Python Virtual Environments for Hackers

A quick guide and recommendations for using Python venv from the perspective of a professional hacker.

The What & Why

Firstly, the definition for venv defined in Python’s own documentation is as follows:

“The venv module supports creating lightweight “virtual environments”, each with their own independent set of Python packages installed in their site directories. A virtual environment is created on top of an existing Python installation, known as the virtual environment’s “base” Python, and may optionally be isolated from the packages in the base environment, so only those explicitly installed in the virtual environment are available.”[1]

To put this in more simple terms for the layman, venv are created as stand alone [virtual] environments where only the packages you add to them will be there. This is to prevent packages that you may be getting from pip(3) from causing dependency issues from all sorts of different packages and programs.

I have personally had a VM that I borked so bad it was nearly unusable with Python packages because I had created so many discrepancies among the various packages. Between that issue and beginning my position as a professional pentester I needed to begin regularly using venv for every tool I use in my day-to-day.

Creating & Using Venv

This method was taught to me by one of our senior pentesters so shout out to Chris for standardizing this practice for me.

For this example we’re going to install fierce – a DNS reconnaissance tool build in Python. Obviously, this process will work with any Python tool you want to install.

  1. We like the practice of creating a directory in $HOME named “Tools” in which we will place our Python tools and others. Within this directory clone your desired github repository using git clone.
  1. Cd into your repository’s directory.
  1. We will then create the venv with the following command:
python3 -m venv venv

What this is doing is telling Python to create a virtual environment (venv) called “venv”. You could change the name (second “venv” in this case) to anything you desire, though.

  1. Now that we have created the venv we need to “activate” it and then we’ll be ready to install our packages.
source venv/bin/activate

Where venv will be the name of your venv. In this case we went with venv as the name.

Depending on your terminal settings and customization you may notice on the right side of my screen my terminal will display that you are currently within the venv in fierce.

  1. From here, we can go ahead and install our packages and requirements for our tool and run it.
pip3 install -r requirements.txt
  1. Lastly, ensure when you are done with your tool to deactivate your venv before moving onto your next tool and packages. We can also see that after we deactivate the venv the indicator on the right side of the screen has been removed confirming we are no longer within that venv.

In conclusion, I hope this write up will be able to help those like myself when I was just looking for a quick and concise how-to guide for Python virtual environments. Feel free to reach out to me with any questions or criticisms. Happy hacking!



My First Help Desk Job: Lessons Learned

Your first IT job can be one of the most exciting and nerve racking experiences of your professional career, at least that is how it was for me- up to the day I was terminated nine months later. In this article I want to share some of my experiences, mistakes, and advice I would like to share with others starting their first job in this awesome field of work and how I hope yours will be much better than my own.

I’ll provide a key takeaways section near the bottom for those that want to save themselves from my internet ramblings.

The before time

First I’ll give a quick background of my knowledge and skill set entering my first position. I was never one of those people in this industry you hear so often who was fascinated with computers and had been tinkering with them from an early age. I always had a passing interest in them watching some of the things my older brother of nine years would do with them, but the passing part would come anytime I would pass by or think of the stacks of massive C++ or Windows administration books he would have scattered around his room and desk. My brother was a very intelligent person and I was had the mindset of, “Well I could never be smart enough to work with computers or understand those books of his.”. Obviously I know now how silly this thought was and still is when talking to other curious people like I was, but I digress. It wouldn’t be until around 2014/2015 when I would begin seriously considering IT as a career path.

This consideration began after a discussion one evening with a close friend of mine whom was approaching the completion of their associates degree in Networking Technology from our local community college. Hearing them talk about how much they enjoyed working in IT was very enlightening, especially in contrast to many people I would hear mention their job with dread and melancholy. This really piqued my interest since I currently had no long term career aspirations or plans at the time, and was still trying to determine what I wanted to do with my life. The following semester I enrolled in the same program my friend was just finishing. I performed quite well in the program despite having little to no in-depth understanding of computers or networks (I didn’t even know what a router was beyond-the box that gives you internet). I made up for this lack of knowledge with a very high commitment to understand these concepts, a trait that I feel describes my entire professional experience. In those earlier intro courses I would stay late very often to ask for further elaboration or clarification on the previously discussed topic (Shout out David Pope). This resulted in me completing my program with quite high grades overall, at least for me, in the fall of 2017 where my next challenge awaited me.

Foot in the door

Near the end of my last semester a different friend of mine whom at this point was well established and respected within the industry got me in connection with my first IT job.

