“The Basics of Hacking and Penetration Testing, 2nd Edition, Ethical Hacking and Penetration Testing Made Easy” by Patrick Engebretson covers the essentials. The introduction should not be skipped, because, first and foremost, it conveys that the book is intended for people that are new to pentesting and the hacking scene. It also gives a generic overview of a lot of tools in the book that “might” strongly come in handy even to those not so new to the industry. Additionally, he covers what is needed to follow along in the book, which transforms this work from being just a book into more of a “hands-on” reference guide.
The title by Syngress Publishing is divided into chapters that define each part of the standard methodology that should be used in every pentest. This is important because every good security professional knows that having a methodology or plan of action is the key to making sure that the pentest is successful every time. The “methodology” is covered in the meat of the book which includes Chapters 2 through 7. Most pentesting books have a “What is Pentesting” chapter, so naturally Chapter 1 starts here. The book ends in a great way, because the author covers the most important part of a penetration testing: the report. Now that it is known that the author covers the requisite topics, let’s see how he handles the details of delivering this message.
CHAPTER 1 – What is Penetration Testing?
Mr. Engebretson starts the book off really well by using a great analogy to set the stage. He compares the world of hacking to the Jedis and the Siths. Just like in the world of Star Wars and the use of the “Force,” the knowledge and techniques can be used for good or bad. This is always a good thing to keep in mind as the readers make their way through the book.
To get the ball rolling, Patrick gives a good overview of the basics of Kali Linux (formerly Backtrack) such as starting and shutting down the box, how to get into the GIU and a few other items that new people might not know. He also covers the importance of having a pentesting lab at home, and, more importantly, that not having one is just asking for problems. I feel this is very important to let people know this as not having a lab is like buying a car and not considering the money that needs to be spent on gas and insurance in your finances.
He then gives a good introduction of what a methodology is and the methodology that is going to be covered in the book including Reconnaissance, Scanning, Exploitation, and Maintaining Access. In the scanning section he covers a very valid point. Vulnerability scanners should be used to learn the technology but should be used less and less as you learn more about pentesting. The book says this can lead to being more of a hindrance then helpful, because they prevent development skills used to find vulnerabilities as well as the understanding of the vulnerabilities themselves. Each chapter has two sections at the end, which covers how to practice what you have just learned and then where to go from that point on. Also throughout the book additional information can be found inside educational boxes that include Alerts, More Advanced, and Additional Information.
The Meat – Chapters 2 – 7
After introducing the reader, most likely someone new to the world of ethical hacking but hopefully with some experience in the world of InfoSec, Patrick goes through the methodology by dedicating a chapter(s) for each item. Therefore, the substance of the book is broken down into the following:
- CHAPTER 2 Reconnaissance
- CHAPTER 3 Scanning
- CHAPTER 4 Exploitation
- CHAPTER 5 Social Engineering (Part of Exploitation)
- CHAPTER 6 Web-Based Exploitation (Part of Exploitation)
- CHAPTER 7 Post Exploitation and Maintaining Access with Backdoors, Rootkits, and Meterpreter
And Now for Something Completely Different
It’s at this point that I feel strongly in breaking with tradition. Instead of going through each chapter and giving an overview of the content and then my feedback on what the author has presented, I thought it would be much more interesting to try something different. So in an effort for the reader of this review to determine if this book is truly worth your hard earned dollars, I outlined all the tools in the book in each chapter. I felt it was important to give a brief overview for all the people that are not new to pentesting the opportunity to see if the book was worth picking up.
So here we go…
Recon is the most important part of the Methodology, although this phase is often overlooked and considered boring. This chapter is broken into three reconnaissance sections: Open Source Intelligence (OSINT), DNS Recon, and Email Recon. The book gives an introduction of what recon is and how important it is but then goes straight into the tools.
OSINT tools covered in The Basics of Hacking:
HTTRACK – Copies a website page for page, great for doing steal reconnaissance.
Google FU – AKA Google hacking, using Google to find many things from name server to user names and passwords to many more. Exploit Database has many of these preexisting searches done by people in the hacking community. This can be found on the website http://www.exploit-db.com under GHDB (Google Hacking Database), they are also known as Google Dorks.
The Harvester – Used for reconnaissance and indexing search engines to find sub domains and emails of the company that is being pentested.
WHOIS – Will query the registered user database for information such as domain names, block of IP addresses, Name servers, and many other things.
