Sunday, June 23, 2013

Book Reviews: METASPLOIT The Penetration Tester’s Guide


          The Penetration Tester’s Guide                                  

Authors: David Kennedy, Jim O’Gorman, Devon Kearns, Mati Aharoni        
Publisher: O’Reilly Media, Inc.
Reviewer/Blogger: Virginia Benedict

Target Audience:  This Guide offers a wealth of information to both the novice as Tutorial and the experienced as Reference.  For starters, the Novice will learn relevant steps on how to get started; and the Experienced with benefit from the discussions on Methodology. Program Managers and Stake Holders will benefit from a managers perspective
Pre-requisites:  Desire to lean, Integrity, Methodical, Analytical, Programming & Scripting languages recommended but not required
Overview: This Metasploit guide will help the Pen Tester get started; or take him/her to the next level 
Related Standards:  Pen Testing Standards are loosely followed due to the nature of the investigative process and intelligent garthering. 
Related Commercial Products:  Metasploit Express Edition || Metasploit Pro Edition
Related Basic Products:  Metasploit Framework Edition || Metasploit Community Edition
Chapters:  Seventeen Chapters extensively indexed and a Cheat Sheet referencing important commands with syntax commonly used within Metasploit’s various interfaces and utilities. 
A guide such as this is best produced by an extensive collaborative effort of experienced professionals.  It is especially valuable when the related community of information security experienced professionals has had direct or indirect input into the final product, as with this outstanding effort.
Once the authors have taken the reader through the absolute basics of Penetration Testing, then they introduce the basics of Metasploit, arming the novice with the necessary knowledgebase to move into the intelligence gathering processes while teaching you the various commands and tools.
I found their discussion on the risks and responsibilities of the Tester very poignant. 
I recommend that since the Metasploit Framework is large and complex requiring an array of innate and learned skill sets that the novice reader first study the organizational framework of this guide.  In other words, become familiar with the flow of the work by creating an inventory of the various learning points. 

As with any learning process, I always recommend that the “student” begin by fully understanding their learning style(s).  Be aware that you, as many of us do, may have different learning styles and combinations thereof for different learning requirements.  As a reader in this case, you might have a couple of learning styles, which you might apply in perspective. By studying the method(s) used by the authors hereby to present the information and processes, you will gain the ability to understand and retain the knowledge presented. 

About the Authors

Mati AharoniMati (muts) is a network security professional, currently working with various Military and Government agencies. His day-to-day work involves vulnerability research, exploit development and whitebox / blackbox Penetration Testing. In addition, he is the lead trainer in the “Offensive Security” courses, which focuses on attacker tools and methodologies. Mati has been training security and hacking courses for over 14 years and is actively involved in the security arena, and is the core developer of Kali Linux.

Devon kearns (dookie2000ca) is a former Communications Technician and IS Security Analyst with over 15 years of formal IT experience but his true passion lies in the field of information security, most notably in the realm of software exploitation and bug hunting. This fascination with vulnerabilities has led Devon to being the lead administrator of the Exploit Database, a co-author of the free online Metasploit Unleashed training course, and a Kali Linux developer.

Jim O'GormanJim (Elwood) is a professional penetration tester, an instructor at Offensive Security, and manages Offensive Security’s consulting services. Jim has lived online from the times of BBS’s, to FidoNet, to when SLIP connections were the new hotness. Jim spends time on both network intrusion simulation as well as digital investigations and malware analysis. When not working on various security issues, Jim spends his time assisting his children in their attempts to fight Zombie hordes.

David Kennedy
 is Chief Information Security Officer at Diebold Incorporatedand creator of the Social-Engineer Toolkit (SET), Fast-Track, and other open source tools. He is on the Back|Track and Exploit Database development team and is a core member of the Social-Engineer podcast and framework.Kennedy has presented at a number of security conferences including Black Hat, Defcon, ShmooCon, Security B-Sides, and more. - Your tech ebook super store