Customer Reviews

Hack I.T. - Security Through Penetration Testing

5 star:		(12)
4 star:		(3)
3 star:		(0)
2 star:		(5)
1 star:		(3)

 

 

This book is fairly well written but like the author mentions, there is nothing in this book that can not be found on the net. In short, this book is a compilation of various sources up for grabs for free on the net. What is a valuable in this book are all the lessons learnt and real life scenarios that are included.

Since not much new is revealed in this book I suggest not buying this book and instead check out the Open Source Security Methodology Testing Manual, which is a decent framework for penetration testing, including methodology and tools. Alternatively have a look at the NIST publication on penetration testing. Both come at a great price - they are FREE!

If your are exteremely lazy or a newbie to penetration testing then the Hack I.T. book might come in handy as an introduction. However, I suggest using one of the frameworks mentioned above and supplement with sources that are freely available on the web and dedicate time to learn the penetration testing methodologies, tools and techniques instead of reading only one book which scratches the surface.

This book compiles a comprehensive list of tools, both commercial and freeware, which nowadays security consultants used to conduct penetration testing. That's all. Nothing in details, such as dealing with false positive results of commercial scanners, CVE, etc. Claiming to have extensive experience in conducting penetration testing for Fortune 500 companies, the writers seem unwilling to share their real-world experience. I expect that there should be some example scenarios given in the book, and then to discuss the approach on selecting the best tools to conduct the test, i.e to find the most number of vulnerabilities in a short period of time. (usually we ethical hackers are only given short time frame (e.g. 3 hours, or at most one day to conduct the test, in order to minimize business interruption of the clients) And most important, how to correlate the results obtained by different freeware and commercial tools, and present the result to technical as well as management people. And then basing how the risk level of the vulnerability, how to choose appropriate safeguard to protect the company from financial loss. All of these important things are not found in the book.

...

This book is good for beginners. I have finished it within 2 days, very easy going, enjoyed reading it.. Most of exploits that are on the cd don't work with unix. However this book explains some nice techniques and i recommend this book to anybody who is into protecting his/her system from break ins.

This book is like a loaded gun. In the wrong hands the information can be used to harm, but in more benevolent hands the information can be used to protect. This is especially true when you subscribe to the adage that forewarned is forearmed.

The authors have collected the most common penetration exploits and tools used by those who will attempt to penetrate your systems and have presented them in encyclopedia fashion. Each of the techniques and tools are thoroughly discussed from the aspect of defense through penetration testing to assure that common exposures are deal with. This information is valuable for two reasons:

(1) Each of the most common security exposures are identified, and how attackers exploit them is thoroughly examined. This is the forewarning part that you'll come away with.
(2) The tools your attackers will probably use are provided on CD ROM, and the book shows you how your attackers will probably use them, as well as how you can use these tools to test your systems. (NOTE: many of the tools are provided as source code).

Here are the book's strengths and weaknesses:
Strengths: it raises awareness, provides tools and techniques, and discusses the legal aspects of penetration testing. The last strength is especially important because you're need a signed "get out of jail" card before embarking on penetration testing, either as an employee or consultant to the target. One key point the authors make, and which should be at the top of any checklist, is ensuring that whomever authorizes the penetration testing actually has the authority to do so.

Weaknesses: no structured approach - the authors provide many anecdotes, discuss cases and what they did, but is appears to be ad hoc with no test plan or test cases. These should have been included because penetration testing should be a part of any test strategy developed and executed by software QA personnel as a part of acceptance and product qualification test cycles. Since the authors are all employees of a well known international consulting firm I was disappointed that this material was omitted.

Overall: this book is valuable because it addresses head on the techniques and tools against which you need to defend your systems. The added value is that you'll become skilled in the use of these tools and techniques to exploit your own systems, discover the holes and close them. Of course you should prudently track the latest attack ploys by monitoring the URLs and newsgroups that are provided in the book because the tools and techniques are constantly evolving. The book will get you started, but it's up to you to keep up. On the other hand, the unskilled "script kiddies" will also benefit from this book because it clearly explains the technical underpinnings. That unintended audience can, unfortunately, use this book to increase their skills. Despite the noted weaknesses this book is valuable as long as you're aware that it's only a starting point and it's your responsibility to take the knowledge and tools and keep them up-to-date.

This book will give anyone who reads it the basic knowledge on how to perform effective penetration tests. The CD included includes many helpful tools that are discussed in the book. In addition, the case studies are first rate in giving the reader a real-world example on the material covered in the text. I am also very pleased that this book not only covers hacking techniques but also the ethics involved. Great buy!

This book is an overall well rounded view of the methods that can be used for PEN testing. Although it does have for examples some "dated" material (backdoors, etc.), it makes up for this in shear volume, utilizing ideas from different OS's. It is also an easy read, but I was a little disappointed in some of the visuals such as Figure 1.1 (Hard for my eyes to see the Hacked sites in the Hacked site list). This is a 2002 book. Hopefully,the authors will have an updated version soon. On a side note, an associate of mine had the pleasure of meeting Simple Nomad (forwarded this book) at DEFCON, said he's a likable guy.

After reading through this book, it was clear that it teaches you nothing about:
1) Penetration testing
2) Securing your environment

What it does go over are all the possible tools you can download out there, and how you can randomly hack things around you.

Moreover, it is light on methodology, and only touches on operating system and application level security.

This book is a bad idea for those new to pen testing: seek other resources. It is even worse for professionals, who should be cautious altogether.

This text, I call it a text because you can use it as a great learning tool, is wonderful. The book has great illustrations and gives wonderful insights into the inner workings of the hacking world. I fully recommend the use of this book and the CD-ROM included.

Very well written and comprehensive. A real orientation to PEN-TEST procedures. Includes very interesting issues such as: Rootkits, DDoS, Social Engineering, Unix and NT tools and methods, IDSs,'Future Trends' (Including Biometrics) and useful countermeasures.
The companion CD contains several powerful tools like Hunt,Dsniff, Nmap, Whisker, NetCat, Nessus and others.
Buy it, you won't be disappointed.

You can get the same info free off the web!