Introduction
Ethical hacking does not require you to be a programmer, but it does help greatly if you are! Understanding C# can help in many ways. The language can be utilized to create ad-hoc applications that may outperform the tools we use today, many of which are written in Python. C# and the Microsoft stack are used in many organizations for many different purposes. C# is a first-class citizen in enterprise businesses and is used for mobile, desktop, and web applications. For penetration testers, possessing a background in C# and .NET increases the likelihood of identifying a vulnerability during the testing phase. Finally, C# is an open-source, modern, and feature-rich programming language that can provide a solid foundation for anyone getting into programming, even if the goal is merely to improve their hacking workflows.
Background: The Evolution of C# and Other Programming Languages
Let’s begin by looking at where C# came from, where it is headed, and contrast that journey with a few other popular programming languages.
C# and .NET
C# was born in 2002 along with the Microsoft .NET Framework. Microsoft’s goal was to create a consistent set of reusable features, libraries, and components that developers could use to build any required software application. Originally designed as a competitor to the Java programming language, C# occupied a comfortable middle ground between Microsoft’s two other programming languages of the time: C++ and Visual Basic. At the time, developers didn’t find Visual Basic compelling enough and found the C++ language too cumbersome for rapid application development work.
Over the years, Microsoft continued to improve the .NET Framework and the C# programming language, eventually abandoning Visual Basic in favor of C#. Numerous language improvements, new features, and modern abilities were added to C# over the years. However, there was one particular problem that Microsoft couldn’t solve with the existing architecture. Microsoft was aiming for a more modular, cross-platform architecture, and the .NET Framework only worked on Microsoft Windows environments, leaving Linux and Mac OS users out of scope for any .NET development. Additionally, the .NET Framework was entirely proprietary, and Microsoft faced numerous criticisms and challenges from users and organizations who preferred to work with open-source community environments and projects.
C# and .NET Core
In 2016, a new version of .NET called the “.NET Core” was released by Microsoft. C# was the prominently featured language in this release, which adopted an open architecture and was fully open source. Despite these advancements, .NET Core initially lacked some major features. While sufficient for developers to get started with, it took several years before Microsoft reached parity with the .NET Framework. Finally in 2020, Microsoft merged the .NET Framework and .NET Core together to release .NET 5. Going forward, Microsoft now schedules a .NET release annually, with .NET 9 anticipated for November 2024. This ongoing commitment shows Microsoft’s dedication to supporting this platform. Comparatively, Java has only seen minimal updates to its programming language. Only recently did they start developing new modern features that C# developers have worked with for years. Since its inception in the 1990s, Python is only on its third iteration, and not much has changed.
In my course, “C# 101 for Hackers,” I compare programming languages to vehicles. Python is like a good, solid pickup truck. It won’t win any races, but it has plenty of modern conveniences and a ton of utility. Java is a minivan. It’s a bit bloated and slow, but it has some modern conveniences and a proven track record. C#, on the other hand, is a Tesla Model X. Tesla reimagined the SUV by giving it winged doors, a yoke steering wheel, and providing advanced capabilities such as self-driving, and this is precisely how I view the various modern advancements made within the C# and .NET ecosystem. Microsoft has re-envisioned what a programming language should be like, and that has resulted in an annual upgrade cycle that focuses on developer needs, workflows, security, and performance. What’s more, the entire .NET and C# ecosystem is open-source, has gained the attention of a huge community, and runs across all major operating systems!
Programming Skills Help Find New Attack Vectors
Much of the activity undertaken by hackers involves us breaking into software applications. These could be applications for specific hardware, such as a firewall or network appliance, or it could be a business line-of-sight application used in the production of goods or services for a company. Logically, it stands to reason that acquiring some programming knowledge will help us better understand the functionality of the underlying software.
Many hackers concentrate on the interaction between software and the server and rely on the HTTP pipeline to produce their tests, but there’s a whole other world of vulnerabilities and flaws that could be discovered just by looking at and understanding some of the patterns and flows used by developers.
Furthermore, developers rely on libraries that might contain vulnerabilities, and having developer experience may allow us to identify the library used and find additional attack vectors as a result. A perfect example is using UI libraries, such as those provided by Telerik and DeveloperExpress. Both have unique characteristics and can be easily spotted when viewing an application. Once identified, finding CVEs against a particular vendor’s product is easy.
Of course, getting to a point where you can determine if a particular .NET or third-party library is used is not something you can just learn and memorize. Libraries and software change all of the time. So it’s only by working with C# and .NET that you gradually gain the confidence to recognize when a particular function is using a specific library or written in a way that can be manipulated.
There’s no better time to get started with this language, as books, courses, and learning materials are readily available to support your learning. You can start with the basics with TCM Security’s C# 101 for Hackers course and then dive into more detail with Microsoft Learn, which has numerous paths for C# development. Adding C# and .NET proficiency to your resume may also open doors for new opportunities, as the Microsoft stack is widely used and respected within enterprise environments.
