Let's be honest; knowing how to code and writing your own exploits separates script kiddies (also known as skids or skiddys) from true professional hackers, penetration testers, and Red Teamers. By definition, Script kiddies can only copy and use code found online, usually without a deep understanding of what it actually does. Hacking is complex, and unless a security tester understands how various programming languages work, they will not be able to fully use their skillset. Bending existing scripts or creating new ones from scratch gives hackers an edge over cyber defenders/Blue Teamers when it comes to besting security measures. Knowing a few programming languages can certainly give one an advantage when conducting penetration tests and Red Team engagements. This article highlights the top 10 programming languages used in hacking engagements and cybersecurity assessments.
NOTICE: Hacking into networks, computers, and any other information technology (IT) system without permission is ILLEGAL in most, if not all, jurisdictions worldwide. I am not a lawyer in any jurisdiction; therefore, this is NOT legal advice. However, as an ethical hacker, I want to give you some sort of notice. PLEASE only break/hack into systems you have permission to access or those you are the owner of. I do not, and will NEVER, condone the act of illegally hacking into computer systems for any reason. I only condone ETHICAL and LEGAL hacking. Please behave responsibly.
The top 10 most-used programming languages by hackers in order are:
Python
C and C++
Structured Query Language (SQL)
JavaScript
PHP: Hypertext Preprocessor
Java
Ruby
Perl
Bash
Assembly
It's important to note that this list is NOT my opinion. This list was carefully generated by careful research done by myself, putting aside any bias I may have to the best of my ability. The explanation of how this list was put together is at the end of the article.
Python
Python is easily the top language of choice for hackers and penetration testers due to its ease of use, simple syntax, and powerful library capabilities. It is considered the most versatile programming language for hacking as it can be used for tasks such as creating scripts for manipulating databases, port scanners, network sniffers, malware analysis, botnets, and more. Its wealth of supporting libraries makes Python the go-to language for hackers wanting to create their own tools and exploits.
C and C++
C and C++ are popular languages for hackers due to their flexibility and power. Hacking requires a lot of code manipulation, so accessing low-level system libraries without hindrance makes them attractive choices. Hacking is all about exploiting software vulnerabilities, so the depth and flexibility of the language allow penetration testers to go further and deeper into their targets than other languages. With C and C++, you can use assembly instructions for more control over the system. This allows for more in-depth security testing that wouldn't be possible with higher-level languages like the other programming languages on this list, excluding Assembly. In short, due to widespread usage, powerful data manipulation capabilities, assembly instruction support, and flexibility to modify existing code, C and C++ are popular for hacking and penetration testing. I've seen C and C++ on many penetration tester job postings, so knowing these programming languages may be what you need to land your first job as a full-time penetration tester.
Structured Query Language (SQL)
SQL is an immensely popular language among hackers due to its capacity to manipulate data. Hacking requires high precision and accuracy when manipulating data, so it's easy to see why SQL has become the go-to language for hackers who want to access databases. Even though SQL is primarily used for legitimate purposes such as software development or web development, it also makes for an effective language for creating and using malicious code. SQL injection (SQLi) attacks are some of the most prominent attacks carried out by malicious threat actors and ethical hackers. SQL is regularly used in penetration testing to identify and exploit database vulnerabilities. For this reason, knowing SQL is undoubtedly advantageous to hackers.
JavaScript
Hacking using javascript can encompass a variety of techniques, from penetration testing to web application exploitation. Hacking tools written in javascript can target desktop and mobile applications. Knowing JavaScript will aid in identifying and performing cross-site scripting (XSS) attacks. An advantage of hacking with Javascript is that scripts are often lightweight and easily distributed, meaning attackers have more freedom in developing code tailored to various attack scenarios. Javascript's user base ranges from security testers and enthusiasts, offering accessible knowledge-sharing resources online, making it all the more popular amongst hackers.
PHP: Hypertext Preprocessor
PHP is a popular programming language for hackers as it is quick and easy to learn, with plenty of existing components that enable rapid development. Hacking often involves testing for system vulnerabilities, which can be done using widely-available PHP code snippets—speaking to its popularity among hackers. Likewise, the cross-platform nature of PHP and its ability to interface easily with web applications further enhance its appeal to penetration testers. Whether an experienced programmer or coding beginner, tools and techniques written in PHP make hacking a more accessible pursuit—and demonstrate why this language has become one of the go-to resources among hackers.
