Which of these scripting languages is more appropriate for pen-testing? [closed]

2024/11/16 3:14:11

First of all, I want to avoid a flame-war on languages. The languages to choose from are Perl, Python and Ruby . I want to mention that I'm comfortable with all of them, but the problem is that I can't focus just on one.

If, for example, I see a cool Perl module, I have to try it out. If I see a nice Python app, I have to know how it's made. If I see a Ruby DSL or some Ruby voodoo, I'm hooked on Ruby for a while.

Right now I'm working as a Java developer, but plan on taking CEH in the near future. My question is: for tool writing and exploit development, which language do you find to be the most appropriate?

Again, I don't want to cause a flame-war or any trouble, I just want honest opinions from scripters that know what they're doing.

One more thing: maybe some of you will ask "Why settle on one language?". To answer this: I would like to choose only one language, in order to try to master it.

Answer

You probably want Ruby, because it's the native language for Metasploit, which is the de facto standard open source penetration testing framework. Ruby's going to give you:

  • Metasploit's framework, opcode and shellcode databases
  • Metasploit's Ruby lorcon bindings for raw 802.11 work.
  • Metasploit's KARMA bindings for 802.11 clientside redirection.
  • Libcurl and net/http for web tool writing.
  • EventMachine for web proxy and fuzzing work (or RFuzz, which extends the well-known Mongrel webserver).
  • Metasm for shellcode generation.
  • Distorm for x86 disassembly.
  • BinData for binary file format fuzzing.

Second place here goes to Python. There are more pentesting libraries available in Python than in Ruby (but not enough to offset Metasploit). Commercial tools tend to support Python as well --- if you're an Immunity CANVAS or CORE Impact customer, you want Python. Python gives you:

  • Twisted for network access.
  • PaiMei for program tracing and programmable debugging.
  • CANVAS and Impact support.
  • Dornseif's firewire libraries for remote debugging.
  • Ready integration with WinDbg for remote Windows kernel debugging (there's still no good answer in Ruby for kernel debugging, which is why I still occasionally use Python).
  • Peach Fuzzer and Sully for fuzzing.
  • SpikeProxy for web penetration testing (also, OWASP Pantera).

Unsurprisingly, a lot of web work uses Java tools. The de facto standard web pentest tool is Burp Suite, which is a Java swing app. Both Ruby and Python have Java variants you can use to get access to tools like that. Also, both Ruby and Python offer:

  • Direct integration with libpcap for raw packet work.
  • OpenSSL bindings for crypto.
  • IDA Pro extensions.
  • Mature (or at least reasonable) C foreign function interfaces for API access.
  • WxWindows for UI work, and decent web stacks for web UIs.

You're not going to go wrong with either language, though for mainstream pentest work, Metasploit probably edges out all the Python benefits, and at present, for x86 reversing work, Python's superior debugging interfaces edge out all the Ruby benefits.

Also: it's 2008. They're not "scripting languages". They're programming languages. ;)

https://en.xdnf.cn/q/71716.html

Related Q&A

Keras: Optimal epoch selection

Im trying to write some logic that selects the best epoch to run a neural network in Keras. My code saves the training loss and the test loss for a set number of epochs and then picks the best fitting …

error in loading pickle

Not able to load a pickle file. I am using python 3.5import pickle data=pickle.load(open("D:\\ud120-projects\\final_project\\final_project_dataset.pkl", "r"))TypeError: a bytes-lik…

How to test if a webpage is an image

Sorry that the title wasnt very clear, basically I have a list with a whole series of urls, with the intention of downloading the ones that are pictures. Is there anyway to check if the webpage is an i…

Generic detail view ProfileView must be called with either an object pk or a slug

Im new to Django 2.0 and im getting this error when visiting my profile page view. Its working with urls like path(users/<int:id>) but i wanted to urls be like path(<username>). Not sure wh…

Python Pandas group datetimes by hour and count row

This is my transaction dataframe, where each row mean a transaction :date station 30/10/2017 15:20 A 30/10/2017 15:45 A 31/10/2017 07:10 A 31/10/2017 07:25 B 31/10/2017 07:55 …

Get Bokehs selection in notebook

Id like to select some points on a plot (e.g. from box_select or lasso_select) and retrieve them in a Jupyter notebook for further data exploration. How can I do that?For instance, in the code below, …

Upload CSV file into Microsoft Azure storage account using python

I am trying to upload a .csv file into Microsoft Azure storage account using python. I have found C-sharp code to write a data to blob storage. But, I dont know C# language. I need to upload .csv file …

GeoDjango: How can I get the distance between two points?

My Profile model has this field:location = models.PointField(geography=True, dim=2, srid=4326)Id like to calculate the distance between the two of these locations (taking into account that the Earth is…

Reading direct access binary file format in Python

Background:A binary file is read on a Linux machine using the following Fortran code:parameter(nx=720, ny=360, nday=365) c dimension tmax(nx,ny,nday),nmax(nx,ny,nday)dimension tmin(nx,ny,nday),nmin(nx,…

Fabric/Python: AttributeError: NoneType object has no attribute partition

Have the following function in fabric for adding user accounts.~/scripts #fab -lPython source codeAvailable commands:OS_TYPEadduser_createcmd Create command line for adding useradduser_getinfo Prom…