Metasploit: The Penetration Tester’s Guide – #bookreview

Metasploit: The Penetration Tester’s Guide
By David Kennedy, Jim O’Gorman, Devon Kearns and Mati Aharoni
(No Starch Press, $49.95, paperback; $27.99, Kindle)

Penetration testing is the process of testing enterprise networks to discover their weaknesses, so they can be made more secure, according to HD Moore, founder of The Metasploit Project.

As a penetration tester, Moore states in the foreword to this book, “[y]ou are paid to think like a criminal, to use guerilla tactics to your advantage, and to find the weakest links in a highly intricate net of defenses. The things you find can be both surprising and disturbing; penetration tests have uncovered everything from rogue pornography to large-scale fraud and criminal activity.”

Indeed, penetration testing is about probing an organization’s systems for weaknesses in their security, so better and stronger safeguards can be erected to keep hackers and data thieves at bay. And the tests may be overt or covert.

Metasploit: The Penetration Tester’s Guide is largely — but not fully — a comprehensive guide to learning “the ins and outs of Metasploit and how to use the Framework to its fullest.” The book is “selective” and does not cover “every single flag or exploit,” the four co-authors concede, “but we give you the foundation you’ll need to understand and use Metasploit now and in future versions.” 

 The 299-page book’s 17 chapters cover “everything from the fundamentals of the Framework to advanced techniques in exploitation.” While penetration testers do not have to be programmers, the writers recommend that readers have at least some understanding of Ruby or Python, since many examples in Metasploit: The Penetration Tester’s Guide are written in those programming languages.

The Metasploit Framework is not an easy tool to learn. Nor is it easy to master the often-complex process of penetration testing. Fortunately, the four co-authors are well aware of this. They have rolled out their combined knowledge and experience in a smooth flow of chapters written in a straightforward, accessible style.

Here is the chapter line-up:

  • Introduction
  • Chapter 1: The Absolute Baisics of Penetration Testing
  • Chapter 2: Metasploit Basics
  • Chapter 3: Intelligence Gathering
  • Chapter 4: Vulnerability Scanning
  • Chapter 5: The Joy of Exploitation
  • Chapter 6: Meterpeter
  • Chapter 7: Avoiding Detection
  • Chapter 8: Exploitation Using Client-Side Attacks
  • Chapter 9: Metasploit Auxiliary Modules
  • Chapter 10: The Social-Engineer Toolkit
  • Chapter 11: Fast-Track
  • Chapter 12: Karmetasploit
  • Chapter 13: Building Your Own Module
  • Chaper 14: Creating Your Own Exploits
  • Chapter 15: Porting Exploits to the Metasploit Framework
  • Chapter 16: Meterpeter Scripting
  • Chapter 17: Simulated Penetration Test

The book also has two appendices. Appendix A covers “Configuring Your Target Machines.”  As the four co-authors point out: “The best way to learn to use the Metasploit Framework is by practicing–repeating a task until you fully understand how it is accomplished.” This appendix explains how to set up a test environment to use with the book’s examples. Appendix B, meanwhile, provides a “Cheat Sheet” listing frequently used commands and syntax “within Metasploit’s various interfaces and utilities.”

Once you become comfortable with the basics of penetration testing, the book then can introduce you to an array of advanced techniques. Metasploit: The Penetration Tester’s Guide is an expanded outgrowth of  an online course, “Metasploit Unleashed,” developed by Offensive-Security.

Si Dunn

#

Advertisements

One thought on “Metasploit: The Penetration Tester’s Guide – #bookreview

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s