
GXPN

The GXPN certification program teaches expert-level techniques for network protocol exploitation, cryptographic attacks, fuzzing, Python exploit development, and shellcode/ROP, enabling practitioners to design and execute advanced offensive security operations.

  • Exam length: 180 minutes
  • Questions: 68
  • Passing score: 67/100
  • Exam cost: $979

Who Should Take This

This course is intended for seasoned penetration testers, exploit researchers, and red-team engineers with at least four years of offensive security experience who are proficient in Python and C and familiar with x86/x64 assembly. Candidates seeking to validate and deepen their ability to craft sophisticated exploits and bypass modern defenses will benefit.

What's Covered

  • Domain 1: Network Attacks and Protocol Exploitation
  • Domain 2: Cryptographic Attacks
  • Domain 3: Fuzzing and Application Testing
  • Domain 4: Python Exploit Development
  • Domain 5: Shellcode and Return-Oriented Programming
  • Domain 6: Memory Corruption Exploits

What's Included in AccelaStudy® AI

  • Adaptive Knowledge Graph
  • Practice Questions
  • Lesson Modules
  • Console Simulator Labs
  • Exam Tips & Strategy
  • 20 Activity Formats

Course Outline

62 learning goals
Domain 1: Network Attacks and Protocol Exploitation (3 topics)

Network protocol vulnerabilities and MITM attacks

  • Identify common network protocol vulnerabilities in TCP/IP, DNS, BGP, ARP, and DHCP including spoofing, hijacking, and injection attack surfaces at the packet level
  • Describe VLAN hopping techniques including switch spoofing, double tagging, and DTP manipulation for bypassing layer-2 network segmentation controls
  • Implement man-in-the-middle attacks using ARP poisoning, DNS spoofing, and LLMNR/NBT-NS poisoning with Responder and Bettercap for credential interception on local networks
  • Execute IPv6 attack techniques including router advertisement spoofing, SLAAC attacks, and IPv6-to-IPv4 relay abuse using mitm6 and the THC-IPv6 toolkit
  • Analyze captured network traffic to identify indicators of successful MITM attacks, DNS poisoning, and ARP spoofing using Wireshark display filters and tshark scripting

Advanced scanning and network exploitation

  • Implement advanced port scanning and firewall evasion techniques including fragmented packets, source routing, idle scanning, and decoy scans with Nmap and hping3
  • Execute network-level exploitation against routing protocols including BGP hijacking simulation, OSPF route injection, and VRRP/HSRP takeover attacks in lab environments
  • Implement covert channel and tunneling techniques using DNS tunneling with dnscat2, ICMP tunneling with ptunnel, and HTTP/S encapsulation for data exfiltration
  • Analyze network packet captures to identify exploitation artifacts, detect covert channel indicators, and evaluate the effectiveness of network-level attack techniques

Authentication protocol exploitation

  • Execute Kerberos exploitation techniques including AS-REP roasting, Kerberoasting, golden ticket, silver ticket, and constrained delegation attacks using Rubeus and Impacket
  • Implement NTLM relay attacks including SMB relay, LDAP relay, and HTTP-to-LDAP relay chains using ntlmrelayx and PetitPotam for privilege escalation in Active Directory
  • Analyze Active Directory attack paths using BloodHound to identify shortest privilege escalation routes, ACL abuse chains, and delegation misconfigurations in enterprise environments

Domain 2: Cryptographic Attacks (2 topics)

Cryptographic primitive vulnerabilities

  • Identify cryptographic primitives including symmetric ciphers AES and ChaCha20, asymmetric algorithms RSA and ECC, hash functions SHA-256 and MD5, and their known vulnerability classes
  • Describe padding oracle attack mechanics including CBC mode byte-at-a-time decryption, PKCS#7 validation timing leaks, and Bleichenbacher RSA PKCS#1 v1.5 attacks
  • List common cryptographic implementation failures including ECB mode pattern leakage, IV reuse in CTR mode, insufficient key derivation, and predictable random number generation
  • Implement padding oracle attacks against vulnerable CBC-mode implementations to decrypt ciphertext block-by-block without the encryption key using custom Python tooling
  • Execute hash collision and length extension attacks against MD5 and SHA-1 based message authentication schemes using HashClash and custom extension scripts

