About Duffbert...

Duffbert's Random Musings is a blog where I talk about whatever happens to be running through my head at any given moment... I'm Thomas Duff, and you can find out more about me here...


Book Review - Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kerns, and Mati Aharoni

Category: Book Review, David Kennedy, Jim O'Gorman, Devon Kerns, Mati Aharoni, Metasploit: The Penetration Tester's Guide

It's nice when a book not only delivers on its stated objective, but it also opens my eyes to a better understanding of a related subject.  Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kerns, and Mati Aharoni falls solidly into that class.  In addition to learning how I can use Metasploit for network penetration testing, I also saw just how easy it is for someone to compromise a system with very little effort or knowledge.  You can never rest when it comes to network and system security.

Contents: Introduction; The Absolute Basics of Penetration Testing; Metasploit Basics; Intelligence Gathering; Vulnerability Scanning; The Joy of Exploitation; Meterpreter; Avoiding Detection; Exploitation Using Client-Side Attacks; Metasploit Auxiliary Modules; The Social-Engineer Toolkit; Fast-Track; Karmetasploit; Building Your Own Module; Creating Your Own Exploits; Porting Exploits to the Metasploit Framework; Meterpreter Scripting; Simulated Penetration Testing; Configuring Your Target Machines; Cheat Sheet; Index

The authors set an ambitious goal in trying to write a book that is useful for both beginners and experienced users of Metasploit.  Usually that means that neither side ends up being happy.  As a member of the beginner group, I can say they were successful on that end of the scale.  There's a fine balance between step-by-step hand holding and the assumption that the reader already knows everything.  After an introduction to a structured approach to penetration testing, they start to cover the basics of how someone might use Metasploit to probe a network, gather information on potential attack vectors, and then exploit those potential weaknesses.  The major features are covered as opposed to trying to write about every last setting, so the material doesn't bog down in minutiae.  It's also nice that they set up a fictional penetration test scenario, and follow it through the different chapters.  It makes for good continuity.  As the book progresses, the emphasis moves towards creating your own modules to run within the Metasploit framework.  Not every tester will need or want to go that route, but it's a reminder of how flexible this tool can be.

The bonus of this book was realizing how easy it is to launch various attacks without much effort.  I guess I really hadn't thought through what would be necessary to set up phishing attacks, either by sending infected documents or setting up a fake site to collect personal information.  With Metasploit, it's nothing more than selecting some options and running the tool.  You can argue whether Metasploit is a good or bad thing depending on who is using it, but it's a certainty that this type of behavior will exist and happen regardless.  By writing this book, the authors have helped even the playing field between the black hats and the white hats.

Metasploit: The Penetration Tester's Guide is a book that should be on the shelf of any serious computer security professional.  And if you're just starting to dabble in the world of network security, this is a great resource to start your journey.

Obtained From: Publisher
Payment: Free

Thomas "Duffbert" Duff
