Reprogrammed

It's All Code

It’s all code at the end of the day. That’s the realization I’ve come to lately.

When I began my journey in offensive security, I was sure I wanted to get into red teaming. Staying under the radar, evading defenses, being as quiet as a mouse while navigating through someone else’s network sounded like the coolest thing ever. Binary exploitation, code review, web application pentesting, and the like held no interest for me; if it involved a degree of coding, it just didn’t appeal to me. Ironic, because my first foray into the tech world, my first love, was software development.

So, I began learning everything I needed to know. I went through eLearnSecurity’s Penetration Tester Xtreme (PTX) course and was quickly overwhelmed. I loved every slide and every video, but it was clear there were going to be a lot of late nights doing more research.

At this point, I began diving deeper into custom malware development, eventually going through a couple of Sektor7’s courses. Understanding how to circumvent endpoint protection also meant understanding how these defenses worked. It also meant relearning how to code.

14-year-old me was heavily into web development (mainly because I had a very old and underpowered Dell Inspiron laptop that originally shipped with Windows Vista), but throughout this journey I have become familiar with C/C++, Python, Nim, Go, C#, and even assembly, at least to some degree. I think I was a much more capable developer at 14, but now I can at least apply concepts across languages and am aware of data structures and algorithms.

This was the beginning of my realization. Custom malware development, a core component of both network pentesting and red teaming, requires some familiarity with coding. More recently, I went through eLearnSecurity’s Web Application Penetration Tester course. While I still don’t love web app pentesting, I recognize just how important it is in today’s environment, and just how lacking my skills with it are.

So, in an effort to improve, I did my homework. I dove into modern web app development. This meant learning a little more about Node.js (and the other thousand and one JavaScript frameworks), as well as Python’s Flask and Django. Side note: funny enough, I think I still enjoy developing applications, just not testing their security. Or maybe it’s reading other people’s code I’m (still) not fond of.

In any case, web app pentesting requires familiarity with code. This one should hopefully be obvious, but it’s the same case across the board. Mobile application pentesting? Code. You’re going to be doing a lot of reverse engineering, code review, and crafting exploits.

On an internal assessment and the EDR is catching every payload you drop, with AMSI scanning your scripts and ETW feeding it telemetry? Code. You’re probably going with custom solutions. Binary exploitation? Code. If you’re lucky, the executable is written in Java or C#, which decompile back to readable source. Otherwise, I hope you know assembly. Code review? Code. Do I even need to explain this one?

While we, as pentesters, may not need to get crazy deep into development, coding is a necessary part of our job. It is not enough to know what scripts we need to run and when to run them. We also need to be capable of customizing existing tools and at times creating our own. It’s all code, and there’s no escaping it. Embrace it. You’ll end up a better pentester for it.