GPEN
The GPEN course teaches penetration testers systematic planning, reconnaissance, scanning, exploitation, and password attack techniques, emphasizing real‑world methodology and clear communication of findings to technical and executive audiences.
Who Should Take This
Mid‑level security analysts, penetration testers, or network engineers with at least two years of experience and solid networking fundamentals benefit from this training. They aim to master intermediate‑level testing methods, produce actionable reports, and confidently present results to both technical teams and senior management.
What's Covered
1. Penetration Testing Planning and Methodology
2. Reconnaissance and OSINT
3. Scanning and Vulnerability Assessment
4. Exploitation Techniques
5. Password Attacks
6. Post-Exploitation and Pivoting
7. Reporting and Remediation
Course Outline
61 learning goals
1. Penetration Testing Planning and Methodology (2 topics)
Test Planning and Scoping
- Describe the phases of a penetration testing methodology including pre-engagement, reconnaissance, scanning, exploitation, post-exploitation, and reporting, and explain the objectives and deliverables of each phase.
- Identify the key elements of a penetration test rules of engagement document including scope boundaries, authorized IP ranges, testing windows, emergency contacts, data handling requirements, and out-of-scope systems.
- Implement a penetration test project plan that defines scope, timeline, resource allocation, communication procedures, and risk mitigation strategies for potential service disruptions during active testing.
- Evaluate a proposed penetration test scope to determine whether it adequately covers the organization's critical assets, identify gaps in test coverage, and recommend scope adjustments that maximize security assessment value.
Legal and Ethical Considerations
- Describe the legal framework governing penetration testing including the Computer Fraud and Abuse Act, authorization requirements, liability considerations, and the distinction between authorized testing and unauthorized access.
- Implement proper authorization documentation workflows including signed statements of work, get-out-of-jail letters, and scope limitation acknowledgments that protect both the tester and the client organization.
2. Reconnaissance and OSINT (2 topics)
Passive Reconnaissance
- Describe open source intelligence collection techniques including DNS enumeration, WHOIS lookups, certificate transparency logs, search engine dorking, and social media profiling for target organization mapping.
- Implement passive DNS reconnaissance using zone transfers, subdomain enumeration tools, certificate transparency log queries, and DNS record analysis to map the target organization's external attack surface.
- Configure OSINT collection workflows using Maltego, theHarvester, Recon-ng, and Shodan to systematically discover email addresses, employee names, technology stacks, and exposed services for the target organization.
- Analyze passive reconnaissance results to develop a comprehensive target profile, prioritize likely attack vectors based on discovered services and technologies, and identify the most promising entry points for active testing.
Active Reconnaissance
- Describe active reconnaissance techniques including ping sweeps, port scanning, banner grabbing, and service fingerprinting, and explain the network traffic signatures each technique generates that may trigger security alerts.
- Configure Nmap scan profiles optimized for different scenarios including stealth scanning with SYN scans and timing controls, comprehensive service detection with version probes, and OS fingerprinting for target characterization.
- Implement large-scale network discovery using Masscan for initial host enumeration combined with targeted Nmap scans for detailed service identification, optimizing scan speed and accuracy for enterprise-scale assessments.
- Analyze port scan and service enumeration results to identify high-value targets, correlate discovered services with known vulnerabilities, and develop a prioritized exploitation plan based on service exposure and criticality.
3. Scanning and Vulnerability Assessment (2 topics)
Vulnerability Scanning
- Describe vulnerability scanner operation including plugin-based detection, authenticated versus unauthenticated scanning, CVSS scoring, and the differences between vulnerability scanners and exploitation frameworks.
- Configure Nessus vulnerability scans with appropriate scan policies, credential sets, and plugin selections targeting the in-scope network segments while minimizing scan impact on production services.
- Analyze vulnerability scan results to validate findings, eliminate false positives through manual verification, prioritize vulnerabilities by exploitability and business impact, and correlate scan data with reconnaissance discoveries.
Service Enumeration
- Describe enumeration techniques for common services including SMB share enumeration, SNMP community string discovery, LDAP queries, NFS export listing, and RPC endpoint mapping, and explain the value of each in a penetration test.
- Implement SMB enumeration to discover shared folders, user accounts, group memberships, and password policies using tools such as CrackMapExec, enum4linux, and Nmap SMB scripts against Windows domain environments.
- Configure Active Directory enumeration using LDAP queries and BloodHound to map trust relationships, identify privileged accounts, discover Kerberoastable service accounts, and visualize attack paths to domain administrator access.
- Analyze enumeration data to identify the most efficient attack paths through the Active Directory environment, assess which misconfigured services provide the highest-value initial access, and prioritize exploitation targets accordingly.
