Review: GPEN (GIAC Certified Penetration Tester)
Completing my Undergraduate Certificate program with the SANS Technology Institute I chose SEC560: Network Penetration Testing and Ethical Hacking as my final course. I picked this for a couple reasons; first, I wanted a fun course to cap off the program as a whole, but also because, knowing that I will be pursuing the Bachelors program, I knew that certs like GCIA and GCFA were already in my future. So SEC560 it was. Like my previous SANS course (GCIH), I wanted to write up my review and give some insights into the course. A couple disclaimers to start however, everything within this review is my personal opinion and should be seen as such. I used my GI Bill to pay for this course and so did not pay out-of-pocket. And finally, I took this course via the On-Demand version; meaning I did not have fellow classmates or colleagues nor did I compete in the CTF against anyone else. This I feel is important as I know that remote vs in-person learning can completely change the feel of a course. Also I have spoken at length with SANS PR Representatives about the rules regarding reviews and will be doing everything in my power to keep this review authorized — if I gloss over any piece of information I do so out of caution of not crossing any NDA boundaries. From here on out I will be referring to this course as a whole as GPEN, the associated GIAC certification.
The Course Materials
GPEN comes with five distinct books of material, six if you count the CTF book but that was nothing more than instructions on how to connect to the lab, and a workbook. I will walk through each book, what it covered, and what I thought about it. After that I will speak about the differences between GPEN and other certifications — to the best of my ability.
Book one, Comprehensive Pen Test Planning, Scoping, and Recon, was a high view picture on what it means to conduct a professional Penetration Test. It covered different types of tests, different ways to structure your pentest approach, and how to move through the different stages of a test. After that it covered initial reconnaissance techniques to get a basic understanding of a client. This course is not a “how do I hack a company” type deal. Instead this really is a “how can I professionally conduct a thorough penetration test and bring value to an organization”. Although this was not a very technical book it did an amazing job at walking me through how to think like a professional.
Book two, In-Depth Scanning and Initial Access, is pretty self-explanatory. You learn different scanning and enumeration tools, how to optimize them, and how to gain a foothold in an organization using that found information. I will speak about this a lot more later, but for now I want to note that GPEN does not flow like an external penetration testing course. Instead GPEN is much more focused on an internal assessment, and I think it’s like that because — at least from what I could guess — internal pentests might be the most beneficial tests that a client could ask for, initially. I’m going out on a limb in saying this as I am not a professional, but let’s face it; if an APT, a truly sophisticated APT, wanted to break into someone’s network it is probably just a matter of time — especially if you consider the high rate of social engineering success. An internal test to identify the attack vectors within an organization is probably the better choice if you had to choose between internal and external. That being said I will emphasize that if someone wanted to focus on attacking an organization from the outside there are probably better courses.
Book three, Exploitation, is all about the first steps to take when you gain a foothold. It hits on popular exploitation frameworks and how to use them, pivoting, evading AV/EDR, and introduction to command lines. This was a great book and extremely technical. I learned a lot about how exploitation frameworks work, how to utilize them, and got a lot of hands-on experience with the labs (I will speak about all the labs near the end).
Book four, Post Exploitation, was a lot of password attacks, more pivoting, and what you can do to move around a network while further exploiting it. Once again, this was a great book. I learned a LOT more about password attacks, and how to use some of the most popular password cracking tools — which was a weak spot for me (I’m looking at your hashcat).
Book five, Domain Domination and Azure Annihilation, was my personal least favorite book. Because in my opinion this was the most bulky, and hardest to follow book. Not because of the quality of information, but because there was an unbelievable amount of information and it was practically all brand new to me. This book as all about Active Directory, and Azure Active Directory. I am, or I guess was, a complete noob with these topics only really having exposure to them via TryHackMe and its rooms. But I have to say, listening to the literal creator of Kerberoasting, Tim Medin, describe how it works and how to do it was amazing. Tim is an all-around incredible instructor but something about the way he explains AD attacks is awesome. This book by far took the most time for me to get through and feel confident in.
Book six was the capstone ‘Capture the Flag’ challenge. I am not going to talk about this as I don’t think I can explain really anything about it without crossing a line somewhere. So I will just say that the CTF covers almost everything that you learn in the course in a full lab environment where you need to conduct an internal pentest. I’ll leave it at that.
Tied with the books as the best source of information comes the labs. There are over 30 labs in the course, and of course the CTF. I think it averaged to six or so labs per book. They all did a great job at giving some hands-on exposure to the topics covered. Some were pretty simple, 10–15 minutes max, but the majority took me 30+ minutes easily. Especially the book five labs! The labs were extremely valuable and made me more confident with the material, especially for the exam.
