9 Reviews
35 of 37 people found the following review helpful:
3.0 out of 5 stars
Should be called "Professional Pen Testing Project Management"
This review is from: Professional Penetration Testing: Creating and Operating a Formal Hacking Lab (Paperback)
I had fairly high hopes for Professional Penetration Testing (PPT). The book looks very well organized, and it is published in the new Syngress style that is a big improvement over previous years. Unfortunately, PPT should be called "Professional Pen Testing Project Management." The vast majority of this book is about non-technical aspects of pen testing, with the remainder being the briefest overview of a few tools and techniques. You might find this book useful if you either 1) know nothing about the field or 2) are a pen testing project manager who wants to better understand how to manage projects. Those looking for technical content would clearly enjoy a book like Professional Pen Testing for Web Applications by Andres Andreu, even though that book is 3 years older and focused on Web apps.
PPT offers 18 chapters, with 12 chapters on project management and non-technical issues, and 6 ostensibly covering technical issues. The technical material is limited to the basics of conducting reconnaissance, running Nmap, Nessus, CORE IMPACT, Ettercap, Aircrack-ng, Netcat for "maintaining access," SSH for an "encrypted tunnel," and trivial file and script changes to "cover tracks." Seriously. I'm sure some review readers are saying "sometimes it's just that easy." That's true, but we don't need a 528 page book with an outrageous price tag to read about these well-known methods. If your experience with pen testing is limited to this book, take a look at Andres Andreu's title to see the sort of material you should expect in a book on pen testing. I didn't find the project management parts all that helpful, either. Some of it just repeats material published in various guides like the Open Source Security Testing Methodology Manual. Other sections repeat certification descriptions found on vendor Web sites. It is clear the author really cares about project management, so maybe he should have just written a book on project management for security managers? I gave the book three stars because I didn't find the book to be technically or managerially incorrect. (If that had been the case, I would have rated it two stars.) If you want much better coverage on technical matters not found in Andreu's book, try the core Hacking Exposed titles. They address the same topics that PPT barely introduces.
6 of 6 people found the following review helpful:
4.0 out of 5 stars
A Very Good book for the intended Audience
I recently finished going through Professional Penetration Testing by Wilhelm. This book is very good for beginners and advanced Pen testers. In the past there have not really been any texts that focused on the entire process of Penetration testing. This is where Professional Penetration Testing excels. It goes over the entire process from start to finish.
For beginners, this text gives a very good overview of the entire penetration testing process from scoping all the way to writing an executive summary. For advanced testers, the most valuable sections are probably the ones on testing frameworks, scoping, and report writing. I have met many testers who were excellent technically but could not communicate the results effectively to business leaders; this book will help these testers improve in that area. Advanced Pen Testers will probably not learn any technical tricks from this text. My only complaint about the book is that it doesn't really go into how any of the exploits that one would use in pen testing work. For example, the author gives a listing of different NMAP scan options and very briefly goes over what the options are, but doesn't really explain why you would use one over the other. I am guessing that this omission is primarily due to the space required to add such information and that the goal of the text seems to be to give the whole view of pen testing without going into too much detail on any section.
5 of 6 people found the following review helpful:
5.0 out of 5 stars
PPT is an excellent and easy read
I have read quite a few books covering the security field and have found most of them very dry and hard to read. Thomas Wilhelm's PPT book is the exception; I found it easy to read and managed to complete it in a weekend. The book will suit both the security professional and those new to the security field. The technical depth of the book will benefit systems administrators who need to gain an understanding of penetration testing. The project management aspects of the book will benefit the security professional moving into a more managerial role.
2 of 3 people found the following review helpful:
5.0 out of 5 stars
Must Have
Amazon Verified Purchase
I have been a system administrator for several companies and needed a good way to mirror the networks that I am using to find the security holes in them. The virtualization that is explained and the methodology are wonderful for this. As the author explains, a lot of times you don't or can't test things out on a "live" network; this is one of the better ways to find out where many of the flaws are and correct them. The CD that comes with the book is more than worth the price of the book. It has many of the scenarios and exercises that will help you to understand more about pen testing.
3.0 out of 5 stars
Open to disappointment
Overall, I enjoyed Professional Penetration Testing book. It is aimed at rookies, so I overall found it useful. I was disappointed with the labs corresponding with the CD. I admit I wanted the BackTrack brain dead version, but there is no BackTrack on the CD. No big deal, because it is easy enough to download...but when you pay $75, it is disappointing. So why is BackTrack not on the CD? Per [...]link, the "DVD was changed at the last minute to exclude the BackTrack images due to space issues." So there is not enough space for a "readme" file?
I did like the down to earth explanations of what the reader should be seeing, etc.
4.0 out of 5 stars
A must have
Amazon Verified Purchase
A must-have for everyone who wants to start a professional career as a pentester.
The DVD with several system images and hacking challenges is a great addition to the content of this book.
4.0 out of 5 stars
Of Value - Maybe Not What You Expect
By Douglas Gullett (Ohio, USA)
This book appears to be directed toward at least three audiences: Security consultants that may wish to start their own company, project managers interested in managing penetration testing, and finally those that want to get into the penetration testing field. There were some awesome nuggets in this book, but I felt that I had to dig to get to them. The book did not flow well in my opinion. Based on the title, I was hoping for a book that would take you through setting up an advanced "Professional" lab and address more advanced techniques.
The author definitely thought out all the ins and outs of writing up a contract with a client and many more legal ramifications that most companies focus on. That section is much marked up and will be kept for future reference. I will admit I was a bit disappointed in part 2 as it clearly is directed toward beginners and not those with much experience. Overall, there is valuable information in this book and the material and extras on the CD are valuable. I think that it may have been more suitable to make this into two separate books. The book has valuable knowledge, but the title is a bit misleading. The next book on my list: Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques, from the same author.
3 of 5 people found the following review helpful:
5.0 out of 5 stars
Excellent Read
Amazon Verified Purchase
I'm a Systems Administrator that has been in the business for a little over 10 years. I've been looking for a change of pace and realized that I am married to IT. So I decided to research the Information Systems Security field a bit more. One of the things I wanted to learn more about was how hackers make their way into a network. Found this book on the Ethical Hacker website and the author was nice enough to allow them to host a chapter of the book. I'm about halfway through the book and finding it an enjoyable read. The author spends more time focusing on the project cycle of a penetration test rather than how to use the tools. This is great because learning to use the tools can be done with a few Google searches. I would highly recommend this book for seasoned IT pros that are thinking about getting into the ISS field.
2 of 25 people found the following review helpful:
4.0 out of 5 stars
WOW
Just bought it today at Borders with a 30% discount. I'm an IT security professional, wanting to set up a virtual lab to hone my skills, without worrying about slowing down or worse yet rebooting production boxes. I plead guilty to not working through the book yet, but as with most Syngress books...they do a fine job at fully describing a niche in the IT field. After three decades in the IT industry, I feel my brain itching with anticipation. VMs are truly changing the IT field in development & testing as well as in production. May this book taste as good as it smells!
Professional Penetration Testing: Creating and Operating a Formal Hacking Lab by Thomas Wilhelm (Paperback - August 28, 2009)
$79.95 $56.99