Shortly after my friend putting me in connection with the IT manager and following a short phone call with him I was invited into their office for a formal interview. This interview was made up of the manager and both system admins. This has been about five years as of writing this so my memory may be a bit fuzzy on the details, but I will try and highlight a few aspects of the interview to help others in this position. I was asked about some of my college courses, which are my favorite, what challenges I faced, how I overcame said challenges, and if I had any personal technology related projects. After the interview I was given a short written exam to test my technical knowledge. I want to say there were about twenty questions almost all of which I felt confident in my answers. These were relatively simple questions one would learn in an introductory course such as- “What protocol would you expect to see running on TCP port 445?”, or “What is DNS short for?”.

This should go without saying, but do not lie or exaggerate your knowledge or experience, certainty not in an entry level position. They are aware you have no “real world” experience and are usually just looking to see that you are professional, have some basic knowledge, and an interest in the field.

Later that week I was extended an official offer from the company for the position. The salary for the position was around $28,000 and this was late 2017. I feel it’s important to share our salaries, at least past salaries to help others know what they should expect and what is fair. At the time, I believe this was very fair and although it was about what I was making bartending and serving I was still ecstatic to get my first salaried position.

Not a great start…. Not a great end

So my first week felt like I was drinking from a fire hose. This being my first experience seeing anything and learning about a network of this size was very daunting, but exciting. I felt like the sysadmin that was walking me through various things would think less of me or possibly even laugh if I asked what I perceived as dumb questions. This leads into two major mistakes I made going into this job of which I am sure you are already noticing. Failing to ask questions when appropriate, and not adequately taking note of the different concepts and techniques being taught to me. I’ll go a little bit more into detail on each of these and how I would recommend to my successors how to avoid these pitfalls in their first IT job.

When starting any new job, not just an entry level one, you should never worry about asking someone what you may consider dumb questions. It is always better to clarify and understand a topic rather than just pretending you know it because you feel you should. If your colleague or supervisor scoffs at these questions I would recommend immediately looking for a new position because it is not going to get any better for you, unfortunately.

This leads into the next issue I previously mentioned- not taking proper notes. When I started and one of my colleagues would demonstrate the process for a particular task and I would think to myself, “Okay, that wasn’t too much or too complex; I’m sure I’ll be able to remember that.”. The issue would arise though when I would be shown dozens of process or procedures throughout the work week. When I would need to execute one of these procedures that I had observed possibly weeks prior I would only have a slight idea of how to go through the process and need to ask someone for assistance. In this line of work, or any technical field this is just not a sustainable form of working and learning for the vast majority of the population. I have learned from my mistakes and now will write out detailed steps of the process if it has more than one or two steps in its entirety if there was not already documentation made by a coworker.

It’s at this point in this article I was debating on how far I should go into detail on the slow steady decline of my performance (or rather perceived performance) at this position that lead to my eventual termination. Although I have decided I will forgo this details for the sake of both brevity and professionalism.

Ultimately my short comings and issues were my responsibility. I made mistakes. Some I learned from immediately and made the appropriate corrections, while others may have taken quite a few mistakes before making those corrections. Though I would be remiss if I did not also bring up issues with the team/management. As mentioned previously, my intention is not to write up this entire autopsy and criticize those that helped start my career and taught my many foundational knowledge that I still carry into my job to this day. Although I do believe there was a disconnect in what was expected of me in terms of knowledge and skill and what I was able to bring to the team at that time.

I had this help desk position for about nine months before I was terminated. I was both incredibly upset as one could imagine, but also incredibly relieved as the stress and anxiety this position caused was becoming nearly unbearable near the end. Thankfully just a few months later I was able to land a great opportunity to work on my first blue team with an incredible team and management.

Looking back at this help desk position, at the end of the day it just wasn’t a good fit for either me nor the company. Sometimes that happens and that’s alright. You will find yourself in a position or company that isn’t going to make you or them totally satisfied. My only advice is to try to determine this early and not waste the time and effort for either party. With remote work in the field of IT and cyber security becoming more common there are hundreds of incredible teams and companies out there that will make a perfect professional relationship- don’t settle.

Key Takeaways & Suggestions

  • It’s okay to not know something or to have questions. Ask questions and clarify topics early and often. If senior admins or managers treat you poorly for this- immediately begin looking for a new position.
  • Take extensive notes. You won’t be able to remember everything you are taught in any technical job. Take good notes and document processes and procedures. Not only will it make your job much easier, but it will also instill confidence in your supervisors/coworkers that you are truly listening and understanding the topics they are demonstrating to you.
  • On note taking: I would highly suggest using an hierarchical note taking application such as Evernote, OneNote, Obsidian, or even CherryTree. I may also just have a note pulled up to use as a daily “scratch pad” for quick and simple notes on something I’m doing at that very moment.
  • Problem solving and escalation: I did not touch on this during the article but I feel it’s important to mention for anyone starting out in IT. Before trying to immediately escalating a ticket to a more senior person always check internal documentation, Google (an invaluable tool), and vendor documentation. This will all depend on both the structure of your organization and when you are to escalate tickets and the severity of the issue.