Netcraft – This tool like whois will collect various information related to the pentest, information such as Name servers, IP’s, OS running, Web server kind, as well as other related information.
HOST – This command is used to translate an IP into a host name, as well as the other way around.
NSLookUp – DNS tool used to query name servers in order to pull IP and host names related to targets on the network in question.
DIG – Tool used to run zone transfers on name servers.
FIERCE – The tool will first try a zone transfer against the specified DNS server. If the zone transfer fails, the pearl script is designed to start brute forcing host names on the DNS server.
E-mail information gathering tools:
Email – Sending a .bat file or a simple .exe to the email server in the hopes that it will get reject will aid in collecting information about the server.
METAGOOFIL – Metadata Tool, This is a script used to search the internet for files owned by the company in question, files include .pdf, .doc, .xls and so forth. It does this by the use of metadata, metadata includes information such as who created the file, what the name and size is of the file, the save location of the file.
Additional reconnaissance tools:
ThreatAgent – This tool is designed to take a domain name and then does a full reconnaissance of the domain.
Social Engineering – When Hackers/Crackers use what they know about a company to gain even more information about that company. Getting people to share information that should be kept security is one of the oldest forms of hacking, even though many people know about it, it is still very successful.
FOCA – Metadata Tool, use to collect metadata from a many different files like .docx, .ppt, .pdf and so forth.
SearchDiggity – A tool that not only makes Google hacking simple but does a lot more for a pentest.
Maltego – Maltego is a great tool that is used to collect information from public databases, when used correctly will produce a lot of detail about the company in question.
Robtex – No pentesting tool guide would be complete without Robtex, one of the oldest and best information gathering sites out there. This site is a must because when it comes to information gathering Robtex is known as the “Swiss Army Knife of Internet Tools.”
This chapter continues with the information that was found in the previous chapter, naturally taking the IP list collected from the recon step. Scanning will be used to find open ports and services running on those ports. The main methodology path continues, while he also introduces a sub-methodology for scanning:
- Using ping packets to figure out if a system is online.
- Using Nmap to probe for open ports.
- Nmap scripting engine should be used after step two in order to gain more information from the box.
- Nessus should be used for vulnerability assessment to figure out what to exploit.
This chapter was mostly about NMAP, but, once again, this is an introductory book. Therefore no advanced techniques were covered. This chapter once again had a short introduction and then went straight into tools. The book spent a majority of the chapter on NMAP which is good and bad. Naturally good because NMAP is not only the most popular but also happens to be one of the best tools for scanning purposes. On the other hand, I also feel it was a negative, due to that fact that no other scanning tolls (like Unicornscan) were even mentioned. He does cover the Nmap Scripting Engine (NSE) which is a very powerful part of Nmap. Tools covered in the scanning chapter are:
Fping – Use to perform a ping sweep of a range of network IP addresses.
NMAP – Tool used to do port scanning, best tool by far for port scanning.
Nessus – Vulnerability scanning tool used to scan an IP or range of IPs to find vulnerabilities associated with that particular box that could be exploited.
This part of the methodology spans over chapters 4, 5, and 6. Chapter 4 covers Metasploit, what it is and how to use it while pentesting/hacking. Chapter 4 also goes over all of the basics of Metasploit including launching, updating, and using exploits/payloads. Password cracking and resetting is the next chunk of this chapter. Then sniffing network traffic and “Armitage,” a GUI interface for Metasploit, were all covered.
The following are tools enclosed in this chapter:
Password/Frameworks/GUI Interface/Sniffer Tools
Medusa – Password guessing tool, can be used to do both on and offline password guessing against many different services that include but not limited to FTP, SSH, SQL, POP3 and many more.
Metasploit – Exploitation framework which is used to develop and launch exploits when pentesting. The framework was brought to the hacking community by HD Moore as open source and will remain so till the end of time. The best part about open source it allows for free access to the whole hacking community to use it, develop, and share exploits.
JTR – John the Ripper is a password cracking application.
Samdump2 – Allows the user to extract the password hashes from the Windows SAM file.
Chntpw – Used to reset a windows password through a Linux OS.
Wireshark – Tool used to capture and sniff network traffic. Many protocols still use clear text like FTP, when using a tool like Wireshark sniffing authentication of a protocol such as FTP will show the username and password in clear text.
