views:

423

answers:

3

Is python or ruby good for penetration testing?

I hear python is very good for pentesting. It has got good modules for that. But not a good framework like metasploit.

+1  A: 

Any language that has good, easy string handling capabilities is a good match for penetration testing. This is why you see scripting languages as the most used languages in this sort of tasks.

To answer your question, they're just as good.

Geo
u are right...but string handling just doesn't count. i saw a previous question asked on which language is best for pentesting, it depends on the tool we use.. ruby if metasploit or python id we use immunity canvas..
Sriram
String handling counts a lot! Not all exploits released today are focused on metasploit or immunity canvas. Some of them only rely on the capabilities of the language ( for example sockets ). Look at most exploits on milw0rm. How many of them use metasploit? Barely any. Almost all of them use socket code and try to overflow something.
Geo
sorry i thought of saying string handling alone just doesn't count...and had in mind what u posted.. the shellcode part is mostly string handling stuff only..and for remote exploits the socket libraries as u have mentioned..
Sriram
+2  A: 

As far as I'm concerned, Python and Ruby are much of a muchness. When you really get down to it they basically do the same things, it's all down to your preference. Metasploit was written in Ruby, and many fantastic pen tools were written in Python. Perl is also a good choice, and one I use often. It has many useful modules, not to mention CPAN (I recommend to check it out if you haven't already). It's good for socket scripts, manipulating data and renown for it's excellent regexp handling. The other things I like about Perl and Ruby is you can perform a Linux command and trap the output in a variable.

eg:

#!/usr/bin/perl -w

use strict;

my $user = `whoami`;
chomp($user); # usually there's a newline character at the end of the output.
print "You are " . $user . "\n";

I love this functionality. There is a way to do something similar in Python, but it's far more long winded.

Most programs on milw0rm are coded in C - but this is not really a scripting language, and not as easy to write a quick script on the fly, if needed to.

My conclusion is Ruby and Python are fine for pen testing, and generally do the same things - but Perl will always be my favorite :-)

Brad
A: 

well i think that c is more powerful than both languages, and is better for pen-testing.

scatman