TLS/SSL and certificate attacks

  • Implement TLS/SSL downgrade attacks and exploit known vulnerabilities including BEAST, POODLE, CRIME, and Heartbleed against misconfigured servers using custom scripts
  • Execute certificate-based attacks including CA impersonation, certificate pinning bypass, and TLS interception using mitmproxy with custom CA certificate infrastructure
  • Analyze cryptographic implementations to identify weaknesses in key management, initialization vector reuse, weak PRNGs, and protocol-level downgrade opportunities
  • Evaluate the residual attack surface of modern TLS 1.3 configurations compared with legacy TLS 1.0/1.1/1.2 and assess the effectiveness of cryptographic attack mitigations

Domain 3: Fuzzing and Application Testing (2 topics)

Fuzzing methodologies and tools

  • Describe fuzzing methodologies including mutation-based, generation-based, and coverage-guided approaches with their respective strengths for different target application types
  • Identify key fuzzing infrastructure components including corpus management, crash deduplication, coverage instrumentation, and harness development for efficient vulnerability discovery
  • Implement coverage-guided fuzzing campaigns using AFL++ and libFuzzer to discover memory corruption bugs in C/C++ applications with persistent mode and dictionary support
  • Execute protocol fuzzing against network services using Boofuzz and Peach Fuzzer to identify parsing vulnerabilities, buffer overflows, and denial-of-service conditions
  • Analyze fuzzer crash output using AddressSanitizer, Valgrind, and GDB to classify discovered bugs by severity, exploitability, and root cause for triage prioritization

Application and protocol fuzzing

  • Implement web application fuzzing using Burp Suite Intruder, ffuf, and custom Python scripts to discover injection, SSTI, and path traversal vulnerabilities in modern web applications
  • Execute file format fuzzing against document parsers and media codecs to discover heap corruption, integer overflow, and use-after-free vulnerabilities using mutational techniques
  • Apply binary instrumentation using DynamoRIO and Intel Pin to achieve code coverage feedback during fuzzing campaigns targeting closed-source applications
  • Evaluate fuzzing campaign effectiveness by analyzing code coverage metrics, crash uniqueness ratios, and vulnerability discovery rates to optimize fuzzer configuration

Domain 4: Python Exploit Development (2 topics)

Python network exploit development

  • Implement network exploit scripts in Python using socket, struct, and ctypes libraries for crafting protocol-specific payloads targeting overflow and format string vulnerabilities
  • Execute Python-based exploit automation using pwntools for remote exploitation including payload generation, ROP chain construction, and interactive shell management
  • Implement custom Scapy scripts for packet crafting, protocol dissection, and network-level exploit delivery with fragmentation evasion and encoding support
  • Apply Python multiprocessing and async patterns to build distributed exploit scanners that test multiple targets concurrently with rate limiting and result aggregation

Advanced Python exploitation tools

  • Implement Python-based reverse engineering utilities using Capstone for disassembly, Keystone for assembly, and Unicorn for CPU emulation of exploit payload components
  • Execute Python exploit development for web application vulnerabilities including custom deserialization exploit chains, SSRF payload generators, and blind injection automators
  • Implement shellcode encoders and decoders in Python to bypass character filtering, bad byte restrictions, and basic signature-based detection in target exploit payloads
  • Analyze exploit reliability across target environments by implementing version detection, offset calculation, and target fingerprinting logic in modular Python exploit frameworks

Domain 5: Shellcode and Return-Oriented Programming (2 topics)

Shellcode development and encoding

  • Describe x86 and x86-64 shellcode structure including system call conventions, null-byte avoidance, position-independent code requirements, and staged vs stageless payload architectures
  • Identify common shellcode categories including egg hunters, staged payloads, reverse shells, bind shells, and download-execute stagers with their respective size and reliability tradeoffs
  • Implement custom Linux shellcode for execve, reverse shell, and bind shell payloads using NASM assembly with null-byte elimination and size optimization techniques
  • Implement Windows shellcode using PEB traversal for dynamic API resolution including kernel32.dll base address location and function hash resolution for LoadLibrary and GetProcAddress
  • Execute shellcode encoding and polymorphic techniques including XOR encoding, alphanumeric encoding, and metamorphic engines to evade static signature detection mechanisms

