Best Programming Language

list;

I believe that every security specialist must be able to write his own
tools, it's a handy skill and you would need it sooner or later.

Can you share what is your programming language of choice, and why?

Cheers

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Ahmed,

On Fri, Oct 16, 2009 at 7:08 AM, Ahmed Sheipani <sheipani@...> wrote:
> list;
>
> I believe that every security specialist must be able to write his own
> tools, it's a handy skill and you would need it sooner or later.
>
> Can you share what is your programming language of choice, and why?

Python. Easy to learn, easy to write, others understand your code
easily, lots of pre-existent code to learn from.

On the other hand, asking which programming language is the best is
like asking which girl is the most beautiful to 10 different guys.
You`ll get a group that will say the blonde one, but others will say
LISP ;)

Cheers,



--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

mine is perl,
it's very easy and is scriptable and relatively fast.
though i don't think that there is a 'best' programming language. it
also depends on the type of tools you create.
eg if you were to create network packets, you are better off with C.
but if you want to analyse a file, perl is the best

On 10/16/09, Ahmed Sheipani <sheipani@...> wrote:
--
Sent from Gmail for mobile | mobile.google.com

Kalgecin
http://kalgecin.110mb.com
http://kalgecin.110mb.com/forums
http://kalgecin.blogspot.com

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

2009/10/16 Ahmed Sheipani <sheipani@...>:
> list;
>
> I believe that every security specialist must be able to write his own
> tools, it's a handy skill and you would need it sooner or later.
>
> Can you share what is your programming language of choice, and why?

I'd say it all depends on the job, the environment and the tools you
have at hand. I tend to do a lot of work on embedded systems that are
too large to take a python install so I do a lot in ruby and bash/ash.
For desktop apps again ruby and bits of python where there are better
libraries for certain things. I do my web scripting in php because it
is widely deployed and you can find it on a lot of web servers you get
access to.

I'll also throw in a quick plug for a new project I'm setting up with
Kevin Johnson, Chris Riley and a few others called Pentester
Scripting. We are planning to put together a wiki or a blog that
contains lots of scripts and snippets written in various languages to
help out pen testers. The site will be at
http://www.pentesterscripting.com and if you follow @PenTesterScript
on Twitter we will make announcements when things move forward.

Robin

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Java for many reasons:
 - security
 - libraries (many great frameworks)
 - power and support

This for development.

From an hacker point of view (building exploits and so on), maybe
Python would be better, but you can obtain almost the same results (if
you don't need to have low level access to the SO) in Java too.

:::Michele Orru':::
Network & Security Manager, IntegratingWeb.com
http://www.integratingweb.com

On Fri, Oct 16, 2009 at 11:08 AM, Ahmed Sheipani <sheipani@...> wrote:
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Hello, Ahmed!

It depends on purposes.
For general usage the best choice is Python or Ruby.
If you are old-school man then Perl is for you.

On Fri, 2009-10-16 at 11:08 +0200, Ahmed Sheipani wrote: Taras - OSCP, OSWP
----
"Software is like sex: it's better when it's free." - Linus Torvalds

i do most of my tools with Python and C

madunix

On Tue, Oct 20, 2009 at 12:16 PM, Robin Wood <dninja@...> wrote:
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Hi,

first I have to agree with all those who already stated that it depends on the job at hand, your personal preferences and the framework you have to work in.

> Can you share what is your programming language of choice, and
> why?

Bash - never leave your house without,  I am often astonished what features are there that I have ignored for such a long time and for which tasks you don't have to fire up some additional interpreter, plus there are some handy tools that can be used easiest from the command line.
Python - for currying (loved that in Haskell), classes for complex tasks, curiosity because some well-skilled friends          used it, and one needs at least one scripting language
C - grown up with it, manpages are plenty, it is THE classical not-too-low-level language for OSes and almost everyone uses its syntax/libs as a corner-stone for his language (at least to distinguish oneself from it, but why use a different word for "if" or "while" if most people intuitively grasp its meaning)
C++ - if it is a larger thing to do that needs classes
NASM - low-level-manipulations will never work without some Assembler

I don't shun Java, I simply never got the knack of it, but people are doing great work in it. Basically I am doing some kind of C-ish stuff when I am forced to do Java. I'd like to have somewhat more Ruby, because Metasploit is using it. I used Perl for a while and still like it now and then, and most RegExps are using Perl-ish syntax.

