Which of these scripting languages is more appropriate for pen-testing? [closed]

First of all, I want to avoid a flame-war on languages. The languages to choose from are Perl, Python and Ruby. I want to mention that I'm comfortable with all of them, but the problem is that I can't focus just on one.

If, for example, I see a cool Perl module, I have to try it out. If I see a nice Python app, I have to know how it's made. If I see a Ruby DSL or some Ruby voodoo, I'm hooked on Ruby for a while.

Right now I'm working as a Java developer, but plan on taking CEH in the near future. My question is: for tool writing and exploit development, which language do you find to be the most appropriate?

Again, I don't want to cause a flame-war or any trouble, I just want honest opinions from scripters that know what they're doing.

One more thing: maybe some of you will ask "Why settle on one language?". To answer this: I would like to choose only one language, in order to try to master it.

Vhaerun asked Sep 16 '08 20:09



1 Answer

You probably want Ruby, because it's the native language for Metasploit, which is the de facto standard open source penetration testing framework. Ruby's going to give you:

  • Metasploit's framework, opcode and shellcode databases.
  • Metasploit's Ruby lorcon bindings for raw 802.11 work.
  • Metasploit's KARMA bindings for 802.11 client-side redirection.
  • Libcurl and net/http for web tool writing.
  • EventMachine for web proxy and fuzzing work (or RFuzz, which extends the well-known Mongrel webserver).
  • Metasm for shellcode generation.
  • Distorm for x86 disassembly.
  • BinData for binary file format fuzzing.

Second place here goes to Python. There are more pentesting libraries available in Python than in Ruby (but not enough to offset Metasploit). Commercial tools tend to support Python as well --- if you're an Immunity CANVAS or CORE Impact customer, you want Python. Python gives you:

  • Twisted for network access.
  • PaiMei for program tracing and programmable debugging.
  • CANVAS and Impact support.
  • Dornseif's firewire libraries for remote debugging.
  • Ready integration with WinDbg for remote Windows kernel debugging (there's still no good answer in Ruby for kernel debugging, which is why I still occasionally use Python).
  • Peach Fuzzer and Sulley for fuzzing.
  • SpikeProxy for web penetration testing (also, OWASP Pantera).

Unsurprisingly, a lot of web work uses Java tools. The de facto standard web pentest tool is Burp Suite, which is a Java Swing app. Both Ruby and Python have Java variants you can use to get access to tools like that. Also, both Ruby and Python offer:

  • Direct integration with libpcap for raw packet work.
  • OpenSSL bindings for crypto.
  • IDA Pro extensions.
  • Mature (or at least reasonable) C foreign function interfaces for API access.
  • WxWindows for UI work, and decent web stacks for web UIs.

You're not going to go wrong with either language, though for mainstream pentest work, Metasploit probably edges out all the Python benefits, and at present, for x86 reversing work, Python's superior debugging interfaces edge out all the Ruby benefits.

Also: it's 2008. They're not "scripting languages". They're programming languages. ;)

tqbf answered Oct 11 '22 14:10