At the very beginning of getting into pentesting most users come across Metasploit as an embedded tool in Back Track. And many times our first experience is this… cd /opt/framework3/msf/ …. Scratching our heads wondering what’s next. Well after some Google searches we come up with the answer “ah, yes! I must enter msfconsole or was it ./msfconsole” and this most glorious low-tech ascii picture comes up, sometime a cow, sometimes the word Metasploit, but it’s splendor lays in that blinking cursor preceded by ” msf >” it’s laying there waiting, wanting for a command to do it’s master’s bidding. Then reality hits you over the head like Hacksaw Jim Duggan with a 2×4 – I don’t know what to do! This is where Metasploit Penetration Testing Cookbook by Abhinav Singh comes in handy.
The book does a really good job of providing a beginning foundation with escalating use of difficulty. It was not overly difficult to follow along but I think it’s strong point will be in providing reference for different areas in the use of Metasploit.
I really think the book was a stand out in a few areas:
– The quick walk through of what could go wrong during setup and how to potentially fix the issue. The screen shots served as a good reference point of what to expect in that regard. From memory I cannot recall very many technical security books that addressed what could go wrong and the fix(es).
– The use of SSH to help save on memory resources. I think many like to use the Linux UI to get to the Metasploit framework and this is a great alternative to reach Metasploit and really exercise ones command line skillz. (yes, I actually used “z” instead of “s”… Gotta keep street cred Yo!)
– The inclusion of multiple OS’s for targeting against. This was great run through as most will only have Windows XP SP2 and a Linux flavor listed. This actually brought the exercises to feel more real. Unfortunately though, it didn’t go into more depth on the OS exploitation and felt limited.
– The inclusion of Armitage was a nice surprise, but far to little in comparison to the rest of the Metasploit chapters. The introduction to fast and easy hacking was far to little.
– The introduction to the Social Engineering Toolkit (SET) was nice as well. Again in my opinion, it could’ve used a little more exposure along with Armitage.
– The “How it works…” sections were nice as well. I know some just want to get it working but there are those of us who want to go deeper into the rabbit hole to understand how and why it works, but alas it seems like there can never be enough information.
Even though the book didn’t go as in-depth, the reality is you can’t otherwise we’d all be toting 10 lbs. book that could go on for days and days. But I do think that a few of the subjects like Armitage and SET could’ve been expanded upon a little more as they’re are becoming more and more important tools in the security professionals toolkit for finding vulnerabilities and exploiting them. Overall, there are quite a few good book on this subject out there and this is one that should be included on your reference shelf.
Bond Must Die!! 