Penetration Testing mailing list archives

Re: Good advice: Learn Assembly

From: "Sanjay R" <2sanjayr () gmail com>
Date: Sun, 17 Aug 2008 19:00:15 +0530

Hi Jim..
Answer to your question lies with you. Just try to figure out how will
you find vulnerabilities (and try to develop some exploit as PoC) if
you are not given source code, rather you get binary to play with. By
doing a black-box type testing, u can find the present of bug, but may
not be able to exploit it or do any analysis to have clear
understanding. I agree that metasploit and ollydbg are great tools,
but still understanding stack.heap, EIP, ESP etc help you to get
things done in your own way. And yes, you need not to be an expert in
assembly to start. Its about Science of Vulnerability Analysis, when
such fundamental knowledge is sought :)

regards
-Sanjay

On Sat, Aug 16, 2008 at 11:48 PM, Jim Kelly <macubergeek () comcast net> wrote:

I have a personal goal of learning how to find vulnerabilities with fuzzers
and code POCs (preferably in Python).

Now I've gotten the traditional advice of "learn assembly" from a couple of
folks. I wonder if that is necessary these days.
I always thought one needed to learn assembly to code shell code.  With the
capabilities of Metasploit, I wonder if this is still true? Do you need to
know assembly coding to decipher the output of disassemblers like IDA Pro or
debuggers like Olly?

Setting aside the logistical problems of finding a local college that still
teaches assembly....am I overlooking something here?

All comments welcome.

Jim

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes inSecuring Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------




-- 
Computer Security Learner

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

Current thread:

Good advice: Learn Assembly Jim Kelly (Aug 16)
- Re: Good advice: Learn Assembly Jan Muenther (Aug 16)
- Re: Good advice: Learn Assembly Joel Jose (Aug 16)
- Re: Good advice: Learn Assembly Micheal Cottingham (Aug 16)
- Re: Good advice: Learn Assembly Omar Herrera (Aug 16)
- Re: Good advice: Learn Assembly Colin Copley (Aug 17)
- Re: Good advice: Learn Assembly Sanjay R (Aug 17)
- RE: Good advice: Learn Assembly John Vill (Aug 19)