Should I learn C?

Viewing 4 reply threads
  • Author
    • #8569

      Hi everyone.

      I’m slowly working on a career change into infosec and pentesting. Right now I’m working full-time as a .NET & JavaScript front & backend developer, and due to my current experience I have been recommended to focus on web application security.

      So I’ve been reading a bit on the OWASP homepage and also bought the “Coding for Penetration Testers” book and I’m working myself through it, trying to get an overview of how things are done. The more I read though, the more difficult and confused I get when trying to choose where to invest my time and put my focus.

      I’ve been reading about socket programming with python in the book, and read a low-level introduction article on how sockets are implemented in C, linked by the python docs. I’ve come to realize that I find all this low level stuff really exciting, and I’m tired of using high level language libraries, without knowing how stuff really works.

      I did a bit of Googleing and found that C/C++ is often used for doing exploits and shellcode. So do you guys think it would be beneficial for a newbie like me learn how to implement network shells, making payloads etc, in a low level language like C? Or would that be a waste of time? Is C programming a useful and often required skill/tool when working as a penetration tester, especially now that web application security seems to become more and more popular?

    • #53458

      It depends what your goals are. If you want to focus on web app testing, Python and/or Ruby would be your best bet. You’ll save yourself a ton of time and headache over trying to do the same thing in C.

      However, if you are more interested in learning how things work behind-the-scenes, C is a good place to start. This is my favorite book on C: Also, if you really want to dive deep, learn assembly. That’ll give you a new appreciation for how memory and the CPU operate. Back when I wasn’t totally neglecting my blog, I wrote an article on how it would be advantageous to learn C and assembly simultaneously:

    • #53459

      I think dynamik nailed it. I use python in my daily life but I bought an intro to c book a few weeks ago because I realized that I really should get comfortable with C before I seriously try to improve my assembly, reverse engineering & exploit dev skills.

    • #53460

      I am not going to tell you that you need to know C/C++ because it is the language that every hacker has to know to be worth of such a name. I am not even going to try to convince you that C/C++ has a shrinking community and this will make the wages rise for those fortunate programmers knowing such language. I will not even use the card of the “high profile” job for a C programmer, also if it is the case since Google, Microsoft, all the high frequency trading players, games studios and everyone in the aerospace industry do need to be as close to the metal as possible to get the maximum from their machines (Luca, a dear friend of mine, used to refer to this as “smelling the soldering”). I am going to use a different point.

      I suppose that as an engineering or computer science graduate, programmer or just a simple self-taught practitioner, you know — or just have a sense of — how the computer you are reading this document on, the network that took it to you and the browser rendering it work.

      Most likely, the operating system that you use and that makes your computer more than a bunch of metal, silicon and carbon-oxide; the drivers of the network card and the browser itself have being written in C. While the compiler for your favourite programming language could be written in the language itself (this is called “self-hosting”), it could be written in C for efficiency or historical reasons. For certain, if it is based on a virtual machine, this last one is written in C/C++.

    • #176448

      It really depends on what your goals are.

      If your goal is infosec and pentesting, you definitely need to be able to read + understand C code since so much code is written in C / C++. Being able to understand C code will help you understand attack vectors.

      But tasks like writing a shell or writing a server in C is not really that important…and it’s a lot of work.

Viewing 4 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2022 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.


Sign in with Caendra

Forgot password?Sign up

Forgot your details?