Earlier this year, I wrote of my long love affair with Ruby coming to an end and my desire to get back to python in order to build additional skills for the purposes of defense and response. That first step back into python resulted in the article, Book Review: Gray Hat Python by Justin Seitz. That book was one of the more interesting ones that I’ve reviewed, so when I had the opportunity to look at his latest work, Black Hat Python: Python Programming for Hackers and Pentesters, I was really excited.
Python has been the language of choice in the pen testing universe for a while now, and so having a good reference for building attack and analysis tools for use during attack exercises is really important. The back cover of the book ponders the question of how the magic of creating these tools happens and offers that, “…you’ll explore the darker side of Python’s capabilities—writing network sniffers, manipulating packets, infecting virtual machines, creating stealthy trojans, and more.” Sounds perfect. Let’s take a closer look and see if it delivers.
“Hacking and Penetration Testing with Low Power Devices” by Philip Polstra is an excellent read. The author bases this book on his experiences in both hardware, software and penetration testing and combines the various disciplines to both educate and enlighten the reader. Ultimately, the subject matter revolves around using the BeagleBone Black and a customized ARM penetration testing Linux distro, which Polstra’s dubbed ‘The Deck,’ to perform various types of hacking activities. It’s described as, “A practical guide to performing penetration tests from a distance with low-cost, battery-powered devices.” Oh yeah… just what the doctor ordered.
Let me open by saying that this book struck my “techie geek” nerve. Years and years ago, not too long after I became a computer guy, but far before becoming a professional penetration tester, I managed a Radio Shack store (sad to see they’re going away). I guess you could say I was a maker before it was called that. This book, while discussing pentesting, code, automation and stealth, offers the reader a great experience as he brings them into a world of hardware manipulation, discussions of power consumption, radio communication, and other really cool topics. It truly embraces the mindset of the hacker in a cross-disciplinary way and acts like a perfect bridge for those currently in the computer hacking arena into the exciting wider world of the maker movement. I’m excited to share this experience with you, so let’s get to it.
After a long love affair with Ruby, I was excited to get back into more Python in the new year. One of my main goals was to build additional skills with Python, and continue to build up skills in defense and response. When “Python Forensics: A workbench for inventing and sharing digital forensic technology“ by Chet Hosmer came out, I was excited about all of the possibilities. There are a number of books about using Python for attacking, but a strong book on building forensics tools is a nice change of pace.
Python Forensics target audience is “anyone who has a desire to learn how to leverage the Python language to forensic and digital investigation problems.” Hosmer hits the target audience well by both having introductory sections that go over some Python basics as well as a number of cookbook-style chapters that have programs to perform a number of different forensic functions. Let’s take a closer look at this Syngress Publishing title.
“Georgia, Georgia…” The tune “Georgia on My Mind” was spinning through my head when I was given the chance to review “Penetration Testing: A Hands-On Introduction to Hacking,” a book by Georgia Weidman from No Starch Press. Having watched some of her conference presentations online and knowing the work she’s put into the Smartphone Pentest Framework (SPF), I’ve been looking forward to the opportunity to dive into the book for a while now, and her enthusiasm and efforts made it a worthwhile wait. Amazon’s book description includes the following:
“In Penetration Testing, security expert, researcher, and trainer Georgia Weidman introduces you to the core skills and techniques that every pentester needs. Using a virtual machine-based lab that includes Kali Linux and vulnerable operating systems, you’ll run through a series of practical lessons with tools like Wireshark, Nmap, and Burp Suite. As you follow along with the labs and launch attacks, you’ll experience the key stages of an actual assessment – including information gathering, finding exploitable vulnerabilities, gaining access to systems, post exploitation, and more.”
So with the new year upon us, this gives everyone the opportunity to dive into a topic whether it be for advancing your current career, jumping into a new one or simply to amaze your friends and families. Hacking news both good and bad are everywhere these days. It’s time for you to get into the game. Find out how Ms. Weidman can help.
As books go, I’m a lifelong reader, so when offered the chance to do more ‘regular’ reviews for The Ethical Hacker Network (EH-Net), I jumped at the opportunity. The past few weeks, I’ve been buried in a GREAT read. Applied Network Security Monitoring: Collection, Detection, and Analysis by Chris Sanders and Jason Smith is an extremely informative dive into the realm of network security data collection and analysis. Fitting for both the offensive and defensive sides of security, the book looks closely at the various concepts, practices and tools that combine to create functional and cost-effective Network Security Monitoring (NSM) solutions for IT environments of all shapes and sizes. For the offensive-security minded, it gives an insight into the tools and techniques used to monitor the network, and allows one to consider how best to circumvent those methods. For the defensive-security minded, the authors do a fantastic job of equipping the reader with not only methodologies but also with tools and realistic examples.
Bear with me on this review, as this book at 496 pages is a long one, but in my opinion, an excellent resource. I’ll do my best to give a thorough overview of the material while keeping things as concise as possible. Hopefully, you’ll see that it’s a worthwhile read in giving a running start into the world of NSM.
When asked by CRC Press to review a recently released book, Ethical Hacking and Penetration Testing Guide by Rafay Baloch, a closer look was in order before agreeing. The book description reads, “Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end. You will learn how to properly utilize and interpret the results of modern-day hacking tools, which are required to complete a penetration test.” A brief review of the Table of Contents and Description from Amazon piqued my interest, so I accepted the request and got to reading.
The book was written to take people with some technical but little to no ‘hacking’ background, and introduce them to tools, techniques and methodology in order to familiarize them with pentesting. As there are quite a few books on the subject, I was a bit skeptical at first, as I’m always looking for something ‘groundbreakingly new’ or with some extra insights that other books may not have. I can say, with certainty, that while this wasn’t an overhaul of other books on the market, it was well organized and contained plenty of good information for a newcomer to get started into their learning.
“The Basics of Hacking and Penetration Testing, 2nd Edition, Ethical Hacking and Penetration Testing Made Easy” by Patrick Engebretson covers the essentials. The introduction should not be skipped, because, first and foremost, it conveys that the book is intended for people that are new to pentesting and the hacking scene. It also gives a generic overview of a lot of tools in the book that “might” strongly come in handy even to those not so new to the industry. Additionally, he covers what is needed to follow along in the book, which transforms this work from being just a book into more of a “hands-on” reference guide.
The title by Syngress Publishing is divided into chapters that define each part of the standard methodology that should be used in every pentest. This is important because every good security professional knows that having a methodology or plan of action is the key to making sure that the pentest is successful every time. The “methodology” is covered in the meat of the book which includes Chapters 2 through 7. Most pentesting books have a “What is Pentesting” chapter, so naturally Chapter 1 starts here. The book ends in a great way, because the author covers the most important part of a penetration testing: the report. Now that it is known that the author covers the requisite topics, let’s see how he handles the details of delivering this message.
The Basics of Web Hacking: Tools and Techniques to Attack the Web by Josh Pauli was recently released by Syngress Publishing in July of 2013. Dr. Pauli’s resume includes several academic journals, but this appears to be his first published book. But, do not be dissuaded. As you might expect, this first work shows the love of an eager first-time author who has an obvious passion about the subject matter. Dr. Pauli gives a nod to other topical works in the area of web application penetration testing and offers gracious thanks to his influences in the security community.
In the introduction Dr. Pauli is quick to explain the niche that his contribution to the topic fills within the available body of knowledge. He states that the intent of this book is to provide the fundamentals of web hacking for people who have no previous knowledge of web hacking, and that this book might act as an introduction that prepares people to consume some of the more thorough and advanced books on the subject. Keep reading after the break to see if he succeeded.