“Georgia, Georgia…” The tune “Georgia on My Mind” was spinning through my head when I was given the chance to review “Penetration Testing: A Hands-On Introduction to Hacking,” a book by Georgia Weidman from No Starch Press. Having watched some of her conference presentations online and knowing the work she’s put into the Smartphone Pentest Framework (SPF), I’ve been looking forward to the opportunity to dive into the book for a while now, and her enthusiasm and efforts made it a worthwhile wait. Amazon’s book description includes the following:
“In Penetration Testing, security expert, researcher, and trainer Georgia Weidman introduces you to the core skills and techniques that every pentester needs. Using a virtual machine-based lab that includes Kali Linux and vulnerable operating systems, you’ll run through a series of practical lessons with tools like Wireshark, Nmap, and Burp Suite. As you follow along with the labs and launch attacks, you’ll experience the key stages of an actual assessment – including information gathering, finding exploitable vulnerabilities, gaining access to systems, post exploitation, and more.”
So with the new year upon us, this gives everyone the opportunity to dive into a topic, whether it be for advancing your current career, jumping into a new one or simply to amaze your friends and family. Hacking news, both good and bad, is everywhere these days. It’s time for you to get into the game. Find out how Ms. Weidman can help.
Based on her experience and DARPA-funded research with her own firm, Bulb Security, Georgia demonstrates her knowledge of each piece of a pentest (following along with such standards as the PTES – Penetration Testing Execution Standard) and flows seamlessly through numerous processes and examples. The book gives the reader a thorough introduction to the skills and practices that are encompassed in real-life tests and serves as a solid baseline for skill set development, as the reader begins (or builds upon) their journey to grow in this field. Additionally, Georgia has built lab scenarios (downloadable targets and configurations) that correspond to the various instructions throughout the book, allowing the readers to spend quality, hands-on time practicing and improving their skills.
As usual, I’ll break the book down into chapters and give a brief summary of each. The various topics will be highlighted, and I’ll provide generalizations of the ‘meat’ of the materials. For those who don’t want to read the nitty-gritty details on each section (or those who QUICKLY want my general thoughts), at the end, I’ll briefly recap the whole review. You can decide if this book would be of value to you. Happy reading!
Before diving into the meatier chapters, Chapter 0 gives the basis for the flow of a penetration test. Here, Georgia explains the phases of a pentest (utilizing PTES) by giving examples of what each phase entails and the data gathered or reviewed at each step. Basically, this chapter serves as a short, sweet introductory chapter, so that the order of operations makes sense as the book goes on.
Similar to other books I’ve reviewed recently, Georgia has broken this book down into ‘Parts’ and their corresponding ‘Chapters.’ “Part 1: The Basics” gives the reader the information they’ll need in order to successfully progress through the rest of the book. Here, the author gives us four chapters of baseline knowledge regarding lab setup, Kali Linux as well as general Linux usage information, programming basics and some general information regarding how to use the Metasploit Framework.
The first chapter covers the setup of a virtual lab that will be useful in following along with the lessons the author provides throughout the rest of the book. Georgia has her labs set up to be run on VMware Player / Workstation / Fusion and walks the user through setting up a Kali Linux guest (with some locally run Android emulators and extra tools on the same), along with Windows XP SP3, Windows 7 and Ubuntu 8.10 virtual machine target guests. Additionally, she provides links to download some vulnerable applications, which the reader will attack throughout the remainder of the book.
Chapter 2 focuses on Kali Linux, which will be used as the attack platform for the various exercises in future chapters. The author provides some Linux basics such as filesystem navigation, man pages, privileges, file manipulation / editing, etc. Georgia explains the Kali services that need to be configured and running so that users can follow along with the later exercises, as well as configuring networking and automating tasks with cron.
The third chapter discusses the basics of computer programming. The reader is introduced to BASH and given examples to get them started. Then the discussion moves into Python basics, so that when exploit code is discussed later on, there is already some basic familiarity with the language. The chapter concludes with a discussion of writing and compiling with C (again, for use in the exploit chapters in the last third of the book).
The next chapter, “Using the Metasploit Framework,” introduces the audience to the ‘de facto standard’ tool for many penetration testers. Georgia explains the modularity and flexibility that the framework offers its users, as well as the fact that its community exploit and module availability have grown substantially over time. The chapter discusses how to start the framework, how to navigate within it using msfconsole, and walks the user through a base example of its usage (start to finish, exploiting a host with the MS08_067_netapi vulnerability), in order to ensure that the reader has gotten a little ‘hands-on’ experience with the tool before proceeding.
Next, the book proceeds into the chapters about “Assessments” beginning with Chapter 5, “Information Gathering.” Here, the author uses tools like Netcraft, Whois, host, nslookup, Maltego and Nmap in order to gather information about her targets. She explains that this information will be used later to research and determine vulnerabilities and other avenues for further enumeration and exploitation of the target network or environment.
