Penetration testing course: 0x02.4 Is programming important for hacking?

Long story short: yes, programming is important for being a good hacker or security professional.


If you are a beginner you have probably already wondered how important programming is; if you are a professional you probably shrug your shoulders every time you see the question asked and read the answers. It has been asked many times, and you will find good answers and bad ones, which may leave you confused. In my opinion the answer is clear, but it isn’t trivial, so I decided to dedicate an article of my ethical hacking and pen testing course to it.

You don’t always need a complex program in order to hack a system; sometimes you can achieve your result with no coding at all. Ultimately getting the job done is what matters, not how you do it. Remember this, because I’ve seen people who study the basics a lot but never hack anything because they think it’s too difficult and they aren’t ready. That may often be the case, but although theory is fundamental, you can’t reach your goals without a lot of practice. Practice is essential and you shouldn’t avoid it. I’m not telling you to hack every system you come across (I wouldn’t recommend it if you care about your life and your freedom), but there are many ways to practice legally. Maybe I’ll write an article listing some valuable resources; in any case, as I always say, do your own research, it is very important.

You need to be active and curious, to learn new things every day, and to see it as an investment rather than a waste of time. You can do many things with a computer; many people use it for playing games, checking Facebook, listening to music or using Microsoft Office (and then list that in their resume... well, good for you :D). These things won’t get you a job, if that’s what you want. Everyone needs a job, and IT is a good field to be in. Imagine how many useful things you could learn if you spent that time on something more productive, like studying computer science or picking up a programming language.

What do you need for hacking?

You need to know how the system you want to hack works and check whether it has a logical or technical flaw that can be exploited to alter the flow of a program and, as a consequence, alter its result or gain access to the system. Sometimes you get limited access (read only: information disclosure), sometimes write access or the ability to execute some commands, sometimes you can impersonate a user with limited privileges or escalate your privileges to administrative level. All of this depends on how the system is designed, on its flaws and on your skills. Some people think experts can hack everything; that’s not true, it depends. And no, being able to hack a Facebook account doesn’t make you a hacker; I hope that isn’t your ultimate goal and aspiration. If you want to become a security professional then keep following my course, otherwise you may leave, I’m not offended.

If you are a security enthusiast (why not, even a good one) you may be able to read and understand code, and you may have extensive knowledge of operating systems, networking and the latest hacking techniques advertised everywhere online. You may be very skilled, able to hack some systems, maybe a successful bug hunter in one of those fancy bug bounty programs, earning some money or a t-shirt. That’s all good. You may use a variety of programs, tools or scripts, whatever you want to call them. There are very good ones and even security professionals use them; that’s not a sin. If they are good, why not? Everyone uses programs like nmap for network scanning, sqlmap for database enumeration and exploitation, ettercap (now I suggest bettercap) for MITM and sniffing, and so on. There’s no need to reinvent the wheel: if a tool works well, just use it. Still, you need to understand how the tool works, and the technologies and vulnerabilities involved, if you want to be successful and use it at its best. Even that may not be enough. Technologies change fast, systems get updated, configurations change. The available tools may not work out of the box; they may need some tweaking (many pen test tools are open source, so you have access to the source code and can edit or extend it with new functions) or you may have to build your own. It may also happen that you stumble upon a new vulnerability that has never been described and no tool exists to test for it. Do you give up, or do you try to build something yourself? The latter is the wiser answer.

You may have heard that scanning is bad (it doesn’t work, or produces many false positives) and manual testing is better. I partly agree, but I don’t like absolute statements. A tool is essentially a piece of software that makes the computer execute a series of instructions (perhaps the same actions you would perform manually, only faster). A tool just does what it was programmed to do. It can be a dumb tool or a smart tool; that depends on the programmer. It is easy to code a specific tool for a specific function. If you want to broaden its scope you have to implement more checks so that the program understands its environment and acts accordingly, and it may still not work entirely as expected. A program usually can’t learn from its mistakes, but a developer can, so it is important to design the program carefully up front, considering all the cases and problems that may occur during its execution, and to test it before using it in production or distributing it to others. A person can (sometimes) notice that something is wrong and change his or her behavior; it is a lot harder for a program to do so. There is currently a huge development of the AI and machine learning fields and it will be interesting to see these technologies applied to infosec, but the skills of the developer will always play a major role.


As I said, programs are typically faster than humans at simple tasks, but it’s not only a matter of speed. Humans usually don’t interact with the hardware directly but through programs running on an operating system, which is the essential interface between hardware and software. Humans are complex; computers are “simple”, at bottom they only execute elementary instructions, so functionality has to be programmed at a low level or through frameworks that provide layers of abstraction to make things more human-friendly. Every program takes some data as input and returns some data as output. You can write a program that feeds data to another program, or takes its output as input, processes it and generates more information. Sometimes the information you need isn’t immediately available to you as a human and you need a program to fetch it. For example, you may want to get information from a website. A normal user would browse the website, copy and paste the information and then use it; that requires manual intervention and may be time-consuming. Besides, not all the information you need may be directly accessible to you, but it may be accessible to a program. Have you ever heard of APIs? API stands for Application Programming Interface. APIs are commonly exposed by web services: your program can query them to retrieve information, or use them to feed information to the server, which processes it and returns some other data. This data has to be understood on both the server and the client side, so open formats are normally used (JSON, XML, YAML, CSV, etc.). For a big list of APIs you can play with, take a look at http://www.programmableweb.com/ or https://www.mashape.com/ for example.
Staying with web technologies: if you want to perform a web application penetration test, I’m afraid a web browser may not be enough. You need a tool that interacts with the HTTP protocol at a deeper level; you may need to intercept traffic, parse some data, possibly alter it and send it on to the server. There are programs that do that for you, for example ZAP proxy or Burp proxy. It may be interesting for you to code a tool with the same basic functionality. It will give you more control, and it will force you to learn the protocol and how to interact with it: build requests by hand and receive raw responses that you can then process. Likewise, if you want to scan a web server for vulnerabilities you may not find a scanner that covers the ones you are targeting, or the program may be expensive or complex, so you may prefer to write a simple tool yourself that does just what you need, and does it well. If you want to interact with an operating system, again you will want to learn its APIs. And if you want to do something more hardcore and write an exploit that gives you access to a system or lets you execute code on it, you will obviously need a program to exploit the vulnerability; you can’t just do it manually.
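As an added example (not code from this course or from ZAP/Burp), here is the kind of starting point such a tool grows from, in Python: an HTTP/1.1 request assembled by hand, a parser that splits a raw response into status, headers and body, and one small check run over the parsed headers. The sample response it runs on is constructed for the example, and the header check and its wording are my own choices, not a standard; fetch() shows the same pieces talking to a real server.

```python
"""Hand-rolled HTTP/1.1 request builder, raw response parser and a small
security-header check. Runs offline on the constructed SAMPLE_RESPONSE
below; fetch() shows how the same pieces talk to a real server."""
import socket
import ssl
from typing import Dict, List, Optional, Tuple


def build_request(host: str, path: str = "/", method: str = "GET",
                  headers: Optional[Dict[str, str]] = None) -> bytes:
    """Assemble the request by hand: request line, Host header (mandatory in
    HTTP/1.1), Connection: close so the server ends the response with EOF,
    then any extra headers. Lines end in CRLF and the head ends with an
    empty line."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw response into (status code, headers, body).

    Header names are case-insensitive, so they are lowercased; repeated
    headers are joined with ", " as RFC 7230 allows (lossy for Set-Cookie).
    The body is returned as sent: chunked transfer coding is not decoded."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)   # "HTTP/1.1 200 OK" -> version, code, reason
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {status_line!r}")
    status = int(parts[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:                      # skip a malformed line rather than crash
            continue
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers, body


def check_headers(headers: Dict[str, str]) -> List[str]:
    """A deliberately narrow check (my own list, not a standard): report
    missing hardening headers and a disclosed Server banner. X-Frame-Options
    is only a finding when CSP frame-ancestors does not already cover it,
    the kind of context a 'dumb' scanner gets wrong."""
    findings = []
    for name in ("strict-transport-security", "content-security-policy",
                 "x-content-type-options"):
        if name not in headers:
            findings.append(f"missing {name}")
    csp = headers.get("content-security-policy", "")
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("missing x-frame-options (and no CSP frame-ancestors)")
    if "server" in headers:
        findings.append(f"server banner disclosed: {headers['server']}")
    return findings


def fetch(host: str, port: int = 80, path: str = "/", tls: bool = False):
    """Send the hand-built request over a plain or TLS socket and read until
    the server closes the connection (we asked for Connection: close)."""
    sock = socket.create_connection((host, port), timeout=10)
    if tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


# Constructed sample response for offline use (not captured from a real server).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.18\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"Set-Cookie: a=1\r\n"
    b"Set-Cookie: b=2\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    status, hdrs, body = parse_response(SAMPLE_RESPONSE)
    print(status, len(body), "bytes")
    for finding in check_headers(hdrs):
        print("-", finding)
```

Run it as is and it reports the sample's missing HSTS and X-Content-Type-Options headers plus the Server banner, but not X-Frame-Options, because the CSP already forbids framing. Swapping SAMPLE_RESPONSE for `fetch("host", 443, "/", tls=True)` points it at a live server; from there a real tool adds chunked decoding, redirects and per-header logic, which is exactly the work the article says you cannot avoid.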


So you see, developing a pen test tool doesn’t just require learning a programming language’s syntax. You need to use the language a lot, and you also need to learn the libraries, APIs and other technologies involved; often it is trial-and-error work as well. Once you think your program works, you need to test it, manually and ideally through automated tests too.


You may get stuck; then you need to persist and try harder. Skilled hackers often aren’t just smarter, they have put a lot of effort into learning new things. They may be better than you, but they have probably failed more times than you have ever tried. Do yourself a favor and learn some programming instead of relying only on available tools. You’ll avoid being called a script kiddie and you’ll get better results. If you still think that learning programming is optional, that’s fine as long as you are just a security enthusiast, but if your goal is to work in security you’ll soon realize that programming is a fundamental skill, used much more than you think. If you think you are good enough, remember that there are people better than you; be ambitious and raise your goals. Don’t believe me? Instead of talking to your friends, why don’t you go to a good conference and see with your own eyes the difference between you and those who do infosec for a living?

Some conferences to consider: defcon, blackhat, derbycon, BSides, Infosecurity Europe, RSA, SANS, HITB, ShmooCon, AppSec EU, USA and Asia.

I don’t mean to discourage you, but I want you to be realistic, guide you and motivate you to do better. I’m sure you can if you really want.

Now you may wonder: which is the best programming language for hacking?

You’ll have your question answered in the next article.


Author: Fabio Baroni   Date: 2016-08-19 00:36:19
