Cатсн²² (in)sесuяitу / ChrisJohnRiley

The nice folks at Syngress were kind enough to let me review the new “Coding for Penetration Testers” book by Jason Andress and Ryan Linn.

It’s becoming more and more important for penetration testers (and all types of InfoSec professionals really) to know the ins and outs of scripting and programming. Automation is a key requirement of efficient and repeatable testing. Those that can’t grasp even the simplest principles of scripting are doomed to failure as testing becomes more and more complex.

With that said, everybody has to learn somewhere, and for those afraid to dive head-long into a dry book on the basics of Python, Ruby, <insert your chosen language here> , then there are various books that will take you from zero to scripting in a few easy hours. Books like “Gray Hat Python” and “Ruby by example” are a great start, but are sometimes a little too focused on specifics, or have no connection to security.

Coding for penetration testers crossed covers the space between. Not taking itself too seriously and wasting time and space discussing coding standards and whether or not to use hard tabs or spaces, but instead diving in and discussing the ins and outs of each language.

The first section of the book covers the basics of shell scripting, Python, Perl, Ruby, PHP and finishing up with the new kid on the block, Powershell. Each chapter takes the reader through some simply syntax of the language and then talks about how to use the language to achieve a simple task. The examples are sometimes a little on the basic side, but they cover enough to let the reader experiment further without needing the book.

The section portion of the book is dedicated to achieving tasks using your new-found skills. This is split up into sections on scanner scripting, information gathering, exploitation and post exploitation. These sections flow well enough, but seems to lose some focus towards the end with sections of the post exploitation section dedicated more to SQL Injection than to scripting IMHO.

Conclusion

I feel strongly that every penetration tester needs to know the basics of scripting. You don’t have to be the best coder in the world to achieve great things. All it takes is a little time and desire.

This book doesn’t

• … cover every aspect of every language
• … teach you the coding standards
• … make you a master coder overnight

This book does

• … give you a good grounding in scripting basics
• … help you get a kick-start into coding
• … give you real world examples and scripts

For penetration testers that are already coding some parts of this book will be covering old ground. That said, there’s a lot of interesting parts to this book and enough variety in the languages to interest most readers. I read the book from cover to cover and don’t feel that this book really lends itself to that kind of reading style. Those that want to get the post out of their time should really take time to write out the examples and experiment to get the hands-on experience that I think brings the most out of this book.