SEC760: Advanced Exploit Development for Penetration Testers

Provided by SANS
Qualification level
Study type
Distance learning
View Website
View Website

About the course

Vulnerabilities in modern operating systems such as Microsoft Windows 7/8, Server 2012, and the latest Linux distributions are often very complex and subtle. Yet, when exploited by very skilled attackers, these vulnerabilities can undermine an organization's defenses and expose it to significant damage. Few security professionals have the skillset to discover, let alone even understand at a fundamental level, why the vulnerability exists and how to write an exploit to compromise it. Conversely, attackers must maintain this skillset regardless of the increased complexity. SANS SEC760: Advanced Exploit Development for Penetration Testers teaches the skills required to reverse-engineer 32-bit and 64-bit applications, perform remote user application and kernel debugging, analyze patches for 1-day exploits, and write complex exploit, such as use-after-free attacks against modern software and operating systems.


Course Syllabus

SEC760.1: Threat Modeling, Reversing and Debugging with IDA


Many penetration testers, incident handlers, developers, and other professionals lack reverse-engineering and debugging skills. This is a different skill than reverse-engineering malicious software. As part of the Security Development Lifecycle (SDL) and Secure-SDLC, developers and exploit writers should have experience using IDA Pro to debug and reverse their code when finding bugs or identifying potential risks after static code analysis or fuzzing. Failure to perform proper threat modeling and SDL tasks results in security gaps that can be exploited by attackers. During this section you will learn how to get started with implementing the Microsoft SDL, perform threat modeling, perform local and remote debugging with IDA, as well as how to write your own IDAPython scripts.

CPE/CMU Credits: 8


  • Security Development Lifecycle
  • Threat modeling
  • Why IDA is the #1 tool for reverse-engineering
  • IDA navigation
  • IDA Python and the IDA IDC
  • IDA plug-ins and extensibility
  • Local application debugging with IDA
  • Remote application debugging with IDA

SEC760.2: Advanced Linux Exploitation


The ability to progress into more advanced reversing and exploitation requires an expert-level understanding of basic software vulnerabilities, such as those covered in SEC660. Heap overflows serve as a rite of passage into modern exploitation techniques. This day is aimed at bridging this gap of knowledge in order to inspire thinking in a more abstract manner, necessary for continuing further with the course. Linux can sometimes be an easier operating system to learn these techniques, serving as a productive gateway into Windows.

CPE/CMU Credits: 8


  • Linux heap management, constructs, and environment
  • Navigating the heap
  • Abusing macros such as unlink() and frontlink()
  • Function pointer overwrites
  • Format string exploitation
  • Abusing custom doubly-linked lists
  • Defeating Linux exploit mitigation controls
  • Using IDA for Linux application exploitation
  • Using format string bugs for ASLR bypass

SEC760.3: Patch Diffing, One-Day Exploits, and Return-Oriented Shellcode


Attackers often download patches as soon as they are distributed by vendors such as Microsoft in order to find newly patched vulnerabilities. Vulnerabilities are usually disclosed privately, or even discovered in-house, allowing the vendor to more silently patch the vulnerability. This also allows the vendor to release limited or even no details at all about a patched vulnerability. Attackers are well aware of this and quickly work to find the patched vulnerability in order to take control of unpatched systems. This technique is also performed by incident handlers, IDS administrators and vendors, vulnerability and penetration testing framework companies, government entities, and others. You will use the material covered in this day to identify bugs patched by vendors and take them through to exploitation.

CPE/CMU Credits: 8


  • The Microsoft patch management process and Patch Tuesday
  • Obtaining patches and patch extraction
  • Binary diffing with BinDiff, patchdiff2, turbodiff, and DarunGrim4
  • Visualizing code changes and identifying fixes
  • Reversing 32-bit and 64-bit applications and modules
  • Triggering patched vulnerabilities
  • Writing one-day exploits
  • Handling modern exploit mitigation controls
  • Using ROP to compiled shellcode on the fly (Return-Oriented Shellcode)

SEC760.4: Windows Kernel Debugging and Exploitation


The Windows Kernel is complex and intimidating, so this day aims to help you understand the Windows kernel and the various exploit mitigations added into recent versions. You will perform kernel debugging on various versions of the Windows OS, such as Windows 7 and 8, and learn to deal with its inherent complexities. Exercises will be performed to analyze Ring 0 driver vulnerabilities, look at exploitation techniques, and get working exploits.

CPE/CMU Credits: 8


  • Understanding the Windows kernel
  • Navigating the Windows kernel
  • Modern kernel protections
  • Debugging the Windows 7/8 kernels and drivers
  • WinDbg
  • Analyzing kernel vulnerabilities and vulnerability types
  • Kernel exploitation techniques
  • Token stealing and HAL dispatch table overwrites

SEC760.5: Windows Heap Overflows and Client-Side Exploitation


The focus of this section is primarily on Windows browser and client-side exploitation. You will learn to analyze C++ vftable overflows, one of the most common mechanisms used to compromise a modern Windows system. Many of these vulnerabilities are discovered in the browser, so browser techniques will be taught, such as modern heap spraying to deal with IE 8/9/10/11 and other browsers such as FireFox and Chrome. You will work toward writing exploits in the Use-After-Free/Dangling Pointer vulnerability class, and bypass ASLR and DEP.

