
REVIEW: "Penetration Tester's Open Source Toolkit", Johnny Long et al

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1 , Dec 6, 2006
      BKPTOSTK.RVW 20061031

      "Penetration Tester's Open Source Toolkit", Johnny Long et al, 2006,
      978-1-59749-021-0, U$59.95/C$83.95
      %A Johnny Long et al johnny.ihackstuff.com
      %C 800 Hingham Street, Rockland, MA 02370
      %D 2006
      %G 978-1-59749-021-0
      %I Syngress Media, Inc.
      %O U$59.95/C$83.95 781-681-5151 fax: 781-681-3585 www.syngress.com
      %O www.amazon.com/exec/obidos/ASIN/9781597490210/robsladesinterne
      %O www.amazon.co.uk/exec/obidos/ASIN/9781597490210/robsladesinte-21
      %O www.amazon.ca/exec/obidos/ASIN/9781597490210/robsladesin03-20
      %O Audience s Tech 2 Writing 1 (see revfaq.htm for explanation)
      %P 704 p. + CD-ROM
      %T "Penetration Tester's Open Source Toolkit"

      There is no preface or explanation for the book, so you have to infer,
      from jacket references and other mentions, that the work is based
      (possibly very loosely) on Max Moser's Auditor Security Collection of
      (open source) penetration testing tools, available at
      www.remote-exploit.org. It is difficult to say how close the relationship
      between the text and the CD is, since there isn't even a listing of
      the contents of the Auditor Security Collection, although the
      collection is included on the CD-ROM that is packaged with the primer.

      Chapter one addresses the reconnaissance phase of a penetration.
      There is a general introduction to the task and a listing of some
      available tools, both in software and utility Websites. Some of the
      concepts of port scanning are outlined in chapter two, although the
      explanations are sometimes careless. (It is possible to obtain
      information related to scanning through passive means, but the
      implication that port scanning itself is a passive activity is
      misleading at best.) A few tools for examining Oracle and Microsoft
      SQL Server databases are listed in chapter three. Chapter four turns
      to Web servers (and applications). Various tools are described,
      mostly with extensive (and not always illustrative) screenshots.
      There is also a brief but wide-ranging overview of general penetration
      testing ideas (such as methods for trying to find the ever-present
      buffer overflows). Wireless networks are described in detail in
      chapter five, particularly in terms of the weaknesses of the various
      forms of encryption technologies used. Chapter six describes a number
      of standard network utilities, plus some of the more recent mapping
      and enumeration tools.

      Chapter seven is supposed to introduce readers to the joys of writing
      security utilities for the open source community, but screenshots of
      development environments and lists of keywords are not going to teach
      anyone to code, let alone design elegant tools.

      There is a meager description of the Nessus vulnerability scanner in
      chapter eight, although it is complemented by a detailed outline of
      the Auditor startup script and options. Chapter nine covers the
      Nessus Attack Scripting Language (NASL) so you can script your own
      attacks. Nessus libraries and references are discussed in chapter
      ten. The calls for Nessus SMB (Server Message Block) programming, in
      chapter eleven, allow attacks to be scripted for Microsoft Windows
      systems.

      Chapter twelve is an introduction to the interfaces and options of the
      Metasploit Framework (MSF) exploit and vulnerability coding utility.
      Chapter thirteen purports to be about writing your own exploits for
      and in Metasploit, but instead walks through the examination of a
      buffer overflow situation. Metasploit tools are used, but poorly
      explained, and the exegesis of writing modules for Metasploit is
      similarly inadequate.

      The chapters of the book are written by different authors, so the
      quality of both writing and material varies tremendously. The lack of
      direction in terms of the intent of the work does not help in
      assessing either the overall value or specific groups who might
      benefit from the text. Much of the space is taken up with screenshots
      and illustrations of dubious merit, and the text, while often
      informative, is sparsely structured and generally aimed at a level
      which is either too simplistic or too advanced to be used as an
      introduction to the tools or techniques being discussed. There are
      nuggets of information throughout the work, but you have to plow
      through a lot of stuff to find them.

      copyright Robert M. Slade, 2006 BKPTOSTK.RVW 20061031


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Heaven is my throne and the earth is my footstool. Where is the
      house you will build for me? Where will my resting place be?
      Has not my hand made all these things, and so they came into
      being? - Isaiah 66:1,2
      Dictionary of Information Security www.syngress.com/catalog/?pid=4150
      http://victoria.tc.ca/techrev/rms.htm