
LTR101: Programming Fundamentals

In security it can be very useful to understand programming. Whilst you might not be able to code straight away, it is very useful to understand the core fundamentals.

Throughout my blog, I am hoping to give you the basics to prepare you to start your journey in learning the different paths of security & hacking.

This section will cover off logic, programming basics, the differences between language types and some tips on starting points in coding.

To start with I'm going to explain basic logic through the use of truth tables. Some of you may not know the first thing about logic and may never have heard of a truth table; do not worry, it will all be clear soon.

Logic

Logic is the understanding of whether something is true or false, how it works and why it's correct or incorrect. Outside of programming one will deal with logic on a daily basis, sometimes without even realising.

A truth table is a mathematical table used in logic. It is built on the idea of one (1) being true and zero (0) being false, which is also known as on and off.

Very basic logic has three main logic gates: and, or, not. Each serves as an operator in a logic statement. The three sections below explain what each does and how it works.

And

At a very basic level the and logic operator takes one value AND another to give a third. There are four possible outcomes with this, which are explained below:

Essentially both values need to be True for the end result to be True. This is useful in programming if a statement or function is being made where two arguments need to be present before continuing. Think, for example, of a program that prints out someone's name and age. Both inputs are required in order to print out the result. The following example pseudo code shows this in the form of an if/else statement.

If name & age are true:
    print "My name is " + $NAME + " and I am " + $AGE + " years old..."
else:
    print "Error, name AND age values required"

If you don't follow, essentially it is saying: if value x & value y are present, like the bottom line of the truth table above, then print out the statement "My name is Bob and I am 18 years old..." where $NAME is Bob and $AGE is 18. Otherwise print the statement "Error, name AND age values required" to the screen.

Or

Similar to the and operator, OR also requires a minimum of two inputs for it to produce an output. The difference with OR is that it does not require both values to be true for the end result to be true. The following table demonstrates this point:

As can be clearly seen, as long as there is a True value (1) in the equation the resulting output will be true. Only when both values are false will the end result be false.

Not

The not operator works in a different way to AND and OR, as it only has two possible outcomes: 1 & 0, or true & false. Essentially, if one value is presented as an input, the output will be the inverse of it.

Logic operators are used a lot in different programming languages. The main example of this in security relates to web applications and database queries such as SQL (Structured Query Language).

An example query might look similar to:

SELECT * FROM Users WHERE FirstName = 'Bob' AND LastName = 'Smith';

Here the query is selecting all users with the first and last name matching Bob Smith, which demonstrates the use of the AND logic operator in a query language such as SQL.
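The Bob Smith query run against a small in-memory SQLite database, as an added example that is not part of the original post. The rows are constructed sample data and the helper names are made up for illustration. It goes a little beyond the text by also running OR and NOT, and it passes the names as bound parameters instead of pasting them into the query string.

```python
import sqlite3

# Constructed sample data, not from the original post.
ROWS = [
    (1, "Bob", "Smith"),
    (2, "Bob", "Jones"),
    (3, "Alice", "Smith"),
    (4, "Carol", "White"),
]

# One WHERE clause per logic operator; "?" marks a bound parameter.
CLAUSES = {
    "AND": "FirstName = ? AND LastName = ?",
    "OR": "FirstName = ? OR LastName = ?",
    "NOT": "NOT (FirstName = ? OR LastName = ?)",
}


def make_db():
    """Create an in-memory Users table holding the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Id INTEGER, FirstName TEXT, LastName TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?)", ROWS)
    return db


def find_users(db, operator, first, last):
    """Return the Ids of rows whose WHERE clause evaluates to true."""
    sql = "SELECT Id FROM Users WHERE " + CLAUSES[operator] + " ORDER BY Id"
    return [row[0] for row in db.execute(sql, (first, last))]


def python_filter(operator, first, last):
    """Apply the same truth table row by row with Python's own operators."""
    checks = {
        "AND": lambda f, l: f == first and l == last,
        "OR": lambda f, l: f == first or l == last,
        "NOT": lambda f, l: not (f == first or l == last),
    }
    return [i for i, f, l in ROWS if checks[operator](f, l)]


if __name__ == "__main__":
    db = make_db()
    for op in CLAUSES:
        print(op, find_users(db, op, "Bob", "Smith"), python_filter(op, "Bob", "Smith"))
```

AND returns only the one row where both names match, OR returns every row where either matches, and NOT returns what is left over.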

And, Or & Not are the main basic logic operators, however there are a few others. Feel free to check these out: AND, OR, XOR, NOT, NAND, NOR and XNOR.
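The truth tables for all of these gates can be generated instead of memorised. This is an added example, not code from the original post: it builds NAND, NOR, XOR and XNOR out of nothing but the three basic operators covered above, and the function names are made up for illustration.

```python
from itertools import product


# The three basic gates, working on 1 (true) and 0 (false).
def gate_and(a, b):
    return int(a and b)


def gate_or(a, b):
    return int(a or b)


def gate_not(a):
    return int(not a)


# The remaining gates, written only in terms of the three above.
def gate_nand(a, b):
    return gate_not(gate_and(a, b))


def gate_nor(a, b):
    return gate_not(gate_or(a, b))


def gate_xor(a, b):
    # True when at least one input is true but not both.
    return gate_and(gate_or(a, b), gate_nand(a, b))


def gate_xnor(a, b):
    return gate_not(gate_xor(a, b))


TWO_INPUT = {"AND": gate_and, "OR": gate_or, "XOR": gate_xor,
             "NAND": gate_nand, "NOR": gate_nor, "XNOR": gate_xnor}


def truth_table(name):
    """Return rows (a, b, output) for a gate, 0/0 first and 1/1 last."""
    gate = TWO_INPUT[name]
    return [(a, b, gate(a, b)) for a, b in product((0, 1), repeat=2)]


if __name__ == "__main__":
    print("A | NOT")
    for a in (0, 1):
        print("%d | %d" % (a, gate_not(a)))
    for name in TWO_INPUT:
        print("\nA B | " + name)
        for row in truth_table(name):
            print("%d %d | %d" % row)
```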

The Basics - Functions, Variables, Learning

Alongside logic, the other aspects used a lot in programming are functions & variables. Almost all languages, both compiled and scripting, use functions and variables to do something or another.

Variables

What is a variable really? A variable is a value within a program that can change, depending on conditions or on information passed to the program. A variable usually holds information that is used later in the program or referred to for other actions.

Usually, a program or application consists of a list of instructions that tell the computer what to do and data that the application uses when it is running. The data consists of constants or fixed values that never change and variable values (which are usually initialized to "0" or another default value because the actual values will be supplied by a program's user).

Typically, both constants and variables are defined as certain data types. Each data type limits the form of the data. Examples of data types include an integer expressed as a decimal number, or a string of characters, usually limited in length. There are many different data types across all of the languages available, however as a standard strings and integers are typically available at the very least.

Functions

A function is a piece of code, usually one which utilises various services or actions, that can be used over and over again by calling it. An example of this might be if I set a function named pow() and each time pow is run it prints out the letters x,y & z. This might look like something similar to the function below:

# Define a function named pow
function pow()
{
    echo "x,y & z"
}

# Call the function
pow

The code above sets up the function pow() and whenever pow is referenced after that function, the application prints out "x,y & z" to the terminal.

In many programming languages there is access to a compiler which contains a set of pre-made functions that a programmer can specify by writing language statements. These provided functions are sometimes referred to as library routines. Some functions are self-sufficient and can return results to the requesting program without help. Other functions need to make requests of the operating system in order to perform their work. Essentially functions are very important when writing code as they save you time.

Language Types

When dealing in security you're most likely to come across two different types of programming language: compiled & scripting. There are many other types to check out too; if you're interested, Wikipedia has a list that covers a large majority.

The following subheadings summarise the different languages you can learn in each category, however if you want a more inclusive list of learning resources check out programming motherfucker... do you speak it?.

Scripting

The main scripting languages & environments that you will come up against first hand are likely to be PowerShell or bash, depending on what operating system you use as a base. Both have already been discussed in Chapter 3: Operating Systems. However, if you'd like to learn more about either, check out the links: bash or PowerShell.

Other than the two pre-built into the OS, there are many other languages that are classed as scripting. The three most common that I've seen in hacking/InfoSec tend to be Python, Ruby & Perl. All of them have different purposes and have different tools written in them.

Some tools you might have heard of that have been written in one of the three are as follows: Perl - Nikto, Python - SQLMap, Ruby - Metasploit.

Specifically, when breaking into the field I'd recommend looking into learning Python, as it is a very useful language to not only be able to write in but to also be able to read. In order to pick it up and learn I'd suggest Learn Python the Hard Way; this will give you a solid basic understanding.

However, if books aren't your thing you should also check out Python on Codecademy, which will take you through interactive exercises to test your ability to learn. Once you have the basics nailed down I'd highly suggest checking out Violent Python & Black Hat Python, both of which give Python a backing in the security field with different things to try out and build.

If all else fails, try picking a project to better understand the language; it doesn't need to be security related! The first project I created in Python was an app to calculate whether getting a cinema pass for the month was worth it for you or not. It would take an input of the films you want to see, then work out if it was better value for money to get the pass or just to pay per time.

I put a poll out on Twitter to find out what people felt was the most difficult aspect of programming and the result that came out on top was lack of ideas. As an answer to that, try having a look at netsec & hacking on reddit and try to create or recreate some of the tools published on there to allow you to better understand creation of things.

Compiled

Another type of language you're likely to come across is a compiled one. The most common example of this is C and the different flavours of C (C/C++/C#). A lot of exploits & tools are written in C as it's a fast programming language; it also has many built-in features allowing for usage of loads of functions.

The main difference between a scripting language and a compiled one is that a scripting language can be written in any text editor and is interpreted, whereas a compiled language requires the use of a compiler to run in a compiled state. A few examples of scripting vs compiled languages are shown in the list below:

Scripting Languages

  • Python
  • Ruby
  • Perl
  • Lua
  • JavaScript

Compiled Languages

  • C
  • C++
  • C#
  • D
  • Java
  • .Net

Starting out, if you've already tried out Python and are hungry to learn more, I'd suggest having a look at C. It isn't my strongest language but I can read it and modify where needed.

As a minimum being able to read programming is a must when it comes to hacking. Often exploits and tools will be written in different languages and may need tweaking before they will work - having the ability to spot where things need changed or being able to google the correct questions will stand you in good stead.

As far as learning is concerned, much like Python, C also has many learning resources. The link above (programming-motherfucker) gives many routes to the same end goal, however I've found Learn C the Hard Way to be a good resource.

Other than this you can try jumping in at the deep end and going for a project. If you've learned the basics with Python you'll find C slightly easier to learn in comparison to other compiled languages.