Frequently Asked Questions

Ronin is not exactly a framework. Ronin consists of a Ruby Hacking Environment and a Platform for Publishing Code/Exploits/Payloads/etc.

Besides, the term "framework" is soooo 2000s.

GPL-2

Ronin has extensive YARD documentation of it's API. Various Tutorials and HOWTOs are always in the works.

Other projects have been criticized for having poor programming conventions or a lack of documentation. To avoid this, Ronin enforces a set of coding style guidelines to ensure that all source-code is clean and readable.

Yes, Ronin comes with extensive RSpec specification tests.

Why yes. Ronin's design allows for the libraries of Ronin to add various sub-commands to the main ronin command. To view all available commands simply run the following command:

$ ronin help

To view help information on a specific command:

$ ronin help command_here

Not currently. The developers of Ronin are considering creating a GUI using JRuby + Swing or possibly Shoes. A Web-interface is also being considered, possibly using Merb or Sinatra.

Why yes it is! As of Ronin 0.2.3 and above, all spec tests pass on Ruby 1.9.1-p0.

Ofcourse there still might be bugs which the spec tests did not uncover. We encourage users to test their favorite Ruby projects against Ruby 1.9 and submit bug-reports/patches accordingly.

The Platform simply manages Overlays and their contents, allowing users to install, update and remove Overlays.

Overlays are directories which can contain Objects (such as Exploits or Payloads) or Extensions (small groupings of code) that can be used within Ronin. An Overlay also contains a small XML file named ronin.xml that describes the Overlay, it's authors and it's licensing.

An Overlay can be hosed on any Subversion (SVN), Mercurial (Hg), Git or Rsync server.

Simply pass the URL of the Overlay to the ronin install sub-command.

$ ronin install svn://www.example.com/overlay

If you have previously checked out an Overlay, then simply pass the path of the local Overlay to the ronin add sub-command.

$ ronin add path/to/local/overlay

You can generate a skeleton Overlay by simply running the following command provided by the Ronin Gen library:

$ ronin-gen overlay path/to/overlay/name

Or if you wish to specify additional Overlay metadata:

$ ronin-gen overlay -n Overlay-Name -L GPL-2 \
-m "Author <email>" \
-S http://svn.mysite.com/overlay \
-U http://myblog.com \
-D "This is my Overlay, enjoy." \
path/to/overlay

Yeah, so? There are plenty of similar projects which are freely available on-line, that can be used to scan and exploit vulnerabilities.

Technically, we're helping everyone, since Ronin is freely available to download. What people choose to do with Ronin is their own ethical responsibility. If you are scared of Hackers or TERRORISTS, we suggest you help raise awareness of bad programming habits which helped create all those vulnerabilities in the first place. Perhaps you could stand outside Computer Science departments holding up signs such as:

"Parametrize your SQL data"

Or the classic:

"Don't use strcpy!"

Ronin was never intended to ship with any built-in exploits or payloads. Ronin's design allows user to checkout various Overlays of exploits, payloads and extensions. This design choice allows users to selectively choose which Overlay they want to use, update them when they like and even create their own.

In some ways Ronin is similiar to Metasploit. They both use Object Relational Mappers (ORMs) to manage their Databases. They both are focused on exploiting vulnerabilities within code. They both have a console-like interface. That's where the similarities end.

Ronin uses DataMapper to manage it's Database, while Metasploit uses the less flexible ActiveRecord. Ronin also provides a succinct syntax for defining exploits or payloads in Ruby. Ronin also provides an Overlay system that allows one to distribute their code, exploits, payloads and other data to other Ronin users over any SubVersion (SVN), Mercurial (Hg), Git or Rsync repository. Ronin also provides plenty of convenience methods, which makes working with data a little nicer.

I wanted to explore different software design concepts and architectural choices, other than the ones followed by Metasploit. I also didn't prefer the coding style used within Metasploit's code-base.

By starting from scratch with Ronin, I was able to freely make radical decisions, such as hosting the code on GitHub, choosing to use DataMapper to manage and update the Database or package Ronin as separate RubyGems hosted on RubyForge and GemCutter.

Technically speaking, yes you could load Ronin's convenience methods and use them within Metasploit exploits. But Metasploit would still be unable to make use of Ronin's Database, use any of Ronin's objects, or access the Ronin Overlay cache. You would have to manually load and access these things from within Metasploit.

No, we're not that kind of project. Besides, you shouldn't need a certificate to feel good about yourself.

Even though Ronin is licensed under the GPL-2, there's nothing stopping you from using it at work.

Although, we warn users of Ronin who are under various contracts, that the work you do with Ronin technically may not be yours, but owned by your employeer.

Probably not. Since Ronin is licensed under the GPL-2 license, any linking to Ronin's code-base (either statically or dynamically at run-time) creates a derived work which is considered to be covered by the GPL-2 license.

Go struggle somewhere else. No one is selling Ronin, we don't want to see it become another Nessus.