RSSBook Reviews

Book Review: Violent Python

| February 28, 2013

Violent Python Book CoverAs stated in its tagline, Violent Python is A Cookbook for Hackers, Forensic Analysts, Penetration Testers, and Security Engineers. This is a relatively broad scope and demonstrates how Python can be used to automate and assist with tasks across a variety of diverse InfoSec disciplines. However, breadth does not preclude depth in this case; the exercises build up to a fairly advanced level. Violent Python is authored primarily by TJ O’Connor, with Rob Frost contributing a chapter on Web Reconnaissance, and Mark Baggett acting as the Technical Editor. A quick glance at their collective credentials and experience undoubtedly creates high expectations for this title.

For those unfamiliar with cookbook-style resources, the contents are made up of dozens of short, self-contained “recipes.” The objective is not to comprehensively teach Python from the ground-up, but rather present scripts that focus on a specific task. The end result is that the book demonstrates how powerful just a few dozen lines of Python code can be (even the longest of recipes rarely exceed 100 lines). However, while the aim is not to teach Python programming in general, useful tips and tricks will surely be acquired simply by working through the exercises. The recipes were created in a modular fashion, with code reusability in mind, and they can easily be incorporated into larger projects. Let’s take a closer look.

Continue Reading

Book Review: Coding for Penetration Testers

| May 29, 2012

Coding for Penetration Testers Book CoverReview by Andrew Johnson CISSP, GPEN, eCPPT, OSWP et al

With a title as ambitious as Coding for Penetration Testers, it’s important to set expectations properly at the onset. In this context, coding is synonymous with scripting, and the content primarily focuses on Bash Scripting, Python, PERL, Ruby, PHP, SQL, PowerShell, and scripting related to various scanners such as Nmap and Nessus. Compiled languages such as Assembly, Java, and the C variants are not within the content’s scope.

This Syngress published book by EH-Net Columnists Jason Andress and Ryan Linn strives to remove the mystery surrounding the development of security tools and scripts by presenting dozens of easy-to-follow examples. The ultimate goal is to alleviate the reliance on pre-built security tools and create more versatile and effective penetration testers. With this resource, readers will gain the knowledge to start such a journey that will likely have numerous, “That’s all there is to it!?” epiphanies as they progress through the book. 

Continue Reading

Book Review: Metasploit – The Penetration Tester’s Guide

| April 25, 2012

Metasploit – The Penetration Tester's Guide Front Cover“Metasploit – The Penetration Tester’s Guide” by David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni is perhaps the most enjoyable book I have come across regarding the uses and functionality of Metasploit. There were so many concepts it refreshed me on, many functions I didn’t know existed and other functions I did not correctly understand even with my years of using Metasploit. Let’s take an in-depth look into this stellar publication by No Starch Press.

Initially I skipped through the first chapter of the book, “The Absolute Basics of Penetration Testing.” However, I went back to the chapter as I had already been in and out of reading the methodologies laid out by the Penetration Testing Execution Standard (PTES). This chapter actually made sense after the fact, since my approach was that of the technical one: Show me the meat of this book. Not everyone who uses Metasploit (and other tools like it) has a concise understanding of penetration testing, and many will assume that aiming Metasploit at an address constitutes a penetration test. The chapter is clear, summarized and offers much food for thought outside of Metasploit and into the realm of penetration testing.

 

After the break, look for a link to a free download of Chapter 8: “Exploitation Using Client-Side Attacks”

Continue Reading

Book Review: The Tangled Web

| March 29, 2012

Michal Zalewski, author of 2005’s highly praised Silence on the Wire, is at it again with “The Tangled Web: A Guide to Securing Modern Web Applications,” an incredible and highly technical book published by No Starch Press. Since the browser is the portal of choice for so many users, its inherent security flaws leave the user at a significant risk. This book details the issues surrounding insecure web browsers and what developers can do to mitigate those risks.

Mr. Zalewski writes about modern web applications which are built within a tangled mess of technologies, developed over time and then slapped together into a confusing monstrosity.  This in turn leads to inconsistent operation with all kinds of vulnerabilities at several levels. The author goes into great detail taking apart every level of web applications from HTTP communication to browser and server-side scripts and dissects the subtle security consequences and the corresponding dangers of the unorganized conglomeration of web applications and browser code. The author then goes into how developers can work through the current problems and solve them down the road through new and revised code.

This book begins with the observation that the field of information security seems to be a mature and well-defined discipline, but in reality there is not even a rudimentary framework for understanding and assessing the security of modern software. So let’s dive deeper into the book to see how Mr. Zalewski addresses the issues in an attempt to untangle this mess.

