Exploit code

Take one coding noob + X = Not so much of a coding noob

Though which language (X) should one look at first.

I have a small understanding of C, Basic and Java but its not very much.

So, what do you recommend?

*waits paitently for Keatron or JD*

Find more posts tagged with

Comments

Webmaster

I know you asked for Keatron or JD, but I'll take a shot if you don't mind:

There's not really one particular 'hacking' language. You don't need to be able to 'speak' them all, but you should be able to make some sense of pretty much any piece of code you read.

Python, Perl, C (any flavor), Java, VB, vbscript, javascript, are just a couple of example you'll probably want to become familiar with.

As for which one to start with, I think the one that you find fun would be a good choice.

Sie

Thank you for your reply i'll start having a look tonight.

And you werent left out on purpose!!

Thought you deserved a rest from creating such a great site

Webmaster

Thanks Sie, and no offense taken.

JDMurray

Because there is no single "best" computer programming language for all purposes, you really need to ask yourself, "What are the types of programs I want to write and for what operating system(s)?" Here are some considerations:

Both the Java and C++ languages are good choices for a language that is found on all types of platforms and OSes. There is lots of available sample code for helping you learn to write programs. You can also learn about Object-Oriented Programming using these languages. However, writing a program on one platform does not automatically make it work on another. There are rules and exception of program portability to learn.

Many specialty languages have jumped over from Unix/Linux to Mac and Windows, including Perl, Python, and Ruby. Each of these languages have their specific uses, their user communities, and "fan boys." You'll have to read up on each language and see what they are used for and what programmers love/hate about them.

If you want to write Windows-only, client-side or server-side applications, the .NET Framework is the way to go. With Visual Studio.NET 2005, you have a choice of over 30 .NET object-oriented programming languages to use, but you'll most likely end up going with either C# or Visual Basic 2005 (the Express editions of VS.NET are free).

The best way to learn the internal architecture of a CPU is to learn its assembly language. The Intel x86 processor is dominate right now, so x86 assembly language would be a good one to learn. Assembly is necessary to learn to truly understand how hardware and software really work together.

So what's it gonna be? Writing Web browser applications for Windows using C# or PHP, or server-side scripting using VBScript or Perl? Writing Windows-only, client-side applications using Visual Basic.NET, or Windows/Mac/Linux applications using Java? Or maybe just some low-level hacking using assembly and C++ together.

There's just too much software to write and so little time to do it.

And to boggle you even further:

Wikipedia: Programming Languages

Wikipedia: Categorical list of programming languages

Slowhand

I can insert my two cents here, since I'm (and have been) on this road for quite a while. As jdmurray said, you're looking at a lot of options, a lot of different languages that do a lot of different things. The only thing I'm going to add here is some good advice. I was always a fan of VB and VB.NET, but I have to say that I don't regret making the move to C#. The reason for that is, almost all the classes I'm taking and all the work I'll be doing as a programmer will be done in a C-based language, such as C++, Java, C#, or C, itself. The C family of languages is very predominant in the working world, and you'll do yourself a favor by being proficient in at least one of the variants.

That being said, I'm also a big proponent of learning assembly language, as well as a scripting language or two. Take a look at some of the job listings in your area, see if there is a lot of call for Perl, Python, Javascript, whatever, and look into learning what seems to be the most useful and enjoyable to you. Depending on if you're doing systems programming, web programming, etc, your needs will change. Things like ASP.NET, PHP, Ruby, JSP, and the like are web programming languages, whereas I've seen Python, Perl, VB Script, and shell script move towards systems administration. Then, of course, there are things like SQL, for example, that you'll inevitably come across. All good things to learn, but you'll have to find areas to focus on.

One very important thing I can stress is this: pick an area or a small group of areas to focus on and really learn them. This is especially important for learning a new programming language. For all their differences, programming languages end up doing a lot of the same things; if you're going to learn how to be a programmer, pick a language and learn it to the point you could write code in your sleep. Once you have a 'preferred' language in the C family, moving to a similar language is only a matter of syntax and extended features.

