development environment.
If you’re into properly learning IDA, nothing is better than learning it from its authors. They aren’t cheap (4k€-6k€, depending on the course):
Linux Heap Exploitation
These resources are almost free (~15€ each) by Max Kamper. He is an excellent instructor and author of the ROP Emporium website. I can assure you that you wouldn’t feel let down by his content.
If you’re into fuzzing, I’ve heard great things about the “Advanced Fuzzing and Crash Analysis” course by Richard Johnson (~4000€). I didn’t take it yet, but it’s on my TODO list.
Patch Diffing and One-Day Exploits
The following free resources will guide you in the process:
Extracting Microsoft Windows Patches
The following are the now-defunct blog post of Jaime Geiger; he is one of the two SANS SEC760 authors and instructors. He is also the developer and maintainer of the tools used to extract Microsoft patches. The second link is a live streaming of Stephen Sims doing patch diffing:
Windows Kernel Exploitation
If you’re interested in this topic, I recommend taking the “Windows Kernel Exploitation Advanced” course by Ashfaq Ansari (~3-4k€).
Windows Heap Exploitation
I can’t recommend this enough: “Windows Heap Exploitation (Advanced)” by Peter Van Eeckhoutte (~3-4k€). You can read my review of the course here.