When asked by CRC Press to review a recently released book, Ethical Hacking and Penetration Testing Guide by Rafay Baloch, a closer look was in order before agreeing. The book description reads, “Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end. You will learn how to properly utilize and interpret the results of modern-day hacking tools, which are required to complete a penetration test.” A brief review of the Table of Contents and Description from Amazon piqued my interest, so I accepted the request and got to reading.
The book was written to take people with some technical but little to no ‘hacking’ background, and introduce them to tools, techniques and methodology in order to familiarize them with pentesting. As there are quite a few books on the subject, I was a bit skeptical at first, as I’m always looking for something ‘groundbreakingly new’ or with some extra insights that other books may not have. I can say, with certainty, that while this wasn’t an overhaul of other books on the market, it was well organized and contained plenty of good information for a newcomer to get started into their learning.
Quick Note on Ethical Hacking and Penetration Testing Guide
Before I dive deep, let me mention that there were times it was obvious that the author’s first language wasn’t English, and that there were a few places where editing missed some things. On page 280 for instance, the author discussed mona.py, and inadvertently pointed the reader to http://coleran.be instead of http://corelan.be. There were also a few places where there were misspellings or repeated use of the same phrase in the same sentence. But these didn’t detract from the information the book contained, nor were they distracting from my reading. My only other note was a kind of humorous faux pas with regards to it being a “book on Ethical Hacking,” which I noted to the Publisher. On page 65, the author stated, “Lots of Webmasters of websites that sell e-books and other products forget to block the URL from being indexed. Using filetype, you can search for these files, and if you are lucky, you may be able to download products for free.” While the point is that ‘security can be breached /manipulated to get an application to perform in ways it wasn’t designed to do,’ I was a bit baffled that the author would make light of ‘downloading products for free’ in a book about ethical practice. Again, however, these points were minor, and in the end they didn’t lessen my respect for the book or the author.
Chapter by Chapter Details
The book is divided into twelve chapters, following in much the same order as most penetration testing courses flow. It begins with an Introduction, where many of the relative terms and definitions are spelled out, explaining the differences between Exploits and Risk, for instance, and talking about the various methodologies for pentesting, categories of tests (white / black / gray box, etc.), and report writing information. Additionally, the author explains the need to understand the audience when final reporting is presented to a customer, so as to give the right information to the right people.
Chapter Two dives into a base discussion on Linux. Rafay first explains filestructures, permissions and cron, then moves into BackTrack-specific configurations and basic usage. He covers the basics of starting necessary services / processes, such as mysql / postgres and sshd, finishing the chapter by giving some useful links to further resources.
Next, he moves into Information Gathering in Chapter Three. While the general topics are not different from what is covered in other materials, the author did cover a few tools that, while I’ve used them, I have not seen covered in other books or courses. So it was definitely nice to see a little sidestep from the norm in this section. Additionally throughout the entire book, Rafay covers a lot of tools with some in more depth than others. He also encourages users to dive deeper into the tools at each stage, as he acknowledges that there is far too much information on many of them than can be covered in his book.
In the following chapter, Target Enumeration and Port Scanning Techniques, the reader progresses into port scanning and fingerprinting of targets. First, the basics of TCP communication are explained (3-way handshake, etc.), and the material moves into the different types of port scans (SYN, CONNECT, NULL, FIN, XMAS), as well as explanations regarding ‘noise levels’ and detectability of different types of scans in order to try to remain stealthy in an assessment. The author explains the basics of how OS fingerprinting is performed and interpreted, as well as briefly talking about the evasion of Firewalls and IDS. A nice touch is that the author takes the time to not only cover the techniques, but also showing how some of them are seen from a packet level in Wireshark. I would’ve liked to have seen more in the Firewall / IDS section. Understandably due to the amount of content he was putting into this book, he simply couldn’t spend enough time on that topic, especially as this book is geared more toward beginning pentesters.
Chapter Five is focused on Vulnerability Assessment. The usual tools are discussed (NMAP and NESSUS), and Rafay discusses installation and usage of the tools, to look for common vulnerabilities on a target(s). He covers keeping the tools current, as well as integration with Metasploit. He then talks about Exploit-db and other places to look for / research exploits on the internet. A few more tool usage examples are shown, and he talks a bit about plugins and dependencies.
