Enterprise Penetration Testing Course | SEC560 (2024)

As a cybersecurity professional, you have a unique responsibility to identify and understand your organization's vulnerabilities and work diligently to mitigate them before the bad actors pounce. Are you ready? SEC560, the flagship SANS course for penetration testing, fully equips you to take this task head-on.

In SEC560, you will learn how to plan, prepare, and execute a penetration test in a modern enterprise. Using the latest penetration testing tools, you will undertake extensive hands-on lab exercises to learn the methodology of experienced attackers and practice your skills. You will then be able to take what you have learned in this course back to your office and apply it immediately.

This course is designed to strengthen penetration testers and further add to their skillset. The course is also designed to train system administrators, defenders, and others in security to understand the mindset and methodology of a modern attacker. Every organization needs skilled information security personnel who can find vulnerabilities and mitigate their effects, and this entire course is specially designed to get you ready for that role. Both the offensive teams and defenders have the same goal: keep the real bad guys out.

In SEC560, you will learn to:

  • Properly plan and prepare for an enterprise penetration test
  • Perform detailed reconnaissance to aid in social engineering, phishing, and making well-informed attack decisions
  • Scan target networks using best-of-breed tools to identify systems and targets that other tools and techniques may have missed
  • Perform safe and effective password guessing to gain initial access to the target environment, or to move deeper into the network
  • Exploit target systems in multiple ways to gain access and measure real business risk
  • Execute extensive post-exploitation to move further into the network
  • Use Privilege Escalation techniques to elevate access on Windows or Linux systems, or even the Microsoft Windows Domain
  • Perform internal reconnaissance and situational awareness tasks to identify additional targets and attack paths
  • Execute lateral movement and pivoting to further extend access to the organization and identify risks missed by surface scans
  • Crack passwords using modern tools and techniques to extend or escalate access
  • Use multiple Command and Control (C2, C&C) frameworks to manage and pillage compromised hosts
  • Attack the Microsoft Windows domain used by most organizations
  • Execute multiple Kerberos attacks, including Kerberoasting, Golden Ticket, and Silver Ticket attacks
  • Conduct Azure reconnaissance
  • Azure AD password spraying attacks
  • Execute commands in Azure using compromised credentials
  • Develop and deliver high-quality reports

SEC560 is designed to get you ready to conduct a full-scale, high-value penetration test, and at the end of the course you'll do just that. After building your skills in comprehensive and challenging labs, the course culminates with a final real-world penetration test scenario. Youll conduct an end-to-end pen test, applying knowledge, tools, and principles from throughout the course as you discover and exploit vulnerabilities in a realistic sample target organization.

Enterprise Penetration Testing Course | SEC560 (1)

What You Will Receive

  • Access to the in-class Virtual Training Lab with more than 30 in-depth labs
  • SANS Slingshot Linux Penetration Testing Environment and Windows 10 Virtual Machines loaded with numerous tools used for all labs
  • Access to the recorded course audio to help hammer home important network penetration testing lessons
  • Cheat sheets with details on professional use of Metasploit, Netcat, and more
  • Worksheets to streamline the formulation of scoping and rules of engagement for professional penetration tests

Download PDF

  • Overview

    In this course section, you'll develop the skills needed to conduct a best-of-breed, high-value penetration test. We'll go in-depth on how to build a penetration testing infrastructure that includes all the hardware, software, network infrastructure, and tools you will need to conduct great penetration tests, with specific low-cost recommendations for your arsenal. We'll then cover formulating a pen test scope and rules of engagement that will set you up for success, including a role-play exercise. We'll also dig deep into the reconnaissance portion of a penetration test, covering the latest tools and techniques. The course section features hands-on lab exercises to learn about a target environment, including a lab using Spiderfoot to automate the discovery of information about the target organization, network, infrastructure, and users.