Between all of that, the things that jdmurray laid you, and Webmaster's advice, you should have a good idea of where you're headed. Going and checking out the computer science program at your local college might not be a bad idea. You'll get, even at a community college, a couple of good courses: An intro to programming course, a course in assembler, a data structures and algorithms course, and a couple of courses in linear algebra and discrete math. There'll probably be the option to take some more advanced classes in particular languages, as well as fun things like LISP. All will help you on your way.

JDMurray

The only thing I can add to what Slowhand wrote is that programming is a very complex activity. To learn it really well, you must find a way to enjoy programming. You do this by working on small projects that you find very interesting. The projects must be small so you'll actually have a chance to feel the satisfaction of completing them--although you will also learn a lot from the projects that you never finish, or end up scrapping and rewriting from scratch.

When you find that a programming project has become a chore, switch to another project to change your pace. After a while (days, weeks), switch back to the previous project and you'll have a fresh perspective to continue. This is a primary reason why a programmer always has (at least) three projects going at once.

Slowhand

Yup, I agree with jdmurray 100% on the fact that enjoying programming is the absolute most important key to being a successful programmer. One of the main reasons I still struggle to learn and am still working my way through school, (along with a procrastination,) is that I burnt myself out trying to do too much of one thing early on. I got neck-deep in C++, tried to muscle my way through a lot of work in a single semester, and ended up resenting the experience. It's been a few years, a whole lot of math and G.E. classes later, and now I'm ready to jump back into my software development education again.

One of the things that helped me get back in the game was picking up C#, specifically getting a good book on the subject, as well as some fun projects from the Events page on Microsoft's website. The fun project helped, the change of pace from systems programming to doing more web-oriented stuff helped, and now I'm ready to go back and pick up where I left off with my classes. And this time, I'm going to break up the assignments and "recommended projects" with some more side projects, like doing some experimenting with video game programming and the like.

keatron

I agree with all the above advice, and I have three words.... Assembly Assembly Assembly. The C's will certainly be helpful. Also, learn Perl. If you learn these three, then you can consider yourself to have a pretty solid coding core as far as security is concerned. But you'll still need to learn as many others as you can. We can't forget that there's an entire field of study devoted to securing applications. So if you don't know Java, you certainly can't secure it....at least not really.

Sie

wow!

Thank you all for taking the time to reply and with such indepth answers!

They have all been a great help and im certainly better placed to start looking into this now.

Thank you all again im off to start some in-depth reading. (Aslong as no one breaks anything important today!

)

Sie

I know you've all helped lots already but can someone suggest a good book for learning assembly?

Cheers in advance.

(found lots of site just wondering if any came with a recommendation)

JDMurray

Sie wrote:

I know you've all helped lots already but can someone suggest a good book for learning assembly?

I'd like to know this myself. It's been a long time since I've shopped for books on assembly. The one good thing about x86 is that it never changes; it just gets added on to by each new generation of Intel processors.

Slowhand

I'm not sure about how "good" it's guaranteed to be, but you could check out a college bookstore, given that they teach computer science, and see what they use for their assembly class. (Classes like that usually fall under the name "Hardware Perspectives", or something of the like, if they're not simply called "Assembly Language".)

Sie

I came across: The Art Of Assembly while searching this afternoon.

I plan to have a look at it tonight (though if this headache keeps up)

I'll try and up date later or tomorrow on what its like and if i come accross anything else.

Do most people code and compile on *nix or Windows?

And is there a reason for your choice?

Slowhand

Sie wrote:

Do most people code and compile on *nix or Windows?

And is there a reason for your choice?

It really depends on your choice of operating system, in general. If you're using Windows most of the time, you're probably going to be programming on it as well. If you're on Unix or Linux, you're probably more comfortable in that environment. Of course, a lot of people really get introduced to assembly language, and most other programming, in school and will end up compiling in whatever environment the school uses.

Incidentally, I believe that Assembly Language for Intel-Based Computers (5th Edition) is what my school uses for its class.