The Instructor and Exam
As I mentioned above the instructor, Tim Medin, was awesome. His insights were very valuable, and his teaching was high quality. 10/10 would recommend.
The exam is a touchy topic for me. In the world of offensive cybersecurity I still don’t understand how certification bodies continue to pedal multiple-choice exams. OSCP is famous for its grueling 24 hour exam, and eLearnSecurity’s eCPPT exam is becoming widely accepted as the most realistic pentesting exam. The GIAC body is beginning to incorporate more practical questions in their exams but at the heart of it GPEN was still multiple choice. The test was 75+ questions of multiple choice and then somewhere around 10 practical questions. Now, the multiple choice questions did require you to understand the material and think critically, guessing is not advisable. But the most difficult portion by far was the practical questions. They were very interesting, you get a screen that lists the question and answer choices, you read the question, and then you click on a “View VM” button to access the built-in virtual machine and complete the necessary objective(s) to achieve the answer. Some were fairly basic, no doubt only there to see if students could complete an easy step with a certain technology. Then some were much more in-depth requiring multiple steps and techniques in order to achieve the correct information. I wish that GIAC would revamp its GPEN exam to match more closely with the course ending CTF exercise. I think that if GPEN could begin to rival OSCP/eCPPT exam setups then it would be much more difficult for people to try to rank these certifications against each other. But until then I will just say that the GPEN exam could probably be passed with a good comprehension of the books, an index, and maybe a cheat sheet of some of the tools.
GPEN vs Other Certifications
So where does GPEN stack against these other certifications? I’ll hit on two specifically, the OSCP, and the eCPPT. However, please know that I DO NOT HOLD THOSE CERTIFICATIONS. I am just going to give my best analysis of the differences that I can see/hear about these certifications.
GPEN vs eCPPT
Although I do not hold eCPPT and have not taken the exam, I have actually gone through the course. I bought the course in 2020 and went through every slide, video and lab. I never got to take the exam due to a number of reasons but I do actually know what is within the material. So first off there is a major difference in these two courses. GPEN spends an entire book on dominating a domain, aggressively attacking Active Directory both on-premise and within the cloud, and striving for domain rights. eCPPT does not hit on any of these topics. eCPPT is much more focused on the exploitation of the network, and different services. I would consider eCPPT maybe more of an external or exploitation pentest, and GPEN more of an internal or business minded pentest. Both courses hit on report writing and bringing value to the client; GPEN goes much more in-depth but eCPPT actually requires a report which is read by an actual reviewer so there is a big differences in that too. eCPPT hits on different exploitation paths than GPEN, like buffer overflows and web apps. But GPEN touches on different password attacking methods than eCPPT. I think both courses are great professional pentesting courses but they are definitely different. In a short review I would say that eCPPT wins in terms of exploitation methods and quality of the test, while GPEN wins in the professional pentester mindset and domain attack vectors.
GPEN vs OSCP
So this is going to be hard as I have not taken the PWK/OSCP course/exam. But I will do my best. Like eCPPT, OSCP wins in the exam department. OSCP is probably the most famous pentesting exam and is definitely a gatekeeper in the field for a lot of people — GPEN can’t really beat that aspect of it. OSCP is also much more involved in the exploitation aspects of pentesting. If I had to guess it probably feels like an external approach during most of its lessons, which again is very different than GPEN’s internal assessment feel. Now with OSCP’s 2020 update they have added more active directory information and attacks but if I had to guess I bet Tim’s instructions were more in-depth, I know GPEN prides itself on domain dominance so I would have to guess it sneaks that win out. I’m not sure how much more I can accurately guess but here it goes: OSCP wins in exploitation skillsets, exam quality, and gatekeeping bypass, GPEN wins in professional pentesting approach and domain dominance skillsets. This comparison might be off, and I am sure I will hear about it, but it’s the best I can do.
Conclusion
All in all, GPEN was an awesome course. I’m very glad I took it as my elective, and I feel like I learned a ton. I would recommend to anyone who could take it to take it. Especially aspiring professional Penetration Testers!
I think this is going to be the last purely offensive course I take, at least for a little while. I am wanting to move more into Incident Response and Threat Hunting professionally so I am leaning more towards certifications like GCFE/GCFA from SANS, and eCIR/eCTHP from eLearnSecurity. For now though I am going to take a break after nine straight months of this program and get reenergized for the Bachelors!