    • Linux for Pen Testers
    • Formulating an Effective Scope and Rules of Engagement
    • Organizational Recon
    • Infrastructure Recon
    • User/Employee Recon
    • Automated Recon with Spiderfoot
    • The Mindset of the Professional Pen Tester
    • Building a World-Class Pen Test Infrastructure
    • Creating Effective Pen Test Scopes and Rules of Engagement
    • Detailed Recon Using the Latest Tools
    • Mining Search Engine Results
    • Reconnaissance of the Target Organization, Infrastructure, and Users
    • Automating Reconnaissance with Spiderfoot
  • Overview

    This course section focuses on the vital task of mapping the target environment's attack surface by creating a comprehensive inventory of machines, accounts, and potential vulnerabilities. We look at some of the most useful scanning tools freely available today and run them in numerous hands-on labs to help hammer home the most effective way to use each tool. We'll cover vital techniques for false-positive reduction so that you can focus your findings on meaningful results and avoid the sting of a false positive. And we'll examine the best ways to conduct your scans safely and efficiently. The section includes password guessing attacks, which are a common way for penetration testers and malicious attackers to gain initial access and pivot through the network. This action-packed section concludes with another common way to gain initial access: exploitation. We'll discuss many ways that exploits are used to gain access or escalate privileges, then examine how these exploits are packaged in frameworks like Metasploit and its mighty Meterpreter. You'll learn in-depth how to leverage Metasploit and Meterpreter to compromise target environments.

    • Getting the Most Out of Nmap
    • Faster Scanning with Masscan
    • OS Fingerprinting, Version Scanning In-Depth, Netcat for Penetration Testers, and EyeWitness
    • The Nmap Scripting Engine
    • Initial Access with Password Guessing with Hydra
    • Comprehensive Metasploit Coverage with Exploits, Stagers, and Stages
    • Strategies and Tactics for Anti-Virus Evasion and Application Control Bypass
    • Exploitation with Metasploit and the Meterpreter Shell
    • In-Depth Meterpreter Analysis, Hands-On
    • Tips for Awesome Scanning
    • Nmap In-Depth: The Nmap Scripting Engine
    • Version Scanning with Nmap
    • False-Positive Reduction
    • Netcat for the Pen Tester
    • Gaining Initial Access
    • Password Guessing, Spraying, and Credential Stuffing
    • Exploitation and Exploit Categories
    • Exploiting Network Services and Leveraging Meterpreter
  • Overview

    Once you've successfully exploited a target environment, penetration testing gets extra exciting as you perform post-exploitation, gathering information from compromised machines and pivoting to other systems in your scope. In this section we'll discuss a common modern penetration test style, the Assumed Breach, where initial access is ceded to the testers for speed and efficiency. Whether the testers gain access themselves or access is provided, the testers now identify risks that are not visible on the surface. You'll learn tools and techniques to perform privilege escalation attacks to gain elevated access on compromised hosts. Part of post-exploitation includes password dumping, and we'll perform cleartext password extraction with Mimikatz, and password cracking. You'll learn modern tools and techniques to perform better cracking attacks that will extend or upgrade your access in the target environment.

    • Identifying Insecurities in Windows with GhostPack Seatbelt
    • Privilege Escalation on Windows
    • Domain Mapping and Exploitation with Bloodhound
    • Metasploit Psexec, Hash Dumping, and Mimikatz Kiwi Credential Harvesting
    • Password Cracking with John the Ripper and Hashcat
    • Attacking Nearby Clients with Responder
    • Assumed Breach Testing
    • Post-Exploitation
    • Situational Awareness on Linux and Windows
    • GhostPack's Seatbelt
    • Password Attack Tips
    • Retrieving and Manipulating Hashes from Windows, Linux, and Other Systems
    • Extracting Hashes and Passwords from Memory with Mimikatz Kiwi
    • Effective Password Cracking with John the Ripper and Hashcat
    • Poisoning Multicast Name Resolution with Responder
  • Overview

    This course sections zooms in on moving through the target environment. When attackers gain access to a network, they move, so you'll learn the same techniques used by modern attackers and penetration testers. You'll start by manually executing the techniques used for lateral movement, then move on to automation using a powerful toolset, Impacket, to exploit and abuse network protocols. We'll examine Windows network authentication, and you'll perform a pass-the-hash attack to move through the network without knowing the compromised accout'ss password. We'll examine C2 frameworks and use two widely known ones, [PowerShell] Empire and Sliver; discuss methods of evasion and application control bypasses; and use our access on one system as a pivot to access another system that is not directly from our attacker system.