In Chapter 6, the reader is introduced to further vulnerability analysis and research, which begins with the information they’ve previously retrieved and uncovered. Georgia proceeds to discuss vulnerability scanners and moves into some examples using Nessus, one of the best known and most widely used commercial vulnerability scanners. She explains Nessus policies, scanning, scripting and exporting of results in different formats for usability / readability and use with other tools. Next, Georgia discusses Metasploit’s scanner modules and how they can be used to look for vulnerabilities as well (including the ability, in some cases, to confirm the presence of a vulnerability without necessarily having to exploit it). The chapter concludes with a quick discussion about web application vulnerability scanning with tools like Nikto, as well as clarifying the need to manually confirm some vulnerabilities to exclude false positives or to gain further insight into the target.
Chapter 7, “Capturing Traffic,” dives into tools like Wireshark, used for traffic and packet analysis, looking at session data, and even grabbing plain text information straight from the wire. The author explains ARP and DNS Cache Poisoning, and their use in manipulating machines to route traffic to an attacking machine, for analysis (or more sinister attack purposes). Finally, SSL attacks are discussed, using tools like sslstrip and Ettercap, which can provide a means for decrypting traffic in order to gather valid, usable data for analysis.
Part 3, “Attacks,” begins with Chapter 8 which focuses on exploitation. In this chapter, Georgia builds upon the findings of the previous ones, and the reader attacks various vulnerabilities that had been found. She touches on backdoored software vulnerabilities, web server misconfigurations, operating system vulnerabilities and other weaknesses in third-party software applications. This leads into the coming chapters, where the focus moves into post-exploitation activities.
In the next chapter, the reader is introduced to various password attacks and the methods used to obtain and / or decrypt passwords in a variety of cases. The author explains the use of wordlists and rainbow tables, along with ‘brute force’ attempts and default passwords for hardware, software or services. Various tools are demonstrated, such as Hydra and John the Ripper, among others, and different hashing methods (LM / NTLM) are discussed, along with methods of retrieving passwords and / or hashes from the Windows SAM file or memory (using WCE – Windows Credential Editor).
In Chapter 10, the author moves into client-side exploitation. Topics in this chapter include bypassing filters (content and port filters, for example), using Meterpreter to create HTTP / HTTPS payloads to bypass some content-inspection filters, and client-side exploitation (such as malicious PDFs, Java vulnerabilities and browser_autopwn in Metasploit). Georgia explains each and gives some examples, such as exploiting a Winamp vulnerability by tricking a user into replacing an application configuration file with a vulnerable one, subsequently pwning the process. This appropriately leads into Chapter 11, “Social Engineering.”
In this chapter, the concept of social engineering is defined as ‘exploiting human vulnerabilities.’ As most seasoned veteran pentesters know, the human element is quickly becoming the easiest point of entry when attacking a target these days, as new software vulnerabilities are becoming less frequent or are quickly patched. The Social-Engineer Toolkit (credit to Dave Kennedy at TrustedSec) is introduced to the reader, and a few examples are given for its use including Phishing and Web Attacks (such as credential harvesting and ‘Tabnabbing’). It is also mentioned that it can be used to create USB stick payloads, QR codes, and even rogue wireless APs.
Chapter 12 deals with bypassing antivirus. Here, Georgia discusses using msfvenom and Metasploit to create and encrypt payloads and shows how testing against multiple antivirus solutions allows the reader to see how various stealth methods work to evade each type of detection, such as heuristic- and signature-based detections. Additionally, she discusses a couple of other tools for defeating AV, such as Hyperion and Veil-Evasion. The author stresses that while she was unable to defeat every AV solution in her examples, she was able to show that not every solution works the same way, and, with effort and the combining of various methods, it’s often possible to defeat or bypass antivirus detection entirely.
Next, the discussion turns to further post-exploitation activities. These include but aren’t limited to privilege escalation, expanding the attack surface through pivoting, keylogging, maintaining access and persistence, and information gathering from compromised host(s). The reader walks through examples of each of these topics, using various techniques such as existing Metasploit functionality, using native commands on Windows or Linux, and even some examples of cross-compiling code to run on different platforms. Also discussed are ‘pass the hash’ attacks, token impersonation, and other methods for authenticating to additional hosts, where the reader doesn’t have the actual password, in order to continue their lateral movement through the environment.
In Chapter 14, the author dives deeper into Web Application Testing. The reader is advised of the differences between automated and manual testing, specifically the fact that the automated methods can often overlook things or produce ‘false positives.’ The author goes on to discuss the use of Burp Proxy to capture and manipulate web requests, testing for and validating SQL and XPath Injection, looking for LFI / RFI (local and remote file inclusion) vulnerabilities, command execution, and XSS and CSRF vulnerabilities. Georgia concludes with a brief mention of w3af (Web Application Attack and Audit Framework) and its use in finding these vulnerabilities.
