Where do information security professionals look for the latest and most informative strategies on protecting their enterprise? Books, of course! After all, it is hard to hack a paperback book. This week we will take a look at one of the better books for beginners related to penetration testing: Penetration Testing: A Hands-On Introduction to Hacking.
Penetration testing is one of those squishy gray-area topics on which it can be hard to find solid guidance about methods, strategies, and techniques. Georgia Weidman has done an excellent job laying out an easy-to-understand how-to of ethical penetration testing. She outlines a number of ways to conduct assessments, attacks, and exploitation. The structure of the book highlights the fact that a penetration tester must be multifaceted. Just being able to capture data with Wireshark or run Nmap against a network is not enough to conduct a thorough penetration test.
One of the more daunting tasks for a beginner penetration tester is simply gathering all of the tools that are needed for the job. There are well over 100 tools that are helpful or necessary. For example, having copies of Wireshark, Nmap, Metasploit, and DNSChef is critical to begin the work. Some experienced penetration testers will utilize over 100 tools on any given project. So, where would you go to acquire all of these tools? Wouldn’t it take hours or even days to put together a toolkit? Not to fear, Kali Linux is here! With one swift download you can have access to almost all of the penetration testing tools that you would ever need.
Where the Rubber Meets the Road
Exploit development is another area where Weidman provides good information. Once you have identified the vulnerability, how will you go about exploiting it? Buffer overflow vulnerabilities are one of the most common types of vulnerabilities that can be exploited. Two full chapters in the book are devoted to explaining how to exploit buffer overflows on both Linux and Windows machines.
Where’s the Mobile Penetration Testing?
If there is one area that is missing from the book, it is the area of mobile devices. She includes a very small section at the end of the book about mobile, but it leaves the present-day reader hungry for more. Penetration testing in 2016 requires a much larger focus on mobile. Mobile has become a much larger segment of the technical landscape in the last two years, so I would suggest an update to expand on mobile penetration testing.
Overall, a good read for those looking to change jobs into cyber security or for those who have been in the industry for a long time.
Happy Ethical Penetration Testing!