Watch out, System Admins. The floodgates to BlackHat Hackerdom are now open.
Packt Publishing has just released "BackTrack 4: Assuring Security by Penetration Testing", a how-to book based on the freely available BackTrack 4 Linux distribution. The intent of the book is to educate security consultants on the use of this devastatingly complete Hacker's toolkit, and to provide sage words of advice on how to conduct yourself as a penetration testing consultant. On both counts, the authors do well.
I have to admit, at first blush I wasn't impressed by the book. I usually start looking a tech book over by thumbing through it, quickly glancing over snippets every chapter or so to get a feel for how the book is written. My initial impression was that the book contained many 2-page introductions to what appeared to be system tools, showing how to invoke them and the type of text output they would produce. Who needs that, I thought? I settled down to read the text front to back, then realized the full horror of what I was reading. More on that later.
The book starts out telling you how to find BackTrack 4, how to install it or run it as a live DVD, and how to get the parts working. Suffice it to say this is all easy for anyone who's installed a Linux distribution before.
Next up, the authors cover some solid basics for the would-be security professional. There are other tips throughout the book, too-- what kinds of written agreements you should have, what types of reports you should produce, and generally how you should conduct yourself. Well done, and I'm sure anyone reading this book will have the thought that maybe they'll go into business doing this someday. At least that's what I hope everyone is thinking, because after that the gloves are off and you are shown the dark side of this magnificent machinery.
The authors outline a disciplined framework for penetration testing. By myself, I never would have considered such a thing, but these guys clearly have given this a lot of time and effort. The following chapters are broken out into each phase, and within those chapters the various tools of the trade are grouped. (So you'd find the tools that can provide you with a reverse shell in the 'Target Exploitation' chapter, for example.)
The first phase is Information Gathering, and here the reader is introduced to several tools that can glean information like domain names, IP addresses, host names, and other data that can identify potential targets. The 2-page tool introductions I mentioned earlier contain all the tools that do this kind of work. There's enough introductory material to let you figure out which ones you want to try (it seems each chapter covers at least a dozen tools), and how to get started.
Target Discovery is the next phase, it's all about finding hosts and identifying operating systems. Again, no malicious stuff goes on yet, just methodically gathering information. Par for the course, there are a variety of tools presented to help the user.
Target Enumeration is next. The user is exposed to applications that can help find which ports are open, which services (i.e. MySQL) are running, and even what kinds of VPN are present. By the way, throughout the book the authors throw in brief but relevant snippets concerning the topic at hand. As an example, in this chapter you'll find an example of the TCP protocol (SYN, SYN-ACK, etc.) that will tell you when a port's available and when it's not. There's more of this kind of information throughout the book, too. Some of it I knew (not much, really) and some I didn't, so I felt the book advanced my basic knowledge of IT systems in some ways.
Now that the user has all this useful information, they can proceed on to Vulnerability Mapping. Here the tools are used to help calculate which vulnerabilities might exist in the targeted systems.
The following chapters are where the really bad toys come out. They deal with Target Exploitation, Privilege Escalation, and Maintaining Access. True to their titles, they tell all about how the user can attack the targeted systems, set up shop, and leave a backdoor for returning later.
Of course, no good book on penetration technique would be complete without a chapter on Social Engineering, and so we have one here as well. Hardcore hackers might look down their nose at such a thing, but I imagine this is really one of the more effective avenues of attack.
So, who is this book good for? First, for security professionals. They'll want to get a copy just so they can be sure they understand what they're up against, and how to check their own systems using the same tools the bad guys have. Second, programmers with an active sense of curiosity. I fall into this category. Lastly, the bad guys will probably buy a copy (or pirate one), unfortunately. I hope they're too lazy to read it well and end up getting busted and thrown in the clink. Maybe they can talk ethics in programming with Hans Reiser while they're awaiting parole.
Rating? 9 (evil) stars out of 10.
If your livelihood depends on keeping a secure environment, you probably ought to get a copy of this book for your in-house penetration tester. It's an eye-opener."
Link to Original Source