Armitage – Tool used to give Metasploit a GIU interface as well as make many tasks automated in Metasploit.
SET – The Social-Engineering Toolkit was made so that pentesters can utilize social engineering techniques with ease. The tool includes many different SE techniques such as Spear-Phishing, Website Attach Vectors, Powershell Attack Vectors, and many more.
Web-Based Exploitation Tools
Nikto – Used to scan a webserver to see if the box is unpatched and if older software is running on the machine, also checks for files that have the potential to do damage to the webserver.
W3AF – Tool used to run against a website to discover vulnerabilities such as SQL inject, XSS, file includes, crossOS-site request forgery.
Web-Scarab – One feature is spidering a website, spidering or crawling a website allows the user to review all links and files of a website. Once done all is cataloged, in the cataloged the pentester/hacker can gain access to restricted pages as well as files that were not supposed to be seen. Another is intercepting traffic which allows the user to edit GET and POST requests to update the page as they see fit, monitor HTTP responses for things like usernames and passwords.
ZAP – Tool from OWASP that can be used as an intercepting proxy, as well as used for spidering and web site vulnerability scanning.
Maintaining access is an important part of a penetration test. Malicious people would say the same thing as well. This is because normally once you have exploited a vulnerability, unless that machine is rebooted, that exploit will probably not run again. Having something in place that the tester can come back to is very important. This chapter’s main focus is on backdoors and rootkits. Tools discussed for backdoors are:
Netcat – Tool used to connect two computers together from a simple chat session between two users to being used to transfer files from one computer to another. It can also be used to connect itself to a process, once bound it allows for the remote user to utilize that process like he/she was sitting in front of that computer themselves.
Cryptcat – Its Netcat with an improvement instead of sending data from the server to client and back in clear text, cryptcat encrypts the traffic.
Hacker Defender – Rootkit that allows a malicious person to do multiple things to a computer anything listed in the Hidden Table section will hide the list in Windows from the file manager and explore. Hidden Processes will hide Processes if listed; Root Processes is used to be able to interact with hidden processes once hidden. Hidden Services will hide any services installed or run by the malicious person. Hidden RegKeys can be used to hide registry keys and Hidden RegValues can be used to hide the registry value instead of the whole key. Startup Run is used to automatically start programs when the OS starts. Free Space is used to add back fake space when a malicious person installs a program and wants the hard drive to look like.
Meterpreter – It’s a tool that has many different functions that makes the process of moving from exploitation to post exploitation very easy. This is a payload that is included with Metasploit.
Not only does Patrick nicely cover rootkits, but he also covers ways to look for and locate rootkits that have been deployed on your systems. It was strongly suggested by the author that backdoors and rootkits must be discussed over and over again with the client with many warnings about this subject and how it can get you into a lot of trouble.
CHAPTER 8 Wrapping Up the Penetration Test
This chapter gives details on what a penetration test report is and the major importance that it plays in a pentest. The following should all be included in a pentest report:
- An executive summary.
- A walk-through of how the penetration test was performed to provide an understanding of how you successfully compromised or hacked the system(s).
- A detailed report.
- Raw output from each of the tools (when requested) and supporting information.
Conclusions on The Basics of Hacking and Penetration Testing 2nd Edition
As with any work, be it a course, video or book, it has an intended audience. The title alone dictates who the author feels is the intended audience for his book. And he does well in hitting the right topics and tones while not overreaching. For that reason, I would say that this book is by far one of the best books I have read on the topic of introducing penetration testing to those looking to make a career of it.
Therefore, for anyone new to the field of penetration testing, “The Basics of Hacking and Penetration Testing” is a must have. For the more experienced penetration testers who use these tools and techniques on a daily basis, this book would probably not be for you. However, since the format of the book mimics the proper methodology of a penetration test, it would be a great reference title to keep on your shelf for not only aspiring network penetration testers but also for those internal employees tasked with either hiring an outside firm or performing their own annual test.
Kevin Hattingh has almost 10 years of IT experience and 3 of which are in Information Security, which includes Risk Assessment, AV Administration, IDS management, Firewall Analysis and Vulnerability Scanning/Penetration Testing. He is currently working on both the OSCP and few SANS classes. He is new to review writing, and looks forward to doing more. When he’s not at work he’s at home tinkering in his pentesting lab, studying for a cert, cooking, spending time with the wife and cats, or playing DotA.
Category: Book Reviews