Pen testing and python discussion!

Hirobrad

In context I am studying for an MSc in Computer Science in Cyber Security. My background is Game design to start then 12 years in education teaching GCSE and A-Level Computing.

I keep finding lots and lots of conflicting information on the internet (no really its true) and I know that asking the internet may only make the problem worst. 

What level of python do you need to become a pen tester, I have seen people say you need to be master level and others say that it is not that important and you spend majority of your time writing reports.

What would people recommend I spend my time on the most: networking (studying for CCENT) / Linux / Python. 

Or just split my time evenly over all three. My current level of Python is low intermediate I would say. OOP / Classes / Regex experience.

What would the pen testers on here say? 

Cheers guys.

LonerVamp

None of those answers are patently wrong. I think many pen testers will say that the more you know about Python and become quickly functional with it, the better asset you are. But to get into pen testing, or even stay there, you don't need to be a master. It just certainly helps quite a bit.

I would honestly say "pass" on candidates that don't know programming, scripting, or are absolute beginners with Python or PowerShell to the point that they can't self-start or need heavy guidance. Someone coming in the door that is comfortable with Python/scripting is a good thing.

That said, you could work for a pentesting firm that just mainly does scans, runs some tools off Kali, and that's it. Write reports and go to bed. In that case, you don't need to know much, but it will help your career to be comfortable and workable with Python.

yoba222

You don't need any Python technically. It comes down to whatever language gets the job done. Maybe there's an existing exploit written in C or Ruby, but strong Python fundamentals and you'd be able to work out the syntax to get the exploit working the way you want.

 I spent probably about evenly over all three before getting into pentesting and in retrospection I think that was a good balance and would repeat. I also feel like I've spent more time than the average coworker growing Python skills and don't regret it.

LonerVamp

yoba222 said:

...growing Python skills and don't regret it.

I think that's maybe the best point. I can't say anyone in the industry will truly regret spending some time learning some programming/scripting.

Hirobrad

@LonerVamp @yoba222  thank you both the input. It is at least good to know I am on the right track following the study pattern I am on.

I am just trying to stay focused one on thing at a time. Which is hard when there is so much conflicting information. It also doesn't help for someone trying to get started with all the different certs and some people saying that CREST isn't good any more and compTIA isn't as good as Cisco and others saying its better. 

Both you guys have really helped me. Thank you! 

LonerVamp

This is security for ya! Not only is this a lifetime of choosing what to learn and not learn, but if you ask 20 security folks any sort of question, you're going to:

• get 24 answers
• 8 of which are patently wrong
• only 4 people in that group knows which ones are wrong
• 9 of those people aren't really in security, but think they are
• 12 answers are right, but again only 5 people know how to pick those out

And so on...

If you're in the US, Crest isn't a thing.

If you're relatively inexperienced, CompTia (and most any certification) is a step up and into the field.

Hirobrad

@LonerVamp oh my days thank you for this, honestly this had made me feel so much better, the hard part from me right now with the absolute lack of industry knowledge is to work out which are the 8 people that are wrong

Again, thank you for the help, it has made me feel better. 

SaSkiller

In my experience so far, I haven't needed any programming knowledge, however it is most certainly useful and will likely be required as I move forward in my career.

chrisone

Put it this way, if you were a master at python, you shouldn’t be waisting  your time on cyber security. You should be building multi million, multi billion dollar software ideas, solving the world’s problems.

sil3nt_n1nja

Python will be useful either during exploit development or when you start developing your own tools or even custom C2. It is definitely a nice skill to have and it could also help you secure IT sec positions, during an interview.