Thursday, August 9, 2012

Passed GIAC GXPN Exam

As with most of my previous GIAC exams, I did a self-study for GXPN as well. SANS / GIAC categorizes this exam / course as 'Advanced' so keep that in mind when preparing.

Exam objective break up list is available on GIAC GXPN site and must be the first place to prioritize study plan. As I see it, there are 2 sections to plan for.

First, you got to study, practice hands-on and should have good prior experience primarily in Penetration Testing. An experienced pen tester carries knowledge & skills in a variety of domains - systems, networks, applications, architecture, etc., - & how to break each using tools or manually by hand; and that is what this section demands. At a high level, relate the topics from objective lists of SANS GIAC 401, 504, 505, 506, 542, and 560. Anything and everything except exploit development.

Second, is Exploit Development on Windows & Linux platforms. So, your priority reading ought to be, x86, Assembly, Memory management, Stacks, Heaps, Processes, Threads, SEH, DEP, ASLR, Shellcode, Debugging, Disassembling, and various exploitation techniques on Windows & *nix. Unless you have hands-on experience in these areas, plan to spend at least 6-10 months to learn & practice.

Following are resources that helped me prepare for the SANS 660 GXPN exam:
  1. - Peter (corelanc0d3r) has written Excellent articles on exploit development from Basics to Advanced exploitation scenarios. Highly recommended resource. Period.
  2. Security Tube - Another excellent resource for learning variety of topics. Vivek has created series of video tutorials on Linux assembly, Windows assembly, Format String vulnerabilities, Buffer Overflows, Exploit research, Metasploit and many more. His way of teaching is pretty good. I highly recommend studying his primers for preparation to GIAC GXPN.
  3. Shellcoder's handbook 2nd edition - Thorough coverage of *nix exploitation. Windows and other OS are covered as well. A good resource. Get it here.
  4. Microsoft MSDN / Technet - This is required reading for various topics, such as Windows memory management, process, threads, heaps, SEH, DEP, etc.
  5. Exploit-db (Papers) - Formerly milw0rm, there are some really good papers that detail various exploitation techniques. This is required reading, folks.
In addition to all the above resources, the essential, final element is hands-on experience. There is no alternative to it. Build a virtual lab, go to, download vulnerable applications and their corresponding exploit codes and test them out in your virtual machines. Learn to use Immunity Debugger / Ollydbg, IDA pro / gdb disassembler. Spend time, make notes and follow along the topics one by one. Always start it one step at a time and trust me, you'll be sprinting in no time.

My views on exam are mixed. Most questions were pretty straight and some really twisted. Apparently, pretty straight to me, cos I have decent EEE (education, exposure, experience) in pen testing, and work on exploit dev every once in a while. Twisted ones especially on the exploit development domain. I feel exam can be further improved in 2 aspects:
  1. More screen cap based questions should be there in exam which will test a candidate's ability to read through registers, memory locations and identify issues, and solutions in making an exploit work.
  2. For any incorrect questions, I hope SANS GIAC starts to show a hint for why the chosen answer was not correct. Currently, you answer incorrectly and you get no freaking idea why it was so. The objective of exam needs to be to enforce the learning and not only to get a certificate.
Overall, it has been a long process to prepare and become confident of completing this expensive challenge (~1000$). It took far greater effort than earlier GIAC exams I completed - GPEN, GCIH, GREM, and GWAPT.

For those who are preparing for GIAC GXPN, feel free to comment, and ask questions. I will be glad to help.


  1. Thanks for blogging your experience about the exam and the resources that were helpful for you. I am currently working towards challenging the GXPN exam.

    What resources were helpful for the following topics?
    - Bypass network access control systems
    - Attacking the Windows Domain - Restricted Desktops

  2. Got to start off by saying congrats! That is a big cert.I have a quesion I want to take this cert I just got the GPEN 2 weeks ago and wondering if I should take the GREM first? Do you have any ideas what I should do? Thanks!

  3. @Anonymous: Thanks.

    GREM & GXPN cover two unique, different subjects. Both GREM & GXPN are good to study areas. But IMO, you don't really need GREM to prepare for GXPN, if that's what you intend to ask.

    To prepare for GXPN, I would recommend you read & refer to study resources I mentioned in my post above. And practice.

    Give thorough time to study & practice GXPN related topics - 6-10 months at least.


  4. Hi!

    Wonder if you did take SANS 6 day training prior your exam?

    1. @Jon: I did hope my company will do that. But just wishful thinking. Self-study, for me.

  5. HI Karn,
    Does the GXPN exam includes web application and wifi pentesting also

  6. Hi Anonymous, it's been a while I finished this. I am pretty confident this would have covered questions from web app testing. I am not sure about wifi though. As the name suggests, 'advanced' - it would be good to prepare for breadth of pentesting and exploit dev related topics. All the best.



The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.