Hands-On Ethical Hands-On Ethical Hacking and Network Hacking and Network

DefenseDefense

Chapter 7Chapter 7Programming for Security ProfessionalsProgramming for Security Professionals

22

ObjectivesObjectives Explain basic programming conceptsExplain basic programming concepts Write a simple C programWrite a simple C program Explain how Web pages are created Explain how Web pages are created

with HTMLwith HTML Describe and create basic Perl Describe and create basic Perl

programsprograms Explain basic object-oriented Explain basic object-oriented

programming conceptsprogramming concepts

33

Introduction to Computer Introduction to Computer ProgrammingProgramming

Computer programmers must Computer programmers must understand the rules of programming understand the rules of programming languageslanguages Programmers deal with syntax errorsProgrammers deal with syntax errors

One minor mistake and the program One minor mistake and the program will not runwill not run Or worse, it will produce unpredictable Or worse, it will produce unpredictable

resultsresults Being a good programmer takes time Being a good programmer takes time

and patienceand patience

44

Computer Programming Computer Programming FundamentalsFundamentals

Fundamental conceptsFundamental concepts Branching, Looping, and Testing (BLT)Branching, Looping, and Testing (BLT) DocumentationDocumentation

FunctionFunction Mini program within a main program Mini program within a main program

that carries out a taskthat carries out a task

55

Branching, Looping, and Branching, Looping, and Testing (BLT)Testing (BLT)

BranchingBranching Takes you from one area of the program Takes you from one area of the program

to another areato another area LoopingLooping

Act of performing a task over and overAct of performing a task over and over TestingTesting

Verifies some condition and returns true Verifies some condition and returns true or falseor false

66

A C ProgramA C Program

Filename ends in .c It's hard to read at first A single missing semicolon can ruin a

program

77

CommentsComments

Comments make code easier to read

88

Branching and TestingBranching and Testing

main()

printf()scanf()

Diagram of branchesSee links Ch 7b, 7c

99

LoopingLooping

1010

Branching, Looping, and Branching, Looping, and Testing (BLT)Testing (BLT)

AlgorithmAlgorithm Defines steps for performing a taskDefines steps for performing a task Keep it as simple as possibleKeep it as simple as possible

BugBug An error that causes unpredictable resultsAn error that causes unpredictable results

PseudocodePseudocode English-like language used to create the English-like language used to create the

structure of a programstructure of a program

1111

Pseudocode For ShoppingPseudocode For Shopping

PurchaseIngredients Function Call GetCar Function Call DriveToStore Function Purchase Bacon, Bread, Tomatoes,

Lettuce, and Mayonnaise End PurchaseIngredients

Function

1212

DocumentationDocumentation Documenting your work is essentialDocumenting your work is essential

Add comments to your programsAdd comments to your programs Comments should explain what you are Comments should explain what you are

doingdoing Many programmers find it time Many programmers find it time

consuming and tediousconsuming and tedious Helps others understand your workHelps others understand your work

1313

BugsBugs Industry standardIndustry standard

20 to 30 bugs for every 1000 lines of code20 to 30 bugs for every 1000 lines of code(link Ch 7f)(link Ch 7f)

Textbook claims a much smaller number without a sourceTextbook claims a much smaller number without a source

Windows 2000 contains almost 50 million Windows 2000 contains almost 50 million lineslines And fewer than 60,000 bugs (about 1 per 1000 And fewer than 60,000 bugs (about 1 per 1000

lines)lines) See link Ch 7e for comments in the leaked Win See link Ch 7e for comments in the leaked Win

2000 source code2000 source code Linux has 0.17 bugs per 1000 lines of codeLinux has 0.17 bugs per 1000 lines of code

(Link Ch 7f)(Link Ch 7f)

1414

Learning the C LanguageLearning the C Language Developed by Dennis Ritchie at Bell Developed by Dennis Ritchie at Bell

Laboratories in 1972Laboratories in 1972 Powerful and concise languagePowerful and concise language UNIX was first written in assembly UNIX was first written in assembly

language and later rewritten in Clanguage and later rewritten in C C++ is an enhancement of the C C++ is an enhancement of the C

languagelanguage C is powerful but dangerousC is powerful but dangerous

Bugs can crash computers, and it's easy Bugs can crash computers, and it's easy to leave security holes in the codeto leave security holes in the code

1515

Assembly LanguageAssembly Language The binary language hard-wired into the The binary language hard-wired into the

processor is processor is machine languagemachine language Assembly Language uses a combination Assembly Language uses a combination

of hexadecimal numbers and expressionsof hexadecimal numbers and expressions Very powerful but hard to use (Link Ch 7g)Very powerful but hard to use (Link Ch 7g)

1616

Compiling C in Ubuntu Compiling C in Ubuntu LinuxLinux

CompilerCompiler Converts a text-based program (source Converts a text-based program (source

code) into executable or binary codecode) into executable or binary code To prepare Ubuntu Linux for C To prepare Ubuntu Linux for C

programming, use this command:programming, use this command:sudo apt-get install build-essential

Then you compile a file named Then you compile a file named "program.c" with this command:"program.c" with this command:

gcc program.c –o program.exe

1717

Anatomy of a C ProgramAnatomy of a C Program

The first computer program a C The first computer program a C student learns "Hello, World!"student learns "Hello, World!"

