Hands-On Ethical Hands-On Ethical Hacking and Network Hacking and Network
DefenseDefense
Chapter 7Chapter 7Programming for Security ProfessionalsProgramming for Security Professionals
22
ObjectivesObjectives Explain basic programming conceptsExplain basic programming concepts Write a simple C programWrite a simple C program Explain how Web pages are created Explain how Web pages are created
with HTMLwith HTML Describe and create basic Perl Describe and create basic Perl
programsprograms Explain basic object-oriented Explain basic object-oriented
programming conceptsprogramming concepts
33
Introduction to Computer Introduction to Computer ProgrammingProgramming
Computer programmers must Computer programmers must understand the rules of programming understand the rules of programming languageslanguages Programmers deal with syntax errorsProgrammers deal with syntax errors
One minor mistake and the program One minor mistake and the program will not runwill not run Or worse, it will produce unpredictable Or worse, it will produce unpredictable
resultsresults Being a good programmer takes time Being a good programmer takes time
and patienceand patience
44
Computer Programming Computer Programming FundamentalsFundamentals
Fundamental conceptsFundamental concepts Branching, Looping, and Testing (BLT)Branching, Looping, and Testing (BLT) DocumentationDocumentation
FunctionFunction Mini program within a main program Mini program within a main program
that carries out a taskthat carries out a task
55
Branching, Looping, and Branching, Looping, and Testing (BLT)Testing (BLT)
BranchingBranching Takes you from one area of the program Takes you from one area of the program
to another areato another area LoopingLooping
Act of performing a task over and overAct of performing a task over and over TestingTesting
Verifies some condition and returns true Verifies some condition and returns true or falseor false
66
A C ProgramA C Program
Filename ends in .c It's hard to read at first A single missing semicolon can ruin a
program
77
CommentsComments
Comments make code easier to read
88
Branching and TestingBranching and Testing
main()
printf()scanf()
Diagram of branchesSee links Ch 7b, 7c
99
LoopingLooping
1010
Branching, Looping, and Branching, Looping, and Testing (BLT)Testing (BLT)
AlgorithmAlgorithm Defines steps for performing a taskDefines steps for performing a task Keep it as simple as possibleKeep it as simple as possible
BugBug An error that causes unpredictable resultsAn error that causes unpredictable results
PseudocodePseudocode English-like language used to create the English-like language used to create the
structure of a programstructure of a program
1111
Pseudocode For ShoppingPseudocode For Shopping
PurchaseIngredients Function Call GetCar Function Call DriveToStore Function Purchase Bacon, Bread, Tomatoes,
Lettuce, and Mayonnaise End PurchaseIngredients
Function
1212
DocumentationDocumentation Documenting your work is essentialDocumenting your work is essential
Add comments to your programsAdd comments to your programs Comments should explain what you are Comments should explain what you are
doingdoing Many programmers find it time Many programmers find it time
consuming and tediousconsuming and tedious Helps others understand your workHelps others understand your work
1313
BugsBugs Industry standardIndustry standard
20 to 30 bugs for every 1000 lines of code20 to 30 bugs for every 1000 lines of code(link Ch 7f)(link Ch 7f)
Textbook claims a much smaller number without a sourceTextbook claims a much smaller number without a source
Windows 2000 contains almost 50 million Windows 2000 contains almost 50 million lineslines And fewer than 60,000 bugs (about 1 per 1000 And fewer than 60,000 bugs (about 1 per 1000
lines)lines) See link Ch 7e for comments in the leaked Win See link Ch 7e for comments in the leaked Win
2000 source code2000 source code Linux has 0.17 bugs per 1000 lines of codeLinux has 0.17 bugs per 1000 lines of code
(Link Ch 7f)(Link Ch 7f)
1414
Learning the C LanguageLearning the C Language Developed by Dennis Ritchie at Bell Developed by Dennis Ritchie at Bell
Laboratories in 1972Laboratories in 1972 Powerful and concise languagePowerful and concise language UNIX was first written in assembly UNIX was first written in assembly
language and later rewritten in Clanguage and later rewritten in C C++ is an enhancement of the C C++ is an enhancement of the C
languagelanguage C is powerful but dangerousC is powerful but dangerous
Bugs can crash computers, and it's easy Bugs can crash computers, and it's easy to leave security holes in the codeto leave security holes in the code
1515
Assembly LanguageAssembly Language The binary language hard-wired into the The binary language hard-wired into the
processor is processor is machine languagemachine language Assembly Language uses a combination Assembly Language uses a combination
of hexadecimal numbers and expressionsof hexadecimal numbers and expressions Very powerful but hard to use (Link Ch 7g)Very powerful but hard to use (Link Ch 7g)
1616
Compiling C in Ubuntu Compiling C in Ubuntu LinuxLinux
CompilerCompiler Converts a text-based program (source Converts a text-based program (source
code) into executable or binary codecode) into executable or binary code To prepare Ubuntu Linux for C To prepare Ubuntu Linux for C
programming, use this command:programming, use this command:sudo apt-get install build-essential
Then you compile a file named Then you compile a file named "program.c" with this command:"program.c" with this command:
gcc program.c –o program.exe
1717
Anatomy of a C ProgramAnatomy of a C Program
The first computer program a C The first computer program a C student learns "Hello, World!"student learns "Hello, World!"