    • Lateral Movement and Running Commands Remotely with WMIC and by Creating Malicious Services
    • The Impacket Framework
    • Pass-the-Hash
    • Command and Control Sliver and Teammates
    • Leveraging [PowerShell] Empire for Post-Exploitation
    • Bypassing Application Control Technology Using Built-in Windows Features
    • Pivoting through SSH and an Existing Meterpreter Session
    • Lateral Movement
    • Running Commands Remotely
    • Attacking and Abusing Network Protocols with Impacket
    • Command and Control (C2) Frameworks and Selecting the One for You
    • Using the Adversary Emulation and Red Team Framework, Sliver
    • Post-Exploitation with [PowerShell] Empire
    • Anti-Virus and Evasion of Defensive Tools
    • Application Control Bypasses Using Built-In Windows Features
    • Implementing Port Forwarding Relays via SSH for Merciless Pivots
    • Pivoting through Target Environments with C2
  • Overview

    This course section will zoom in on typical Active Directory (AD) lateral movement strategies. You'll gain an in-depth understanding of how Kerberos works and what the possible attack vectors are, including Kerberoasting, Golden Ticket, and Silver Ticket attacks. You'll use credentials found during the penetration test of the target environment to extract all the hashes from a compromised Domain Controller. With full privileges over the on-premise domain, we'll then turn our attention to the cloud and have a look at Azure principles and attack strategies. The integration of Azure AD with the on-premise domain provides interesting attack options, which will be linked to the domain dominance attacks we saw earlier during the course section. We'll wrap up with a discussion on effective reporting and communication with the business.

    • Kerberoast Attack for Domain Privilege Escalation
    • Domain Dominance and Password Hash Extraction from a Compromised Domain Controller
    • Silver Tickets for Persistence and Evasion
    • Golden Ticket attacks for Persistence
    • Azure Reconnaissance and Password Spraying
    • Running Commands in Azure Using Compromised Credentials
    • Kerberos Authentication Protocol
    • Kerberoasting for Domain Privilege Escalation and Credential Compromise
    • Persistent Administrative Domain Access
    • Obtaining NTDS.dit and Extracting Domain Hashes
    • Golden and Silver Ticket Attacks for Persistence
    • Additional Kerberos Attacks including Skeleton Key, Over-Pass-the-Hash, and Pass-the-Ticket
    • Effective Domain Privilege Escalation
    • Azure and Azure AD Reconnaissance
    • Azure Password Attacks and Spraying
    • Understanding Azure Permissions
    • Running Commands on Azure Hosts
    • Tunneling with Ngrok
    • Lateral Movement in Azure
    • Effective Reporting and Business Communication
  • Overview

    This lively session represents the culmination of the network penetration testing and ethical hacking course. You'll apply all of the skills mastered in the course in a comprehensive, hands-on exercise during which you'll conduct an actual penetration test of a sample target environment. We'll provide the scope and rules of engagement, and you'll work to achieve your goal to determine whether the target organization's Personally Identifiable Information is at risk. As a final step in preparing you for conducting penetration tests, you'll make recommendations about remediating the risks you identify.

    • A Comprehensive Lab Applying What You Have Learned Throughout the Course
    • Modeling a Penetration Test Against a Target Environment
    • Applying Penetration Testing and Ethical Hacking Practices End-to-End
    • Detailed Scanning to Find Vulnerabilities and Avenues to Entry
    • Exploitation to Gain Control of Target Systems
    • Post-Exploitation to Determine Business Risk
    • Merciless Pivoting
    • Analyzing Results to Understand Business Risk and Devise Corrective Actions

The GIAC Penetration Tester certification validates a practitioner's ability to properly conduct a penetration test, using best practice techniques and methodologies. GPEN certification holders have the knowledge and skills to conduct exploits and engage in detailed reconnaissance, as well as utilize a process-oriented approach to penetration testing projects.

  • Comprehensive Pen Test Planning, Scoping, and Recon
  • In-Depth Scanning and Exploitation, Post-Exploitation, and Pivoting
  • In-Depth Password Attacks and Web App Pen Testing

More Certification Details

SEC560 is the flagship penetration test course offered by the SANS Institute. Attendees are expected to have a working knowledge of TCP/IP and a basic knowledge of the Windows and Linux command lines before they come to class. While SEC560 is technically in-depth, it is important to note that programming knowledge is NOT required for the course.

