哪种脚本语言更适合笔测? [英] Which of these scripting languages is more appropriate for pen-testing?
问题描述
首先,我想避免语言激战.选择的语言是Perl,Python和Ruby.我想提一提,我对所有这些方法都很满意,但问题是我不能只专注于其中一个.
First of all, I want to avoid a flame-war on languages. The languages to choose from are Perl, Python and Ruby . I want to mention that I'm comfortable with all of them, but the problem is that I can't focus just on one.
例如,如果我看到一个不错的Perl模块,则必须尝试一下.如果我看到一个不错的Python应用程序,那么我必须知道它是如何制作的.如果我看到Ruby DSL或某些Ruby伏都教,我迷上了Ruby一段时间.
If, for example, I see a cool Perl module, I have to try it out. If I see a nice Python app, I have to know how it's made. If I see a Ruby DSL or some Ruby voodoo, I'm hooked on Ruby for a while.
现在我正在以Java开发人员的身份工作,但计划在不久的将来采用CEH.我的问题是:对于工具编写和漏洞利用开发,您认为哪种语言最合适?
Right now I'm working as a Java developer, but plan on taking CEH in the near future. My question is: for tool writing and exploit development, which language do you find to be the most appropriate?
再次,我不想引起大战或任何麻烦,我只想让脚本编写者诚实的意见,知道他们在做什么.
Again, I don't want to cause a flame-war or any trouble, I just want honest opinions from scripters that know what they're doing.
另一件事:也许你们中的一些人会问为什么要选择一种语言?".要回答这个问题:我想只选择一种语言,以便尝试掌握它.
One more thing: maybe some of you will ask "Why settle on one language?". To answer this: I would like to choose only one language, in order to try to master it.
推荐答案
您可能想要Ruby,因为它是Metasploit的本地语言,它是事实上的标准开源渗透测试框架. Ruby将给您:
You probably want Ruby, because it's the native language for Metasploit, which is the de facto standard open source penetration testing framework. Ruby's going to give you:
- Metasploit的框架,操作码和Shellcode数据库
- Metasploit的 Ruby lorcon 绑定,用于原始802.11工作.
- 用于802.11客户端重定向的Metasploit的KARMA绑定.
- Libcurl 和net/http用于编写Web工具.
- EventMachine 用于Web代理和模糊测试(或RFuzz,它扩展了著名的Mongrel Web服务器) .
- Metasm 用于生成Shellcode.
- Distorm 用于x86拆卸.
- BinData 用于二进制文件格式的模糊测试./li>
- Metasploit's framework, opcode and shellcode databases
- Metasploit's Ruby lorcon bindings for raw 802.11 work.
- Metasploit's KARMA bindings for 802.11 clientside redirection.
- Libcurl and net/http for web tool writing.
- EventMachine for web proxy and fuzzing work (or RFuzz, which extends the well-known Mongrel webserver).
- Metasm for shellcode generation.
- Distorm for x86 disassembly.
- BinData for binary file format fuzzing.
第二个地方是Python.与Ruby中相比,Python中可以使用的渗透测试库更多(但不足以抵消Metasploit).商业工具也倾向于支持Python-如果您是Immunity CANVAS或CORE Impact客户,则需要Python. Python给您:
Second place here goes to Python. There are more pentesting libraries available in Python than in Ruby (but not enough to offset Metasploit). Commercial tools tend to support Python as well --- if you're an Immunity CANVAS or CORE Impact customer, you want Python. Python gives you:
- 扭曲用于网络访问.
- PaiMei 用于程序跟踪和可编程调试.
- CANVAS和Impact支持.
- Dornseif的远程火线库调试.
- 已与WinDbg集成用于远程Windows内核调试(在Ruby中,内核调试仍然没有很好的答案,这就是为什么我仍然偶尔使用Python的原因.
- 桃子Fuzzer 和Sully用于起毛.
- 用于网络渗透测试的SpikeProxy(另请参见 OWASP Pantera ). li>
- Twisted for network access.
- PaiMei for program tracing and programmable debugging.
- CANVAS and Impact support.
- Dornseif's firewire libraries for remote debugging.
- Ready integration with WinDbg for remote Windows kernel debugging (there's still no good answer in Ruby for kernel debugging, which is why I still occasionally use Python).
- Peach Fuzzer and Sully for fuzzing.
- SpikeProxy for web penetration testing (also, OWASP Pantera).
不出所料,许多网络工作都使用Java工具.实际上的标准Web渗透测试工具是Burp Suite,它是Java swing应用程序. Ruby和Python都有Java变体,您可以使用它们来访问类似的工具.另外,Ruby和Python都提供:
Unsurprisingly, a lot of web work uses Java tools. The de facto standard web pentest tool is Burp Suite, which is a Java swing app. Both Ruby and Python have Java variants you can use to get access to tools like that. Also, both Ruby and Python offer:
- 与libpcap直接集成以进行原始数据包工作.
- 用于加密的OpenSSL绑定.
- IDA Pro扩展程序.
- 用于访问API的成熟(或至少合理的)C外部函数接口.
- 用于UI工作的WxWindows,以及用于Web UI的体面的Web堆栈.
这两种语言都不会出错,尽管对于主流的渗透测试而言,Metasploit可能会超越所有Python优势,而目前,对于x86逆向工作而言,Python的高级调试接口会超越所有Ruby优势.
You're not going to go wrong with either language, though for mainstream pentest work, Metasploit probably edges out all the Python benefits, and at present, for x86 reversing work, Python's superior debugging interfaces edge out all the Ruby benefits.
也:是2008年.它们不是脚本语言".他们是编程语言. ;)
Also: it's 2008. They're not "scripting languages". They're programming languages. ;)
这篇关于哪种脚本语言更适合笔测?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
