2

I'm confused by some terminology - reverse engineering seems to me to be pretty similar to exploit researching. I mean if you can reverse one program probably you will be able to find a vulnerability, but for this you need to be good with C and Assembly.

A lot of people tell me that a pen tester should master python and other scripting language not C and Assembly. This is really confusing so my question is:

Is exploit researching part of pentesting?

Ali Ahmad
  • 4,814
  • 8
  • 35
  • 61
None
  • 21
  • 1
  • 2
  • Do you plan to pen-test binaries (native applications, operating system modules, device drivers, media codecs), and/or distributed applications like web applications? – Mike Samuel Jan 03 '14 at 22:44
  • Well, that depends on your definition of “reverse engineering”, “exploit researching”, and “penetration testing”. – Gumbo Jan 04 '14 at 12:52
  • I think this is mainly defined by the scope of the pentest. – Falcon Momot Jan 05 '14 at 11:08

2 Answers2

13

Short:

Is exploit researching different from penetration testing? Yes.

Is exploit researching part of pentesting? Usually not.


Good summary of what penetration testing is is here: Wikipedia definition of penetration testing.

Simple penetration testing

A lot of penetration testing work is actually just running pre-existing, well-known attacks or exploits. (Like e.g. run MetaSploit.) This work is based on some modeling of where the relevant problems may lie. But does not actually involve exploit researching or reverse engineering.

Going deeper

However, going deeper to penetration testing, it is not sufficient to use tools which are completely off-the-shelf. On this stage, people:

  • Consider the target system (its operations, and its possible weaknesses) in detail
  • Create attacks based on the target system

The analysis of target system is usually on level of examining its high-level design, components (like web servers, frameworks, communication protocols etc.). This analysis can of course go as deep as reverse engineering or source code review, but often already higher level details are good enough to sufficiently nail it down how to attack against the system.

More elaborate description of usual stages relevant for penetration testing can be found in this previous answer What is the difference between a penetration test and a vulnerability assessment?

Why not reverse engineering or exploit researching

The reason reverse engineering and exploit researching is rarely important part of pentesting is that pentesting is being made for the owner of the system. Therefore, the attacker is already given much better tools than exploit researchers typically have: the system is usually revealed to them in detail to allow them to do their work efficiently. (In other words, they are allowed to short-circuit much of exploit research.)

Python and scripting

The reason scripting is important in penetration testing is that penetration testing usually involves large numbers of very similar test cases. To make those small variations efficiently, scripting is typically used.

For example, Metasploit which is common tool to use on this field can be scripted using python.

In addition to python, some other scripting languages, like Ruby and perl are used.


I mean if you can reverse one program probably you will be able to find a vulnerability, but for this you need to be good with C and Assembly.

In case of well written software I would disagree. Even if you have access to original source code of the software, typically it is hard to find vulnerabilities.

If you have only access to the binary, it is even harder, as you effectively need to decompile the software, and lot of knowledge has disappeared and the code is no longer in easy to read format. Modern software is large enough that it is very hard to concentrate on important parts of the binary and dig essential vulnerabilities from it.

user4982
  • 682
  • 3
  • 5
  • **Metasploit** (lowercase 's') is actually written in **Ruby**, not Python (first version [was using Perl](http://blgtechn.blogspot.be/2012/08/metasploit.html)). – Igor Skochinsky Jan 08 '14 at 14:29
2

Building on user4982's great answer, I would also add that reverse engineering and exploit research are two somewhat distinct activities as well. The reverse engineer seeks to understand a product by studying its base components, possibly to interface with an existing product, but maybe sometimes just to clone it. And depending on motives, the exploit researcher may seek to break a product without the intent of fixing or changing anything.

The exploit researcher may use reverse engineering as one of many tools to pry a vulnerability out of a package, but he or she will have others: fuzz testing and injection exploit tools spring immediately to mind. And a reverse engineer may be looking to protect or strengthen a vulnerable product, with the intent of protecting themselves from its inherent vulnerabilities, so he may use the same fuzzing tools and injection tools to find places to patch. They're two different sides of the same coin.

John Deters
  • 33,897
  • 3
  • 58
  • 112