Friday, December 16, 2011
"Metasploit : The Penetration Tester's Guide" Review
Dave Kennedy, Jim O'Gorman, Devon Kearns and Mati Aharoni set out to do the impossible. How do you write a book about a software project that improves nearly every day? How do you keep it relevant for more than a few weeks or months? Other books have tried and in my opinion failed, but this one is great. It doesn't just teach you how to use this great security tool, it takes you through some of the thought and methodology involved in a professional penetration test.
Almost everyone can learn something from this book. I particularly liked the following chapters because they contain the most complete coverage of topics that you won't find covered in much depth anywhere else:
Chapter 3 - Working with Databases in Metasploit
Chapter 5 - Resource Files
Although I found a few tips that I was able to immediately start utilizing on engagements, I think the book would be even better for those with less exposure to Metasploit and SET.
Most of my gripes about the book stem from the content in Chapter 6 (Meterpreter). Process migration is explained, but I think the authors should have gone into more depth about how to choose the right processes to migrate to. Most Host IPS products protect a specific set of processes, which should be avoided if at all possible. A warning similar to the one about the use of bind shells on page 94 would have been nice. Another potential improvement to Chapter 6 could be a discussion on why NOT to kill antivirus. If you have gone through the trouble of getting code execution with Meterpreter while AV is installed, why not leave AV alone? Meterpreter is running in memory, so in theory it shouldn't be affected by AV. You should avoid uploading tools if at all possible.
The acknowledgment on page 108 is completely accurate. Generating a payload to bypass some AV products is nearly impossible using the methods described in the book. Any popular method of generating payloads will eventually be reversed (for good reason) by the AV vendors. There is a great discussion about this concept here and here. For that reason, it's normally best to find your own method and keep it private.
Overall, the book is well-written and organized. If I were designing a course on penetration testing, this book would definitely be mandatory reading. It's on the short list of books I would recommend to any security practitioner. You can pick it up from Amazon or directly from No Starch.