Course Lead-Ins and Follow-Ups

Courses that lead in to SEC560:

  • SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
  • SEC542: Web App Penetration Testing and Ethical Hacking
  • SEC580: Metasploit Kung Fu for Enterprise Pen Testing

Courses that are good follow-ups to SEC560:

  • SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
  • SEC575: Mobile Device Security and Ethical Hacking
  • SEC542: Web App Penetration Testing and Ethical Hacking
  • SEC588: Cloud Penetration Testing

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back-up your system before class. it is also strongly advised that you do not bring a system storing any sensitive data.


To get the most value out of this course, students are required to bring their own laptop so that they can connect directly to the workshop network we will create. It is the students' responsibility to make sure the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player VMware Workstation is required for the class. If you plan to use a Mac, please make sure you bring VMware Fusion. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

Disc Space Requirements

The course includes two VMware image files: a Windows 10 VM, and Slingshot Linux. You will need at least 60GB free on your system for these virtual machintes (VMs).


You will use VMware to run Windows 10 and Slingshot Linux VMs simultaneously when performing exercises in the course. The VMs come with all the tools you will need to complete the lab exercises.

We will give you a USB full of attack tools to experiment with during the course and to keep for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware.

Windows and Native Linux Users: You must have either the free VMware Workstation Player 16 or later or the commercial VMware Workstation 16 or later installed on your system prior to coming to class. You can download VMware Player for free here.

Mac users: You will need VMware Fusion 12 (or later) or the free VMware Fusion Player 12 or later installed on your Mac prior to class. You can download the free VMware Fusion Player here.

Virtualbox and other virtualization products: While this may work in the course, it is not officially supported. If you choose to use this software you will be responsible for configuring the virtual machines to work on the target range. Also, installation of both VMware and Virtualbox can sometimes cause network issues. We recommend only installing one virtualization technology.

Mandatory Laptop Hardware Requirements

  • x64-compatible 2.0 GHz CPU minimum or higher
  • 8 GB RAM minimum with 16 GB or higher recommended
  • 50 GB available hard-drive space
  • Any patch level is acceptable for Windows 10

During the workshop, you will be connecting to one of the most hostile networks on Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the course attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

"All security professionals need to understand modern attack tactics and principles. As a defender, incident responder, or forensic analyst, it is important to understand the latest attacks and the mindset of the attacker. In this course, penetration testers, red teamers, and other offensive security professionals will learn tools and techniques to increase the impact and effectiveness of their work. As the lead author for this course, I'm proud to bring my years of security experience (both offensive and defensive) as well as network/system administration experience to the course. We aim to provide a valuable, high-impact penetration testing course designed to teach experienced pen testers new tips, help prepare new penetration testers, and provide background to anyone dealing with penetration testers, Red Teams, or even malicious attackers. I personally enjoy teaching this course and sharing my experience and real-life examples with you." - Tim Medin

"Tim is an excellent SANS instructor. He's knowledgable, and he kept the course funny and interesting." - Thomas Rogers, Chevron

Enterprise Penetration Testing Course | SEC560 (2024)


Which certification is best for penetration testing? ›

Top 10 penetration testing certifications for security professionals [updated 2022]
  • EC-Council Certified Ethical Hacker (CEH)
  • EC-Council Licensed Penetration Tester (LPT) Master.
  • Infosec Institute Certified Penetration Tester (CPT)
  • Certified Expert Penetration Tester (CEPT)

What is enterprise penetration testing? ›

Applying Penetration Testing and Ethical Hacking Practices End-to-End. Detailed Scanning to Find Vulnerabilities and Avenues to Entry. Exploitation to Gain Control of Target Systems. Post-Exploitation to Determine Business Risk.

What qualifications do I need to become a penetration tester? ›

Entry-level penetration tester requirements include both education and experience. A bachelor's degree increasingly serves as the minimum necessary level of schooling. Candidates then build penetration tester skills by working in entry-level IT positions, including system or network security and administration roles.

What are the 3 types of penetration testing? ›

3 Types of Penetration Testing – What You Need to Know
  • #1. Black Box Penetration Testing. A black box test is one where the tester is provided the bare minimum amount of information, such as just the company name. ...
  • #2. Grey Box Penetration Testing. ...
  • #3. White Box Penetration Testing.

