I had the great pleasure of learning directly from Mark Baggett, the Technical Editor of Violent Python, during his Python for Penetration Testers SANS class. Violent Python book was the basis for many of the things done during the week-long training. I totally don’t mean to brag, but I aced that training, beat all the challenges, and won a snazzy coin.
SEC573 Python for Penetration Testers Coin
So I might be biased, but I really liked the layout of the class and working through the book exercises and have been wanted to share my thoughts on it. Now I have finally gotten time to give it a proper go over.
Overview
There is no wishy-washiness to this book’s intentions, it’s for the Vader in you. If there was a commercial for this book, it would play out like Jaguar’s “It’s good to be bad” campaign.
In writing this book, we really set out to write an evil cookbook of examples for the darker side of Python
The book is intended for the professional penetration tester more than true black-hats; however, the code in the book itself is not biased towards good or evil. Like a gun, it’s who and how people use it that makes the difference. So why not make the biggest baddest gun around!
The Good
Violent Python is designed for anyone’s skill level. The first chapter is an introduction to Python, while the rest of the chapters are independent, designed as equal part tutorial and reference material. I wouldn’t use it as the very base to start learning how to code, but it may be enough for someone coming from other languages.
The book is laid out really well. Each chapter is self-contained, so they don’t need to be read in order, and each one starts with an excellent summary page. The summary page has a bullet list of what information is in the chapter, an index of its contents, an inspirational quote, and a real-life example of that type of code in action.
The book serves dual purpose, as an intro to common attack surfaces and how to think like a black hat. Each tutorial will start out with an explanation of why you would do something and what it would accomplish. From there it will expand out into multiple scenarios with provided examples.
The examples are functionally well written, which each line of code executing a very clear and specific action with purposeful variable and function names. This helps make it very clear to anyone exactly what the scripts are doing.
They show external tools that are everyday friends of the penetration tester, such as tcpdump. This is important because you need to realize that Python is only a single tool in a hacker’s toolbox. Just because you can do it with Python doesn’t mean you should. Sure, you can write a TCP connect port scanner, but why not just use the excellent and already written nmap?
The Bad
What bugs me the most is their code style choices. PEP8 is technically only guidelines, but I can’t help but wish they didn’t use camelCaseForEverything in SCRIPTS_Named_Weird.py that have VERYLOUD globals. There are a few annoying inconsistencies as well, such as switching between optparse and directly using sys.argv.
At lot of the recipes use a blank try except:
try: someCode() except: pass
Don’t do this in real life. It’s fine for quick script prototyping, but you should never have a blank exception, at minimum have except Exception: so that it does not capture SystemExit or KeybaordInterrupt (if you do plan to capture those, do so explicitly and have logging for why you are doing so.)
It is becoming outdated, which is only partial fault of the authors, as it is over four years old. When they say ‘Python’ they are referring to Python 2.6 in the book, even though 2.7 and 3.3 were available before it’s initial release in late 2012. There are several best practices they are missing out on, such as context managers, and outdated libraries, like optparse. I would love to see them update and expand it with a ‘Violent Python 3’ (get it?) at some point.
Verdict
The book overall is very good and I highly recommend it. It’s a fun way to learn or better yourself with Python. Even after reading through it multiple times, I will continue to keep it on my shelf as a valuable reference guide.
Check it out at amazon.com