Chapter 15 is a discussion on Wireless attacks. Georgia explains her setup for the examples she gives, so that the reader can duplicate the scenarios as closely as possible including the access point and wireless adapter models she’s using. Although these can obviously vary greatly, she acknowledges that so long as functionalities match, other hardware should suffice, as well. Along with the basic setup, the author explains the differences between some of the wireless encryption methods such as WEP and WPA, how each functions, and methods for attacking them with some basic examples of each attack.
Part 4 is a deeper dive into exploit development. Many books that I’ve read or reviewed don’t get as deep into the topic as Georgia’s book does (honestly, not as many courses that I’ve attended or reviewed have covered this topic ‘well’), so I was very happy to see these chapters included. I won’t discuss each of the chapters (16-19) individually, as that could be a long section of this review by itself. Here, Georgia discusses general memory theory, DEP and ASLR protections, stack-based buffer overflows on both Linux and Windows, SEH overwrites, fuzzing, porting exploits, and writing / modifying existing Metasploit modules.
While not going into a huge amount of detail here, these 4 chapters were a LARGE part of why I wanted to review this book, as I wanted to see how well Georgia covered the topics. I was very pleased with what she’s done here. Her explanations were very clear, her examples were easy to follow, and she did a fantastic job on the coverage in this section. The fact that the foreword to the book was written by Peter “corelanc0d3r” Van Eeckhoutte (the Founder of the Corelan Team), and that he felt strongly about this book, alone was enough to solidify my confidence in these chapters, as he’s considered ‘elite’ in the world of exploit development. (Needless to say, Peter, if you read this review, I have every intention of taking your course one day… pending time, availability, money…) Again, though, these 4 chapters were extremely well done and will present solid value for the reader’s investment in this book by themselves.
And a Cherry on Top!
Finally, we reach Part 5 (the other part I was eager to read), “Mobile Hacking.” Knowing of Georgia’s research and experiences with mobile hacking, it was great to read Chapter 20, where she goes into a discussion about mobile vulnerabilities and the use of her widely used tool, the SPF – Smartphone Pentest Framework. Here, Georgia discusses various threat vectors that exist in mobile technologies (not all inclusive, obviously) such as apps, QR codes, Near Field Communication, Text / SMS Messages, etc. Using the Android emulators that were set up early in the book, Georgia walks the reader through the use of her tool, demonstrating how each attack vector can be used against mobile phones. She discusses the differences between iOS and Android, and how each handles memory / app protection, and shows how a vulnerable mobile device can be a launching point to attack the larger network infrastructure. All in all, another very enlightening chapter, especially considering I don’t have a lot of experience (yet) with mobile hacking. Thanks, Georgia, for motivating me to go into another realm!
The book concludes with a section of valuable resource links for information pertaining to each chapter and topic. Georgia compiled a great list of links and reading materials, so that the reader can follow up on each topic after finishing the book to expand their knowledge in each area. I’m certain that I’ll be occupied for a while, particularly in the areas that were newer to me or ones in which I’d like to better my skills.
Final Thoughts on “Penetration Testing: A Hands-On Introduction to Hacking”
In summary, “Penetration Testing: A Hands-On Introduction” is an excellent resource into the realm of penetration testing. The author demonstrated her knowledge in each area she covered, giving excellent examples and instruction on each topic while going the extra mile and building vulnerable targets and applications for the reader to download and learn on. She covered some areas (exploit development and mobile attacks) better than many other books I’ve read and reviewed, and gave a solid baseline in all the areas she wanted to talk about.
For moderately seasoned veteran pentesters, some of the early chapters may be a bit of light reading, as they’re geared more for individuals who are breaking into the field, so you might skip over some of those chapters and head to the ‘meatier’ stuff at the end. For the hardened pro, this book will whet your appetite for some of the newer aspects of pentesting, but only so much can be covered in a single book. Clearly, as one advances in any field, a much deeper dive into each topic is required, along with loads of experience, before ever becoming an expert. But for beginners, this is where this book really shines and lives up to its title as a hands-on introduction to hacking. Georgia presents a very solid instructional read, and most anyone in IT and InfoSec will benefit greatly as they start their journey and become acquainted with the topics at hand. Overall, I feel this book is well worth the price you’ll pay at around $35.
Thanks for taking the time to read my monthly musings. Next month I’ll be mixing it up a bit as I mix a little maker movement action with penetration testing on an open source hardware platform. The Beaglebone will be the focus of my hacking as I dive into “Hacking and Penetration Testing with Low Power Devices” by Philip Polstra, from Syngress Publishing. Happy Holidays and a wonderfully educational and prosperous 2015!
Tim Everson, OSCE, OSCP, GPEN, C|EH, AKA hayabusa, is an avid pentester and security enthusiast / professional who has been involved in IT for nearly 20 years, with mixed experiences in pretty much every sector of the industry from SMB to enterprise, manufacturing, education and government. He enjoys reviewing new books and courses to build his knowledge base and challenge himself, as well as to help others find appropriate learning to help them progress in the field. When he’s not tucked behind a computer screen, he’s an avid sport-bike enthusiast, a busy husband and dad, and has a passion for cartoon drawing and computer graphics / animation.