Monday, October 22, 2012

GXPN Review

I recently passed the SANS "GIAC Exploit Researcher and Advanced Penetration Tester" (GXPN) exam. This was the first SANS certification I have attempted. It was a completely different cert for me, since all of mine are of the Offensive Security or ISC2 flavor. Offsec is completely hands-on and the CISSP is, well, the CISSP. I did the OnDemand version of GXPN, which meant I had on-demand access to the narrated slides plus video demonstrations. If the topics in the syllabus are fairly new to you, OnDemand might be the right option. It was pretty nice to see the actual video demonstrations that the instructor was showing the students in the real class.

This course (SEC 660) covers a ton of topics. A lot of them I have hands-on experience with, especially Windows exploit development and network attacks. The areas I was most interested in were Linux exploitation and Windows ROP gadgets. I was pleasantly surprised by a number of other topics as well.

I've taken the OSCE, which was significantly harder than this exam, but there was no *nix exploitation in that course. In fact, you can't really compare the two courses at all. I've done a detailed review of the OSCE here, and as you see here, the GXPN covers many more topics. OSCE is far more focused on Windows exploitation.

However, I do think the two courses complement each other. Where the OSCE lacks in descriptions and theory, the GXPN picks up. In fact, the GXPN prides itself on filling the gaps where industry papers and publications lacked details, rather than assuming the reader already knows, for example, that FS:00 in the TIB is the SEH frame. I do appreciate the details, and it certainly helps with a more holistic view of each topic. While mundane and boring at times, it's mostly good stuff.

A surprise benefit was the escaping restricted desktops and crypto sections. I wasn't expecting to enjoy the crypto, but they (SANS) do have a valid point discussing it in an "advanced" course. You're not necessarily attacking crypto itself, rather its implementation. A broken implementation could lead to total domination. There were a number of real examples given which really opened my eyes.

I was pretty familiar with all the MITM attacks and think that the only thing they need to add is NBNS attacks to that section. That attack is such a gold mine. I'm not really so sure any of the MITM attacks are "advanced," I mean if you're not pulling those attacks off on internal networks, you're doing your clients a big disservice.

I took the first practice test before studying and scored a 75%; the second practice test, the day before my exam, was 85%. I finished the final exam with an 85%. I probably could have studied a little more :) If the topics seem foreign to you, you should really allow yourself time to get used to them all before diving into the exams. It seems like the practice tests were a pretty good gauge for me. I have heard of people signing up for and passing SANS exams in a week or a weekend; I don't think that is possible with this one. The concepts tested are related to many aspects of the course, so it's not like you can look everything up as you might have done in the other SANS exams.

All in all, the GXPN is pretty solid. However, if I had to pay for it personally, I might have a different opinion. You will get out of this course what you put into it. If you diligently go through each lab, you'll likely walk out of the exam +90%.

Μαρκοσ said...

Started this one today. It looks like it has a lot of great material so far.

Display name said...

I'd appreciate your advice on which I should do next between OSCE and GXPN. I have the OSCP, and I'm going through the hiring process for a contracting job. They said I need one more cert from the list which includes OSCE, OSEE, and GXPN. I'd have six months from date of hire to complete the cert. I'd also be paying for it, although they would give me up to 2k of the cost as part of my benefits.

Initially I would think that since the course for GXPN lists the GPEN class as a prerequisite, it would be expensive as hell to get GPEN and then GXPN certified. Although the OSCE route would be much less expensive, as we both know they don't hold your hand, and as it is I'm underqualified for the job and would be absorbing a lot of new things to learn from day one, so I'm concerned that OSCE would be overload considering that they don't fill in the gaps or hold your hand.

In your opinion, should I do GPEN/GXPN, or OSCE? I know that the SANS certs would be more expensive, but I don't know if I want to tackle OSCE while simultaneously having to get up to speed on a new job as a pentester with little prior experience. From what I've read, the SANS courses would provide more complete coverage of the subjects and the final exams would be much easier.