How to Pass the GPEN (GIAC Penetration Tester) Certification
A practical strategy for the GIAC GPEN exam covering penetration testing methodology, exploitation techniques, and building an effective open-book index for the SANS SEC560 content.
GPEN: The Professional Penetration Tester's Exam
The GPEN (GIAC Penetration Tester) validates advanced penetration testing skills. Based on the SANS SEC560 course, it covers the full pentest lifecycle with deep technical detail. Unlike OSCP (which is purely practical), GPEN tests both knowledge and methodology through multiple-choice questions with an open-book format.
The exam has 82-115 questions in 3 hours with a passing score of 75%.
Core Knowledge Areas
Penetration Testing Planning and Scoping
Rules of engagement documentation. Scope definition and boundary enforcement. Legal considerations: authorization, liability, data handling. Testing types: network, web application, wireless, social engineering, physical. Methodology frameworks: PTES, OWASP Testing Guide, NIST SP 800-115.
Reconnaissance and OSINT
Passive reconnaissance: DNS records, WHOIS, certificate transparency, social media, job postings, Shodan, Censys. Active reconnaissance: port scanning, service enumeration, OS fingerprinting.
Technical details tested: DNS record types (A, AAAA, MX, CNAME, TXT, NS, SOA, PTR, SRV) and what each reveals. Zone transfer attacks. DNS brute-forcing. Subdomain discovery techniques.
Scanning and Vulnerability Discovery
Nmap mastery: all scan types, timing templates (-T0 through -T5), NSE scripts, output formats. Service-specific enumeration: SMB (enum4linux, smbclient, crackmapexec), SNMP (snmpwalk, onesixtyone), LDAP, NFS, Redis, databases.
Vulnerability scanning: Nessus, OpenVAS — understanding scan results, severity ratings, false positive identification.
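Beyond knowing the flags, the exam expects you to read scan output correctly. The following is an added example (not code from the page or from SEC560) that parses Nmap's XML output (`-oX`) into a per-host list of open ports and a service-to-host map, which is the normal first step before vulnerability scanning. The XML is a constructed sample of Nmap's format, not a real scan; the addresses use the 192.0.2.0/24 documentation range.

```python
"""Parse Nmap -oX output into host/port records (added example, constructed data)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of Nmap XML output: one host up with two open ports and one
# filtered port, and one host down. Not a real scan result.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -T4 -oX scan.xml 192.0.2.0/30" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return [{addr, hostname, ports: [{port, proto, service, product, version, conf}]}]
    for every host Nmap reported as up; only ports in state 'open' are kept."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else None
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k, d="": d)
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name", ""),
                "product": get("product", ""),
                "version": get("version", ""),
                # conf < 10 means Nmap guessed from the port table, not a probe:
                # verify those by hand before trusting them in a report
                "conf": int(get("conf", "0")),
            })
        hosts.append({"addr": addr, "hostname": hostname, "ports": ports})
    return hosts


def by_service(hosts):
    """Invert the host list into {service_name: ["addr:port", ...]} so every
    instance of a service (all SMB hosts, all web servers) can be enumerated together."""
    out = defaultdict(list)
    for h in hosts:
        for p in h["ports"]:
            out[p["service"] or "unknown"].append(f'{h["addr"]}:{p["port"]}')
    return dict(out)


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(h["addr"], h["hostname"])
        for p in h["ports"]:
            print(f'  {p["port"]}/{p["proto"]} {p["service"]} {p["product"]} {p["version"]} (conf {p["conf"]})')
    print(by_service(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Saving scans with `-oA` gives you normal, grepable and XML output at once; the XML is the one to feed into scripts like this, and the `conf` attribute tells you whether a service name came from a version probe or only from the port-number table.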
Exploitation
Network exploitation: Metasploit framework (modules, payloads, encoders, post-exploitation modules), Responder for LLMNR/NBT-NS poisoning, relay attacks.
Web exploitation: SQL injection (manual and automated with sqlmap), XSS, command injection, file inclusion, file upload bypass, deserialization, SSRF. Burp Suite usage: Proxy, Repeater, Intruder, Scanner.
Password attacks: online (Hydra, Medusa) vs offline (Hashcat, John the Ripper). Hash types and cracking strategies. Password spraying methodology.
Active Directory attacks: Kerberoasting (Get-SPNTicket, Rubeus), AS-REP Roasting, NTLM relay, delegation abuse, DCSync, Golden/Silver tickets, BloodHound for attack path identification.
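The index entry for each technique should also carry its detection, and the two attacks above have recognisable log signatures: password spraying shows up as one source producing failed logons (event 4625) across many distinct accounts in a short window, and Kerberoasting as one account requesting RC4-encrypted service tickets (event 4769 with encryption type 0x17) for many services in seconds. The following is an added example (not from the page or from SEC560) that runs both detections over constructed, simplified Windows Security events; the field names, thresholds and windows are assumptions to tune for your environment.

```python
"""Windowed detections for password spraying and Kerberoasting over constructed
Windows Security events (simplified field set, not real logs). Added example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 4625 = failed logon; 4769 = Kerberos service ticket
# request (etype 0x17 = RC4-HMAC, 0x12 = AES256; status 0x0 = ticket issued).
EVENTS = [
    # Password spray: one source, one failed attempt per account, many accounts.
    {"time": "2024-03-01T09:00:01", "id": 4625, "user": "alice", "src": "10.0.0.50"},
    {"time": "2024-03-01T09:00:03", "id": 4625, "user": "bob", "src": "10.0.0.50"},
    {"time": "2024-03-01T09:00:05", "id": 4625, "user": "carol", "src": "10.0.0.50"},
    {"time": "2024-03-01T09:00:07", "id": 4625, "user": "dave", "src": "10.0.0.50"},
    {"time": "2024-03-01T09:00:09", "id": 4625, "user": "erin", "src": "10.0.0.50"},
    {"time": "2024-03-01T09:00:11", "id": 4625, "user": "frank", "src": "10.0.0.50"},
    # Benign: a user mistyping their own password twice from their workstation.
    {"time": "2024-03-01T09:10:00", "id": 4625, "user": "alice", "src": "10.0.0.7"},
    {"time": "2024-03-01T09:10:20", "id": 4625, "user": "alice", "src": "10.0.0.7"},
    # Kerberoasting: one account pulls RC4 tickets for many service accounts in seconds.
    {"time": "2024-03-01T11:00:00", "id": 4769, "user": "jdoe", "src": "10.0.0.50",
     "service": "svc_sql", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-01T11:00:01", "id": 4769, "user": "jdoe", "src": "10.0.0.50",
     "service": "svc_web", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-01T11:00:02", "id": 4769, "user": "jdoe", "src": "10.0.0.50",
     "service": "svc_backup", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-01T11:00:02", "id": 4769, "user": "jdoe", "src": "10.0.0.50",
     "service": "svc_reporting", "etype": "0x17", "status": "0x0"},
    # Benign: an AES ticket for a file server, and a single RC4 ticket for a legacy app.
    {"time": "2024-03-01T11:05:00", "id": 4769, "user": "alice", "src": "10.0.0.7",
     "service": "files01$", "etype": "0x12", "status": "0x0"},
    {"time": "2024-03-01T11:06:00", "id": 4769, "user": "bob", "src": "10.0.0.8",
     "service": "svc_legacy", "etype": "0x17", "status": "0x0"},
]


def _burst_keys(events, key, member, window, threshold):
    """For each value of `key`, find the largest set of distinct `member` values
    seen inside any sliding window of length `window`; return those that reach
    `threshold` as {key: sorted(members)}."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key]].append((datetime.fromisoformat(e["time"]), e[member]))
    hits = {}
    for k, items in by_key.items():
        items.sort()
        best = set()
        for t_end, _ in items:
            in_window = {m for t, m in items if t_end - window <= t <= t_end}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= threshold:
            hits[k] = sorted(best)
    return hits


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Source addresses whose failed logons hit at least `min_users` distinct
    accounts within `window`. Few attempts per account is the point: a spray stays
    under the lockout threshold, so per-account counters never fire."""
    fails = [e for e in events if e["id"] == 4625]
    return _burst_keys(fails, key="src", member="user", window=window, threshold=min_users)


def detect_kerberoast(events, window=timedelta(minutes=5), min_services=3):
    """Accounts that obtained RC4 (0x17) service tickets for at least `min_services`
    distinct services within `window`. RC4 is requested because its ticket is
    the cheapest to crack offline; a normal user rarely needs many in seconds."""
    rc4 = [e for e in events
           if e["id"] == 4769 and e.get("etype") == "0x17" and e.get("status") == "0x0"]
    return _burst_keys(rc4, key="user", member="service", window=window, threshold=min_services)


if __name__ == "__main__":
    print("password spray:", detect_password_spray(EVENTS))
    print("kerberoast:", detect_kerberoast(EVENTS))
```

Expect false positives from accounts that still lack AES keys (every ticket for them is RC4) and from shared NAT addresses; the usual mitigations are AES-only service accounts, long random service account passwords, and honey SPN accounts whose only ticket requests are attacker-generated.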
Post-Exploitation
Privilege escalation: Linux (SUID, sudo misconfigurations, kernel exploits, capabilities, cron jobs, writable PATH). Windows (unquoted service paths, DLL hijacking, token impersonation, UAC bypass, PrintNightmare, AlwaysInstallElevated).
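Unquoted service paths are a favourite exam question because the mechanics are precise: when a service's ImagePath contains spaces and is not quoted, Windows tries each space-delimited prefix as an executable (`C:\Program.exe`, then `C:\Program Files\My.exe`, and so on) before reaching the real binary, so the weakness only matters when a low-privileged user can write to one of those directories and the service runs with higher privileges. The following is an added example (not from the page or SEC560) that computes those candidate paths for a list of services and flags only the ones whose candidate directories are in a constructed set of world-writable directories; the service names, paths and writable directories are all constructed.

```python
"""Audit service ImagePath values for the unquoted-service-path weakness.
Added example with constructed data; ntpath lets it run on any OS."""
import ntpath
import re

# Constructed service table in the shape of `Get-CimInstance Win32_Service | Select Name,PathName`.
SERVICES = {
    "VendorTool": r"C:\Custom Apps\Vendor Tool\tool.exe -service",          # unquoted, spaces
    "GoodTool": r'"C:\Custom Apps\Good Tool\good.exe" -service',             # quoted: safe
    "Svchost": r"C:\Windows\System32\svchost.exe -k netsvcs",                # no spaces: safe
    "Agent": r"C:\Program Files\Long Vendor Name\Agent\agent.exe",           # unquoted, but dirs protected
}

# Constructed: directories a standard user can write to (an installer left a
# permissive ACL on C:\Custom Apps). C:\ and C:\Program Files keep default ACLs.
WRITABLE_DIRS = {r"C:\Custom Apps"}


def unquoted_path_candidates(image_path):
    """Return the executable paths Windows would try before the intended binary
    if `image_path` is unquoted and contains spaces; [] if quoted or space-free."""
    p = image_path.strip()
    if p.startswith('"'):
        return []
    # Separate the executable from its arguments: the binary ends at ".exe".
    m = re.match(r"(?i)^(.*?\.exe)", p)
    exe = m.group(1) if m else p
    if " " not in exe:
        return []
    parts = exe.split(" ")
    # Each prefix up to a space, with .exe appended, is tried in order.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_services(services, writable_dirs):
    """Return {service: [candidate paths]} for services whose unquoted-path
    candidates live in a directory from `writable_dirs` (case-insensitive)."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    findings = {}
    for name, path in services.items():
        risky = [c for c in unquoted_path_candidates(path)
                 if ntpath.dirname(c).rstrip("\\").lower() in writable]
        if risky:
            findings[name] = risky
    return findings


if __name__ == "__main__":
    for name, path in SERVICES.items():
        print(name, "->", unquoted_path_candidates(path))
    print("exploitable:", audit_services(SERVICES, WRITABLE_DIRS))
```

The `Agent` entry shows why "unquoted" alone is not a finding: its candidates land in `C:\` and `C:\Program Files`, which standard users cannot write to. The fix in every case is to quote the path (`sc config <name> binPath= "\"C:\path with spaces\svc.exe\""`) and to review the ACLs on the directories an installer created.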
Pivoting and lateral movement: SSH tunnels, SOCKS proxies, Chisel, Ligolo-ng, ProxyChains. PSExec, WMI, WinRM, RDP.
Persistence: Linux (cron, systemd services, SSH keys, LD_PRELOAD). Windows (registry run keys, scheduled tasks, services, WMI subscriptions, DLL hijacking).
Data exfiltration: DNS tunneling, HTTPS, encoded channels, staging.
Reporting
Professional pentest report structure. Finding severity ratings (CVSS-based). Evidence documentation requirements. Remediation recommendations: specific, actionable, prioritized.
Building Your GPEN Index
Structure your index by attack phase:
Recon → Scanning → Exploitation → Post-Exploitation → Reporting
Under each phase, list: technique name, tool(s), command syntax, common flags, and defense/detection.
Example:
"Kerberoasting → SEC560 Book 4, p.112"
Study Plan (8 Weeks)
Weeks 1-2: Recon and scanning — build enumeration methodology.
Weeks 3-5: Exploitation (network, web, AD) — the bulk of the exam.
Week 6: Post-exploitation and pivoting.
Week 7: Reporting and methodology.
Week 8: Index refinement and practice exams.
Sharpen your pentest methodology with CyberCertPrep's GPEN practice questions covering all SEC560 objectives with detailed tool-specific scenarios.
Daniel Agrici
CEH, Security+, PenTest+
Daniel is the founder of CyberCertPrep. With a background in penetration testing and security consulting, he has passed 8 cybersecurity certifications and writes about exam strategies and career development.