I'm with tqbf. I've worked with Python and Ruby. Currently I'm working with JRuby. It has all the power of Ruby with access to the Java libraries so if there is something you absolutely need a low-level language to solve you can do so with a high-level language. So far I haven't needed to really use much Java as Ruby has had the ability to do everything I've needed as an API tester.
Well, what kind of exploits are you thinking about? If you want to write something that needs low level stuff (ptrace, raw sockets, etc.) then you'll need to learn C. But both Perl and Python can be used. The real question is which one suits your style more?
As for toolmaking, Perl has good string-processing abilities, is closer to the system, has good support, but IMHO it's very confusing. I prefer Python: it's a clean, easy to use, easy to learn language with good support (complete language/lib reference, 3rd party libs, etc.). And it's (strictly IMHO) cool.
If you're looking for a scripting language that will play well with Java, you might want to look at Groovy. It has the flexibility and power of Perl (closures, built-in regexes, associative arrays on every corner) but you can access Java code from it, thus you have access to a huge number of libraries, and in particular the rest of the system you're developing.
Speaking as a CEH, learn the CEH material first. This will expose you to a variety of tools and platforms used to mount various kinds of attacks. Once you understand your target well, look into the capabilities of the tools and platforms already available (the previously mentioned metasploit framework is very thorough and robust). How can they be extended to meet your needs? Once you know that, you can compare the capabilities of the languages.
I would also recommend taking a look at the tools available on the BackTrack distro.
Metasploit is a great framework for penetration testing. It's mainly written in Ruby, so if you know that language well, maybe you can hook in there. However, to use Metasploit, you don't need to know any language at all.
If you plan on using Metasploit for pen-testing and exploit development I would recommend Ruby; as mentioned previously, Metasploit is written in Ruby, and any exploit/module development you may wish to do will require Ruby.
If you will be using Immunity CANVAS for pen testing then for the same reasons I would recommend Python, as CANVAS is written in Python. Also a lot of fuzzing frameworks like Peach and Sulley are written in Python.
I would not recommend Perl as you will find very few tools/scripts/frameworks related to pen testing/fuzzing/exploits/... in Perl.
As your question is "tool writing and exploit development" I would recommend Ruby if you choose Metasploit or Python if you choose CANVAS.
Hope that helps :)
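The Ruby tool-writing this answer has in mind can be illustrated with a cyclic-pattern helper, the technique behind Metasploit's pattern_create and pattern_offset tools: you send a non-repeating buffer at the target, read the faulting register in the debugger, and map that value back to the offset in your input that overwrote it. The block below is an added example written for this page, a stand-alone reimplementation of the technique rather than Metasploit's own source; the register value 0x41346141 used in the usage section is a constructed input, not a real crash.

```ruby
# Added example: a cyclic-pattern helper of the kind Metasploit ships as
# pattern_create / pattern_offset. This is a stand-alone reimplementation of
# the technique, not Metasploit's own code.

UPPER  = ('A'..'Z').to_a
LOWER  = ('a'..'z').to_a
DIGITS = ('0'..'9').to_a

# Build a pattern of exactly `length` bytes from (upper, lower, digit)
# triples: "Aa0Aa1Aa2...". Each aligned triple is unique within the first
# 26*26*10*3 = 20280 bytes, so a 4-byte register value captured from a
# crash maps back to a single offset.
def pattern_create(length)
  raise ArgumentError, 'length must be positive' unless length.positive?

  out = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGITS.each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  raise ArgumentError, "pattern exhausted at #{out.length} bytes, cannot make #{length}"
end

# Decode a register value as printed by a debugger ("0x41346141") into the
# bytes as they sit in memory. Only values with a 0x prefix are treated as
# hex; they are reversed because x86/x86-64 are little-endian, so EIP/RIP
# holds the pattern bytes in reverse order.
def hex_to_le_bytes(value)
  hex = value.to_s[/\A0x(\h+)\z/i, 1]
  return nil if hex.nil?

  hex = '0' + hex if hex.length.odd?
  [hex].pack('H*').reverse
end

# Return the offset at which `value` (a 0x-prefixed hex register value, or a
# literal chunk such as "Aa4A") first occurs in the pattern, or nil if it
# does not occur (the crash value was not taken from our buffer).
def pattern_offset(value, length = 8192)
  needle = hex_to_le_bytes(value) || value.to_s
  pattern_create(length).index(needle)
end

if __FILE__ == $PROGRAM_NAME
  # Typical workflow: send pattern_create(N) as the overflowing input, read
  # the faulting register in the debugger, then resolve it to an offset.
  puts pattern_create(200)
  puts "offset of 0x41346141: #{pattern_offset('0x41346141', 200)}"
end
```

A nil from pattern_offset is informative in itself: it means the register was not overwritten by your buffer (wrong length, a transformation such as a character filter, or a different crash path), which is the point at which to go back to the debugger rather than guess an offset.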
That depends on the implementation: if it will be distributed I would go with Java, seeing as you know that, because of its portability. If it is just for internal use, or will be used in semi-controlled environments, then go with whatever you are the most comfortable maintaining, and whichever has the best long-term outlook.
Now to just answer the question, I would go with Perl, but I'm a linux guy so I may be a bit biased in this.
I could make an argument for all three :-)
Perl has all of CPAN - giving you a huge advantage in pulling together functionality quickly. It also has a nice flexible testing infrastructure that means you can plug lots of different automated testing styles (including tests in other languages) in the same framework.
Ruby is a lovely language to learn - and lacks some of the cruft in Perl 5. If you're doing web based testing it also has the watir library - which is trez useful (see http://wtr.rubyforge.org/)
Python - nice language and (while it's not to my personal preference) some folk find the way it's structured easier to get to grips with.
Any of them (and many others) would be a great language to learn.
Instead of looking at the language - I'd look at your working environment. It's always easier to learn stuff if you have other folk around who are doing similar stuff. If your current dev/testing folk are already focussed on one of the above - I'd go for that. If not, pick the one that would be most applicable/useful to your current working environment. Chat to the rest of your team and see what they think.
[Disclaimer: I am primarily a Perl programmer, which may be colouring my judgement. However, I am not a particularly tribal one, and I think on this particular question my argument is reasonably objective.]
Perl was designed to blend seamlessly into the Unix landscape, and that is why it feels so alien to people with a mainly-OO background (particularly the Java school of OOP). For that reason, though, it's incredibly widely installed on machines with any kind of Unixoid OS, and many vendor system utilities are written in it. Also for the same reason, servers that have neither Python nor Ruby installed are still likely to have Perl on them, again making it important to have some familiarity with it. So if your CEH activity includes extensive activity on Unix, you will have to have some amount of familiarity with Perl anyway, and you might as well focus on it.
That said, it is largely a matter of preference. There is not much to differentiate the languages; their expressive power is virtually identical. Some things are a little easier in one of the languages, some a little easier in another.
In terms of libraries I do not know how Ruby and Python compare against each other – I do know that Perl has them beat by a margin. Then again, sometimes (particularly when you’re looking for libraries for common needs) the only effect of that is that you get deluged with choices. And if you are only looking to do things in some particular area which is well covered by libraries for Python or Ruby, the mass of other stuff on CPAN isn’t necessarily an advantage. In niche areas, however, it matters, and you never know what unforeseen need you will eventually have (err, by definition).
For one-liner use on the command line, Python is kind of a non-starter.
In terms of interactive interpreter environment, Perl… uhm… well, you can use the debugger, which is not that great, or you can install one from CPAN, but Perl doesn’t ship a good one itself.
So I think Perl does have a very slight edge for your needs in particular, but only just. If you pick Ruby you’ll probably not be much worse off at all. Python might inconvenience you a little more noticeably, but it too is hardly a bad choice.
You probably want Ruby, because it's the native language for Metasploit, which is the de facto standard open source penetration testing framework. Ruby's going to give you:
Metasploit's framework, opcode and shellcode databases
Metasploit's Ruby lorcon bindings for raw 802.11 work.
Metasploit's KARMA bindings for 802.11 clientside redirection.
Second place here goes to Python. There are more pentesting libraries available in Python than in Ruby (but not enough to offset Metasploit). Commercial tools tend to support Python as well --- if you're an Immunity CANVAS or CORE Impact customer, you want Python. Python gives you:
PaiMei for program tracing and programmable debugging.
CANVAS and Impact support.
Dornseif's firewire libraries for remote debugging.
Ready integration with WinDbg for remote Windows kernel debugging (there's still no good answer in Ruby for kernel debugging, which is why I still occasionally use Python).
SpikeProxy for web penetration testing (also, OWASP Pantera).
Unsurprisingly, a lot of web work uses Java tools. The de facto standard web pentest tool is Burp Suite, which is a Java swing app. Both Ruby and Python have Java variants you can use to get access to tools like that. Also, both Ruby and Python offer:
Direct integration with libpcap for raw packet work.
OpenSSL bindings for crypto.
IDA Pro extensions.
Mature (or at least reasonable) C foreign function interfaces for API access.
WxWindows for UI work, and decent web stacks for web UIs.
You're not going to go wrong with either language, though for mainstream pentest work, Metasploit probably edges out all the Python benefits, and at present, for x86 reversing work, Python's superior debugging interfaces edge out all the Ruby benefits.
Also: it's 2008. They're not "scripting languages". They're programming languages. ;)
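As an added example of the "raw packet work" this answer lists for both languages (written for this page; it is not tqbf's code nor Metasploit's), the Ruby below parses the pcap file format that libpcap writes, without using the libpcap bindings themselves, and decodes the Ethernet, IPv4 and TCP headers with String#unpack. The two-packet capture it reads is constructed inline for the example; the MAC addresses, IPs, ports, sequence numbers and timestamps are made up.

```ruby
# Added example: decoding raw packets in Ruby. Parses the pcap file format
# (global header, per-record headers, then Ethernet / IPv4 / TCP headers)
# with String#unpack; no pcap bindings needed. The capture is constructed
# inline for the example and is not a real trace.

PCAP_MAGIC_LE = 0xa1b2c3d4
PCAP_MAGIC_BE = 0xd4c3b2a1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_NAMES = { 0x01 => 'FIN', 0x02 => 'SYN', 0x04 => 'RST',
                   0x08 => 'PSH', 0x10 => 'ACK', 0x20 => 'URG' }.freeze

# Parse a whole pcap byte string and return one Hash per packet.
def parse_pcap(data)
  magic = data[0, 4].unpack1('V')
  endian = case magic
           when PCAP_MAGIC_LE then 'V' # written by a little-endian host
           when PCAP_MAGIC_BE then 'N' # written by a big-endian host
           else raise ArgumentError, format('bad pcap magic 0x%08x', magic)
           end
  linktype = data[20, 4].unpack1(endian)
  raise ArgumentError, "unsupported link type #{linktype}" unless linktype == LINKTYPE_ETHERNET

  packets = []
  pos = 24
  while pos + 16 <= data.bytesize
    ts_sec, _ts_usec, incl_len, _orig_len = data[pos, 16].unpack(endian * 4)
    pos += 16
    # A record claiming more bytes than remain is a truncated or hostile file;
    # captures brought back from an engagement are untrusted input.
    raise ArgumentError, "truncated record at offset #{pos}" if pos + incl_len > data.bytesize

    packets << { ts_sec: ts_sec }.merge(decode_ethernet(data[pos, incl_len]))
    pos += incl_len
  end
  packets
end

def decode_ethernet(frame)
  return { proto: :unknown } if frame.bytesize < 14
  ethertype = frame[12, 2].unpack1('n')
  return { proto: :non_ip, ethertype: ethertype } unless ethertype == ETHERTYPE_IPV4
  decode_ipv4(frame[14..-1])
end

def decode_ipv4(pkt)
  vihl, _tos, total_len, _id, _frag, ttl, proto = pkt[0, 10].unpack('CCnnnCC')
  raise ArgumentError, 'not an IPv4 header' unless (vihl >> 4) == 4
  ihl = (vihl & 0x0f) * 4 # header length in bytes (options included)
  info = { proto: proto, ttl: ttl,
           src: pkt[12, 4].unpack('C4').join('.'),
           dst: pkt[16, 4].unpack('C4').join('.') }
  return info unless proto == IPPROTO_TCP
  info.merge(decode_tcp(pkt[ihl, total_len - ihl]))
end

def decode_tcp(seg)
  sport, dport, seq, _ack, off_flags = seg[0, 14].unpack('nnNNn')
  flags = off_flags & 0x1ff # data offset is the top 4 bits, flags the low 9
  { sport: sport, dport: dport, seq: seq,
    flags: TCP_FLAG_NAMES.select { |bit, _| (flags & bit) != 0 }.values }
end

# Build a two-packet capture (SYN and SYN/ACK between 10.0.0.1 and 10.0.0.2)
# in the layout a little-endian libpcap would write. Constructed sample data.
def build_sample_pcap
  frames = [
    ethernet_frame('10.0.0.1', '10.0.0.2', 40_000, 80, 1000, 0x02),
    ethernet_frame('10.0.0.2', '10.0.0.1', 80, 40_000, 5000, 0x12)
  ]
  header = [PCAP_MAGIC_LE, 2, 4, 0, 0, 65_535, LINKTYPE_ETHERNET].pack('VvvVVVV')
  records = frames.each_with_index.map do |f, i|
    [1_700_000_000 + i, 0, f.bytesize, f.bytesize].pack('VVVV') + f
  end
  header + records.join
end

def ethernet_frame(src, dst, sport, dport, seq, flags)
  tcp = [sport, dport, seq, 0, 0x50, flags, 65_535, 0, 0].pack('nnNNCCnnn')
  ip = [0x45, 0, 20 + tcp.bytesize, 0x1234, 0x4000, 64, IPPROTO_TCP, 0].pack('CCnnnCCn') +
       src.split('.').map(&:to_i).pack('C4') + dst.split('.').map(&:to_i).pack('C4')
  eth = ([0xaa] * 6 + [0xbb] * 6).pack('C*') + [ETHERTYPE_IPV4].pack('n')
  eth + ip + tcp
end

if __FILE__ == $PROGRAM_NAME
  parse_pcap(build_sample_pcap).each do |p|
    puts "#{p[:src]}:#{p[:sport]} -> #{p[:dst]}:#{p[:dport]} [#{p[:flags].join(',')}]"
  end
end
```

The checksums in the constructed frames are left at zero, so this decoder is for reading captures, not for crafting packets to send; the same unpack/pack pairs are the starting point for the latter once checksums are filled in.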
If you are interested in CEH, I'd take a look at Grey Hat Python. It shows some stuff that is pretty interesting and related.
That being said, any language should be fine.
All of them should be sufficient for that. Unless you need some library that is only available in one language, I'd let personal preference guide me.