Slowhand

Getting back to the original topic of learning languages, I felt the need to make a shameless plug of a book that comes highly recommended by a lot of people, for learning C++: C++ Primer Plus (5th Edition)

Of course, the fact that I go to College of Marin, and that's where Stephen Prata teaches, has nothing to do with this shameless plug. . .

On a serious note, though, this is an excellent book for anyone looking to jump right in with both feet and learn C++ or C.

JDMurray

Speaking of fun programming projects, this book looks like something I'd like to tackle.

Slowhand

jdmurray wrote:

Speaking of fun programming projects, this book looks like something I'd like to tackle.

Oh, yes. I've seen that one around. That and The Art of Computer Programming are on my 'to do' list for after my undergraduate classes are done.

And, since we're on the subject of things to do, how about some compilers to do it with?

A list of tools for Windows:

Borland's Free and Trial Compilers

Microsoft Visual Studio Express

And you can get help and more information from places like Dev Shed and Dream in Code.

There are tons and tons of pages, communities, discussion boards, etc. for developers, students, and hobbyists alike. I'm sure that we'll get more people mentioning what tools are available for Unix/Linux, Mac, and different tools for different programming languages. (Hint, hint, guys. . .)

Webmaster

Although you mentioned it already, I'm going to mention it again because I think it deserves it. Not necessarily the best one for hacking, but you got to start somewhere and in my opinion this is the best one to start with:

Microsoft Visual Studio Express editions.

I've been a MS Exchange 5.5 consultant for a couple of years and I always said it was the greatest product MS ever created. Until JD suggested me to download VB Express almost a year ago. It's really an amazing product (free). I have some Basic, some pascal, some MS Access 2.0 Basic, some php, and some java experience. Basically what I referred to as copy-and-paste coding. Using example projects, snippets, etc etc. I was able to create functional apps, but honestly I didn't really know what I was doing. I created the online TechSims (see CCNA section) in Java some years ago, but after a couple of months I wasn't able to understand 'my own' code anymore.

VB Express is a very different experience for me than Java, the IntelliSense feature for example, really makes it almost 'easy'. Not only writing the code, but also managing it, lots of it. Imo the word 'basic' applies more to VB.NET/VS than any previous 'Basic'. One of the applications I'm working on and spent already over 8 months on, is something 9 months ago I wouldn't even have believed I could create using a free Microsoft product. And it keeps amazing me almost every single time I use it. For example, yesterday I was able to serialize and deserialize a class to and from and XML file within a minute by using the 'Snippets' feature in VB Express. (took me 8 months to try out the basic snippets feature... so imagine how much other amazing stuff is in it

)

I also think VB (or C#) Express is a good way to find out if you enjoy programming in the first place because it's so accessible for beginners.

Another additional benefit is that you could try to pick up the MCTS certification from Microsoft (for example 70-526 and 70-536 exam) which should look good on a resume for a security pro.

keatron

And as JD passed this on to Johan, he did the same to me and I haven't looked back either. I use a combination of Express, Flash, Authorware, and Illustrator to create some rather nice animations and illustrations for teaching security.

As for the question about assembly books, here's my 3 best recommendations.

1. Assembly Language Step-by-Step by Jeff Duntemann
2. Exploiting Software by Greg Hogland and Gary McGraw
3. Rootkits by Greg Hoglund and James Butler

I think I should note that the first book might at first seem like it's way to beginner, but trust me, it starts to get deep fast around chapter 4. The first three chapters are A+ level dealing with registers and things of that nature. But it's a good place to start if you've never seen assembly before. The second and third books are very very security focused in regards to assembly. If you don't have at least the knowledge of the first book, the books 2 and 3 will simply will seem like greek most of the time. So always start with the fundamentals.

Sie

keatron wrote:

As for the question about assembly books, here's my 3 best recommendations.

1. Assembly Language Step-by-Step by Jeff Duntemann

Purchased and awaiting its arrival!

keatron

Good luck.

bcairns

The BEST language is the one you enjoy working with the most.

