I often get asked for recommendations on ways to start learning Python or ways to improve Python skills, so I decided to document my typical response.
The hardest part about learning how to code is the lack of learning resources that teach you how to program anything practical and/or interesting. I remember taking a Java course in college and our final project was creating a glorified interest calculator. The project definitely lacked any interest from me, and although I passed the course, I did not continue with Java.
Fast forward a few years, there was a lot of chatter in infosec about “you can’t be successful in infosec unless you can code”. Regardless of the validity of that statement, and although I could do some basic scripting, I made it my mission to become a programmer. Since Python was (and still is) popular in the infosec space, I chose it as my language.
I spent my evenings doing every online Python tutorial I could find. I completed more helloworld.py programs than I can remember, appended spam and eggs into so many lists, and created plenty of boring programs (like converting Fahrenheit to Celsius). It was quite time-consuming and unenjoyable. Sometime in the middle of my 42nd tutorial, I had the realization that I needed to code something useful to me (or at least related to security), otherwise I would never progress as a programmer. I couldn’t think of anything useful to code, but I did find a Python-specific course related to security, Python for Pentesters.
I purchased the course from SecurityTube (now at Pentester Academy) and dug in. It was infinitely better than what I had previously been doing, and I progressed through the course and tried to complete the exercises. I wasn’t coding anything unique yet, mainly just copying what was shown in the videos, but that is a big part of beginner programming. I moved from that course to reading and working through the code in other security related Python books, such as Violent Python, Black Hat Python, and Gray Hat Python. The more code I wrote (or copied), the more comfortable I got. Muscle memory started to kick in and things started to really click for me. I started to realize I could solve problems with code, and that is when my programming really took off.
I started tackling work problems. Need to search a server for JAR files, unpack them, decompile the several hundred class files and look for hard-coded passwords? Give me a couple hours. Need to find the version of all the Drupal sites in a given IP range by looking for and reading the CHANGELOG.txt? I’m on it. I wish Nmap had a CSV output format… Wait, I can code, so let me build a parser to do that!
Coding is a skill just like anything else. The more you practice it, the better you will become. The trick is to code things that you enjoy so that practice will be fun. If you are having fun, you will do it longer, and naturally become better. This doesn’t mean you can stop reading books and tutorials though, but you will be able to skip boring parts and go straight to the stuff that is useful to you.
Well anyway, that was my personal story, and here are the Python resources that I recommend the most to those who ask me.
My most-recommended free resources
These are free, but if you like them, consider purchasing them.
Cracking codes with Python – A great way to start learning Python. It is an interesting read because you are coding programs that deal with primitive and basic cryptography, which is actually pretty cool.
Automate the boring stuff with Python – Lots of practical information in this book. Much less boring than typical programming tutorials.
Python for Everybody – A decent reference to read through, or at least skim the chapters when you want to learn about a particular topic. This is the book that is used for the Coursera Python course (or, at least it used to be) via the University of Michigan.
Free books via Packt Publishing – Sign up with an email address and check daily for free books. There will frequently be Python books. I used to download every Python book I would see, even though the topic is usually narrow. For example, a title might be “Understanding the Django framework”, or “The book of Python Regular Expressions”, which are great references if you are looking to learn about a particular topic. Every once in a while there will be a security focused book, although none of them have truly wowed me. An interesting side note: one of my first programs was a script to navigate to the site, log me in, and download the daily book.
Cybrary Python Course – I’ve never taken this course, but it’s free and security focused. If you like videos better than books, give it a shot.
Free Python challenge sites
Python Challenge – A series of online challenges. The solutions are posted in plenty of places, so it is a decent way to learn. Not security focused.
Cryptopals Challenges – A series of challenges relating to cryptography. It is not Python specific, but solutions exist in Python, and it is definitely security related. These challenges are not easy. You will probably need to be pretty decent at Python or another programming language before attempting these.
id0-rsa.pub Crypto Challenges – A series of challenges relating to cryptography but distinctly different challenges than Cryptopals. The challenges range in difficulty, and once again, you will probably need to be pretty decent at Python or another programming language before attempting these.
Other security related books
You may be able to find these for free on the Internet…or you can buy them.
These are all good, security focused books, although some of the code is hard to follow (because of the way it is written, especially when a script spans multiple pages). The code is also usually Python 2.7 or earlier, and some of the code doesn’t work (or that’s what I remember when I went through them).
I’m sure there are others out there, but I’ve taken both of these and recommend them both:
Pentester Academy/Security Tube Python for Pentesters – Excellent video series that focuses on Python from a security perspective, mainly offensive security.
SANS SEC573 – Very thorough course that focuses on many areas of security. Expensive, but worth it if someone else is paying or if you have the money.
Hopefully these resources are useful to you, but remember, it is all about finding something that entertains you enough so you can keep learning. If you can find material that keeps your interest, eventually things will click and you will truly enjoy coding!