Java
Java is one of the most popular programming languages amongst hackers due to its versatility and cross-platform compatibility. Hacking involves a large range of tasks that require different skills, tools, and techniques. Java offers many options for hackers looking to perform various tasks, including web application penetration testing, port scanning, IP address spoofing, data exfiltration, password cracking, and more. The language is also platform-independent, with code able to run on any device running the Java Virtual Machine. Additionally, the vast availability of libraries allows developers greater efficiency when writing code since they do not need to reinvent the wheel for every task. All these features make Java an attractive choice for savvy hackers seeking access to sensitive data or systems.
Ruby
Ruby provides all the necessary features for writing exploits and penetration testing tools. Metasploit – the popular open-source framework for exploiting vulnerabilities – is written in Ruby, allowing security experts to extend it with their own custom code, giving them greater flexibility and control over their tasks. It is also quite simple to pick up compared to more complex languages like C and C++, making it easier and faster for hackers to get results. All these reasons make Ruby a powerful tool for anyone interested in getting into hacking and cybersecurity.
Perl
Perl is a favored programming language among hackers due to its wide range of capabilities, making it a great tool for penetration testing and other hacking activities. Perl allows users to process text, manipulate files and data, do network communications and even handle graphics. Additionally, Perl is highly extensible, with the ability to call other programs and libraries in different languages, making Perl an excellent choice when writing large-scale scripts. Overall, Perl's versatility makes it a well-suited option for hacking purposes that require broad functionality.
Bash
Bash is the go-to choice for many hackers due to its robust capability when it comes to hacking tools. Its shell scripting ability leads to simple scripts that provide quick results in penetration testing and allow hackers to gain access. Bash also provides "Living off the Land" abilities, allowing hackers to complete their objectives without downloading additional files and tools, as well as allowing automation of frequent tasks. Because Bash is based on Unix, it is compatible with most operating systems, making it incredibly versatile.
Assembly
Assembly is a particularly popular language for hackers because it allows more direct access to computer architecture than many alternatives. Less abstraction enables greater control and, in certain cases, faster speeds while performing penetration testing using your own custom-made tools. Hacking with Assembly allows the user to delve deeper into the inner workings of software and hardware without being confined by structured high-level programming languages. An experienced hacker can toy around with microprocessors and system instructions to increase efficiency and tighten the security of their projects or those of a client. Hacking endeavors concerning cracking programs or injecting code into existing software can also be enabled with Assembly, offering plenty of stimulating avenues for exploration and opportunities for enhancement.
Conclusion
Hacking is a large and complex field encompassing many activities, tools, and techniques. While many programming languages can be used for hacking purposes, I've outlined the top 10 most popular ones here. Each language has its own unique strengths and benefits that make it well-suited for certain tasks. So regardless of your level of expertise or interests, there's sure to be a programming language right for you when it comes to writing code that enables you to do your hacking objectives.
How was this list generated?
I was curious about which programming languages were the best/most popular for hackers and penetration testers. So I googled "Top programming languages for hackers." Immediately it was evident that every website had its own bias and opinions, and everyone presented their list in a different order from each other. It was hard to determine which ones were actually more popular than the others. I wanted to take a sample from multiple sources and generate a new list that "averaged" them together. I used 30 sources (in statistics, 30 is generally considered a good sample size in most situations).
The first 28 sources came from the first 28 links displayed to me on google. One source was the first YouTube video displayed, and the last source was the programming languages in the CompTIA PenTest+ PT0-002 objectives. From there, I tallied the number of occurrences each programming language showed, and I ranked each programming language based on how many times they were mentioned across the 30 sources. For example, Python was mentioned 29/30 times (which is why it's at the top of my list).
SQL and Javascript were tied in the number of occurrences and ranked in the same spot on average. To break the tie, I chose SQL because it was ranked higher on average from the sources on the first page of Google. On page three, Javascript was ranked higher on average, while page 2 was about even. These two are almost at the same popularity level.
Java, PHP, and Ruby were also tied in the number of occurrences. I used the same method to break the tie as SQL and Javascript. I looked at their average placement, and PHP was ranked higher than Java and Ruby 15 times, while Java ranked higher ten times and Ruby 4 times. I then used the same comparison between Java and Ruby. Java ranked higher than Ruby 19 times, while Ruby ranked higher eight times. Remember that all programming languages are not mentioned in every source. So that's why they don't add up to 30 if you're doing the math.
Overall, I think I used a good method to rank the programming languages based on popularity rather than their usefulness or features. The goal was to determine what programming languages I should learn that would make me more valuable in the industry. I hope my research is as useful to you as it was to me.