As working closely with IT systems, this is the book I wish I have read a long time ago.
Written by David Kennedy, Jim O’Gorman, Devon Kearns and Mati Aharoni, all working in Security and contributing to security tools, the book describes precisely how a modern professional attack against an IT infrastructure is happening with the Metasploit framework.
Metasploit framework is clearly beyond comprehension for a beginner in penetration testing. So many panels, windows, shell capabilities, objectives you want to accomplish and targets to test, to not know what to do and where to start. The books explains step by step how to perform successful attacks, covering the reasons for each step, the part of the framework used, vulnerabilities targeted and what to write in consequence in penetration reports.
As well as diving into Metaploit, the book goes into details about penetration testing philosophy, setting up and using a social engineering toolkit (which was my favorite part), faking Wireless access point, and in the last part of the book, the authors explain how to create or research exploit in a chosen application and then contribute to Metasploit framework by porting the discovered exploit into it.
This book opened my eyes on how easy it is to find a way into a machine by experimenting it and also how to prevent it. The social engineering toolkit is great, but maybe lacks of delicacy for some parts (cloning a website for instance).
To fully understand and experiment the content of the book, downloading and installing Metasploit (or run a Backtrack iso) is mandatory and some virtual machines with different OS are also needed to play with.
O’Reilly product page : Metasploit
- La Commune : review - 30 March 2024
- Fearless Dinosaur - 12 March 2024
- Au Printemps des Monstres : review - 25 November 2023