Which of these scripting languages is more suitable for pen testing?

First of all, I want to avoid a language flame war. The languages to choose from are Perl, Python, and Ruby. I want to mention that I am comfortable with all of them, but the problem is that I can't focus on just one.

If, for example, I see a cool Perl module, I have to try it. If I see a nice Python application, I have to know how it was made. If I see a Ruby DSL or some kind of Ruby voodoo, I am hooked on Ruby for a while.

I am currently working as a Java developer, but I plan to take the CEH in the near future. My question is: for writing tools and developing exploits, which language do you think is most suitable?

Again, I do not want to cause a flame war or any kind of trouble; I just want honest opinions from scripters who know what they are doing.

One more thing: perhaps some of you will ask, "Why settle on one language?" To answer this: I would like to choose only one language so that I can try to master it.

+6
python security ruby perl penetration-testing
12 answers

You probably want Ruby, because it is the native language of Metasploit, which is the standard open source penetration testing framework. Ruby is going to give you:

  • Metasploit's opcode and shellcode databases.
  • Metasploit's Ruby lorcon bindings for raw 802.11 work.
  • Metasploit's KARMA bindings for redirecting 802.11 clients.
  • Libcurl and net/http for writing web tools.
  • EventMachine for web proxy and fuzzing work (or RFuzz, which extends the well-known Mongrel web server).
  • Metasm for generating shellcode.
  • Distorm for disassembling x86.
  • BinData for binary file formats.

Python comes second. Python has more pentesting libraries available than Ruby (but not enough to make up for Metasploit). Commercial tools also support Python: if you are an Immunity CANVAS or CORE Impact customer, you need Python. Python gives you:

Not surprisingly, much of the web work uses Java tools. The de facto standard tool for web pentesting is Burp Suite, which is a Java Swing app. Ruby and Python both have Java variants that you can use to get at tools like that. In addition, both Ruby and Python offer:

  • Direct integration with libpcap for raw packet work.
  • OpenSSL bindings for cryptography.
  • IDA Pro extensions.
  • Mature (or at least reasonable) C interfaces for API access.
  • WxWindows for user interface work, and decent web stacks for web interfaces.

You are not going to go wrong with either language, though for mainstream pentest work Metasploit probably edges out all the advantages of Python, and currently, for x86 reversing work, Python's excellent debugging interfaces edge out all the advantages of Ruby.

Also: it is 2008. They are not "scripting languages". They are programming languages. ;)

+27

[Disclaimer: I am primarily a Perl programmer, which may colour my judgement. However, I'm not particularly tribal, and I think that on this particular question my argument is fairly objective.]

Perl was designed to fit seamlessly into the Unix landscape, and that is why it feels so alien to people with a mostly OO background (in particular, the Java school of OOP). For the same reason, however, it is incredibly widely installed on machines with any kind of Unixoid operating system, and many vendor system utilities are written in it. For the same reason, servers that have neither Python nor Ruby installed are still likely to have Perl, which again makes it worth being familiar with. Therefore, if your CEH activity includes extensive work on Unix, you will need some familiarity with Perl anyway, and you might as well focus on it.

That said, this is mainly a matter of preference. There are not many differences between the languages; their expressive power is almost identical. Some things are a little easier in one of the languages, some are a little easier in another.

In terms of libraries, I don't know how Ruby and Python compare to each other; I do know that Perl beats them both. Then again, sometimes (especially when you are looking for libraries for common needs) the only effect of this is that you are left with a dozen different options. And if you just want to do something in a specific area that is well covered by libraries for Python or Ruby, a ton of other things on CPAN is not necessarily an advantage. In niche areas, however, it does matter, and you never know what unanticipated need you will eventually have (by definition).

For one-liner use on the command line, Python is a non-starter.

As for an interactive interpreter environment, Perl... uhm... well, you can use the debugger, which is not that good, or you can install one from CPAN, but Perl does not ship a good one itself.

