Alright, alright already… Another Pen Testing book… Many, if not all of us have purchased or downloaded purchased *cough, cough* copies of Pen Testing books in its many forms and have gone through them only to find it was fairly similar to the last one purchased. Does it lay out the phases of a pen test? Check. Does it mention the scanners we all know and love? Check. Does it mention and give examples of using Metasploit? Check. Well, for all the experienced testers out there and for us noobs alike there is a new Sheriff-in-Town and he, or she, is looking really promising! The book is called Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide by Lee Allen.
I know you’re probably thinking, “what another book on pen testing?, whatever…”, but I think that this one picks up where the others have left off or left out. I’m not going to go chapter by chapter but highlight areas that I think are great to read and with methods to use. So away we go!
It’s quite refreshing that it is assumed the reader is somewhat technical and doesn’t need to be fully hand held through the lab setup process so not a lot is wasted on setting up your VMs or debating what flavor is the best. It can also be said that the information is also great for getting the noob up and running. The one part that I really appreciated reading was on setting up BackTrack and the snippets of commands used to get it up and running, installed, and updated (for all us noobs it shortens the amount of time spent in the forums, but doesn’t alleviate the need to “TRY HARDER!!”).
This book is also great in introducing tools that I hadn’t had much exposure to and the thought of using Magic Tree as a means to help create your report is great! I know that we’ve all muddled through results trying to ensure that our text files are somewhat organized. Having Magic Tree help to collect your information and then format into a report is invaluable. I also like that Dradis is introduced as a means to gather all of you information into one place that can be shared. This would be very helpful when working on a team test.
One thing that I’ve enjoyed through the book is the use of the Metasploit framework and the Social Engineering (SET) Toolkit. I know that Metasploit has been covered in-depth within other books but I think it’s the presentation of use and updating that makes it really refreshing! I also really like that a small part of SET is discussed and walked through. Those two tools have become di rigueur in the pen tester’s bag of tricks! Even though it’s not deep it gives enough for the reader to get started down the path.
One chapter that I haven’t really seen anywhere else is on Post Exploitation. To read about and try some of the methods in the chapter has been fun. More so it has the old brain-housing group really thinking about how to positively perform post exploitation that gives the customer or client a solid feel for what can be had in their environment.
Something else that I’ve really enjoyed seeing is that there are progressively harder challenges through the use of Kioptrix. The reader has the chance to start at level one and move up to more advanced techniques, which the user can use to practice against. Reminds me a lot of Web Goat and hacking challenges from Astalavista in that you have progressively harder challenges to get through.
There are so many good qualities to this book that I’ve enjoyed that I would recommend this to my friends and colleagues, even if it were only for a reference. The pacing of the read and the examples were good enough to keep me from saying “WTF how did he set that up?” and actually kept me engaged in the content. If you’re in the market for a good book that is not only a great primer on the subject but also an excellent reference, this is one I would recommend considering.
Bond Must Die!! 