Regards,
        Lars

> I believe that every security specialist must be able to write his own
> tools, it's a handy skill and you would need it sooner or later.
>
> Can you share what is your programming language of choice, and why?

Whatever's easiest for the task and time that it's written. I may use
a number of languages to try initial exploits (including C, shell,
awk, python, perl or even nasl).

A lot of choices may also be restricted by available libraries (e.g.
doing some work with flash local shared objects, meant the python was
the only real choice unless I rolled my own). Or it may just be
related to whatever you're doing at the time (e.g. my printer FTP
script was written in perl -- even though I hate perl[*] -- just
because I'd been doing a lot of Nikto work).

dave

[*] perl is sort of a poor man's awk/shell bastard mix with libraries
added, the libraries are pretty much all that saves it being consigned
to the wastebin of history.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

david lodge wrote:
> [*] perl is sort of a poor man's awk/shell bastard mix with libraries
> added, the libraries are pretty much all that saves it being consigned
> to the wastebin of history.

Perl isn't a poor man's anything. It's got a massive feature set before
you start to look at the libraries. It's very quick to develop with,
very flexible and cross platform. It's a great language for security
work: it's network access functions are excellent, low level right
through to high level. It's got great HTTP, SQL and sysadmin facilities.
Loads of exploits are written with it and it's perfect for knocking up
quick, automated custom tests and attacks.

David, if you don't like Perl that's fine, but stating your rather
extreme opinions as facts to people asking for advice really isn't fair,
either on the language or the person asking for advice.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Right tools for the job:
Perl: is good for quick and dirty but can quickly get unwieldy.  If
you expect your project to grow more than 100 lines, I would recommend
going with a language that offers inherent object oriented
capabilities such as c++/python/ruby.  Most projects shouldn't need to
grow larger than that anyhow because CPAN is just awesome.

Python: easy to use, easy to pick up, massively scalable.  Whitespace
rules for code blocks are frustrating until you get your IDE set up
right.  A lot of modules but because it's really a thin layer above C,
a lot of these modules aren't portable or centrally distributed.  A
lot more ad-hoc.  Very good language if you expect more than one
developer from different backgrounds.  As opposed to perls (there's
more than one way to do it) philosophy, python enforces code clarity
by practicing a philosophy of there should be one right and proper way
to do things.  This is good because programmers from various
backgrounds can end up reading each others code (i.e. some domain
expert who just picked up python to work with the programmer who comes
from a systems background).  Interactive prompt, excellent for
learning.  Great first language.

Ruby: descended from perl but pure Object Oriented (OO).  Centralized
library repository similar to CPAN (gem).  Sweet language, slower than
python (sometimes dramatically), but very versatile.  Syntax is
beautiful though.

C: dangerous as fuck.  I know people that have been programming in C
since it was invented that still haven't mastered the language.  Very
flexible though, you have to manage all the memory yourself.  Very
fast.  Easy to create create a security mistake that can easily lead
to your entire system being compromised.  Very good for high speed
networking tools.  Compiled rather than interpreted, so the
development cycle has the extra steps of compiling/linking which is
slightly more time consuming.  You have to roll your own memory
management which is good because you have precise control over just
how much memory you consume, bad because it is easy to mess up.
People writing in C generally spend their time dealing with the
semantics of the language and compiler warnings rather than actually
focusing on the task at hand.

C++:  C with OO, better large project management with the speed of C.

SQL: used with almost all databases, definitely worth knowing.

Assembly:  as fast and tight as you're going to get but highly
hardware dependent.  Generally used for optimizing specific parts of
programs or for writing micro (or not so micro) injectable shellcode.

Javascript:  the language of the web, worth knowing for most browser
based projects.

C#:  Great for rapid development in Microsoft environments and on MONO.

There is no best, there is only a best within your context.
My 2 cents,
Z



On Wed, Oct 28, 2009 at 2:51 PM, Derek Fountain
<derekfountain@...> wrote:
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------