What defines a programming language as useful for hacking?

Languages are useful for doing things. What type of things it's suitable for completely depends on the type of language, the frameworks available for it, what OSes have interpreters / compilers for it, etc.

Let's look at the ones you've mentioned:

  • Perl
    • Scripting language
    • General purpose
    • Available on most *nix OSes since the '90s.
    • Great for quick hacks and short scripts.
  • Ruby
    • Scripting language
    • General purpose
    • Cross-platform
    • Object-oriented
    • Reflective (can see its own structure and code)
    • Good for dynamic frameworks
  • Python
    • Scripting language
    • General purpose
    • Cross-platform
    • Designed for clear and readable source code
    • Huge framework of libraries
  • JavaScript
    • Scripting language
    • Web-based
    • Cross-platform (available on every major browser)

So what makes these particularly good for pentesting? Well, most pentesting involves writing up quick throw-away tools to do a specific job for a specific test. Writing such a tool in C or C++ every time you want to do a quick job is cumbersome and time-consuming. Furthermore, they tend to produce platform-specific binaries or source that requires platform-specific compilation, rather than cross-platform scripts that just run. Scripting languages give you the flexibility to produce such tools quickly and easily.

For example, Ruby and Python are popular for more complex tasks because they have comprehensive libraries, whereas Perl is popular for quick data processing hacks. JavaScript is commonly utilised as a simple browser-based language that everyone has access to. Other languages such as C tend to be used for more low-level tasks that interface with the OS.

Now, the other side of the coin is languages used as payloads. This is where the line gets blurred, because requirements are so varied. For attacking Windows boxes, any payload that has no dependencies outside of what the OS provides is useful. This might be C, C++, VBScript, x86 asm, C# / VB.NET (.NET 2.0 is on most machines these days), etc. For attacking Linux boxes you might use C, C++, bash scripts or Perl. Java is also common for cross-platform attacks.

At the end of the day, pick the language that you find best for the job!


Here is a great answer I found on a stack overflow question of similar context by @tqbf: (I copied this answer here, because I believe it gives valid reasons for which they may be prefered, so it might be useful to future readers)

You probably want Ruby, because it's the native language for Metasploit, which is the de facto standard open source penetration testing framework. Ruby's going to give you:

  • Metasploit's framework, opcode and shellcode databases

  • Metasploit's Ruby lorcon bindings for raw 802.11 work

  • Metasploit's KARMA bindings for 802.11 clientside redirection

  • Libcurl and net/http for web tool writing

  • EventMachine for web proxy and fuzzing work (or RFuzz, which extends the well-known Mongrel webserver)

  • Metasm for shellcode generation

  • Distorm for x86 disassembly

  • BinData for binary file format fuzzing.

Second place here goes to Python. There are more pentesting libraries available in Python than in Ruby (but not enough to offset Metasploit). Commercial tools tend to support Python as well --- if you're an Immunity CANVAS or CORE Impact customer, you want Python. Python gives you:

  • Twisted for network access

  • PaiMei for program tracing and programmable debugging

  • CANVAS and Impact support

  • Dornseif's firewire libraries for remote debugging

  • Ready integration with WinDbg for remote Windows kernel debugging (there's still no good answer in Ruby for kernel debugging, which is why I still occasionally use Python).

  • Peach Fuzzer and Sully for fuzzing

  • SpikeProxy for web penetration testing (also, OWASP Pantera).

Unsurprisingly, a lot of web work uses Java tools. The de facto standard web pentest tool is Burp Suite, which is a Java swing app. Both Ruby and Python have Java variants you can use to get access to tools like that. Also, both Ruby and Python offer:

  • Direct integration with libpcap for raw packet work

  • OpenSSL bindings for crypto

  • IDA Pro extensions

  • Mature (or at least reasonable) C foreign function interfaces for API access

  • WxWindows for UI work, and decent web stacks for web UIs

You're not going to go wrong with either language, though for mainstream pentest work, Metasploit probably edges out all the Python benefits, and at present, for x86 reversing work, Python's superior debugging interfaces edge out all the Ruby benefits.

Also: it's 2008. They're not "scripting languages". They're programming languages. ;)


Libraries, Time to write Code, cross-platform compatibility are key here. I found that using Python I was able to come up with Proof-of-concept exploits in a very short amount of time with minimum lines of code. This is possible because of the extensive standard library and additional libraries that you can download as well. I believe that is python's greatest strength to be used for pentesting and hacking.

Ex. you need a string of 1000 characters / 1000 bytes long.

In python: 

print "A"*1000

In C : 

for(i=0;i<1000;i++)printf("A");`

(Apart from all the includes mumbo jumbo and compiling it)

That is just a simple example. But as you can see the time taken for such a trivial task is far simpler in python.

The difference can be even more enhanced when you want to send http requests etc from your code. With urllib, httplib, etc for python, you can do it in a matter of 2 lines of code.

Tags:

Programming

Penetration Test

Recent Posts