Re: Programming skills for Pen Testers

From: Justin Ferguson (jnferguson@gmail.com)
Date: Fri Feb 10 2006 - 15:55:05 EST


Johnny,

Really, to be the best you can be, you should make an effort to learn
every language you can. That said, what you will actually need depends
a lot on the type of applications and operating systems you will be
attacking. If the application is written in Java or PHP, then knowing
those languages will help you a lot.

That said however, chances are the JVM the Java runs on is written in
C/C++, and the preprocessor for the PHP is probably written in C/C++.
Finally there is the catch that everyone seems to miss, *everything*
becomes assembly eventually.

A good understanding of assembly will not only help you write most
exploits, but will also provide you with a better understanding of
what exactly is going on inside of the computer.

So to answer your question more directly, you can probably get by, as
no doubt most of this list does, with little to no knowledge of
programming, using metasploit and the mass of vulnerability scanners
out there. With that method, you can at best be an 'Okay' pen-tester.
If you really want to be exceptional, learn every language you can.
Assembly and C will provide the framework of understanding that pretty
much all the rest of the languages build off of, and that said you may
want to start with those first. Eventually however, you will cross
paths with a piece of code written in C++, and there your knowledge of
C will be incredibly helpful, but C++ also brings with it, its own
insecurities (in addition to those present in C), so you should learn
C++ as well, and so on until you know to some degree most of languages
in use.

I hope that helped some.

Best Regards,

J. Ferguson

On 2/9/06, johnny Mnemonic <security4thefainthearted@hotmail.com> wrote:
> ok we all know that in addition to good network, host and application
> security skills, programming in C is a pre-requisite for a decent pen tester
> or at least one who wants to write their own security tools or simply audit
> the open source code they use. My question is, despite their similarities
> should a pen tester be concentrating on C or C++ ? That's it!
>
> Thanks.
>
> _________________________________________________________________
> Get MSN Hotmail alerts on your mobile.
> http://mobile.msn.com/ac.aspx?cid=uuhp_hotmail
>
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------
>
>

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:29 EDT