Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: scripting

{Book Review} Coding for Penetration Testers

The nice folks at Syngress were kind enough to let me review the new “Coding for Penetration Testers” book by Jason Andress and Ryan Linn.

It’s becoming more and more important for penetration testers (and all types of InfoSec professionals really) to know the ins and outs of scripting and programming. Automation is a key requirement of efficient and repeatable testing. Those that can’t grasp even the simplest principles of scripting are doomed to failure as testing becomes more and more complex.

With that said, everybody has to learn somewhere, and for those afraid to dive head-long into a dry book on the basics of Python, Ruby, <insert your chosen language here>, there are various books that will take you from zero to scripting in a few easy hours. Books like “Gray Hat Python” and “Ruby by Example” are a great start, but are sometimes a little too focused on specifics, or have no connection to security.

Coding for Penetration Testers covers the space between. It doesn’t take itself too seriously or waste time and space discussing coding standards and whether or not to use hard tabs or spaces, but instead dives in and discusses the ins and outs of each language.

The first section of the book covers the basics of shell scripting, Python, Perl, Ruby and PHP, finishing up with the new kid on the block, PowerShell. Each chapter takes the reader through some simple syntax of the language and then talks about how to use the language to achieve a simple task. The examples are sometimes a little on the basic side, but they cover enough to let the reader experiment further without needing the book.

The second portion of the book is dedicated to achieving tasks using your new-found skills. This is split up into sections on scanner scripting, information gathering, exploitation and post exploitation. These sections flow well enough, but seem to lose some focus towards the end, with parts of the post exploitation section dedicated more to SQL Injection than to scripting IMHO.

Conclusion

I feel strongly that every penetration tester needs to know the basics of scripting. You don’t have to be the best coder in the world to achieve great things. All it takes is a little time and desire.

This book doesn’t

  • … cover every aspect of every language
  • … teach you the coding standards
  • … make you a master coder overnight

This book does

  • … give you a good grounding in scripting basics
  • … help you get a kick-start into coding
  • … give you real world examples and scripts

For penetration testers that are already coding, some parts of this book will be covering old ground. That said, there are a lot of interesting parts to this book and enough variety in the languages to interest most readers. I read the book from cover to cover and don’t feel that this book really lends itself to that kind of reading style. Those that want to get the most out of their time should really take time to write out the examples and experiment to get the hands-on experience that I think brings the most out of this book.

Projects are like buses

Photo by angelocesare (CC)

I know, I know, what a strange title for a blog post. Then again, I’ve never really been known for being the most normal of people bloggers. Then again, projects really are like buses. There’s none for ages then 2 come along at once ;) Things have been a little quiet on the blog for several reasons. The first was my nagging neck problem, which I’m hoping is back under control. The second is the start of a few projects that have been in the works for a while now.

  • €urotrash security podcast
  • PenTester Scripting

The €urotrash security Podcast has been in the planning phase for a while now, with the initial meeting to discuss particulars at the recent BruCON conference in Brussels. Episode 1 has just been released, so head over to http://www.eurotrashsecurity.eu and grab a copy. Let us know what you think. As with any new Podcast we’re looking for feedback on how to make things better and cover what you want us to cover. You can load up your favourite RSS reader HERE for updates on the next Podcast release.

The second project I’m involved with came out of a simple remark on Twitter. I’m not much of a scripter, but it’s something I’m looking at improving. When I commented that a SANS course covering scripting for Penetration Testers would be a good thing, Kevin Johnson agreed and the project was born. PenTesterScripting is still in its early phases, but we hope it will turn into a place for Penetration Testers to come and find useful scripts to help automate some of the more tedious and long-winded parts of penetration testing. Head over to the site and vote on our logo competition, and feel free to email us scripts you want us to host on the site.

For updates to both projects, follow me on Twitter as @ChrisJohnRiley, or follow the projects directly, @PenTesterScript and @EurotrashSec.
