Customer Reviews

Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research

5 star:		(0)
4 star:		(0)
3 star:		(0)
2 star:		(3)
1 star:		(1)

 

 

I'm going to take a harsh stance on this book, mostly because this book had potential to really build upon all the information publicly available for Metasploit and really make a great book on Metasploit internals and advanced usage. Instead it seems like current public/free information was just rehashed and new information not updated for the 3.x branch of MSF.

What I consider the "meat" of this book, and what should have made this a 4 or 5 star book, covers the Metasploit Framework 2.x branch and NOT the current 3.x branch. By "meat" I mean the case studies covering exploitation using MSF. The major difference between the two is that 2.x was written in Perl and 3.x in Ruby. To be fair the first 5 chapters cover using MSF 3.x, but I really didn't feel they covered much, if anything, that's not out on the net with the exception of Chapter 5 (Adding new Payloads). "Using" Metasploit has been covered a million times in a million other books. A book specifically on Metasploit should have covered things not covered in every other hacking book.

Chapter 1 is an "Introduction to Metasploit." If you haven't ever used the tool and didn't want to RTFM, then "maybe" it would be useful for you. Most of the material I felt could be found on the Metasploit main support page, the wiki, or via google, but mostly the first two. I'm also not sure why there are pages and pages of current payloads and exploits with no explanations as to why I would use one type of payload versus another especially for the obscure ones like find tag or ordinal payloads. Doing a "show exploits" or "show payloads" without dialogue on the differences adds little value. The Leveraging Metasploit on Penetration Tests section is one paragraph :-(

Chapter 2 is "Architecture, Environment, and Installation." There are 2-3 pages on locking down a system. Why is that included? Very random. Let me cover the installation covered in the book for you. Windows, double click the executable. *nix, download via svn. That's about the level of detail we get...sigh :-(

Chapter 3 is a whopping 7 pages including the FAQ section on "Metasploit Framework and Advanced Environment Configurations." That chapter covers what is in the directories of your msf installation and using the setg command.

Chapter 4 is "Advanced Payload and Add-on Modules." Covers some old information on meterpreter and some meterpreter basics, the stuff on the net covers it in far more detail. Decent coverage of the VNC Inject payload, crappy coverage of the PassiveX payload, ok coverage of auxiliary modules and a mention of db autopwn.

Chapter 5 is "Adding New Payloads." Chapter 5 is the best chapter in the book because it discusses something...here it goes...NEW! and related to MSF 3.x. Chapter 5 is an excellent chapter walking us thru building a SIP Invite spoofer auxiliary module. Had the whole book been of this caliber it would have been a 5 star book.

The case studies should have been rewritten to work with MSF 3.x, they are all for 2.x. They are good and contain the required detail (but I didn't not work through all the examples yet) Things are similar between the branches and you can probably muddle through the conversions but it makes no sense for the first half of the book to be about 3.x and the meat to be about 2.x. At a minimum a chapter or section on converting exploits from 2.x to 3.x was in order, but was not included.

I didn't find Appendix B, "Building a Test Lab for Penetration Testing" to be all that helpful either. I think it's a reprint from Penetration Tester's Open Source Toolkit v2, but can't confirm because I don't have that book.

What could have been a brillent book, turned out to be more of a dud then anything else. By the time this book came out, Framework 3 should have been covered, instead, the book focuses on version 2.x.

If you are a newbie to Metasploit I can understand that this book could have been helpful, primarily for the historical purposes, and if you've used 2.x and intend on staying at the version, go ahead, read the book. But, if you are like 99.9% of the rest of use, save your money and wait until someone else either writes an in-depth book on the actual use of the most current version of Metaspolit and the inner workings, etc, or, look up the information needed on the web. You'll feel more satisified with yourself knowing you didn't waste your time and money.

Much like the other reviews, I would have to say the information is outdated and very basic. The section on analyzing the different exploit modules would be useful if it was up to date. No need to repeat what has already been said. I had high hopes for this book. Wish I read the reviews first. For a list price of $60? Way overpriced. It's a book capitalizing on the popularity of the tool.

This was a good intro to Metasploit. However, in order to get Metasploit to do more than hack your old Windows box, you'll need to add your own code. There is nothing about the libraries and functions built into Ruby to help you do this. They have included nothing in the book about altering your payload so that virus checkers won't scream at it.

A version of Meterpreter that could pass by the virus checkers would be a huge asset to IT departments doing remote support over slow links. Having had to do support for computers on oil rigs (60 computers sharing a 128kb/sec VSAT link), remote desktop of any kind was not an option.

It's a good start, I just wish it had more meat.