CPE/CMU Credits: 8


  • Windows heap management, constructs, and environment
  • Understanding the low fragmentation heap (LFH)
  • Browser-based and client-side exploitation
  • Remedial heap spraying
  • Understanding C++ vftable/vtable behavior
  • Modern heap spraying to determine address predictability
  • Use-After-Free attacks and dangling pointers
  • Using custom flash objects to bypass ASLR
  • Defeating ASLR, DEP, and other common exploit mitigation controls

SEC760.6: Capture the Flag Challenge


Day six will feature a Capture the Flag event employing different types of challenges from material taught throughout the week. Test your reverse-engineering, bug discovery, and exploit-writing skills in a full day of Capture the Flag exercises!

CPE/CMU Credits: 6

Who Should Attend

  • Senior Network and System Penetration Testers
  • Secure Application Developers (C and C++)
  • Reverse-Engineering Professionals
  • Senior Incident Handlers
  • Senior Threat Analysts
  • Vulnerability Researchers
  • Security Researchers


It is mandatory that students have previous exploit-writing experience using techniques such as those covered in SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking. This includes experience with stack-based buffer overflows on both Linux and Windows, as well as experience defeating modern exploit mitigation controls such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), canaries, and SafeSEH. Experience with or an understanding of fuzzing tools such as the Sulley Fuzzing Framework and Peach is required. Programming experience is important, preferably with C/C++. At a minimum, scripting experience in a language such as Python, Perl, Ruby, or LUA is mandatory. Programming fundamentals such as functions, pointers, calling conventions, structures, classes, etc. will be assumed knowledge. Experience with reverse-engineering vulnerable code is also required, as is the ability to read x86 disassembly from within a debugger or disassembler. Experience with both Linux and Windows navigation is required, as well as TCP/IP experience. If you do not meet these requirements you may not be able to keep up with the pace of the course.

Courses that lead in to SEC760:

  • SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
  • FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

Courses that are prerequisites for SEC760:

  • SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

SEC760 is a very challenging course covering topics such as remote debugging with IDA, writing IDA Python and IDC scripts, SDL and threat modeling, Linux heap overflows, patch diffing, use-after-free attacks, Windows Kernel debugging and exploitation, and much more. Please see the course syllabus for a detailed listing, and be sure to take a look at the recommended prerequisites and laptop requirements. You are expected to already know how to write exploits for Windows and Linux applications, bypass exploit mitigation controls such as DEP and ASLR, utilize return-oriented shellcode (ROP), etc.

SANS gets a lot of questions about this course. Am I ready for SEC760? Should I take SEC660 first? I have taken SEC660 but am I definitely ready for SEC760? I have taken SEC560, so can I jump right to SEC760 if I only want the exploit development material? I have not taken any SANS pen testing courses, so which one should I start with? I have taken a course through Offensive Security or Corelan, is the material the same?

There is no "one size fits all" reply to these types of questions, as everyone has a different level of experience. SANS's recommendation is to thoroughly read through the course syllabus and prerequisite statements for any course you are considering. The course author, Stephen Sims, is available to answer any questions you may have about the subject matter in order to help you make an informed decision. You can reach Stephen Sims at

SANS has prepared written a 10 question exam that will help you determine if you are better suited for SEC660 or SEC760. Remember that this is purely from an exploit development perspective. SEC660 includes two days of material on introduction to exploit development and bypassing exploit mitigation controls. Much of the other material in SEC660 is on a wide range of advanced penetration testing topics such as network device exploitation (routers, switches, network access control), pentesting cryptographic implementations, fuzzing, Python, network booting attacks, escaping Linux and Windows restricted environments, etc. Many students of SEC760 have taken training from Offensive Security, Exodus Intelligence, Corelan, and others. Though there will certainly be overlap in some sections, there are many unique sections without overlap.

What You Will Receive

  • Various preconfigured *NIX virtual machines; however, you are required to bring the Windows virtual machines discussed in the Laptop Requirements section.
  • Various tools on a course USB that are required for use in class.
  • Access to the in-class Virtual Training Lab with many in-depth labs.
  • Access to recorded course audio to help hammer home important network penetration testing lessons.

You Will Be Able To

  • Discover zero-day vulnerabilities in programs running on fully-patched modern operating systems.
  • Create exploits to take advantage of vulnerabilities through a detailed penetration testing process.
  • Use the advanced features of IDA Pro and write your own IDC and IDA Python scripts.
  • Perform remote debugging of Linux and Windows applications.
  • Understand and exploit Linux heap overflows.
  • Write Return-Oriented Shellcode.
  • Perform patch diffing against programs, libraries, and drivers to find patched vulnerabilities.
  • Perform Windows heap overflows and use-after-free attacks.
  • Use precision heap sprays to improve exploitability.
  • Perform Windows Kernel debugging up through Windows 8 64-bit.
  • Jump into Windows kernel exploitation.

Hands-on Training

  • Perform labs to reverse-engineer Microsoft patches from 2007-2014 to identify the patched vulnerability and take them through exploitation.
  • Perform use-after-free exploit labs against popular web browsers such as Internet Explorer.
  • Bypass ASLR through the creation of custom Flash objects and UAF bugs.
  • Remote-debug both Linux and Windows applications, and remote-debug the Windows 7 and 8 Kernels.
  • Exploit Linux heap overflows.
  • Perform threat modeling against applications.
  • Bypass modern exploit mitigations.
  • Write your own IDA Python scripts.
  • Navigate the Windows front-end (LFH) and back-end heap allocators.
  • Debug drivers.

Contact the course provider: