Pen testing and python discussion!

Hirobrad PGCE Posts: 7 Member
In context I am studying for an MSc in Computer Science in Cyber Security. My background is Game design to start then 12 years in education teaching GCSE and A-Level Computing.

I keep finding lots and lots of conflicting information on the internet (no really, it's true) and I know that asking the internet may only make the problem worse.

What level of Python do you need to become a pen tester? I have seen people say you need to be master level and others say that it is not that important and you spend the majority of your time writing reports.

What would people recommend I spend my time on the most: networking (studying for CCENT) / Linux / Python. 

Or just split my time evenly over all three. My current level of Python is low intermediate I would say. OOP / Classes / Regex experience.

What would the pen testers on here say? 

Cheers guys.

Comments

  • LonerVamp OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS CCP, CCSK Posts: 393 Member
    None of those answers are patently wrong. I think many pen testers will say that the more you know about Python and become quickly functional with it, the better asset you are. But to get into pen testing, or even stay there, you don't need to be a master. It just certainly helps quite a bit.

    I would honestly say "pass" on candidates that don't know programming, scripting, or are absolute beginners with Python or PowerShell to the point that they can't self-start or need heavy guidance. Someone coming in the door that is comfortable with Python/scripting is a good thing.

    That said, you could work for a pentesting firm that just mainly does scans, runs some tools off Kali, and that's it. Write reports and go to bed. In that case, you don't need to know much, but it will help your career to be comfortable and workable with Python.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS CCP, CCSK
    2019 goals: GWAPT, Linux+, (possible: SLAE, CCSK, AWS SA-A)
  • yoba222 Posts: 1,055 Member
    You don't need any Python technically. It comes down to whatever language gets the job done. Maybe there's an existing exploit written in C or Ruby, but with strong Python fundamentals you'd be able to work out the syntax to get the exploit working the way you want.

    I probably spent my time about evenly over all three before getting into pentesting, and in retrospect I think that was a good balance and would repeat. I also feel like I've spent more time than the average coworker growing Python skills and don't regret it.
    2017: GCIH | LFCS
    2018: CySA+ | PenTest+ | CCNA CyberOps
    2019: VHL 20 boxes
    2020: OSCP | CISSP
  • LonerVamp OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS CCP, CCSK Posts: 393 Member
    yoba222 said:
    ...growing Python skills and don't regret it.
    I think that's maybe the best point. I can't say anyone in the industry will truly regret spending some time learning some programming/scripting.

  • Hirobrad PGCE Posts: 7 Member
    @LonerVamp @yoba222 thank you both for the input. It is at least good to know I am on the right track following the study pattern I am on.

    I am just trying to stay focused on one thing at a time. Which is hard when there is so much conflicting information. It also doesn't help for someone trying to get started with all the different certs and some people saying that CREST isn't good any more and CompTIA isn't as good as Cisco and others saying it's better.

    Both you guys have really helped me. Thank you! 
  • LonerVamp OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS CCP, CCSK Posts: 393 Member
    This is security for ya! Not only is this a lifetime of choosing what to learn and not learn, but if you ask 20 security folks any sort of question, you're going to:
    • get 24 answers
    • 8 of which are patently wrong
    • only 4 people in that group know which ones are wrong
    • 9 of those people aren't really in security, but think they are
    • 12 answers are right, but again only 5 people know how to pick those out
    And so on... :)

    If you're in the US, CREST isn't a thing.
    If you're relatively inexperienced, CompTIA (and most any certification) is a step up and into the field.


  • Hirobrad PGCE Posts: 7 Member
    @LonerVamp oh my days thank you for this, honestly this has made me feel so much better, the hard part for me right now with the absolute lack of industry knowledge is to work out which are the 8 people that are wrong :smile:

    Again, thank you for the help, it has made me feel better. 
  • SaSkiller OSWP, GPEN, GWAPT, GCIH Posts: 337 Member
    In my experience so far, I haven't needed any programming knowledge, however it is most certainly useful and will likely be required as I move forward in my career.
    OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
  • chrisone CISSP, CRTP, eCPPT, LFCS, CEH, Azure Fundamentals, Retired Cisco NPs Posts: 1,886 Member
    edited May 8
    Put it this way, if you were a master at Python, you shouldn't be wasting your time on cyber security. You should be building multi-million, multi-billion dollar software ideas, solving the world's problems.



    2019 Goals:
    Certs: Certified Red Team Professional - Pentester Academy (passed!), Azure Fundamentals AZ-900 (passed!), Azure Security Engineer Associate AZ-500 (in-progress)
    2020 Goals:
    Certs: AZ-500, MS-500, Pentester Academy - PACES, Varonis Certified Admin (in-progress)
  • sil3nt_n1nja OSCP, OSCE Turkey Posts: 9 Member
    Python will be useful either during exploit development or when you start developing your own tools or even custom C2. It is definitely a nice skill to have and it could also help you secure IT sec positions, during an interview.