1818

CommentsComments

Use /* and */ to comment large Use /* and */ to comment large portions of textportions of text

Use // for one-line commentsUse // for one-line comments

1919

IncludeInclude

#include statement#include statement Loads libraries that hold the commands Loads libraries that hold the commands

and functions used in your programand functions used in your program

2020

FunctionsFunctions

A Function Name is always followed by A Function Name is always followed by parentheses ( )parentheses ( )

Curly Braces { } shows where a Curly Braces { } shows where a function begins and endsfunction begins and ends

main() functionmain() function Every C program requires a main() Every C program requires a main()

functionfunction main() is where processing startsmain() is where processing starts

2121

FunctionsFunctions

Functions can call other functionsFunctions can call other functions Parameters or arguments are optionalParameters or arguments are optional

\n represents a line feed\n represents a line feed

2222

Declaring VariablesDeclaring Variables

A variable represents a numeric or A variable represents a numeric or string valuestring value

You must declare a variable before You must declare a variable before using itusing it

2323

Variable Types in CVariable Types in C

2424

Mathematical OperatorsMathematical Operators

The i++ in the example below adds The i++ in the example below adds one to the variable ione to the variable i

2525

Mathematical OperatorsMathematical Operators

2626

Logical OperatorsLogical Operators

The i<11 in the example below The i<11 in the example below compares the variable i to 11compares the variable i to 11

2727

Logical OperatorsLogical Operators

2828

Demonstration: Buffer Demonstration: Buffer OverflowOverflow

2929

Understanding HTML BasicsUnderstanding HTML Basics

HTML is a language used to create HTML is a language used to create Web pagesWeb pages

HTML files are text filesHTML files are text files Security professionals often need to Security professionals often need to

examine Web pagesexamine Web pages Be able to recognize when something Be able to recognize when something

looks suspiciouslooks suspicious

3030

Creating a Web Page Using Creating a Web Page Using HTMLHTML

Create HTML Web page in NotepadCreate HTML Web page in Notepad View HTML Web page in a Web browserView HTML Web page in a Web browser HTML does not use branching, looping, or HTML does not use branching, looping, or

testingtesting HTML is a static formatting languageHTML is a static formatting language

Rather than a programming languageRather than a programming language < and > symbols denote HTML tags< and > symbols denote HTML tags

Each tag has a matching closing tagEach tag has a matching closing tag <HTML> and </HTML><HTML> and </HTML>

3131

3232

3333

3434

Understanding Practical Understanding Practical Extraction and Report Extraction and Report

Language (Perl)Language (Perl) PERL PERL

Powerful scripting languagePowerful scripting language Used to write scripts and programs for Used to write scripts and programs for

security professionalssecurity professionals

3535

Background on PerlBackground on Perl

Developed by Larry Wall in 1987Developed by Larry Wall in 1987 Can run on almost any platformCan run on almost any platform

*NIX-base OSs already have Perl installed*NIX-base OSs already have Perl installed Perl syntax is similar to CPerl syntax is similar to C Hackers use Perl to write malwareHackers use Perl to write malware Security professionals use Perl to Security professionals use Perl to

perform repetitive tasks and conduct perform repetitive tasks and conduct security monitoringsecurity monitoring

3636

3737

Understanding the Basics of Understanding the Basics of PerlPerl

perl –h command perl –h command Gives you a list of parameters used with Gives you a list of parameters used with

perlperl

3838

3939

Understanding the BLT of Understanding the BLT of PerlPerl

Some syntax rulesSome syntax rules Keyword “sub” is used in front of Keyword “sub” is used in front of

function namesfunction names Variables begin with the $ characterVariables begin with the $ character Comment lines begin with the # Comment lines begin with the #

charactercharacter The & character is used when calling a The & character is used when calling a

functionfunction

4040

Branching in PerlBranching in Perl

&speak;&speak; Calls the subroutineCalls the subroutine

sub speaksub speak Defines the Defines the

subroutinesubroutine

4141

For Loop in PerlFor Loop in Perl

For loopFor loop

4242

Testing Conditions in PerlTesting Conditions in Perl

4343

Understanding Object-Understanding Object-Oriented Programming Oriented Programming

ConceptsConcepts New programming paradigmNew programming paradigm There are several languages that There are several languages that

support object-oriented programmingsupport object-oriented programming C++C++ C#C# JavaJava Perl 6.0Perl 6.0 Object CobolObject Cobol

4444

Components of Object-Components of Object-Oriented ProgrammingOriented Programming

ClassesClasses Structures that hold pieces of data and Structures that hold pieces of data and

functionsfunctions The :: symbolThe :: symbol

Used to separate the name of a class Used to separate the name of a class from a member functionfrom a member function

Example:Example: Employee::GetEmp()Employee::GetEmp()

4545

Example of a Class in C++Example of a Class in C++

class Employeeclass Employee

{{

public:public:char firstname[25];char firstname[25];

char lastname[25];char lastname[25];

char PlaceOfBirth[30];char PlaceOfBirth[30];

[code continues][code continues]

};};

void GetEmp()void GetEmp()

{{// Perform tasks to get employee info// Perform tasks to get employee info

[program code goes here][program code goes here]

}}

4646

Error in textbookError in textbook C example on page 138 should be this insteadC example on page 138 should be this instead