Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[BSidesLV] Fuck Tools

Fuck Tools – frank^2

Doing stuff on your own makes you learn stuff.

Tools Rule

  • They make things easier
  • They make things faster
  • They make it so that you don’t have to learn the deep details

but….

  • They make it so you don’t know the deep details
  • They also force you to think in a very controlled environment
  • Tools are sometimes too focused

At the end you end up with a bunch of tools that don’t do quite what you need unless you string them all together

Why write your own tool? You could be smarter, you could be cleverer, or the tool might not exist.

So you could write your own tool…

But that could be SLOW, maybe you don’t have the experience either… do you have the right resources to accomplish this?

So what do you do?

By developing a tool you’re learning things. Some things stay in memory after all.

This means next time you’ll be better, quicker!

Plus you get to learn how the program, flaw and tool really work. Knowledge is power.

Knowing the ins and outs of how to exploit something will always be better than knowing how to use a tool.

Why?

Because you want to learn

A toolkit cluster fuck is much less elegant than a custom coded script to do the job

Other tools are buggy

Why wait for another sucker to write your tool?

Why shouldn’t you?

Because sometimes reinventing the wheel isn’t worth it?

How will your tool be better? Maybe it won’t!

Do It Yourself vs riding that tool

OllyDBG vs PyDBG

Stuck in the boundaries of what the coder wants, vs doing what you want!

PyDBG lets you control what you want and how you want to do it.

PyDBG simply presents you with the tools by which to perform debugging, then expects YOU to write what you want next!

You get to learn how programs really run

You open your mind!

Fuzzers vs Peach vs You

If you download a fuzzer you’re doing it wrong!

If you run another person’s fuzzer, you’re finding the same bugs he found

Peach however lets you tailor what you want to fuzz and how you want to do it.

But Peach is still a tool, doing its thing, its way

There are all sorts of bugs that fuzzers won’t find… Maybe it’s best to write your own fuzzer?

Fuzzers: Great for low hanging fruit

Peach: When you’re looking for fuzzable bugs

You: When you want to be a ninja
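
To make the fuzzer comparison concrete, here is an added example (not from the talk or from any of the tools named): a format-blind fuzzer and a hand-written, format-aware one run against the same parser. The `TLV1` format, the parser and its deliberate bug are all constructed for illustration.

```python
import random

MAGIC = b"TLV1"  # constructed toy format: magic, then (type, length, value) records

def parse(buf):
    """Toy parser written for this example, with one deliberate bug."""
    if buf[:4] != MAGIC:
        raise ValueError("bad magic")
    records, i = [], 4
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated record header")
        rtype, rlen = buf[i], buf[i + 1]
        value = buf[i + 2:i + 2 + rlen]
        if len(value) != rlen:
            raise ValueError("truncated value")
        # BUG: type 0x7F reads value[0] without checking that rlen >= 1
        records.append((rtype, value[0] if rtype == 0x7F else value))
        i += 2 + rlen
    return records

def run(inputs):
    """Return (input, exception name) for every input not cleanly rejected."""
    crashes = []
    for data in inputs:
        try:
            parse(data)
        except ValueError:
            pass  # clean rejection is the expected failure path
        except Exception as exc:
            crashes.append((data, type(exc).__name__))
    return crashes

def dumb_inputs(n, seed=1):
    """Format-blind fuzzer: random bytes, almost never past the magic check."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 16)))
            for _ in range(n)]

def tailored_inputs():
    """Format-aware fuzzer: valid magic, every type, boundary lengths,
    with the length field both honest and lying about the value size."""
    for rtype in range(256):
        for rlen in (0, 1, 255):
            for actual in sorted({0, rlen}):
                yield MAGIC + bytes([rtype, rlen]) + b"A" * actual

if __name__ == "__main__":
    print("dumb:", len(run(dumb_inputs(5000))), "crashes")
    print("tailored:", run(tailored_inputs()))
```

The random-byte fuzzer is rejected at the magic check on every input, while the 1,280 tailored inputs reach the record handling and surface the unhandled `IndexError` on a zero-length type `0x7F` record.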

Metasploit

How does point-click-own make you a better tester?

Metasploit gives you a lot of other features… use them

Great framework for creating shellcode and creating PoC

Metasploit can help you become a ninja

The Bottom Line

There’s a fine line between using a tool and writing your own

When there’s no time and resources to learn or there’s nothing to learn, then just use a tool

When you have the time, want to learn and be a ninja, write your own tool

If you learn how a task is solved, instead of learning how a tool works you’ll be better for it!