1818
CommentsComments
Use /* and */ to comment large Use /* and */ to comment large portions of textportions of text
Use // for one-line commentsUse // for one-line comments
1919
IncludeInclude
#include statement#include statement Loads libraries that hold the commands Loads libraries that hold the commands
and functions used in your programand functions used in your program
2020
FunctionsFunctions
A Function Name is always followed by A Function Name is always followed by parentheses ( )parentheses ( )
Curly Braces { } shows where a Curly Braces { } shows where a function begins and endsfunction begins and ends
main() functionmain() function Every C program requires a main() Every C program requires a main()
functionfunction main() is where processing startsmain() is where processing starts
2121
FunctionsFunctions
Functions can call other functionsFunctions can call other functions Parameters or arguments are optionalParameters or arguments are optional
\n represents a line feed\n represents a line feed
2222
Declaring VariablesDeclaring Variables
A variable represents a numeric or A variable represents a numeric or string valuestring value
You must declare a variable before You must declare a variable before using itusing it
2323
Variable Types in CVariable Types in C
2424
Mathematical OperatorsMathematical Operators
The i++ in the example below adds The i++ in the example below adds one to the variable ione to the variable i
2525
Mathematical OperatorsMathematical Operators
2626
Logical OperatorsLogical Operators
The i<11 in the example below The i<11 in the example below compares the variable i to 11compares the variable i to 11
2727
Logical OperatorsLogical Operators
2828
Demonstration: Buffer Demonstration: Buffer OverflowOverflow
2929
Understanding HTML BasicsUnderstanding HTML Basics
HTML is a language used to create HTML is a language used to create Web pagesWeb pages
HTML files are text filesHTML files are text files Security professionals often need to Security professionals often need to
examine Web pagesexamine Web pages Be able to recognize when something Be able to recognize when something
looks suspiciouslooks suspicious
3030
Creating a Web Page Using Creating a Web Page Using HTMLHTML
Create HTML Web page in NotepadCreate HTML Web page in Notepad View HTML Web page in a Web browserView HTML Web page in a Web browser HTML does not use branching, looping, or HTML does not use branching, looping, or
testingtesting HTML is a static formatting languageHTML is a static formatting language
Rather than a programming languageRather than a programming language < and > symbols denote HTML tags< and > symbols denote HTML tags
Each tag has a matching closing tagEach tag has a matching closing tag <HTML> and </HTML><HTML> and </HTML>
3131
3232
3333
3434
Understanding Practical Understanding Practical Extraction and Report Extraction and Report
Language (Perl)Language (Perl) PERL PERL
Powerful scripting languagePowerful scripting language Used to write scripts and programs for Used to write scripts and programs for
security professionalssecurity professionals
3535
Background on PerlBackground on Perl
Developed by Larry Wall in 1987Developed by Larry Wall in 1987 Can run on almost any platformCan run on almost any platform
*NIX-base OSs already have Perl installed*NIX-base OSs already have Perl installed Perl syntax is similar to CPerl syntax is similar to C Hackers use Perl to write malwareHackers use Perl to write malware Security professionals use Perl to Security professionals use Perl to
perform repetitive tasks and conduct perform repetitive tasks and conduct security monitoringsecurity monitoring
3636
3737
Understanding the Basics of Understanding the Basics of PerlPerl
perl –h command perl –h command Gives you a list of parameters used with Gives you a list of parameters used with
perlperl
3838
3939
Understanding the BLT of Understanding the BLT of PerlPerl
Some syntax rulesSome syntax rules Keyword “sub” is used in front of Keyword “sub” is used in front of
function namesfunction names Variables begin with the $ characterVariables begin with the $ character Comment lines begin with the # Comment lines begin with the #
charactercharacter The & character is used when calling a The & character is used when calling a
functionfunction
4040
Branching in PerlBranching in Perl
&speak;&speak; Calls the subroutineCalls the subroutine
sub speaksub speak Defines the Defines the
subroutinesubroutine
4141
For Loop in PerlFor Loop in Perl
For loopFor loop
4242
Testing Conditions in PerlTesting Conditions in Perl
4343
Understanding Object-Understanding Object-Oriented Programming Oriented Programming
ConceptsConcepts New programming paradigmNew programming paradigm There are several languages that There are several languages that
support object-oriented programmingsupport object-oriented programming C++C++ C#C# JavaJava Perl 6.0Perl 6.0 Object CobolObject Cobol
4444
Components of Object-Components of Object-Oriented ProgrammingOriented Programming
ClassesClasses Structures that hold pieces of data and Structures that hold pieces of data and
functionsfunctions The :: symbolThe :: symbol
Used to separate the name of a class Used to separate the name of a class from a member functionfrom a member function
Example:Example: Employee::GetEmp()Employee::GetEmp()
4545
Example of a Class in C++Example of a Class in C++
class Employeeclass Employee
{{
public:public:char firstname[25];char firstname[25];
char lastname[25];char lastname[25];
char PlaceOfBirth[30];char PlaceOfBirth[30];
[code continues][code continues]
};};
void GetEmp()void GetEmp()
{{// Perform tasks to get employee info// Perform tasks to get employee info
[program code goes here][program code goes here]
}}
4646
Error in textbookError in textbook C example on page 138 should be this insteadC example on page 138 should be this instead