Monday, October 22, 2012

GXPN Review

I recently passed the SANS "GIAC Exploit Researcher and Advanced Penetration Tester" (GXPN) exam. This was the first SANS certification I have attempted. It was a completely different cert for me since all of mine are of the Offensive Security or ISC2 flavor. Offsec is completely hands on and the CISSP is well, the CISSP. I did the OnDemand version of GXPN which meant I had ondemand access to the narrated slides + video demonstrations. If the topics in the syllabus are fairly new to you, the OnDemand might be the right option. It was pretty nice to see the actual video demonstrations that the instructor was showing the students in the real class.

This course (SEC 660) covers a ton of topics. A lot of them I have hands on experience with, especially Windows exploit development and network attacks. The areas I was most interested in was Linux Exploitation and Windows ROP gadgets. I was pleasantly surprised by a number of other topics as well.

I've taken the OSCE, which was significantly harder than this exam, but there was no *nix exploitation in that course. In fact, you can't really compare the two courses at all. I've done a detailed review of the OSCE here, and as you see here, the GXPN covers many more topics. OSCE is far more focused Windows exploitation.

However, I do think the two courses compliment each other. Where the OSCE lacks in descriptions and theory the GXPN picks up. In fact, the GXPN prides itself on filling the gaps of where industry papers and publications lacked details. Rather than assuming the reader knows that the FS:00 in the TIB is the SEH frame for example. I do appreciate the details and it certainly helps with a more holistic view of each topic. While mundane and boring at times, it's mostly good stuff.

A surprise benefit was the escaping restricted desktops and crypto sections. I wasn't expecting to enjoy the crypto but they (SANS) do have a valid point discussing it in an "advanced" course. You're not necessarily attacking crypto itself, rather its implementation. A broken implementation could lead to total domination. There were a number of real examples given which really opened my eyes.

I was pretty familiar with all the MITM attacks and think that the only thing they need to add is NBNS attacks to that section. That attack is such a gold mine. I'm not really so sure any of the MITM attacks are "advanced," I mean if you're not pulling those attacks off on internal networks, you're doing your clients a big disservice.

I took the first practice test before studying and scored a 75%, the second practice test the day before my exam was 85%. I finished the final exam with an 85%. I probably could have studied studied a little more :) If the topics seem foreign to you, you should really allow yourself time to get used to them all before diving into the exams. It seems like the practice tests were a pretty good gauge for me. I have heard people signing up and passing SANS exams in a week or weekend, I don't think that is possible with this one. The concepts tested are related to many aspects of the course, so it's not like you can look everything up like you might be have done in the other SANS exams.

All in all, the GXPN is pretty solid. However, if I had to pay for it personally, I might have a different opinion. You will get out of this course what you put into it. If you diligently go through each lab, you'll likely walk out of the exam +90%.