RE: Programming skills for Pen Testers

["Craig Wright" <cwright () bdosyd com au>]

If you are looking to customise the tools than the answer is simple, the
language that the tool is written in. C is the most common (esp. with
Linux) language for tools. Library code is nearly all in C.

M$ is another thing, and there is reason to even took at M$ coding - but
I personally hate GUI code (being an old fart).

LEXX and a few similar languages will also be of use for this purpose.

Craig


-----Original Message-----
From: johnny Mnemonic [mailto:security4thefainthearted () hotmail com]
Sent: 13 February 2006 1:27
To: Craig Wright; tuevsec () gmx net
Cc: pen-test () securityfocus com
Subject: RE: Programming skills for Pen Testers

Craig

Of course the assumption here is that any C coding is done prior to and
outside of billable time and not during the engagement itself. If as a
pen testing consultant I wish like to build a library of "good" exploits
over time I would like to at least have the skills to proof read and
possibly even fix publicly available but iffy exploit code or tweak my
favourite open source security tool to suit a variety of different
scenarios. Surely the reason we rely on customizable operating systems
like Linux for a lot of our tools is at least party for this reason of
customizability [sic].

So yes by all means use your perls and pythons during the engagement but
have the C/C++ skills available during your research time between
engagements. This is at least the feeling I'm getting from people who
have replied on and off list.

Thanks for the reply.

> From: "Craig Wright" <cwright () bdosyd com au>
> To: "thomas springer" <tuevsec () gmx net>,"johnny Mnemonic"
> <security4thefainthearted () hotmail com>
> CC: <pen-test () securityfocus com>
> Subject: RE: Programming skills for Pen Testers
> Date: Mon, 13 Feb 2006 09:45:56 +1100
>
>
> Hello
> First just to get this in C programming is a good skill. C++ is also
> not bad to have. This said, what the hell is this doing in a pen test
> discussion.
>
> /*
> **     start rant
> */
>
> How can anyone here honestly state that programming skills are needed
> for pen testing? An audit of source code is NOT a pen test. This does
> require coding skills - they are not the same thing and anyone who
> thinks they are is under a delusion.
>
> Are we talking "Vulnerability Research' or Pen. Tests? Do we all
> understand that they are NOT the same thing?
>
> If a business/organisation/etc is paying you for 20 hours of applied
> testing - I certainly hope that you are not going off on some ill
> conceived tangent and effectively taking their money without doing the
> service you have been commissioned for?
>
> Thomas is correct "Time is money - your customers money" - Do not
> forget this!
>
> Welcome to reality. There ARE time constraints. You are not paid to
> research every possible theoretical vulnerability or find a new buffer
> overflow in a Pen Test!
>
> No wonder businesses do not trust information security. No wonder the
> profession is not being taken as seriously as it should be.
>
> /*
> **     Rant complete
> */
>
>
> Regards
> Craig
>
>
>
> -----Original Message-----
> From: thomas springer [mailto:tuevsec () gmx net]
> Sent: 11 February 2006 3:30
> To: johnny Mnemonic
> Cc: pen-test () securityfocus com
> Subject: Re: Programming skills for Pen Testers
>
> johnny Mnemonic wrote:
>
> > ok we all know that in addition to good network, host and
> > application security skills, programming in C is a pre-requisite for

> > a decent pen tester or at least one who wants to write their own
> > security tools or simply audit the open source code they use. My
> > question is, despite their similarities should a pen tester be
concentrating on C or C++ ?
> > That's it!
>
> Time is money - your customers money. Most of my pentest-programming is

> quick and dirty and has to be highly adoptable - therefore it is
> usually done in high-level-languages like perl, python, vbscript, even
nessus'
> nasl-language using external tools (hping etc) where applicable.
> i won't even think of doing object-oriented c++-programming for a
> pentest.
>
> things get different if you think of creating a "big" product like
> nessus or iss-scanner - but if you code stuff like this you are
> probably more a coder than a pentester... :)
>
> tom
>
>
> -----------------------------------------------------------------------
> -
> ------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on
> your website. Up to 75% of cyber attacks are launched on shopping
> carts, forms, login pages, dynamic content etc. Firewalls, SSL and
> locked-down servers are futile against web application hacking. Check
> your website for vulnerabilities to SQL injection, Cross site scripting

> and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -----------------------------------------------------------------------
> -
> -------
>
>
> Liability limited by a scheme approved under Professional Standards
> Legislation in respect of matters arising within those States and
> Territories of Australia where such legislation exists.
>
> DISCLAIMER
> The information contained in this email and any attachments is
> confidential. If you are not the intended recipient, you must not use
> or disclose the information. If you have received this email in error,
> please inform us promptly by reply email or by telephoning +61 2 9286
> 5555. Please delete the email and destroy any printed copy.
>
> Any views expressed in this message are those of the individual sender.

> You may not rely on this message as advice unless it has been
> electronically signed by a Partner of BDO or it is subsequently
> confirmed by letter or fax signed by a Partner of BDO.
>
> BDO accepts no liability for any damage caused by this email or its
> attachments due to viruses, interference, interception, corruption or
> unauthorised access.

_________________________________________________________________
Find love on MSN Personals http://personals.msn.com.sg/


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------