Penetration Tester's Open Source Toolkit



Computers & Security 31 (2012) 630–632

Available online at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/cose

Book review

Penetration Tester's Open Source Toolkit, J. Faircloth. 3rd ed.

1. Summary: content and author

This book is relevant for a community of hackers (in the positive sense, hopefully) or technical auditors. The author, Jeremy Faircloth, is a Sr. Manager/Solutions Architect for Best Buy where, with his team, he architects and maintains enterprise-wide client/server and Web-based technologies. He is a member of the Society for Technical Communication and frequently acts as a technical resource for other IT professionals. He is an expert in many areas including Web development, database administration, enterprise security, network design, large enterprise applications and project management. He is also co-author of several technical books covering a variety of topics. In this book the author presents a kind of toolbox that can help to test systems' resilience to penetration attempts and thus reveal any exploitable vulnerabilities. The elements presented in this book should enable the design of a penetration testing laboratory.

The book is organized in ten chapters:

1. Tools of the trade,
2. Reconnaissance,
3. Scanning and Enumeration,
4. Client-Side Attacks and Human Weaknesses,
5. Hacking Database Services,
6. Web Server and Web Application Testing,
7. Network Devices,
8. Enterprise Application Testing,
9. Wireless Penetration Testing,
10. Building Penetration Test Labs.

All the chapters are more or less structured in the same way: 1. Objectives, 2. Approach, 3. Core Technologies, 4. Open source tools, 5. Case Study and 6. Hands-on Challenge. There are slightly more than 400 pages and an index. Chapters are not equally detailed (Chapter 1: 28 pages, Chapter 2: 65 pages, Chapter 3: 44 pages, Chapter 4: 48 pages, Chapter 5: 28 pages, Chapter 6: 39 pages, Chapter 7: 32 pages, Chapter 8: 28 pages, Chapter 9: 52 pages, Chapter 10: 31 pages).

2. General remarks

The book is easy to read and it contains interesting information. Links between chapters are made progressively, which eases the reading and visibility. But some points have disturbed my reading and could also disturb future users/lecturers of this book:

- The book is written mostly in a rather high-level style. This is fine when the goal is to inform (cultural objective) but less so for a technical person who wants to use this information. The book would benefit from two reading levels, the reader choosing whether or not to go into the more technical part.
- For the technical aspects and some very interesting parts of the discourse, the author refers most often to figures. Most of these figures are not readable (very small font, black background with the characters in grey, etc.).
- There are several copy-pastes of the results (outputs) of running some tools, but the author's comments on these outputs are often brief and sometimes superficial.
- The depth of section numbering is high. This makes reading, in terms of structure and links, a bit difficult.
- A surprising lack of references to the literature. There are several web references in the text only; unfortunately they are not grouped at the end of each chapter, which would be useful.
- Chapters are unbalanced; the author seems more comfortable with some aspects than others.
- A glossary is necessary; it would be nice and helpful to add one (sometimes the author uses acronyms before defining them).
- TIP, Warning, Note and Epic Fail all have the same shape. They do not have the same semantics or the same importance, and the reader needs to differentiate them. This would enable the reader to choose to read them, to skip them, or to read them later when needed.

3. Some remarks per chapter

3.1. Chapter 1: Tools of the trade

This chapter presents existing tools needed for penetration tests. Case study (1.5): the objective is not very clear, apart from creating a live CD. "Tools in action" does not make sense here since nothing is precisely put into action. It would have been nice to have the error messages if things do not go well and to show how to fix problems in that case. Hands-on Challenge (1.6): it needs to explain what "to ensure that everything appears to be set up correctly" means.


3.2. Chapter 2: Reconnaissance

This chapter deals with gathering information in a non-intrusive manner and the existing tools to reach this goal. Four steps are discussed: intelligence gathering, footprinting, human recon and verification. Some of the examples no longer correspond to reality and have to be revised. For instance, in Section 2.3.2.1 "Real-world intelligence", MySpace is no longer part of News Corporation. Page 43, in Section 2.3.3.3, the BiLE software suite is presented as an intelligence gathering tool whereas it has been specified that it is a footprinting tool. Pages 78, 79 and 80: repeatedly, tools are succinctly presented and then the author concludes that they should not have been presented there but in the next chapter. This is one of the things that disrupt reading, a lack of organization of the book from time to time. Figure 2.14 is not readable. Pages 64, 65 and 66: not well organized. Page 75, about "IP subnetting", the author says too much or not enough. Page 81: Figure 2.25 is an example of a useless figure; its content can be integrated into the text. Page 82: exact references to previous sections are needed when discussions related to these sections are mentioned. There are several redundancies, so that in some sections the author finds almost nothing to say; for example, see pages 83 and 84 on tools for the verification phase. Page 88, Figure 2.33, a list of domains generated by tldexpand via whois: there is no need for such an unreadable figure for that. Page 91, the author claims that "at this point it is clear that there is a strong relationship between SensePost and SecureData Holdings"; why does the author consider that this is clear? Some explanations are needed here.

3.3. Chapter 3: Scanning and enumeration

This chapter deals with "vitality", i.e. checking that the IP addresses discovered during the reconnaissance phase are reachable. Some tools related to scanning and enumeration are rather well presented and illustrated. Figure 3.1, Figure 3.2 and other figures in this chapter are not readable. Pages 132 and 133: Nmap output is dumped without any explanation. How can novice penetration testers or security auditors extract useful and interesting information from these outputs? How should they read it?
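The complaint above is that raw Nmap output is dumped without a reading guide. As an added illustration (it is neither the book's code nor the reviewer's), the following Python script reads Nmap's XML output (the format written by -oX) and reduces it to what a tester actually acts on: which hosts answered, which ports are open, how many are filtered (no answer at all, which points to a filtering device in the path rather than a closed port), and whether a service name was verified by a version probe (method="probed") or only guessed from the port-number table (method="table"). The embedded scan is a constructed sample in Nmap's real XML schema; the addresses, hostname and banners are invented, not from a real scan.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample in the schema that "nmap -sV -oX out.xml" writes.
# Not a captured scan: addresses are from the documentation range
# 192.0.2.0/24 and the hostname/banners are invented.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 192.0.2.10-11" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="996"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.52" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="8443"><state state="open" reason="syn-ack"/>
        <service name="https-alt" method="table" conf="3"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
        <service name="https" method="table" conf="3"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class OpenPort:
    port: int
    proto: str
    service: str   # nmap's service name
    detail: str    # product/version when a probe identified it, else empty
    probed: bool   # True: matched by a version probe; False: guessed from the port table


@dataclass
class HostSummary:
    addr: str
    hostname: str | None
    up: bool
    open_ports: list[OpenPort] = field(default_factory=list)
    filtered: int = 0  # no answer at all: a filtering device, not a closed port


def parse_nmap_xml(xml_text: str) -> list[HostSummary]:
    """Reduce an nmap XML document to the facts a tester acts on."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmap XML document")
    hosts: list[HostSummary] = []
    for h in root.findall("host"):
        status = h.find("status")
        up = status is not None and status.get("state") == "up"
        addr_el = h.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = h.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        hn = h.find("hostnames/hostname")
        summary = HostSummary(addr, hn.get("name") if hn is not None else None, up)
        for p in h.findall("ports/port"):
            state_el = p.find("state")
            state = state_el.get("state") if state_el is not None else "unknown"
            if state == "filtered":
                summary.filtered += 1
                continue
            if state != "open":
                continue  # closed ports carry no service information
            svc = p.find("service")
            name, detail, probed = "unknown", "", False
            if svc is not None:
                name = svc.get("name", "unknown")
                detail = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
                probed = svc.get("method") == "probed"
            summary.open_ports.append(
                OpenPort(int(p.get("portid", "0")), p.get("protocol", "tcp"), name, detail, probed))
        hosts.append(summary)
    return hosts


def render(hosts: list[HostSummary]) -> str:
    """One line per host, one per open port; a '?' marks a service name that was only guessed."""
    lines = []
    for h in hosts:
        label = f"{h.addr} ({h.hostname})" if h.hostname else h.addr
        if not h.up:
            lines.append(f"{label}: down (no further probing)")
            continue
        lines.append(f"{label}: up, {len(h.open_ports)} open, {h.filtered} filtered")
        for op in h.open_ports:
            mark = "" if op.probed else "?"
            lines.append(f"  {op.port}/{op.proto} {op.service}{mark} {op.detail}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

The point of the '?' marker is the one a novice most often misses: a service name with method="table" is only what nmap-services says usually listens on that port, and should be confirmed by a banner or manual probe before it is reported.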

3.4. Chapter 4: Client-side attacks and human weaknesses

The author honestly states that there is no magic recipe to help handle this aspect. It is essentially based on skills. Page 161: lengthy and not very useful explanation of social networks. Page 170, Section 4.4.1.1, "Fantasy football" – "RSS": for those who do not know this hobby, this is not a very meaningful example. Page 171, Section 4.4.1.2: this section is neither very accurate nor very informative. Page 172, Section 4.4.2.1, and page 173, Section 4.4.2.2, are not very informative. Figure 4.22 is not readable.

3.5. Chapter 5: Hacking database services

This chapter focuses on Oracle and SQL Server with regard to penetration testing. There is no need to scan and to use tools to discover that in Oracle there is a login "Scott" whose password is "Tiger". This chapter is very disappointing. The author does not seem comfortable with this chapter.

3.6. Chapter 6: Web server and web application testing

This chapter deals with web vulnerabilities. Page 224: Section 6.2.3, web application testing, is very light. Page 226: for the first time, the figures are readable, but I don't think that the author needs one page and a half for this kind of figure. However, on page 246, figures are not readable. This chapter is also disappointing.

3.7. Chapter 7: Network devices

This chapter deals with vulnerabilities and configuration errors of routers, firewalls and switches. Figure 7.3 is a useless figure. Page 283: some aspects that are not detailed deserve references to books or papers to allow interested readers to learn more on these subjects, for instance "Ettercap".

3.8. Chapter 8: Enterprise application testing

This chapter presents ways to compromise one or more levels of the application stack. The "integration" aspect is not clear and not well explained. Page 306: soapUI, the text is not clear, the author is not didactic. Some acronyms used in the previous chapter, like CRM (Customer Relationship Management), are only defined in this chapter. Pages 309, 310, 311 and 312: what is the objective? To show the reader that it is not really readable? Page 313: what the author writes on Metasploit in the context of this chapter is too macroscopic. In the Case Study section, the transition from Sapyto to the use of a specific Metasploit module is not explained. It is unclear how the reader of this book could arrive at this kind of insight in another context or case study.

3.9. Chapter 9: Wireless penetration testing

This chapter focuses on material associated with penetration testing of wireless networks. It is one of the longer chapters of the book, and the author is clearly more comfortable with this topic. Tools and explanations are more detailed. Again, there are some problems with the figures; this is perhaps due to black and white printing.

3.10. Chapter 10: Building penetration test labs

What a pity! This chapter, which was supposed to finally put all the things together, is a bit disappointing. The chapter is verbose and rather oriented towards recommendations. Fortunately, the case study somehow achieves the objective of the chapter.

Nora Cuppens-Boulahia
TELECOM Bretagne, LUSSI, 2 rue de la Châtaigneraie, 35576 Cesson-Sévigné Cedex, France
E-mail address: [email protected]

0167-4048/$ – see front matter
doi:10.1016/j.cose.2012.03.008