4. Exploitation Techniques (3 topics)
Network Service Exploitation
- Describe common network exploitation categories including remote code execution, authentication bypass, buffer overflow, and deserialization attacks, and identify the service types most commonly vulnerable to each category.
- Configure Metasploit Framework exploitation workflows including module selection, payload configuration, handler setup, and session management to exploit identified vulnerabilities on target network services.
- Implement exploitation of common misconfigurations including default credentials, unpatched services, insecure file shares, and overly permissive service accounts to gain initial access to target systems.
- Evaluate exploitation success probability for identified vulnerabilities by considering patch levels, compensating controls, network segmentation, and detection capability to determine the safest and most reliable attack approach.
Network Protocol Attacks
- Describe man-in-the-middle and relay attack techniques including ARP poisoning, LLMNR/NBT-NS poisoning, NTLM relay, and IPv6 DNS takeover, and explain the network conditions required for each attack to succeed.
- Implement LLMNR and NBT-NS poisoning using Responder to capture Net-NTLMv2 hashes from Windows systems on the local network, and configure Responder with appropriate protocol handlers for the target environment.
- Configure NTLM relay attacks using Impacket ntlmrelayx to relay captured authentication to SMB, LDAP, and HTTP services, exploiting the absence of SMB signing and LDAP signing to gain unauthorized access to target systems.
- Assess the network's susceptibility to protocol-level attacks by evaluating LLMNR and NBT-NS broadcast behavior, SMB signing enforcement, LDAP signing requirements, and IPv6 configuration to determine attack feasibility.
Active Directory Exploitation
- Describe Active Directory attack techniques including Kerberoasting, AS-REP roasting, DCSync, DCShadow, Golden Ticket, and Silver Ticket attacks, and explain the prerequisites and impact of each technique.
- Implement Kerberoasting attacks using Impacket GetUserSPNs or Rubeus to request ticket-granting service (TGS) tickets for service accounts and crack them offline to recover the service accounts' plaintext passwords.
- Configure DCSync attacks using Mimikatz or Impacket secretsdump to replicate password hashes from domain controllers when domain admin or replication privileges have been obtained through the attack chain.
- Analyze BloodHound attack path data to identify the shortest path to domain administrator access, evaluate multiple attack chains for stealth and reliability, and select the approach most likely to succeed without triggering security alerts.
5. Password Attacks (2 topics)
Password Cracking
- Describe password hash types encountered in penetration testing including NTLM, Net-NTLMv2, Kerberos TGS, bcrypt, SHA-512 crypt, and application-specific hashes, and identify the cracking difficulty of each type.
- Configure Hashcat with appropriate attack modes including dictionary attacks, rule-based mutations, mask attacks, and combinator attacks to crack captured password hashes using GPU-accelerated processing.
- Implement custom Hashcat rule files and wordlist generation strategies using password policy analysis, organizational naming conventions, and previously cracked passwords to maximize cracking success rates.
- Analyze password cracking results to assess organizational password policy effectiveness, identify patterns in user password creation behavior, and provide actionable recommendations for improving credential security.
Online Password Attacks
- Describe online password attack techniques including brute force, credential stuffing, and password spraying, and explain the detection risks and account lockout considerations for each attack type.
- Implement password spraying attacks against Active Directory using carefully timed authentication attempts that stay below account lockout thresholds while testing commonly used passwords across all domain accounts.
- Evaluate the risk-reward tradeoff of online password attacks by analyzing account lockout policies, monitoring alert thresholds, and authentication rate limiting to determine safe attack parameters within the rules of engagement.
6. Post-Exploitation and Pivoting (3 topics)
Post-Exploitation Activities
- Describe post-exploitation objectives including situational awareness, credential harvesting, persistence establishment, privilege escalation, and lateral movement, and explain how each supports the overall penetration test objectives.
- Implement local privilege escalation on Windows systems by identifying misconfigured services, unquoted service paths, DLL hijacking opportunities, and missing patches using tools such as PowerUp and winPEAS.
- Implement local privilege escalation on Linux systems by exploiting SUID binaries, misconfigured sudo permissions, writable cron jobs, kernel vulnerabilities, and capabilities abuse using tools such as LinPEAS and GTFOBins.
- Configure credential harvesting from compromised systems using Mimikatz for Windows LSASS memory extraction, dumping SAM and NTDS.dit databases, and extracting credentials from configuration files, browser stores, and SSH keys.
- Implement persistence mechanisms on compromised Windows and Linux hosts including scheduled tasks, registry run keys, cron jobs, and SSH authorized keys to maintain access across system reboots during extended penetration test engagements.
