Penetration Testing mailing list archives

Re: Good advice: Learn Assembly


From: Omar Herrera <oherrera () prodigy net mx>
Date: Sat, 16 Aug 2008 22:49:08 -0500

Learning assembly language won't hurt, but also think about the trends
and where you want to focus. If you want to target O.S. vulnerabilities
or use custom-made, trojan-style POCs, that's fine. The PC Assembly Language
book by Paul Carter is an excellent and free tutorial
(http://www.drpaulcarter.com/pcasm/) and supports several platforms. If
you want to focus on Linux/Unix, I would recommend searching for an AT&T
syntax tutorial as well and not only staying with Intel-based syntax
(believe me, it will make your life easier). You would rarely use a
debugger or disassembler in a pentest engagement; it is more likely
for vulnerability research or reverse engineering, but be careful
with what you want: if you try to be an expert on everything, you won't
be proficient in anything.

Now, back to the trends issue. How many engagements have you been in
lately that required this level of specialization? Don't forget this is
a market, and the market changes as well. Most pentesters will follow the
trends and focus more of their time and resources on things like Web
pentesting. Personally, I wouldn't spend more time on assembly, shell
coding and the like these days than on Web applications and languages
(also, something about virtualization environments and mobile devices is
getting more important; social engineering is also something that will
always be there). With that in mind, learning some scripting languages
like Perl for web pentesting might be more rewarding if you consider the
cost-benefit balance.

Just my opinion.

Cheers,

Omar Herrera

Jim Kelly wrote:
I have a personal goal of learning how to find vulnerabilities with
fuzzers and code POCs (preferably in Python).

Now I've gotten the traditional advice of "learn assembly" from a
couple of folks. I wonder if that is necessary these days.
I always thought one needed to learn assembly to code shellcode.
With the capabilities of Metasploit, I wonder if this is still true?
Do you need to know assembly coding to decipher the output of
disassemblers like IDA Pro or debuggers like Olly?

Setting aside the logistical problems of finding a local college that
still teaches assembly... am I overlooking something here?

All comments welcome.

Jim

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
