How Learning Code Helps with Penetration Testing

Originally an insight on Wolf and Company website: https://www.wolfandco.com/resources/blog/how-learning-code-helps-penetration-testing/

Written by: Stephen Nelson

Imagine this: You sit at a computer with a nice piping hot cup of coffee (or tea, you pick) and look up at the screen. There you see the latest and greatest tool released on GitHub with hundreds of lines of code and think to yourself, “What will this code do when it’s executed in a client’s environment?” Well, to answer that question, you must first understand what the underlying code does and what programming language it is written in.

By understanding a programming language, someone can work out what a script will do in the environment before executing it. If someone were to execute a program in an environment without prior knowledge of its programming language, that person might unknowingly be running malicious software (malware) or any type of ransomware.

Understanding code helps to automate otherwise time-consuming menial tasks. Tim Ferriss, a noteworthy American entrepreneur, coined the phrase, “Never automate something that can be eliminated, and never delegate something that can be automated or streamlined. Otherwise, you waste someone else’s time instead of your own, which now wastes your hard-earned cash. How’s that for incentive to be effective and efficient?” With this phrase in mind, what simple tasks can you automate by learning how to code? You can:

  • Pull specific live traffic from any website if an application programming interface (API) is associated with it.

  • Automate sending personalized emails to many people.

  • Clean your computer of very large and unnecessary files.

  • Throw a party with your Hue lights at the end of the workday to celebrate.

  • Obtain internal server logs and email them to the IT (Information Technology) team.

  • Pull a specific tweet or post from Twitter or Facebook of your favorite celebrity.

  • Use an automated service such as Zapier or IFTTT (if this then that).

  • Create a bot that automates sending GitHub links to an online repository (more on that in the future).

Automating anything is great and makes our lives easier. Learning code also helps with our work as cybersecurity specialists. We look to code to help automate certain tasks such as:

  • Updating our operating system to the latest and greatest version.

  • Finding information on organizations through open-source intelligence (OSINT) techniques.

  • Using code to build our infrastructure setups.

  • Previewing web pages of IP (Internet Protocol) addresses that were given to us.

Learning code also helps us better understand what tools we will use in a client’s environment and how to best execute code in the production environment. In hacker lingo, we call people that execute lines of code without reading through the source code script kiddies. According to techtarget.com, script kiddies “aren’t interested in learning and understanding the exploits they use, instead using what is easy to find and available.” Many people in our industry go through the motions of cloning a GitHub repository and executing the software in a client’s environment without knowing the repercussions of the software itself or diving into what each function call means. To be a true ethical hacker, we must know what the underlying code does and how it will affect the current environment where it’s being executed. To ensure that nothing nefarious is brought to a client’s environment, one must do the following:

  • Test the current tools on a local network environment, preferably one that is air-gapped (isolated from the production network, for example in a virtual network)

  • If an air-gapped environment is not available, use an online network or sandboxed environment such as hybrid-analysis.com

  • Ask the vendor before performing any penetration test on the environment: confirm what tools the testers use and how they would affect the production environment

  • During an exit or status meeting, ensure that the client understands what the tool does and how it works in the environment

  • See what the current tool uses for credentials – if a tool requires domain administrator credentials, look at the minimum requirements and apply those
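The checklist above starts with reading a tool before running it. As an added example (not code from the original post), the script below does a first-pass static triage of a Python tool: it lists which risky modules it imports, where it executes dynamically built code, and which string literals hint at credential or privilege requirements, so the reviewer knows what to look at before the tool ever touches a client network. The indicator lists and the sample tool text are constructed for this example.

```python
import ast
from collections import defaultdict

# Indicator lists are this example's own choice, not a standard catalogue.
RISKY_MODULES = {
    "subprocess": "spawns processes", "os": "filesystem/process access",
    "socket": "raw network access", "requests": "outbound HTTP",
    "urllib": "outbound HTTP", "ctypes": "native code / OS API",
    "base64": "possible obfuscated payload", "shutil": "file copy/delete",
}
RISKY_CALLS = {"exec", "eval", "compile", "__import__"}
CREDENTIAL_HINTS = ("password", "domain admin", "administrator")

def triage_source(src: str) -> dict:
    """Statically report risky imports, dynamic code execution and credential prompts."""
    tree = ast.parse(src)
    findings = defaultdict(list)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            root = name.split(".")[0]          # "urllib.request" -> "urllib"
            if root in RISKY_MODULES:
                findings["modules"].append((node.lineno, root, RISKY_MODULES[root]))
        # exec()/eval() on data built at runtime is the classic way to hide a payload
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id in RISKY_CALLS:
            findings["dynamic_code"].append((node.lineno, node.func.id))
        # string literals that suggest the tool asks for high-privilege credentials
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and any(k in node.value.lower() for k in CREDENTIAL_HINTS):
            findings["credentials"].append((node.lineno, node.value))
    return dict(findings)

# Constructed sample of a cloned tool; it is only parsed here, never executed.
SAMPLE_TOOL = '''
import subprocess, base64
import requests
pw = input("Domain Admin password: ")
blob = base64.b64decode("cHJpbnQoJ2hpJyk=")
exec(blob)
subprocess.run(["whoami"])
'''

if __name__ == "__main__":
    for category, hits in triage_source(SAMPLE_TOOL).items():
        print(category)
        for hit in hits:
            print("  line %d: %s" % (hit[0], ", ".join(str(x) for x in hit[1:])))
```

A clean report is not proof of safety (obfuscation and native binaries evade this kind of scan), but it tells you which lines deserve a human read before the tool runs anywhere but the lab.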

In conclusion, not only do we benefit from learning code and programming languages, but we also see other people benefit from learning. Life becomes easier and more fulfilling when we apply automation. In fact, learning code helps us to better understand the tools that we are using and why they do the things they do, and we become more confident in the tools we use to enable a safer environment for our clients. Next time you are caught saying to yourself, “I need to do this, but I really just don’t want to,” ask yourself, “can this task be automated?” If it involves technology, it can always be automated. The best way to get started with learning a programming language is to take a free course online, which can be as easy as checking YouTube. There are many YouTube videos that someone can look at right now to learn code and automation by searching “free [insert programming language here] course.”
