Penetration Testing mailing list archives
Re: Good advice: Learn Assembly
From: Omar Herrera <oherrera () prodigy net mx>
Date: Sat, 16 Aug 2008 22:49:08 -0500
Learning assembly language won't hurt, but also think about the trends and where you want to focus. If you want to target O.S. vulnerabilities or use custom made, trojan style, POCs that's fine. PC Assembly Language book by Paul Carter is an excellent and free tutorial (http://www.drpaulcarter.com/pcasm/) and supports several platforms. If you want to focus on Linux/Unix I would recommend searching for an ATT syntax tutorial as well and not only staying with Intel based syntax (believe me, it will make your life easier).

You would rarely use a debugger or disassembler in a pentester engagement; it is more likely for vulnerability researching or reverse engineering, but be careful with what you want, if you try to be an expert on everything you won't be proficient on anything.

Now, back to the trends issue. How many engagements have you been into lately that required this level of specialization? Don't forget this is a market and market changes as well. Most pentesters will follow the trends and focus more of their time and resources with things like Web pentesting. Personally I wouldn't spend more time on assembly, shell coding and the like these days than on Web applications and languages (also something about virtualization environments and mobile devices is getting more important; social engineering is also something that will always be there).

With that in mind, learning some scripting languages like Perl for web pentesting might be more rewarding if you consider the cost-benefit balance.

Just my opinion.

Cheers,
Omar Herrera

Jim Kelly wrote:
I have a personal goal of learning how to find vulnerabilities with fuzzers and code POCs (preferably in Python). Now I've gotten the traditional advice of "learn assembly" from a couple of folks. I wonder if that is necessary these days.

I always thought one needed to learn assembly to code shell code. With the capabilities of Metasploit, I wonder if this is still true? Do you need to know assembly coding to decipher the output of disassemblers like IDA Pro or debuggers like Olly?

Setting aside the logistical problems of finding a local college that still teaches assembly....am I overlooking something here?

All comments welcome.

Jim

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
Current thread:
- Good advice: Learn Assembly Jim Kelly (Aug 16)
- Re: Good advice: Learn Assembly Jan Muenther (Aug 16)
- Re: Good advice: Learn Assembly Joel Jose (Aug 16)
- Re: Good advice: Learn Assembly Micheal Cottingham (Aug 16)
- Re: Good advice: Learn Assembly Omar Herrera (Aug 16)
- Re: Good advice: Learn Assembly Colin Copley (Aug 17)
- Re: Good advice: Learn Assembly Sanjay R (Aug 17)
- RE: Good advice: Learn Assembly John Vill (Aug 19)