So, I think Perl has a very slight edge for your needs in particular, but only just. If you choose Ruby, you probably won't be much worse off. Python may cause you some inconvenience, but it is also a bad choice.

+8

I can make an argument for all three :-)

Perl has all of CPAN, giving you a huge advantage in pulling functionality together quickly. It also has a good, flexible testing infrastructure, which means that you can plug many different testing styles (including tests in other languages) into the same framework.

Ruby is a great language to learn, and it lacks some of the cruft in Perl 5. If you do web testing, it also has the watir library, which is très useful (see http://wtr.rubyforge.org/ ).

Python is a good language and (although it is not my personal preference) some people find the way it is structured easier to deal with.

Any of them (and many others) will be a great language to learn.

Rather than looking at the language, I would look at your working environment. It is always easier to learn if you have other people around who do similar things. If the current developers / testers focus on one of the above, I would go for it. If not, choose the one that will be most applicable / useful for your current working environment. Chat with the rest of your team and see what they think.

+4

It depends on the deployment: if it is distributed, I would go with Java, seeing as you know it, because of its portability. If it is only for internal use or will be used in semi-controlled environments, then go with whichever is most convenient for you to maintain, and depending on which one has the best long-term outlook.

Now, to just answer the question, I would go with Perl, but I'm a Linux guy, so I can be a little biased in this.

+3

If you plan to use Metasploit for pen testing and exploit development, I would recommend Ruby, as mentioned earlier. Metasploit is written in Ruby, and any exploit / module development that you might want to do requires Ruby.

If you would use Immunity CANVAS for your pen testing, then for the same reasons I would recommend Python, since CANVAS is written in Python. Fuzzing frameworks such as Peach and Sulley, written in Python, also stand out.

I would not recommend Perl, as you will find very few tools / scripts / frameworks related to pen testing / fuzzing / exploits / ... in Perl.

As your question is "writing tools and developing exploits," I would recommend Ruby if you choose Metasploit or Python if you choose CANVAS.

Hope that helps :)

+3

Speaking as a CEH, learn the CEH material first. This will introduce you to the various tools and platforms used to set up different types of attacks. Once you understand your goal well, explore the capabilities of the existing tools and platforms (the previously mentioned Metasploit framework is very thorough and reliable). How can they be extended to meet your needs? Once you know this, you can compare the capabilities of the languages.

I would also recommend taking a look at the tools available in the BackTrack distro.

+2

Any of them should do. If you do not need a library that is available in only one language, I would go on personal preference.

+1

If you are looking for a scripting language that works well with Java, you could check out Groovy. It has the flexibility and power of Perl (closures, built-in regular expressions, associative arrays everywhere), but you can access Java code from it, so you have access to a huge number of libraries and, in particular, to the rest of the system you are developing.

+1

Metasploit is a great base for penetration testing. It is mostly written in Ruby, so if you know that language well, maybe you can plug in there. However, to use Metasploit, you don't need to know any language at all.

+1

If you are interested in CEH, I would look at Gray Hat Python. It shows some things that are quite interesting and relevant.

In any case, any language should be fine.

+1

Well, what exploits do you have in mind? If you want to write something that requires low-level stuff (ptrace, raw sockets, etc.), then you will need to learn C. But you can use either Perl or Python. The real question is: which one suits your style better?

As for tools, Perl has good string processing capabilities, is closer to the system and has good support, but IMHO it is very confusing. I prefer Python: it is a clean, easy to use, easy to learn language with good support (full reference for the standard library, third-party libraries, etc.). And it (strictly IMHO) is cool.

0

I'm with tqbf. I have worked with Python and Ruby. I am currently working with JRuby. It has all the features of Ruby with access to Java libraries, so if you need something that would call for a low-level language, you can do it from a high-level language. So far I have not needed to use much Java, since Ruby has been able to do everything I needed as an API tester.

0
