4

I hear Python is very good for pentesting. It has got good modules for that. But it's not a good framework, like Metasploit.

Teun Zengerink
  • 4,277
  • 5
  • 30
  • 32
Sriram
  • 1,180
  • 2
  • 15
  • 27

4 Answers4

5

As far as I'm concerned, Python and Ruby are much of a muchness. When you really get down to it they basically do the same things, it's all down to your preference. Metasploit was written in Ruby, and many fantastic pen tools were written in Python. Perl is also a good choice, and one I use often. It has many useful modules, not to mention CPAN (I recommend to check it out if you haven't already). It's good for socket scripts, manipulating data and renown for it's excellent regexp handling. The other things I like about Perl and Ruby is you can perform a Linux command and trap the output in a variable.

eg:

#!/usr/bin/perl -w

use strict;

my $user = `whoami`;
chomp($user); # usually there's a newline character at the end of the output.
print "You are " . $user . "\n";

I love this functionality. There is a way to do something similar in Python, but it's far more long winded.

Most programs on milw0rm are coded in C - but this is not really a scripting language, and not as easy to write a quick script on the fly, if needed to.

My conclusion is Ruby and Python are fine for pen testing, and generally do the same things - but Perl will always be my favorite :-)

Brad
  • 51
  • 1
  • 2
4

Any language that has good, easy string handling capabilities is a good match for penetration testing. This is why you see scripting languages as the most used languages in this sort of tasks.

To answer your question, they're just as good.

Geo
  • 93,257
  • 117
  • 344
  • 520
  • u are right...but string handling just doesn't count. i saw a previous question asked on which language is best for pentesting, it depends on the tool we use.. ruby if metasploit or python id we use immunity canvas.. – Sriram Nov 04 '09 at 19:16
  • String handling counts a lot! Not all exploits released today are focused on metasploit or immunity canvas. Some of them only rely on the capabilities of the language ( for example sockets ). Look at most exploits on milw0rm. How many of them use metasploit? Barely any. Almost all of them use socket code and try to overflow something. – Geo Nov 04 '09 at 19:29
  • sorry i thought of saying string handling alone just doesn't count...and had in mind what u posted.. the shellcode part is mostly string handling stuff only..and for remote exploits the socket libraries as u have mentioned.. – Sriram Nov 04 '09 at 19:43
1

But C isn't a scriptng language there is many arguments that proof that python/ruby are better for pen testing . For example with C you can't automate so fast as with python/ruby , python/ruby is high-level language and writing programs on them are a lot easier than C . But if you want to deal with pen-testing you should learn Python or any other scripting language and C/C++ or other languages like PHP depent what are you testing but you should know a least one scripting language they make things a lot easier some times .

Artari
  • 19
  • 1
1

well i think that c is more powerful than both languages, and is better for pen-testing.

scatman
  • 14,109
  • 22
  • 70
  • 93