[RFC] Hacking the InfoSec Track

C has an ability to address bits, bytes and memory structures in a predictable bare metal format not shared by any of the other higher languages. That makes it the generally preferred language for IO of all sorts, but especially accessing data off the network to modify it in ways not intended by the protocols.

C, C++, or Python?

All of them. When one learns C++ they in a way learn C. Python goes one step above C++ in that it has modules like scapy, scrappy, tensorflow, and ansible which makes writing tools, building botnets, and working with large scale datasets a easy task. Python itself even uses C to go faster

But, again core fundamentals are needed. C is what the kernel is written in and therefore has access to bare metal, with a bit of understanding on x86 assembly then reverse engineering malware becomes a fun task. Plus operating at this level one’s able to grok what’s going on at near kernel space instead of python’s user space.

For example; if one was trying to write shellcode they would need to know assembly and C/C++ to find the security vulnerability, then use python as the code for the exploit, C to create the exploit[1], and finally word to write up the CVE Report.

Another example and more real world than anything is doing post processing of malware captured by a honeynet. One absolutely needs to understand C to discover the internals of the malware and be able to shut down the botnet that is attacking the network under one’s watch.

[1]: debasish dot in /2012/04/execute-shellcode-using-python.html

I had taught myself C as a programming language in college. Is there any specific area of C you want us to get expertise?

But the order of those bytes does depend the system… Little-endian vs Big-endian

C is closer to the actual machine codes compared to python. But it depends on which type of hacking you are doing. If you are just doing security research for sql injection, python is far easier. If you are doing any sort of buffer overflows with compiled code, you will need to know the assembly language of the system you are testing. Many things that are compiled are written in C, so you will be looking at complied C code in assembly from the perspective of the system. So, knowing C will help you.

Could someone take a Prep class in DMS, for someone who is exploring Cyber Security. Topics like vulnerabilities, back doors, brute force testing, Dark web etc…This will be a good start…
Or provide some website url which has this all…

I think we are working toward having classes on things like that. One of the fun ways is to learn CTF or Capture the Flag. It is a way to polish your skills and learn new ones. Basically, you are given a puzzle to find a text flag. Depending on the challenge it could be embedded in text or it could be a file on the system that you have to find a way into to find or any number of places depending on the challenge

Here is a simple one that anyone can do:

the flag is somewhere here,
will you be able to find it?

it seems like the flag is invisible,
if you look Carefully, you will find it!

you could try looking at the Letters,
Or you can just try with any word

but i reCommend you the first hint,
already all said,

good lucK!

You can find many events online and we are planning to host several as well.
check out https://ctflearn.com/

1 Like

Here is another site

1 Like

That’s a fairly ok site but can be seen as not infosec approved, even if half of their team would bookmark it.

Is there any sites that you can post that detail why injection works and how to fix it?

1 Like

How Injections work

How to fix them

But seriously, I would love to have a good reference site as well.

How about the original DEFCON track that brought the concept to life?

Defcon 15 - T202

You might take a link at the Cybrary Penetration Testing intro for a well rounded intro with Linux command line, scripting, vulnerabilities. Advanced Penetration Testing Course & Pen Testing Training - Cybrary

1 Like

Does anyone know courses from RCHS. I saw someone talking about it in a Q&A forum. They don’t have a website and you have to send a email to enrol. I did email them and they asked me to add a id to hangout to process/interview. Any idea?

It took me only five minutes to track down the guy behind that group and what their about.

I’d say go ask they guys at the next 2600, binrev, DHA meeting or poke around some other forum that is their sort of thing. Talk and Dallas Makerspace does not support nor advocate groups associated with credit card theft.

The talks and discussions about cyber security is purely for educational purposes with an emphasis on ethical computing and entry into a legitimate information security role. Any of those that discuss these topics follow the Hacker’s Ethic which in of itself parallels the maker ethic of be excellent to all.