- Assess the value of compromised credentials and access by determining which additional systems, data stores, and administrative functions can be reached, and prioritize the next exploitation steps for maximum impact demonstration.
Lateral Movement
- Describe lateral movement techniques including pass-the-hash, pass-the-ticket, overpass-the-hash, Windows Remote Management, PsExec, and RDP, and identify the artifacts each technique leaves for defenders to detect.
- Implement lateral movement using Impacket tools including psexec, wmiexec, smbexec, and atexec to execute commands on remote Windows systems using captured credentials without requiring interactive GUI access.
- Configure pass-the-hash and overpass-the-hash attacks using Mimikatz or CrackMapExec to authenticate to remote systems using NTLM hashes without knowing the plaintext password.
- Evaluate lateral movement options by comparing the stealth characteristics, reliability, and prerequisite access levels of different techniques, selecting the approach that balances operational security with test objective achievement.
Pivoting and Tunneling
- Describe pivoting techniques including SSH port forwarding, SOCKS proxy tunneling, Meterpreter routing, and chisel tunnels, and explain how each enables access to network segments not directly reachable from the attacker's position.
- Implement SSH dynamic port forwarding with proxychains to route penetration testing tools through a compromised host, enabling scanning and exploitation of internal network segments accessible only from the pivot point.
- Configure multi-hop pivoting through chained compromised hosts to access deeply segmented network zones, managing tunnel stability and tool compatibility across multiple proxy layers.
- Analyze network segmentation effectiveness from an attacker's perspective by mapping which internal networks were accessible through pivoting, identifying segmentation controls that were bypassed, and documenting the full attack path traversed.
7. Reporting and Remediation (2 topics)
Penetration Test Reporting
- Describe the standard components of a penetration test report including executive summary, methodology description, finding details with evidence, risk ratings, remediation recommendations, and technical appendices.
- Implement vulnerability documentation with reproducible proof-of-concept evidence, clear attack chain narratives, business impact assessments, and risk-prioritized remediation guidance appropriate for both technical and executive audiences.
- Configure evidence collection procedures during testing including screenshot capture, command output logging, network traffic recording, and timestamp documentation to support reproducible and defensible report findings.
- Evaluate finding severity by assessing technical exploitability, business impact, data exposure risk, and compensating control effectiveness to assign accurate risk ratings that guide remediation prioritization.
Remediation Guidance
- Implement remediation recommendations that provide specific, actionable steps for addressing each finding, including configuration changes, patch applications, architecture modifications, and compensating controls for unfixable vulnerabilities.
- Implement post-engagement cleanup procedures to remove all persistence mechanisms, uploaded tools, created accounts, and modified configurations from target systems, verifying complete artifact removal before engagement closure.
- Assess the overall security posture of the tested environment by synthesizing individual findings into systemic risk themes, identifying root causes that span multiple vulnerabilities, and recommending strategic security improvements beyond tactical fixes.
Scope
Included Topics
- All domains covered by the GIAC Penetration Tester (GPEN) certification aligned with SANS SEC560: Penetration Testing Planning and Scoping, Reconnaissance and OSINT, Scanning and Enumeration, Exploitation Techniques, Password Attacks, Post-Exploitation and Pivoting, and Penetration Test Reporting.
- Intermediate-level penetration testing methodology and execution including network reconnaissance, vulnerability scanning, service enumeration, exploitation of common vulnerabilities, password cracking, privilege escalation, lateral movement, pivoting through compromised hosts, and professional reporting of findings.
- Key tools and frameworks: Nmap, Masscan, Nessus, Metasploit Framework, Cobalt Strike concepts, Hashcat, John the Ripper, Burp Suite, Responder, Impacket, CrackMapExec, BloodHound, PowerView, Mimikatz, SSH tunneling, proxychains, MITRE ATT&CK framework, and PTES (Penetration Testing Execution Standard).
- Scenario-driven penetration testing decisions that require balancing thoroughness of testing, operational safety, time constraints, and rules of engagement compliance across enterprise network environments.
Not Covered
- Advanced exploit development, binary exploitation, and custom shellcode writing beyond using existing exploit frameworks and payloads.
- Web application penetration testing in depth (covered separately by GWAPT) except basic web service enumeration during network penetration tests.
- Mobile application security testing and IoT device exploitation beyond network-accessible service testing.
- Advanced malware development and evasion techniques beyond basic payload encoding and antivirus bypass concepts covered in SEC560.
- Social engineering campaign execution and physical security testing except as components of penetration test scoping discussions.
Official Exam Page: Learn more at GIAC Certifications