ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Thu Aug 07, 2003 11:47 pm Post subject: Book Review - Hack I.T. Security Through Penetration Testing
Hack I.T. Security Through Penetration Testing
Author: T.J. Klevinsky, Scott Laliberte and Ajay Gupta, Foreword by Simple Nomad
Publisher: Addison-Wesley
Book Specifications: Soft-cover, 512 pages with CD-ROM
Category: Ethical Hacking
User Level: Intermediate-Advanced (Prior General Networking & Security Knowledge needed)
Suggested Publisher Price: $42.99 USA/ $64.50 CAN/ £26.91 Net UK (inc of VAT)
ISBN: 0-201-71956-8
Amazon.co.uk: Hack I.T. Security Through Penetration Testing
Amazon.com: Hack I.T. Security Through Penetration Testing
Info from Cover: "This book covers not just the glamorous aspects such as the intrusion act itself, but all the pitfalls, clauses and other gotchas that can occur. The authors have taken their years of trial and error, as well as experience, and documented a previously unknown black art"
Introduction
This was a book I was very much looking forward to getting my hands on as penetration testing is something I've always been interested in and is an area I would quite like to move into professionally.
The authors of this book are all full time pen-testers/infosec pros for Ernst & Young's Security division.
Hack I.T. is a good book for anyone into security really, pen-testing is an important skill to learn and understand even if you only use it against yourself and your own networks.
Most people are afraid of pen-testing, it sounds too much like hacking, destructive, somewhat of a black art. Even if you are a technical manager or someone with a passing interest in security and how hackers (ethical and otherwise) operate, this book will be of interest.
On another tack, for a technical book I have to say I couldn't put it down, I'll admit I've seen most of the techniques and tools in the book, but not all and it's written in a very free flowing and informative manner.
Contents
As a general overview of how the book works, the first part (Ch 1-4) explains the roles and responsibilities of a penetration-testing professional and the motivation and styles of the hacking community. The second part (Ch 5-10) provides a structured framework for a pen-test (standard stuff as you find in Hacking Exposed et al). The third part (Ch 11-16) provides greater detail on the tools and techniques used, the final section (Ch 17-23) focuses on advanced techniques useful for those who have seen all the normal stuff (this section includes how to evade firewalls, IDS etc).
Run down of chapters/sections/contents (I feel are important)
Hacking Today
- What's going on
- Where everything is at
- Figures & stats and good stuff to sell pen-testing services.
Defining the Hacker
- Hacker Skill Levels
- Hacker Myths
- Infosec Myths
Penetration for Hire
- Covers ramifications
- Requirements (skill set, knowledge, tools, hardware etc)
Where the Exposures Lie
- Application holes
- BIND
- Sendmail
- CGI etc
Internet Penetration
- Enumeration
- Analysis
- Exploitation
Dial-in Penetration
- War dialing
- Number gathering
- Tools
Internal Penetration Testing
- Scenarios
- Network Discovery
- NT
- UNIX
Social Engineering
UNIX Specific Methods
The Tool Kit
All the normal things follow here, vuln scanners, discovery, port scanners, sniffers, pass crackers, web-testing tools, remote control software
Intrusion Detection Systems
Firewalls
DoS
Future Trends
The book is written very progressively, it starts off with a foreword by a well respected hacker Simple Nomad (http://www.nmrc.org/) introducing pen-testing and hacking in simple terms, then a preface explaining the goals and aims of the book, the intended audience and a little bit about the authors and how to use the book.
After this is the Introduction which examines recent trends and security in general terms. Then covered is hacking today, what goes on, the damages caused etc.
Then a part I really enjoyed, defining the hacker. They have a three tier system with the true 3l33t, second tier (sys admin level) hackers and 3rd tier script kiddies, which well most don't even consider as hackers. But if you look at it as a pyramid that's certainly how it works. A few elite, a few more of the second level and shit loads of skiddies.
The book then basically progresses nicely through every area of pen-testing, what skills you need, the hardware and tools you need, what you would actually do, how you would approach it and includes various nice real life scenarios and case studies.
Style and Detail
As mentioned above the book is well written with a nice flow to it and as much detail as is needed in case studies etc (all commands and switches used with nmap, netcat etc).
I have to say if you've never heard of nmap and netcat this book may be a steep learning curve for you. To get the most out of this book you'd be familiar with most common 'security' tools, TCP/IP, granular file permissions, ACLs etc.
The book itself is well laid out in an easy to read font with lots of screen shots and the options to use in various tools/apps.
Appendix B also contains a whole load of exploits, how to test for vulnerability and how to protect against them. A veritable arsenal for any pen-tester.
The book also comes with a useful CD-ROM which is not packed to the brim with loads of tools, but does contain some of the nifty rare tools and things like Nessus as well as a handy reference.
Conclusion
As I've said before I was familiar with most of the tools and techniques in this book already, but that's me and I've been interested in pen-testing for quite a while and have been trying to learn as much as I can on my own.
I was really interested to see how the 'pros' would put it and I'm happy to see I'd got most of the right ideas already, they just clarify it and make a handy guide to the tools and techniques needed in today's infosec world.
All in all I recommend this book, I recommend it highly.
If you are into ethical hacking of any sort, get hold of this and enjoy it.
I give it a 9/10
This review is copyright 2003 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.
Keywords: Penetration Testing Pen Testing Hack I.T
Last edited by ShaolinTiger on Sun Jan 18, 2004 8:36 pm; edited 3 times in total
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Wed Sep 10, 2003 1:16 am Post subject:
Sgt_B wrote:
How would you compare this book to Hacking Exposed 4th Edition? I noticed you gave this one a slightly higher grade. Is there something here that HE doesn't cover? Both books seem to cover the same topic (hacking/pen-testing). Which, in your opinion, is the better book? Or are they both worth a read?
Slightly different viewpoints.
HE4 is more of a how to hack thing, with tools, common methods, how to protect yourself etc.
This book is more about how to pen test systematically, with figures, legalities, types of hackers/sec pros, methodology, advanced techniques and so on.
Personally I would thoroughly recommend reading both.