Ad-Hoc Scripting with C#
C# and .NET both work well on Kali Linux! There are many benefits to working with C# over Python and other scripting technologies for ad-hoc work during an engagement. For example, here’s a simple code snippet of a C# application and a Python application. They both perform exactly the same task, which is to add a value to a variable over a billion iterations.
C#
using System;
using System.Diagnostics;
var stopwatch = Stopwatch.StartNew();
long result = 0;
for (long i = 0; i < 1000000000; i++)
{
result += i;
}
stopwatch.Stop();
Console.WriteLine($"C# / .NET 7 result: {result}");
Console.WriteLine($"C# / .NET 7 execution time: {stopwatch.Elapsed.TotalSeconds}");
Python
import time
start = time.time()
result = 0
for i in range(1000000000):
result += i
end = time.time()
print("Python result:", result)
print("Python execution time:", end - start)
In both cases, the result is the same at 499999999500000000, but the duration of the scripts’ execution is totally different.
Python performs the work in 52.57 seconds, while C# crunches through this example in 1.82 seconds. That is a significant difference, and since a lot of ethical hacking involves testing through iterations, we can improve the performance of our scans or brute-force attacks by changing the tools we use to write our script.
Like Python, .NET has a wide range of free, third-party libraries that make your life even easier. They’re called Nuget Packages, and there are almost 400,000 of them available. You can also create and publish your own. Imagine that rather than writing your own code to work with SSH, you can grab a free SSH library, pass the login information, and have an interactive, programmable terminal from which to launch attacks!
Getting Started with C#
Microsoft has made it really easy for you to get started with .NET and C# on any platform. First, you’ll need a text editor. I would encourage you to use Microsoft Visual Studio Code, although there are many options available that will work. By using VSCode, you can leverage Microsoft extensions that simplify programming tasks, greatly increasing the speed at which you can write your scripts. Next, you’ll want to download and install the .NET framework. I always recommend using the latest production version, currently at 8. Once installed, you are ready to tackle your C# projects. Using the .NET CLI is intuitive and provides you with boilerplate code to create APIs, Console, and Web applications.
The full instructions for .NET 8 setup for Debian-based operating systems are available here: https://learn.microsoft.com/en-us/dotnet/core/install/linux-debian. Visual Studio Code can be downloaded from https://code.visualstudio.com. You’ll need to grab the appropriate version for your platform (x64, ARM, etc). Once downloaded, follow the instructions on the download page to install VSCode.
Lastly, I find some extensions useful while working with C# and .NET. First, you’ll need the official Microsoft C# extension, called the “C# Dev Kit.” It requires you to sign in with your Microsoft account. Next, I like “Jupyter” and “Polyglot Notebooks.” Both are from Microsoft and allow you to write interactive code. You can combine Markdown and C# code together on a single page, which is great for creating interactive documentation, validating your finds, and documenting your steps.
Conclusion
Today, we explored some of the reasons why learning C# is beneficial for ethical hackers. C# is a modern, open-source programming language that can be used for a wide range of tasks and project types. Not only is it easy to learn and work with, but it is also extremely performant. The performance gains could lead to a reduction in the number of hours you need to spend on a given attack vector. In addition, the modern features and open-source nature of .NET enable you to quickly write your own applications that can be used on any engagement. Finally, having knowledge of .NET and C# can give you a better insight and understanding into how an application works, which can help you better plan your attacks. While any programming skills are helpful to the ethical hacker, having C# and .NET skills, in particular, can be beneficial because of the language’s modern nature and because it is used at many large organizations.
About the Author: Alex Tushinsky
Alex has over three decades of expertise in software development, application architecture, cybersecurity, and technical education. As a lifelong learner, he holds more than twenty active IT certifications and is a Microsoft and CompTIA Certified Trainer. Alex’s passion for sharing his knowledge has led him to teach at numerous institutions, including Rutgers University, Bergen Community College, County College of Morris, College of Southern Nevada, and the University of Nevada, Las Vegas (UNLV). Additionally, he is the author of numerous online courses on platforms such as Pluralsight and TCM Academy, including our C# 101 for Hackers course.
Alex holds a Bachelor of Science in Software Development and a Master’s in Cybersecurity and Information Assurance from Western Governors University. His passion for software development has led him to work at Fortune 500 organizations such as PepsiCo, Intel Corporation, Gen Re, and several smaller businesses, where he has worked on enterprise software development projects primarily in C# and Java. In the cybersecurity field, Alex has worked as a Chief Information Security Officer and is a consultant to several small and mid-sized organizations, where he educated and provided guidance on the importance and proper use of information security. Currently, he is the Chief Technology Officer at TCM Security.
When not working, Alex spends his time with his wife and many pets, including two cats and three Boston Terrier dogs. He is an active runner and cyclist and is an ethical and health-conscious vegan.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcm-sec.com/our-services/
Follow Us: Blog | LinkedIn | YouTube | Twitter | Facebook | Instagram
Contact Us: sales@tcm-sec.com
See How We Can Secure Your Assets
Let’s talk about how TCM Security can solve your cybersecurity needs. Give us a call, send us an e-mail, or fill out the contact form below to get started.