Network Sniffing (Chapter Six) goes into detail about what is required to sniff a network (active / passive mode, hubs versus switching, the function of ARP, etc.). Various tools are mentioned and discussed such as Wireshark, Ettercap, and Dsniff, different aspects of man-in-the-middle attacks are explained, as well as SSL stripping and ARP poisoning. He concludes the chapter with a discussion around DNS and DHCP spoofing. Again, would like to see more details covered in some areas, but due to overall size of the book, he was unable to go into real depth at times.
The reader now moves on to Remote Exploitation, in Chapter Seven, beginning with basic discussion about different protocols (binary versus text) and giving info to point the reader to further information on these topics. Rafay moves on to discuss attacking remote services, and spotlights various tools for attacking passwords, using brute force, dictionary and mixed methods for accomplishing the tasks. He discusses looking for weak authentication mechanisms, SQL fingerprinting and a few other items, before moving into a handful of pages discussing Metasploit, basic usage of the tool, and its use in many of these tasks.
Chapter Eight discusses Client-Side Exploitation, and discusses four different attack scenarios, and how they might be accomplished. Rafay begins with phishing and email delivery of malicious attachments and / or URLs. He discusses compromising client-side updates, then moves into talking about malicious USB sticks. Along the way, the author covers tools and methods for these attacks, such as SET (Social Engineering Toolkit), malicious PDFs, and TeensyUSB.
The following chapter moves into the Post-Exploitation phase of a pentest. Here, the discussion moves into situational awareness, understanding where the reader finds themselves on various machine types, and what to do once they’ve gained their initial access to a target or network. The author discusses maintaining access, privilege escalation and the use of Metasploit and other tools to enumerate and gather password hashes, methods to disable firewalls and antivirus, and password cracking.
In Chapter Ten, Windows Exploit Development Basics, the reader is given a very brief introduction to the world of exploit development (specific to Windows, although some topics obviously apply to other operating systems). Buffer overflows are explained, as well as some rudimentary explanations of debugging to find return addresses, bad characters and shellcode placement. Finally, Rafay explains basic shellcode generation and porting exploits to Metasploit.
Wireless Hacking is covered briefly in Chapter Eleven. Explanation of monitor mode, MAC filter bypass and different types of wireless encryption protocols (WEP, WPA2…) are discussed with brief explanations of some tools and methods for cracking each. I found just enough to whet the reader’s appetite here, but not nearly enough to substantiate a full course (obvious length limitations of a book, once again).
Finally, the reader reaches Chapter Twelve, Web Hacking. This chapter was by far the longest in the book, and in my opinion, I think the author is likely MOST comfortable with this section of penetration testing. As most experienced pentesters know, specialization in one or more areas is ‘usually’ the strength of individuals (few pentesters will claim to be ‘expert’ in all areas). Here, Rafay spends nearly 200 pages diving into various web technologies, vulnerabilities and methods of attack. He uses well-known targets (for instance, live-cd distros) as well as examples of vulnerabilities he and others have found in the wild, spends a considerable amount of time explaining what each involves, and how the underlying code of some of them behaves. Covering everything from Authentication Bypass to Captcha flaws, XPATH Injection, Session-based attacks, SQL Injection, XSS and more, the author explains these vulnerabilities and how to use some of the tools to both locate and exploit them. Overall, in my opinion, he could very well have spent more time and focus on Web Hacking, even taking it into an entirely new book.
All in all, for the beginning pentester, I think this is a good read. It contains enough information to get the reader into a position of understanding the various processes involved in a pentest, as well as covering enough information on each topic to whet their appetite, while giving them further resources in order to grow beyond the scope of the book. Obviously no book in ~500 pages will be enough to take a pentester or security professional into the next level by itself, but Rafay Baloch has done a good job here with giving a baseline for folks to start their journey. A list price of $60 may seem a little steep, but the sheer amount of information in the book shows good value, particularly if the reader cannot afford to attend a training course or go to school to move up the ranks in the professional hacking community.
Tim Everson, OSCE, OSCP, GPEN, C|EH AKA hayabusa is an avid pentester and security enthusiast / professional who has been involved in IT for nearly 20 years with mixed experiences in pretty much every sector of the industry from SMB to enterprise, manufacturing, education and government. He enjoys reviewing new books and courses to build his knowledgebase and challenge himself as well as to help others find appropriate learning to help them progress in the field. When he’s not tucked behind a computer screen, he’s an avid sport-bike enthusiast, a busy husband and dad, and has a passion for cartoon drawing and computer graphics / animation.
Category: Book Reviews