It would be best to learn to program - after you learn that, the language you use is just another tool i your belt.

keatron

bcairns wrote:

The BEST language is the one you enjoy working with the most.

It would be best to learn to program - after you learn that, the language you use is just another tool i your belt.

There's certainly truth to that statement. As I always say, what helped me was the fact that any time I started to learn a language (even when I learned my first language), it was because I had a certain task that needed to be accomplished.

seuss_ssues

Wow, i cant beleive i missed this post when it originated.

Here are my 2 cents from a network analsyt / security hobbyist point of view:

I learned to program on C++ and i am very grateful for that. I can look at any c based language and pick it up very quickly. Additionally if you are intereset in security a large portion of the tools and code you will try to attack will be written in c/c++.

Learn to script like keatron mentioned. I know he indicated perl and its definately worth learning. Additionally dont overlook simple BASH scripting. There are a lot of tasks at my job that were some what time consuming at first. I spent my down time creating scripts and a large portion is now automated. Granted the same things could have been accomplished in perl, but i was more familiar with bash.

I additionally understand that you are showing your interest in assembly. I would almost hesitate for someone to learn it as their first language. Its going to be a cumbersome and long road without the joys more easily experienced with higher-end languages. That being said it is definately and invaluable tool in security. It is definately another area i need to look further into.

keatron

seuss_ssues wrote:

Wow, i cant beleive i missed this post when it originated.

Here are my 2 cents from a network analsyt / security hobbyist point of view:

I learned to program on C++ and i am very grateful for that. I can look at any c based language and pick it up very quickly. Additionally if you are intereset in security a large portion of the tools and code you will try to attack will be written in c/c++.

Learn to script like keatron mentioned. I know he indicated perl and its definitely worth learning. Additionally dont overlook simple BASH scripting. There are a lot of tasks at my job that were some what time consuming at first. I spent my down time creating scripts and a large portion is now automated. Granted the same things could have been accomplished in perl, but i was more familiar with bash.

I additionally understand that you are showing your interest in assembly. I would almost hesitate for someone to learn it as their first language. Its going to be a cumbersome and long road without the joys more easily experienced with higher-end languages. That being said it is definitely and invaluable tool in security. It is definitely another area i need to look further into.

Very good points. I should have mentioned bash since a lot of my research and exploit writing I'm doing via Solaris right now. Also I'm digging into Python currently, and it's swiftly replacing perl in several areas for me.

Tesl

keatron wrote:

Also I'm digging into Python currently, and it's swiftly replacing perl in several areas for me.

Same here, I really think that Python is just beautiful, and I was able to create some very functional apps really really quickly using it.

Assembly is good to know, and is pretty much a necessity when it comes to coding exploits or reverse engineering. I'm not sure I'd like to advise it to anyone as a first language though.

My gut feeling is that you might get fed up with it quite quickly, as its a long road to being able to build anything useful in assembly (and quite tedious). I'd check out Python first to understand the high level structures (Loops/Objects etc) and then move onto something like C/C++ to really start getting into manual memory management (pointers and stuff).

For x86 asm, I've been able to pick up most of it by reading "Hacking" books that focus on writing exploits, free resources such as Paul Carter's asm book (Just Google that name) and through reverse engineering software for fun (Mostly crackme's from crackme.de). It would still take me forever to code anything very useful in it though =/

Good luck

JDMurray

keatron wrote:

Also I'm digging into Python currently, and it's swiftly replacing perl in several areas for me.

Anything that replaces using all those dollar signs is a benefit in my book.

JDMurray

Paul Carter's asm book would make a nice O'Reilly book. I wonder if he ever tried to get it published properly.

Tesl

JDMurray wrote:

Paul Carter's asm book would make a nice O'Reilly book. I wonder if he ever tried to get it published properly.

I think he mentions it on his website somewhere that he tried to get it published but nobody took him up on it. Quite suprisingly really, I rate it quite highly (Perhaps a bit dry for my tastes though, but then I've never had fun studying asm really)