Return-oriented programming and code reuse

  • Identify return-oriented programming fundamentals including ROP gadget semantics, gadget discovery methodology, stack pivoting, and the role of ROP in DEP/NX bypass
  • Implement ROP chains using ROPgadget and ropper to construct functional payloads that call mprotect or VirtualProtect for marking memory executable and transferring to shellcode
  • Execute JOP and COP (Jump-Oriented and Call-Oriented Programming) techniques as alternative code-reuse strategies for bypassing hardware-enforced control-flow integrity protections
  • Implement SROP (Sigreturn-Oriented Programming) attacks to forge signal frame structures on the stack for setting arbitrary register values and pivoting execution flow
  • Analyze the effectiveness of code-reuse attack techniques against modern mitigations including Intel CET, ARM PAC, shadow stacks, and CFI on contemporary operating systems

Domain 6: Memory Corruption Exploits (3 topics)

Stack-based exploitation

  • Describe stack buffer overflow mechanics including stack frame layout, return address overwrite, saved base pointer manipulation, and SEH-based exploitation on Windows platforms
  • Implement classic stack buffer overflow exploits with precise offset calculation using pattern generation, payload placement in buffer space, and NOP sled techniques
  • Execute stack overflow exploitation with ASLR bypass using information leaks, partial pointer overwrites, and return-to-PLT strategies on position-independent executables
  • Implement format string vulnerability exploitation for arbitrary read and write primitives using %n, %x, and direct parameter access on both 32-bit and 64-bit targets
  • Implement Windows SEH-based buffer overflow exploitation including SEH chain overwrite, SafeSEH bypass, and SEHOP evasion techniques using Mona.py and Immunity Debugger

Heap-based exploitation

  • Describe heap memory management internals including glibc malloc chunk structure, fastbin, tcache, unsorted bin, small bin, and large bin allocation and deallocation mechanics
  • Implement heap overflow exploitation techniques including chunk header corruption, unlink macro abuse, and fastbin dup for achieving arbitrary write primitives in glibc
  • Execute use-after-free exploitation by manipulating heap allocation patterns to achieve type confusion and controlled function pointer overwrites in C/C++ applications
  • Implement tcache poisoning, house-of-force, and house-of-spirit techniques on modern glibc versions to bypass safe-linking and other heap integrity protections
  • Analyze heap exploitation techniques to determine required heap state preconditions, evaluate reliability across glibc versions, and assess mitigation bypass complexity

Advanced memory corruption techniques

  • Implement integer overflow and signedness exploitation to trigger secondary memory corruption in size calculations, array index computations, and allocation size parameters
  • Execute exploitation against full mitigation stacks combining ASLR, DEP, stack canaries, RELRO, and PIE using multi-stage information leak chaining and ROP techniques
  • Analyze memory corruption vulnerability classes to evaluate exploitability, determine required information leaks, and prioritize findings by exploitation complexity and impact
  • Compare exploitation techniques across Linux and Windows platforms including differences in heap implementations, mitigation stacks, and shellcode delivery requirements

Scope

Included Topics

  • All domains covered by the GIAC GXPN certification aligned with SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking, including advanced network attacks, cryptographic attacks, fuzzing, Python exploit development, shellcode and ROP, and memory corruption exploitation.
  • Advanced offensive techniques requiring deep understanding of operating system internals, memory management, CPU architecture, network protocol implementation, and cryptographic algorithm mechanics.
  • Exploit development toolchain including Python with pwntools, Scapy, and ctypes; assembly language (x86/x64 NASM); fuzzing frameworks (AFL++, Boofuzz, libFuzzer); debuggers (GDB, WinDbg); and reverse engineering tools (Ghidra, IDA Pro, Capstone, Keystone, Unicorn).
  • Modern exploitation techniques against hardened targets including ASLR bypass, DEP/NX bypass via ROP, stack canary leakage, heap exploitation on modern glibc, and control-flow integrity evasion.

Not Covered

  • Basic penetration testing methodology and tools covered by entry-level certifications such as CompTIA PenTest+ or GIAC GPEN.
  • Defensive security operations including incident response, SOC monitoring, and malware analysis workflows covered by GIAC GCIH or GREM.
  • Web application security testing at the foundational level covered by GIAC GWAPT without the exploit development and memory corruption focus of GXPN.
  • Mobile application exploitation and IoT-specific attack surfaces not covered in the SEC660 curriculum.
  • Cloud-specific penetration testing methodologies covered by GIAC GCPN.

Official Exam Page

Learn more at GIAC Certifications



Trademark Notice

GIAC® is a registered trademark of Global Information Assurance Certification (a subsidiary of the SANS Institute). GIAC does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.