Python is a must-know programming language for anyone seeking a career in penetration testing. With it, pen testers can write custom scripts and services to examine a company's security infrastructure, sniff networks, exploit defensive tools for offense and enable command-and-control servers, among other critical tasks.
While it isn't the only programming language pen testers should learn, they should have the most familiarity with it.
Here, Black Hat Python: Python Programming for Hackers and Pentesters 2nd Edition authors Justin Seitz and Tim Arnold explain why Python remains an ideal programming language for pen testers, along with the differences between Python 2 and 3. They also break down other programming languages pen testers should know. In addition, Seitz offers next-step recommendations after finishing Black Hat Python to continue gaining pen testing experience and knowledge.
Editor's note: The following interview was edited for clarity and length.
Why is Python an important language to learn?
Tim Arnold: Python is a wonderful language to start with. It's often used in college to teach programming -- programmers call it 'duck typing.' With Python, you don't have to type out every variable. For example, you may need to say, 'This is going to be an integer; this is going to be a float.' But not with Python. It does whatever it knows how to do. Whether you have a list or a set, you can iterate over both of them because the code and practices can go from one type of data structure to another.
I didn't like Python when I first saw it because I couldn't believe white space was so significant. But I think it's made me a better programmer because now I do my indentation -- it's second nature.
Python is an easy language to learn. One of the people pushing me to learn it said, 'It's like you just write pseudocode and it runs.' That's not far from the truth. It's not uncommon to write a program and have it work the first time. Python is simple and easy to read.
Why was 2021 the right time to update Black Hat Python?
Arnold: There have been a lot of changes since the first edition came out in 2015. Some of the original examples are outdated. For example, it used Windows XP, 32-bit and Python 2. At that point, Python 3 had been out a while, but people weren't using it. The big push to Python 3 came when most libraries started to support it. Once that hit critical mass, nearly everyone moved to use it.
Who would benefit from reading Black Hat Python?
Arnold: It isn't meant to be a book to learn the language; it's more for intermediate or high-level beginners. There's so much to know about programming before you can start communicating between computers on a network. If you have footing in programming, you can use this book to start off with what packets look like and how you deal with those in Python.
You'll also learn how to create a reader for IP packets and ICMP [Internet Control Message Protocol] packets and how to create an exploit that will take over a Windows machine or how to use the Internet Explorer executable to exfiltrate files. The book goes from a low level with socket programming and packets to a higher level of what you can exploit on a machine.
Would you recommend only learning Python 3, or is there value in knowing Python 2?
Arnold: It's useful to know both. Having Python 2 knowledge is important. I always used Python 3 when building something new. But you still need to know Python 2 because there's so much of it still out there; many proof-of-concept code and shell scripts are still written in Python 2. You need to understand it to make sure you're not accidentally putting malware on your own machine. If you know Python 3, you'll be able to learn Python 2 well enough.
What are some differences between Python 2 and 3?
Arnold: There are differences between Python 2 and 3 to be aware of. The big one for me was how Python 3 supports Unicode out of the box. Python 2 has strings and bytes. When you get used to those, they're not a problem. But you'll often encounter issues when trying to read a string. For example, you'll say, 'I don't understand this because it's using ASCII encoding by default.' It's easier with Python 3 because it's a Unicode string.
The biggest changes between Python 2 and 3 are under the surface. For example, if you're dealing with socket communication, you'll experience the biggest differences between versions 2 and 3 because you need bytes to do encoding and decoding for the former.
The thing that got me was that running print() with Python 2 had to be a statement, and now it's a function, meaning you need to put what you want to print in the parentheses. I know that sounds like a small thing, but it's a difference in the syntax you'll see. You can often look at how a Python script uses the print statement to know if it's version 2 or 3.
There are also small syntax sugar changes in Python 3 I like. For example, take anytime you want to lock and unlock something. Sometimes, you forget to do that second part, or you want to enter a function and exit. Python 3 has a context manager, which was another big change. With Python 3, you can say with and some function, and the context manager will guarantee that you exit it cleanly. You can say with open(filename) and then do whatever you need to do, and you don't have to close it -- the context manager will close it immediately once you're outside that block.
Are there any other programming languages beginners should learn?
If speed is an issue, Go is a nice language to know. It compiles to an executable and can be run anywhere, unlike Python, which you need to have installed everywhere it's run.
Justin Seitz: When it came time to pull out Metasploit and do customizations, I really struggled because I didn't learn Ruby. I've also seen an uptick in the usage of Go for developing some tools, but I haven't found a programming language quite as versatile for pen testing and intelligence gathering as Python.
What do you recommend readers do after finishing the book to continue their education in pen testing in general or Python?
Seitz: Practice. Join CTFs [capture the flag, an infosec competition]; work on reverse-engineering challenges and hack-the-box VMs. All of these are great places to keep your skills sharp.
What tools do you find yourself using when pen testing that you'd suggest people learn?
Seitz: The most important thing about pen testing for me was not the tools, but network and OS knowledge. Once you fundamentally understand how low-level tasks work in Windows and Linux and how network traffic is moved around or filtered, you can jump to any tool and largely understand how to use it. We often teach people tools first today, but they don't always understand why something isn't working until it doesn't. Only then do they learn the core knowledge. Start with the mundane, arcane educational aspects -- it's still important.