Programming in Cybersecurity
Newcomers to cybersecurity often ask, “Do I need to code to be able to work in cybersecurity?” The short answer is no, but it helps. If you decide to pursue a cybersecurity career, your ability to code will play a critical role in whether or not you can successfully detect an adversary, compromise a client domain, or discover and exploit a vulnerability in a product.
If you are undecided about learning programming, Python stands out as an approachable and effective tool for the cybersecurity practitioner. If you’re still on the fence about learning Python, this article explains the capabilities it adds to your arsenal as a cybersecurity professional, empowering you to take control of your tasks and projects.
Automating Everything
Scripting is often the gateway to programming. If you have a repetitive, time-consuming task that needs to be performed regularly, you have likely wondered if there is a more efficient solution. I’m here to tell you that there is, and that solution involves leveraging Python.
Al Sweigart wrote an excellent beginner’s crash course in Python programming, aptly titled Automate the Boring Stuff with Python. It is published and sold by No Starch Press but is free to read under a Creative Commons license! I universally recommend this resource to beginners as a free, practical approach to learning Python.
For those who find learning to program intimidating, Al’s approach is to teach just enough theory to get your hands dirty. Even better, the title delivers. Almost immediately, you can learn how to automate boring stuff with Python.
Why is the skill of automating tasks with Python important? Because we all have the same 24 hours in a day. Understanding Python automation allows individuals to reclaim precious time to focus on more creative and novel work. With the ubiquity of APIs, a skilled Python developer can write scripts to interact with various tools and technologies. With the right script, a cybersecurity professional can execute a command and move on to another task that requires creativity.
Writing Custom Tools
Beyond scripting, cybersecurity professionals may encounter situations where existing tools are insufficient or non-existent for their needs. In these instances, they can leverage Python to create a custom tool, showcasing their resourcefulness and innovation in the field. Additionally, if the script could benefit others, it can be shared with the community.
The main difference between a script and a tool is generally productization. A script typically performs one task or a series of functions linearly. These are often quick-and-dirty solutions to specific internal problems. On the other hand, a tool can solve many problems depending on the command line options the user passes to it.
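To make the script-versus-tool distinction concrete, here is an added example (not code from the article): a small command-line tool whose job is chosen by subcommands rather than hard-wired. The `hash` subcommand prints SHA-256 digests; the `check` subcommand matches files against a list of SHA-256 indicators. The one-digest-per-line IoC file format and the `ioccheck` name are assumptions made for this example.

```python
"""ioccheck: a small command-line tool whose behaviour is selected by subcommands.

Added example, not from the article. The 'check' subcommand compares file hashes
against a newline-separated list of SHA-256 indicators (a constructed file format).
"""
import argparse
import hashlib
import sys
from pathlib import Path


def sha256_of(data):
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def load_ioc_list(text):
    """Parse one hex digest per line; blank lines and '#' comments are ignored."""
    iocs = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            iocs.add(line)
    return iocs


def check_blobs(named_blobs, iocs):
    """Return {name: digest} for every blob whose digest is on the IoC list."""
    hits = {}
    for name, data in named_blobs.items():
        digest = sha256_of(data)
        if digest in iocs:
            hits[name] = digest
    return hits


def check_files(paths, iocs):
    """File-system front end for check_blobs."""
    return check_blobs({str(p): Path(p).read_bytes() for p in paths}, iocs)


def build_parser():
    parser = argparse.ArgumentParser(
        prog="ioccheck",
        description="hash files or match them against an IoC list")
    sub = parser.add_subparsers(dest="command", required=True)

    p_hash = sub.add_parser("hash", help="print the SHA-256 of each file")
    p_hash.add_argument("files", nargs="+")

    p_check = sub.add_parser("check", help="flag files whose SHA-256 appears in the IoC list")
    p_check.add_argument("--iocs", required=True, help="text file with one SHA-256 per line")
    p_check.add_argument("files", nargs="+")
    return parser


def main(argv=None):
    """Entry point; returns the process exit code (1 when any file matched)."""
    args = build_parser().parse_args(argv)
    if args.command == "hash":
        for f in args.files:
            print(f"{sha256_of(Path(f).read_bytes())}  {f}")
        return 0
    iocs = load_ioc_list(Path(args.iocs).read_text())
    hits = check_files(args.files, iocs)
    for name, digest in hits.items():
        print(f"MATCH {digest}  {name}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python ioccheck.py check --iocs iocs.txt /path/to/*.bin`; the non-zero exit code on a match is what lets the tool be chained from other automation. The hashing logic lives in `check_blobs`, separate from file and argument handling, so the same code can be unit-tested without touching the disk.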
Writing custom tools in Python offers several significant benefits. Firstly, you can avoid costly product licenses if you can develop a tool. Another benefit is that custom tools developed in Python may be able to evade signature-based Endpoint Detection and Response (EDR) systems as they are unlikely to be widely known and used.
Joe Helle developed a guide to writing a Python3 Command and Control (C2) server and client. This is a great, practical example of tool development in Python.
If you’re looking for inspiration when it comes to tool development, a large number of open-source Python tools exist in the hacker community. A few examples include sqlmap, Impacket, CrackMapExec, Responder, and Scapy.
Fixing Broken Exploits
After performing reconnaissance, hackers research the enumerated services running in an environment and see if exploits exist. Resources like Exploit Database simplify this process, similar to a web search. Unfortunately, exploits often become outdated and unmaintained over time. This is the end of the road for hackers who don’t know how to read and write code. However, hackers who can program are just getting started.
If you can read and write code, you can troubleshoot, debug, and possibly fix stale exploits. This capability enables you to exploit vulnerabilities that less experienced hackers may overlook. For pentesters, this means delivering higher value to your clients. For bug bounty hunters, it can significantly increase the likelihood of finding an exploit and getting paid.
One caveat applies when the problem lies specifically within the shellcode. Programming in Python and writing shellcode are entirely different skills. But if you can generate, write, or otherwise find working shellcode, Python programming experience will often be enough to leverage that shellcode against a vulnerable service.
Emulating Adversarial Network Traffic
When zero-days drop, one of the first things researchers do is identify indicators of compromise (IOCs). A mature SOC analyst can write detections for an IOC. To ensure the detection works, they must emulate the adversarial network traffic. How do they test this? Often with Python!
Python’s ease of use allows an analyst to prototype a script rapidly. When combined with a granular network library like Scapy, the analyst can create network traffic that looks precisely like adversarial traffic. They can even leverage Scapy to fire this traffic across the wire in real time, an invaluable capability for testing detections.
Practically, an organization will combine this capability with threat modeling using a framework like MITRE ATT&CK. This allows the organization to sharpen its monitoring tools against the tactics, techniques, and procedures (TTPs) of real adversaries that target organizations like theirs.
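The workflow described in this section, as an added example that is not from the article: emulate the adversary’s network behaviour, here a DNS lookup of an indicator domain, then run a detection rule over the resulting bytes to confirm it fires. The IoC domains are constructed for the example and are not real indicators. Plain `struct` is used to build the packet so the example runs without Scapy; the same bytes can be handed to Scapy or a raw socket when you want them on the wire.

```python
"""Emulate an adversary's DNS lookup for an IoC domain and test a detection against it.

Added example, not code from the article. IOC_DOMAINS is a constructed list.
"""
import socket
import struct

IOC_DOMAINS = {"c2-example.invalid", "beacon.example.test"}   # constructed, not real IoCs


def build_dns_query(qname, txid=0x1234):
    """Build a raw DNS query (header + one A question) for qname, as it would cross the wire."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # standard query, RD set, QDCOUNT=1
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)              # root label, QTYPE=A, QCLASS=IN
    return header + question


def send_udp(payload, dst, port=53):
    """Put the emulated query on the wire toward a resolver in your lab (not called here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (dst, port))


def parse_qname(payload):
    """Parse the first question name from a DNS payload; lowercase FQDN, or None if malformed."""
    if len(payload) < 12:
        return None
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount == 0:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None                 # truncated name
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:
            return None                 # compression pointer: never valid in a query we parse here
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    return ".".join(labels).lower()


def detect(payload, iocs=IOC_DOMAINS):
    """Detection rule: return the matching IoC when the queried name is it or a subdomain of it."""
    name = parse_qname(payload)
    if name is None:
        return None
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def emulate_and_test(iocs=IOC_DOMAINS):
    """Generate malicious and benign queries and record what the rule says about each."""
    probes = sorted(iocs) + ["www." + ioc for ioc in sorted(iocs)]
    probes += ["example.com", "notc2-example.invalid"]          # benign, including a near-miss
    return {q: detect(build_dns_query(q), iocs) for q in probes}


if __name__ == "__main__":
    for qname, verdict in emulate_and_test().items():
        print(f"{qname:32} -> {verdict}")
```

The near-miss probe `notc2-example.invalid` is there on purpose: a rule written as a substring match would alert on it, while the suffix check above does not. That kind of false-positive case is exactly what emulation lets you catch before the rule goes into production.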
Extending Existing Projects
The hacker community traditionally values the free flow of information. As a result, many projects are free and open source. This means you can fork the project and extend its functionality. What language are many projects written in? You guessed it: Python.
If you find an existing Python tool that you like but feel is missing a feature, could be improved, or has a broken feature, you can extend it. This is one of the many advantages of knowing how to program in Python. It’s not just about using existing tools but also about contributing to the cybersecurity community by improving and expanding on what’s already available.
There are several methods for extending a project. One is to write an extension for a pluggable project. Pluggable projects are written with extensibility in mind. This means the developers wrote the project as a framework so that the community can add features independently of the core code. You’re already familiar with this concept if you’ve ever modded or played a modded video game.
Sometimes, you might want to extend a project that isn’t pluggable. In Python, this can quickly be done by wrapping a project. This is done by importing the project’s functions or classes and writing code that encapsulates the project’s code. A fantastic example of code wrapping is David Kennedy’s Magic Unicorn. Note that the Magic Unicorn project uses Python to wrap non-Python code. You can do this with Python!
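The two approaches from the last two paragraphs, a plugin hook and a wrapper, as one added example that is not code from the article or from Magic Unicorn. The plugin host is a registry that new features register into; the wrapper runs a non-Python program in a subprocess and turns its output into Python data. The "external tool" is a stand-in: the Python interpreter itself is launched as a separate process so the example runs anywhere, and its `key=value` output format is constructed for the example.

```python
"""Two ways to extend a project without editing it: a plugin hook and a wrapper.

Added example, not code from the article or from Magic Unicorn. STAND_IN_TOOL
is a constructed stand-in for a non-Python binary.
"""
import subprocess
import sys

# ---- 1. A pluggable host: new features register themselves; the host stays unchanged. ----
PLUGINS = {}


def plugin(name):
    """Decorator that registers a callable under a command name."""
    def register(func):
        PLUGINS[name] = func
        return func
    return register


def run_plugin(name, *args):
    """Dispatch to a registered plugin, failing loudly on an unknown name."""
    if name not in PLUGINS:
        raise KeyError(f"no plugin {name!r}; available: {sorted(PLUGINS)}")
    return PLUGINS[name](*args)


# ---- 2. Wrapping: encapsulate a non-Python program behind a Python class. ----
class CommandWrapper:
    """Runs an external command and converts its text output into Python data."""

    def __init__(self, argv_prefix, timeout=30):
        self.argv_prefix = list(argv_prefix)   # an argv list, never a shell string (no shell=True)
        self.timeout = timeout

    def run_raw(self, *extra_args):
        proc = subprocess.run(self.argv_prefix + [str(a) for a in extra_args],
                              capture_output=True, text=True, timeout=self.timeout)
        if proc.returncode != 0:
            raise RuntimeError(f"exit {proc.returncode}: {proc.stderr.strip()}")
        return proc.stdout

    @staticmethod
    def parse_kv(text):
        """Turn 'key=value' lines into a dict; malformed lines are reported, not guessed at."""
        result = {}
        for line in text.splitlines():
            if not line.strip():
                continue
            if "=" not in line:
                raise ValueError(f"unparseable tool output: {line!r}")
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
        return result

    def run(self, *extra_args):
        return self.parse_kv(self.run_raw(*extra_args))


# Constructed stand-in for a non-Python binary: prints key=value lines and echoes its arguments.
STAND_IN_TOOL = [sys.executable, "-c",
                 "import sys; print('status=ok'); print('count=%d' % len(sys.argv[1:])); "
                 "print('args=' + ','.join(sys.argv[1:]))"]

inventory = CommandWrapper(STAND_IN_TOOL)


@plugin("inventory")
def _inventory(*targets):
    """A plugin that is itself just a wrapper call: the host knows nothing about the binary."""
    return inventory.run(*targets)


if __name__ == "__main__":
    print(run_plugin("inventory", "host-a", "host-b"))
```

A real pluggable project would discover plugin modules with `importlib` or `pkgutil` instead of relying on the decorator being imported by hand, but the contract is the same: the host defines the hook, the plugin fills it in. The wrapper deliberately passes an argv list and checks the exit code, so a failing or misbehaving binary surfaces as a Python exception rather than as silently empty data.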
Finally, since Python is an interpreted language, you can modify a project’s code directly. This is generally done by forking a repository on GitHub and editing the code, but you can also clone a repository and modify the code locally. The only drawback to the latter approach is that you cannot create a Pull Request (a request to merge your code with the parent project) or persist your changes in Git.
Exploit Development
Finally, you can use Python to aid in exploit development. Sulley and Boofuzz, two popular fuzzing libraries, are written in Python. The hacker must create a fuzzing grammar to use these tools. A fuzzing grammar is a configuration file instructing the fuzzer on what data to manipulate to force the program into an unexpected state. Since Sulley and Boofuzz are Python projects, Python programmers can easily understand the grammar creation process.
Furthermore, tools like Immunity Debugger and IDA are extensible with Python. In the terms of the Extending Existing Projects section above, these debuggers are pluggable: they have first-party support for community-developed plugins that make reverse engineering and exploit development more approachable.
Once you identify a vulnerability that might be exploitable, you can prototype an exploit using pwntools (a Python library designed for CTFs and exploit development).
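To show what a fuzzing grammar does, here is an added example that is not code from the article and does not use the Sulley or Boofuzz API: a grammar is written as a list of field definitions, a mutator changes one fuzzable field at a time, and the rendered bytes are fed to a toy in-process parser that has a missing bounds check. The grammar, the message format and the `toy_parse` target are all constructed for the example; a hardened version of the parser is included so you can see the fuzzer go quiet once the bug is fixed.

```python
"""A grammar-driven fuzzer in pure Python, run against a toy in-process parser.

Added example, not from the article and not the Boofuzz or Sulley API. The
grammar, message format and target parser are constructed for illustration.
"""
import random

# Constructed grammar: "TC" magic, a version byte, a length-prefixed payload, a trailer byte.
GRAMMAR = [
    {"name": "magic",   "type": "static", "value": b"TC"},
    {"name": "version", "type": "byte",   "value": 1,        "fuzz": True},
    {"name": "payload", "type": "lenstr", "value": b"hello", "fuzz": True},
    {"name": "trailer", "type": "static", "value": b"\xff"},
]


def render(grammar, overrides=None):
    """Serialize the grammar to bytes, applying per-field overrides produced by a mutation."""
    overrides = overrides or {}
    out = bytearray()
    for field in grammar:
        value = overrides.get(field["name"], field["value"])
        if field["type"] == "static":
            out += value
        elif field["type"] == "byte":
            out.append(value & 0xFF)
        elif field["type"] == "lenstr":
            length = overrides.get(field["name"] + ".len", len(value))   # may lie about length
            out.append(length & 0xFF)
            out += value
    return bytes(out)


def mutate(grammar, rng):
    """Pick one fuzzable field and return an override for it."""
    field = rng.choice([f for f in grammar if f.get("fuzz")])
    if field["type"] == "byte":
        return {field["name"]: rng.choice([0, 1, 0x7F, 0x80, 0xFF, rng.randrange(256)])}
    if rng.random() < 0.5:            # lenstr: declare a wrong length ...
        return {field["name"] + ".len": rng.choice([0, 0xFF, rng.randrange(256)])}
    size = rng.choice([0, 1, 64, 255])  # ... or change the actual content size
    return {field["name"]: bytes(rng.randrange(256) for _ in range(size))}


def toy_parse(data):
    """Target under test: rejects bad input with ValueError but has a missing bounds check."""
    if data[:2] != b"TC":
        raise ValueError("bad magic")
    version = data[2]
    if version != 1:
        raise ValueError("unsupported version")
    length = data[3]
    payload = data[4:4 + length]
    trailer = data[4 + length]        # BUG: declared length is never checked against the buffer
    if trailer != 0xFF:
        raise ValueError("bad trailer")
    return {"version": version, "payload": payload}


def toy_parse_fixed(data):
    """Same parser with the bounds check the fuzzer shows is missing."""
    if len(data) < 4 or data[:2] != b"TC" or data[2] != 1:
        raise ValueError("bad header")
    length = data[3]
    if len(data) < 5 + length:
        raise ValueError("truncated: declared length exceeds buffer")
    if data[4 + length] != 0xFF:
        raise ValueError("bad trailer")
    return {"version": 1, "payload": data[4:4 + length]}


EXPECTED = (ValueError,)   # the rejections the parser is designed to produce


def fuzz(target, grammar, iterations=500, seed=0):
    """Run the loop; return one reproducing input per exception type that is not a designed rejection."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        data = render(grammar, mutate(grammar, rng))
        try:
            target(data)
        except EXPECTED:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, data)
    return crashes


if __name__ == "__main__":
    for name, data in fuzz(toy_parse, GRAMMAR).items():
        print(f"{name}: {data!r}")
    print("after fix:", fuzz(toy_parse_fixed, GRAMMAR))
```

The point of the grammar is that the mutator understands the structure: it can lie in the length field while leaving the magic intact, so inputs get past the early checks and reach the code that matters. Random byte flipping would mostly die at `bad magic`. Real fuzzers add instrumentation, crash triage and a network or process harness on top of this loop, but the grammar idea is the same.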
Great! How Can I Learn Python?
The best way to learn Python is by building practical projects. Naturally, you’ll need to learn some fundamentals of programming and the Python language before you’ll be able to tackle some of these tasks. The TCM Academy just launched a FREE Programming 100: Fundamentals course that uses Python as the building block to learn programming. We also have two Python courses: Python 101 for Hackers and Python 201 for Hackers, both by Riley Kidd.
Suppose you fall in love with Python and want to dive deeper into the programming language and software engineering discipline. In that case, I highly recommend Code With Mosh. Mosh Hamedani has authored courses in various programming languages, frameworks, and standard programming tools like Docker and Git.
About the Author: Evan Ottinger
Evan is a cross-discipline software engineer with a strong cybersecurity background. He developed the exam platform for TCM Security. He’s also the co-organizer of the Fredericksburg Hackers Association, a meetup in Fredericksburg, VA that gathers monthly. Outside of work, he likes to read, pick up heavy things, bypass physical security controls, play video games, and spend time with his children.
Evan holds a number of industry certifications, including CISSP, CASP, PNPT, and GXPN. He received a B.S. in Computer Information Systems from Austin Peay State University in Clarksville, TN and is currently in his final term for the M.S. in Information Security Engineering at the SANS Institute.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Contact Us: sales@tcm-sec.com