Book Review - Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kerns, and Mati Aharoni
It's nice when a book not only delivers on its stated objective, but it also opens my eyes to a better understanding of a related subject. Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kerns, and Mati Aharoni falls solidly into that class. In addition to learning how I can use Metasploit for network penetration testing, I also saw just how easy it is for someone to compromise a system with very little effort or knowledge. You can never rest when it comes to network and system security.
Contents: Introduction; The Absolute Basics of Penetration Testing; Metasploit Basics; Intelligence Gathering; Vulnerability Scanning; The Joy of Exploitation; Meterpreter; Avoiding Detection; Exploitation Using Client-Side Attacks; Metasploit Auxiliary Modules; The Social-Engineer Toolkit; Fast-Track; Karmetasploit; Building Your Own Module; Creating Your Own Exploits; Porting Exploits to the Metasploit Framework; Meterpreter Scripting; Simulated Penetration Testing; Configuring Your Target Machines; Cheat Sheet; Index
The authors set an ambitious goal in trying to write a book that is useful for both beginners and experienced users of Metasploit. Usually that means that neither side ends up being happy. As a member of the beginner group, I can say they were successful on that end of the scale. There's a fine balance between step-by-step hand holding and the assumption that the reader already knows everything. After an introduction to a structured approach to penetration testing, they start to cover the basics of how someone might use Metasploit to probe a network, gather information on potential attack vectors, and then exploit those potential weaknesses. The major features are covered as opposed to trying to write about every last setting, so the material doesn't bog down in minutiae. It's also nice that they set up a fictional penetration test scenario, and follow it through the different chapters. It makes for good continuity. As the book progresses, the emphasis moves towards creating your own modules to run within the Metasploit framework. Not every tester will need or want to go that route, but it's a reminder of how flexible this tool can be.
The bonus of this book was realizing how easy it is to launch various attacks without much effort. I guess I really hadn't thought through what would be necessary to set up phishing attacks, either by sending infected documents or setting up a fake site to collect personal information. With Metasploit, it's nothing more than selecting some options and running the tool. You can argue whether Metasploit is a good or bad thing depending on who is using it, but it's a certainty that this type of behavior will exist and happen regardless. By writing this book, the authors have helped even the playing field between the black hats and the white hats.
Metasploit: The Penetration Tester's Guide is a book that should be on the shelf of any serious computer security professional. And if you're just starting to dabble in the world of network security, this is a great resource to start your journey.
Obtained From: Publisher