After the break, look for a link to a free download of Chapter 3: “Hypertext Transfer Protocol”

Continue Reading

Book Review: A Bug Hunter’s Diary

| December 28, 2011

bhd_coverSo often as security professionals we hear how bug hunters both black hat and white hat find vulnerabilities and release them to the vendor or use them for monetary gain. We wonder how they actually went about finding these vulnerabilities and what hurdles they had to jump to find them. “A Bug Hunter’s Diary: A Guided Tour Through the Wilds of Software Security” by Tobias Klein focuses on helping different levels of security professionals understand the approaches used to uncover vulnerabilities, testing the vulnerabilities found and finally reporting on those vulnerabilities. It is short and to the point and offers nothing but valuable content with little to no fluff content.

The book was written as though Tobias was writing in a journal as he was progressing through his research of a particular application. Each chapter is a separate journal entry focused on a single application into which he dug and eventually found a vulnerability. He then determined if it was exploitable and in turn released it to either the vendor or to a vulnerability broker. This is a fascinating look into the heart of a sector of the security economy not previously exposed to a wider audience.

After the break, look for a link to a free download of Chapter 2: “Back to the 90s”

Continue Reading

Book Review: The IDA Pro Book 2nd Ed

| September 27, 2011

It seems like yesterday that I was reviewing Chris Eagle’s book, but in reality it’s been 3 years.  So when I had an opportunity to review The IDA Pro Book: The Unofficial Guide To The Worlds Most Popular Disassembler, 2nd Edition, I looked forward to seeing what had changed. And thus a change in the normal extensive EH-Net book review is in order and brevity is the word of the day.

A few things haven’t changed since my last review.  I am still not a reverse engineer, although I occasionally use the tools clumsily for Capture The Flag (CTF) exercises.  I’m not a professional programmer, although I can program and do so frequently.  Although this isn’t material that I suspect I will master in the near future, this is material in which I have an interest.  If you have basic programming skills, an interest in learning, and are willing to sit down and spend time with this material, you will definitely benefit from this book.

After the break, look for a link to a free download of Chapter 24: “The IDA Debugger.”

Continue Reading

Book Review: Thor’s Microsoft Security Bible

| August 29, 2011

Review by John R. Luko, Security+, CCENT, CEH

A few weeks ago I saw an ad for Thor’s Microsoft Security Bible: A Collection of Practical Security Techniques (TMSB) by Timothy "Thor" Mullen and thought, “Hey that sounds like it could be useful.”  I work for a Managed Services Provider (MSP) that supports tons of Microsoft servers, so any extra knowledge can always come in handy.  Originally, I thought it might be over my head.  I held off on buying it, until I found some reviews.  Fortunately (or unfortunately depending on how you look at it) TMSB came out and no reviews have been found.  I decided to go on Amazon and read the first chapter for free to see if it was something I could handle.  After reading the intro and half of chapter one, I was hooked.

Before I get to the review and some thoughts, I thought I’d offer a couple quick hints.  The first hint is to buy the hard copy.  Online retailers are selling the electronic version for the same price as the hard copy, and there is media that comes with the book.  Therefore, getting the hard copy gets you both for the same price.  Second, having read through the book, I’d suggest having the following intermediate level skills:  C#, T-SQL, and Server 2008 experience.  On with the review!

twitter-icon.png delicious.png

Discuss in Forums {mos_smf_discuss:Book Reviews}

Continue Reading

Book Review: Practical Packet Analysis, Second Edition

| July 27, 2011

Review by J. Oquendo AKA sil

"Practical Packet Analysis: Using Wireshark to Solve Real World Problems" is a decent book for readers who are relatively new to networking. It makes a great addition for someone in the one-to-three year range of their career. Whether this career is security-centric, network administration, or simply as a hobbyist, Chris Sanders made great work of keeping things simple yet informative for his readers. While this is a plus for the entry person, it is also its minus for the seasoned pro.

The beginning of the book gives an overview of the OSI layer, which I have found many in the IT industry skimp on. Whether you are in networking, systems, programming or the security arena, understanding the interconnections of protocols and how they operate with one another across the layers should be the first and foremost knowledge one should memorize. Because Chris took the time and brought this out at the forefront, it will be beneficial to the reader, which once again I feel would be a junior administrator. Let’s get into some more details after the break.

Active Image
Active Image del.icio.us

Discuss in Forums {mos_smf_discuss:Book Reviews}

 

Continue Reading