FRIDAY, JULY 17, 2009

How do I become a Ninja?

Earlier this week, we posted this blog item: Ask the VRT a question. We had a few people write in and ask us questions about Snort, Snort rules and the other obvious Snort related questions. Then, we got something interesting...

mish asks "How do I become a Ninja?"


(His question was a little longer than that, and we of course assumed that he meant "Vulnerability Research Ninja")

We threw this around between various VRT people and it apparently hit the hot button on our Senior Director of Vulnerability Research, Matt Watchinski. Here is his manifesto in reply to mish's question:

1. You need to fix your thought process. Most people see computers and programs as tools that have functions that complete the tasks they need accomplished on a day to day basis. If you see everything around you as something that needs to work to do your job then you'll never see it for what it is, something to break and use to your advantage. The best way I've heard this summed up is "Be Evil".

2. Reading books without ever turning that information into practical knowledge is not going to make a ninja. Only experience will make a ninja; sitting in a library never resulted in anything useful.

Once you have the thought process down, technical skills now come into play.
3. The main thing with technical skills is you don't need to be a master of any of them, you need to be a master of recalling where the information you need is located.

4. Get yourself an old ass RedHat box without PAX/AppArmor/etc, make sure stack randomization is off, then go download all the ABO's from Gera. Start working on the simple buffer overflow examples. All the answers are on google if you get stuck (but don't cheat, it's not worth it).
5. After that, you now hate GDB. Time to move on to a real debugger. Get yourself a Windows XP box (no service pack), or a Windows 2000 box with any service pack (VMWare is great, just saying). Start working through the AWBO examples that we have on our blog. These will get you all the way up to SEH exploitation on Windows. (shameless plug about our Fundamentals of Exploit Development class should go in here, and here it is: Fundamentals of Exploit Development (pdf))

After completing those, you are by no means a master at exploiting things, but all the basics should now be in place. Additionally, you've probably now read every paper on overflows that can be found by google to help you finish all the above examples. You are also now familiar with WinDBG, OllyDBG, or ImmunityDebugger (WinDBG is better), and are unfortunately familiar with GDB, the worst debugger on the planet.


6. Now it's time to try some code auditing. The easiest way to do this is with known vulnerabilities. The best example of this type of work is here http://xorl.wordpress.com/. Start doing exactly what this guy is doing. Also it's now time to download the C99 standard, and actually read it. Also since it takes a bit to get, order the Intel OPCode manuals, these are free.

After auditing a couple of hundred programs you'll be relatively familiar with patterns in C and other languages which result in coding mistakes that you can now use to your advantage. It's really all about patterns at this stage, since real software packages are huge, being able to quickly find patterns that might be bad is important, as it lets you skip lots of code and only focus on what is interesting.
7. Now it's time to start using and playing with a couple of other tools. Fuzzers, the best place to start in my opinion is with something like FileFuzz from iDefense. Also check out Sulley or Peach. Get a bunch of VM's up and running with different programs and let these things go in the background, while you learn other things. Eventually, you'll hate these tools so much you'll get that idea that you can write a better one, go with that feeling and start writing a simple filefuzzer. Just learn to hate Sulley or Peach and be ok with it, as rewriting one of these takes a long time, and you'll forget a bunch of stuff along the way. However, you might come to like python in the process, not sure if that's a good thing or a bad thing.

8. Hopefully at this point, you've got a couple crashes from your fuzzers. This is where being a master of nothing, but recalling information comes in very handy. Time to start reading RFC's, protocol docs, file format docs, or whatever is relevant to the crash you have. It is now time to buy IDA Pro. Work on developing a reliable test case for your crash, so you understand exactly what is happening. This is an art, and isn't something that can be reliably taught, as debugging binary only applications requires tons of trial and error for determining if something is exploitable or not in a lot of situations.
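As an added illustration of steps 7 and 8 (this is an example written for this page, not code from the post or from the VRT), here is the smallest useful "simple filefuzzer" in Python, pointed at a constructed toy length-prefixed parser with a planted bounds bug: it mutates a seed file from a fixed random seed, reports the first input that faults, shrinks that input into a small reproducible test case, and shows the hardened form of the same parser surviving the same run. Every name in it (parse_record, SEED_CASE, the record format itself) is invented for the example.

```python
import random
import struct
SEED_CASE = struct.pack("<I", 8) + b"ABCDEFGH"   # constructed valid sample file

# Constructed toy target standing in for a real file parser: 4-byte LE length
# field, then that many payload bytes. Planted bug: the length is trusted, so a
# header claiming more bytes than the file holds reads past its end (IndexError
# here; an out-of-bounds read in C). hardened=True adds the missing check.
def parse_record(data: bytes, hardened: bool = False) -> int:
    if len(data) < 4:
        raise ValueError("short header")              # intended rejection
    length = struct.unpack_from("<I", data, 0)[0]
    if length > 64 or (hardened and 4 + length > len(data)):
        raise ValueError("bad length")                # intended rejection
    return sum(data[4 + i] for i in range(length)) & 0xFF  # payload checksum

def crashes(parser, case: bytes) -> bool:
    try:
        parser(case)
    except ValueError:          # the parser saying "no" is expected behaviour
        return False
    except Exception:           # anything else is an unhandled fault
        return True
    return False

def mutate(data: bytes, rng: random.Random) -> bytes:
    buf = bytearray(data)
    if rng.randrange(2):        # flip one bit ...
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    else:                       # ... or truncate the tail
        del buf[rng.randrange(len(buf) + 1):]
    return bytes(buf)

def fuzz(parser, seed_case: bytes, iterations: int, seed: int = 1):
    rng = random.Random(seed)   # fixed seed, so every find is reproducible
    for i in range(iterations):
        case = mutate(seed_case, rng)
        if crashes(parser, case):
            return i, case      # iteration number and the crashing input
    return None

def minimize(parser, case: bytes) -> bytes:
    i = 0                       # greedy: drop a byte, keep it dropped if the fault survives
    while i < len(case):
        smaller = case[:i] + case[i + 1:]
        if crashes(parser, smaller):
            case = smaller
        else:
            i += 1
    return case
```

Running `fuzz(parse_record, SEED_CASE, 500)` then `minimize` on the result gives a header-only (or nearly so) file whose length field overclaims the payload, which is the reliable test case step 8 asks for; `fuzz(lambda d: parse_record(d, hardened=True), SEED_CASE, 500)` returns None.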

At this point you'll be a borderline alcoholic, from banging your head on some problem you just can't figure out and turning to the bottle in an attempt to dull the pain. It's now time to get a support network, not for the alcoholism, but for your other problem. Alcoholism is fine (not really), if you get really good at this you'll need this to get through your day, when you realize that every tool and software app you run contains massive amounts of vulnerabilities that can be used to own your box. Also if you've written a number of tools in the above process you will now find vulnerabilities in them, because most "in training" ninjas are crappy coders. (Sometimes real ninjas are still crappy coders) (Ed note: actually boss, they all are)

9. Once you get your first actual working 0-day, you will now need to invent a root dance. This is important, as it will be used in the future when you find more to signify to your friends that you have a new 0-day. Comes in very handy at a Defcon, as long as you're not playing vulnerability poker, as it will tip your hand. While this seems silly, it's very important, since you are now an alcoholic, you need to be able to quickly celebrate your accomplishments, without dulling your senses.

10. Now you essentially have a choice. You have a skill that is worth money, you can strike out on your own and start selling your vulnerabilities, or you can now impress some employer with a portfolio of disclosed vulnerabilities. If you're used to a professional services life, then striking out on your own may be the way to go. However, it does have its ups and downs, just like any consulting job. But this isn't a business lesson, it's a "how to be a ninja" manifesto.

11. If you go the job route, it's now possible to specialize. This will really open your mind as you will have to invent new tools and techniques if you pick a realm that has little to no public information. Let's take vxWorks applications as an example. Nothing useful about reversing vxWorks exists on the InterTubes. Sorry, Matasano your singular blog post on the subject doesn't count, and mine probably violates something in the DMCA, so I can't post it.

Now that you've read all of the above I'm going to assume something in the back of your mind says "You didn't answer my question, I asked for specific steps, books, and articles to help me out." Well, unfortunately nothing you will read will ever make you what you want to be, it's all about cold hard practical experience. You won't see it unless you go do it, as each adventure will open up new paths to information and ideas that didn't seem relevant until you needed them. Finally, you need to love the quest, and it needs to consume you. If you walk into a restaurant and see a computer with a menu on it and your first thought isn't to touch all the buttons and see if it breaks, then you don't love the quest.

If you have a question you would like to be answered, feel free to send us an email (research at sourcefire dot com) with the subject line "Ask the VRT" or post a comment on this blog post Ask the VRT a question.

POSTED BY NIGEL HOUGHTON AT 11:26 AM
LABELS: ASK THE VRT

2 COMMENTS:

ROB FULLER (MUBIX) JULY 18, 2009 AT 1:15 AM

My wife slaps me every time we pass by a computer or something even remotely resembling one. She is the ninja master. She knows my thoughts.

Great article.

SPACEMAN SPIFF JULY 29, 2009 AT 3:32 AM

I've found "Hacking: The Art of Exploitation, 2nd Edition" to be a good start. There are quite a number of errors in the book, especially if you get the 1st edition, so you will have fun figuring out why some things don't work as expected ;-) Also don't use a too new Linux distribution....