What is the salary of a penetration tester? ›

Average salary for a Penetration Tester in India is 7 Lakhs per year (₹58.3k per month). Salary estimates are based on 105 salaries received from various Penetration Testers across industries.

Are penetration testers in demand? ›

The US Bureau of Labor Statistics projects 33 percent job growth for information security analysts, including penetration testers, between 2020 and 2030 [2]. This is much faster than the average for all occupations in the US.

What are the 5 stages of penetration testing? ›

There are five penetration testing phases: reconnaissance, scanning, vulnerability assessment, exploitation, and reporting.

How important is penetration testing in enterprise? ›

The main reason penetration tests are crucial to an organization's security is that they help personnel learn how to handle any type of break-in from a malicious entity. Pen tests serve as a way to examine whether an organization's security policies are genuinely effective.

How much is GPEN certification? ›

To register for a GPEN certification attempt, you need to submit an online application and pay a $1,699 fee.

What is ethical hacker salary? ›

According to Payscale, those with a Certified Ethical Hacker (CEH) credential earn a median base pay of $82,966—more than $3,000 more than the average for all ethical hackers [3].

Is penetration testing hard? ›

It takes 48 hours to complete, but it shows that you know how to tackle the security issues that less advanced ethical hackers can't handle. It's one of the industry's most difficult tests. If you've passed it, companies know that you can take on the toughest problems out there.

Does penetration testing require coding? ›

No, you need never code in python or SQL or perform any hands on coding whatsoever to have a reknowned career in penetration testing.

Who can perform penetration testing? ›

A penetration test is performed by a security expert trained to identify and document issues that are present in an environment. The resulting report can give you the opportunity to remediate the issues before they have been exploited by a real attacker.

What is black-box Pentesting? ›


What is black-box in cyber security? ›

A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network. This means that black-box penetration testing relies on dynamic analysis of currently running programs and systems within the target network.

Can penetration testers work from home? ›

Freelance pentesters have the liberty of working from wherever they want, unless they get subcontracted to work on on-site jobs that require them to travel. Otherwise, they can work from the comfort of their homes if they have reliable Internet connections, or from cafes or malls.

Is penetration testing worth it? ›

Is penetration testing a good career? Penetration testing can be an excellent career choice for individuals with strong computer, IT, and problem-solving skills. The BLS projects much-faster-than-average growth for information security analysts, including penetration testers, from 2020-2030.

How long does it take to learn penetration testing? ›

4 Years. Most often, you'll need at least a bachelor's degree to become a penetration tester. At many universities that takes around 4 years. However, at WGU many students finish coursework more quickly and earn their degrees sooner.

What is OSCE certification? ›

Students who complete the course and pass the exam earn the Offensive Security Certified Expert (OSCE) certification. This cert proves mastery of advanced penetration testing skills. OSCEs have also demonstrated they can think laterally and perform under pressure. Course includes a 48-hour exam.

How much does the CEH exam cost? ›

CEH costs USD $1,199 retail (non-member) and does not include performance-based questions. Don't just take our word for it.

What is LPT certification? ›

The LPT (Master) certification is the culmination of EC Council's penetration testing track, following Certified Ethical Hacker (CEH) and EC Council Certified Security Analyst (ECSA). The LPT (Master) exam is hands-on only. There is no course or written exam to take prior to this hands-on exam.

How much is the Oscp? ›

Offensive Security certification exam cost is $800 for OSCP, $1,200 for OSCE, $1,400 for OSWE, and $450 for OSWP.

Top Articles
Latest Posts
Article information

Author: Margart Wisoky

Last Updated:

Views: 6071

Rating: 4.8 / 5 (78 voted)

Reviews: 93% of readers found this page helpful

Author information

Name: Margart Wisoky

Birthday: 1993-05-13

Address: 2113 Abernathy Knoll, New Tamerafurt, CT 66893-2169

Phone: +25815234346805

Job: Central Developer

Hobby: Machining, Pottery, Rafting, Cosplaying, Jogging, Taekwondo, Scouting

Introduction: My name is Margart Wisoky, I am a gorgeous, shiny, successful, beautiful, adventurous, excited, pleasant person who loves writing and wants to share my knowledge and understanding with you.