Why should I learn programming as an ethical hacker?
Let’s start with why you should learn programming as a hacker in the first place. Many people in the industry say it’s a bonus, but if you ask me, as someone who is still a work in progress, it’s necessary. If you can’t read code, you aren’t hacking; you’re using random tools and scripts written by others to do the job for you without really understanding what’s happening, a.k.a. being a script kiddie. To hack a target system or application, you need to comprehend how it works. Therefore, you need to learn a programming language.
Consider the following example:
You’re tasked with testing a webshop. Brute-forcing is forbidden. You test the system with some tools you’ve found on the internet and some of your own. A script you’ve found on the internet performs some tasks that give you a shell, but it also does something else that brings the website down for some time without you realizing it. Downtime results in lost sales and even lost clients, meaning plenty of money for the company, and you get in big trouble.
You need to fully comprehend any tool you’ll use; if you don’t, test the system manually, adapt someone’s code, or maybe even write a tool or script to suit your needs. Later on, you’ll need to tell the company the steps to reproduce the vulnerability you’ve found and provide a fix for it. The best hackers out there are also the ones with a programming background. Keep in mind, “Time is of great essence in hacking.” Programming can help you automate many tasks.
What Programming Language Do Hackers Use?
I want to start with a top 5 list without overwhelming myself and continue from there later on with some experience in the field.
One of the first and easiest-to-learn markup (appearance) languages in web development, and the starting point in web hacking. Login forms and other data entry methods on the web use HTML forms to collect data. Being able to write and interpret HTML makes it easier to identify and exploit weaknesses in the code.
With HTML, you can do the following:
- Create a look-alike webpage for phishing with some CSS
- Retrieve information from the source code on the webpage
- HTML injection
- Web development
- Game development
- Mobile apps
- Building web servers, etc.
As we know from above, PHP is still the dominant backend programming language for most websites and web apps. If you’re into web app hacking, popular Content Management Systems such as WordPress and Drupal run on a foundation of PHP. Older PHP websites often contain deprecated scripts/libraries; manipulating them can give you easy access to servers. PHP is used to process HTML forms, and therefore unvalidated input enables you to do HTML injection.
PHP sites can be hacked through server misconfiguration, vulnerable code, and zero-days:
- weak file permissions
- enabled directory indexing
- exposed ports of the backend services
- inadequate security of the hosting provider
- unsanitized user input: PHP SQLi, Stored, Reflected or DOM-based XSS
- Cross-Site Request Forgery (CSRF)
- Local or Remote File Inclusion (LFI/RFI)
- Buggy plugins/themes
- compromised PHP package/libraries
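The point above about form input and HTML injection, shown as an added example in Python (not code from this article, and not PHP). The template, the submitted value and all function names are constructed for illustration; the check counts which elements a parser builds from the rendered page, with and without output encoding.

```python
import html
from html.parser import HTMLParser

# Constructed form submission: the "name" field carries markup instead of a name.
SUBMITTED_NAME = '<h1>Shop closed</h1><a href="https://example.invalid/">details</a>'

# Constructed page template used by the hypothetical form handler.
TEMPLATE = "<p>Thanks for your order, {name}!</p>"


class TagCollector(HTMLParser):
    """Records every element start tag the parser sees in a page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def render_unsafe(name):
    # Mirrors a handler that echoes the form field straight into the page.
    return TEMPLATE.format(name=name)


def render_escaped(name):
    # Output encoding: <, >, & and quotes become entities, so input stays text.
    return TEMPLATE.format(name=html.escape(name, quote=True))


def elements_in(page):
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


def injected_elements(page):
    # Anything beyond the template's own elements came from user input.
    found = elements_in(page)
    for tag in elements_in(TEMPLATE.format(name="")):
        found.remove(tag)
    return found


if __name__ == "__main__":
    print("unescaped:", injected_elements(render_unsafe(SUBMITTED_NAME)))
    print("escaped:  ", injected_elements(render_escaped(SUBMITTED_NAME)))
```

The same comparison works as a regression test for any page that reflects form fields: the set of elements in the rendered output should not change with the submitted value.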
Databases are written in different programming languages, the most popular being SQL. Knowing SQL will also help you understand the structure of a database and how it works, making it easier to hack.
The most common SQL hack is SQL injection (SQLi). With SQL injection, the data in a database can be manipulated, retrieved (UNION attacks), deleted, or even added to.
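To make the UNION case concrete, here is an added example (not from the original article) that puts a string-built query beside a parameterized one, using Python's built-in sqlite3 module. The schema, sample rows, crafted input and function names are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data for a small webshop, held in memory only.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, category TEXT);
        CREATE TABLE users (id INTEGER, email TEXT, pw_hash TEXT);
        INSERT INTO products VALUES (1, 'Mug', 'kitchen'), (2, 'Lamp', 'home');
        INSERT INTO users VALUES (1, 'admin@shop.example', 'hash-placeholder');
    """)
    return db


def search_concat(db, category):
    # Vulnerable: the input becomes part of the SQL text itself,
    # so a quote in the input can end the string and add new SQL.
    sql = "SELECT name, category FROM products WHERE category = '" + category + "'"
    return db.execute(sql).fetchall()


def search_param(db, category):
    # Hardened: the statement is fixed and the value is bound separately,
    # so the input is only ever compared against the category column.
    sql = "SELECT name, category FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()


def rows_not_from_products(db, rows):
    # Simple check for a test suite: every returned row must be a real product.
    known = set(db.execute("SELECT name, category FROM products").fetchall())
    return [row for row in rows if row not in known]


# Constructed input of the UNION kind mentioned above.
CRAFTED = "x' UNION SELECT email, pw_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    for label, search in (("concatenated", search_concat), ("parameterized", search_param)):
        rows = search(db, CRAFTED)
        print(label, "->", rows, "| foreign rows:", rows_not_from_products(db, rows))
```

With ordinary input both functions return the same rows; only the crafted value separates them, which is why this class of bug survives casual testing.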
A great starting point will be PortSwigger Academy; it’s free, well-written, and teaches you the four most common database languages. They also provide you with a great cheat sheet that’s constantly updated.
5. Python / Bash / Ruby / Perl
Python is used by 1.4% of all the websites whose server-side programming language we know, as opposed to PHP with 79.1%.
However, Python is the second most in-demand programming language for job openings in cybersecurity, based on my research. The available ready-made modules for Python are excellent, as you can load the suitable modules for the target.
You can use Python in the following ways:
- Writing of hacking scripts, e.g., a port scanner
- Exploiting vulnerable code in the backend
- Developing exploits
- Creating malicious programs
- Automating tasks
Ruby, Bash & Perl can also help you automate tasks and/or edit available scripts. Getting a shell is a popular use case.
What are the first cybersecurity programming languages I should learn and the best approach?
I tried starting with Python, but it quickly got boring, as I wasn’t hacking. The approach of learning while trying to hack is much more interesting to me, although it can be frustrating at times. You get a better understanding of the language used in each specific scenario. Afterward, you can dive deeper into that particular language for more advanced hacking.
What’s the best platform for hacking?
After testing plenty of platforms, I found TryHackMe the easiest to start with and the most addictive. They do it the right way: each room teaches you a different topic through hands-on practice and gives you a sense of accomplishment (dopamine) with each completed step, which makes it addictive. I have writeups on some of the rooms if you want to check them out. I hope you got the answer to “What Programming Language Do Hackers Use?” If you find this article helpful, don’t forget to share it with the community around you.
Disclaimer: This article is solely for information purposes. Our aim is to spread awareness about cyber security and ethical hacking.