Computing Reviews
Today's Issue Hot Topics Search Browse Recommended My Account Log In
Review Help
Search
Penetration testing basics : a quick-start guide to breaking into systems
Messier R., Apress, New York, NY, 2016. 114 pp. Type: Book (978-1-484218-56-3)
Date Reviewed: Apr 28 2017

Citing the first sentences of this volume’s chapter 1:

Penetration testing is an art. You can learn a lot of techniques and understand all of the tools, but the reality is that software is complex, especially when you start putting a lot of software systems together.

The focus is indeed on testing the systems architecture of software systems and web services, to ensure that only authorized users can access them and that they can only access the information they otherwise are allowed to view. The point of view taken in this volume is that of ethical penetration testing, that is, to attempt to carry out the attempted breaches, with proper permissions, aiming at enhancing systems information security; it does not dwell on hacking or gaining unlawful access to information, computers, and networks.

This short 111-page volume takes the process view, addressing in sequence several topics: digging for the information, what’s open, vulnerabilities, exploitation of penetrations, breaking websites, and reporting the findings. It mentions most of the usual techniques, ending each chapter with a summary and some exercises the reader can eventually carry out with common tools like a virtual machine, Kali Linux, and a target image. The information covered in chapter 2 includes Google index commands, Google hacking database (GHDB), social networks, and Internet registries via the “whois” command. Chapter 3 explains the domain name system structure and the results of “whois” and “dig” commands, as well as the usual port scanning, transmission control protocol (TCP)/user datagram protocol (UDP) scanning tests, operating system scanning, and grabbing banners. Chapter 4 is a bit superficial and limited in scanning for vulnerabilities, sticking to only classical buffer overflows, simple vulnerability scanners like Nexpose, and brief coverage of those constantly identified by the computer emergency response team (CERT). Chapter 5 on exploitation links the discovery of vulnerabilities with using Metasploit, a system meant to exploit other systems, allowing it to add custom scripts. The Social-Engineer Toolkit is also discussed, on the way to get someone to do something they shouldn’t do. In chapter 6, the focus is on breaking websites using Ajax updates, cross-site scripting (XSS), SQL request injection, and other techniques. Chapter 7 explains how to write executive reports about ethical penetration tests from a consultant’s point of view, as this is the background of the author. There is an excellent index.

All in all, this volume is easy to read and quite pedagogical, which is maybe its greatest strength, together with putting together some examples and preparing the reader for them. Therefore, it is strongly recommended to chief information officers and IT operations and network operations directors, to ensure in-house information security processes are comprehensive enough. Next, it is also strongly recommended as a supplementary practice-oriented textbook for students in computer and information security, to guide them along in their perfection of this art. It is, however, of less interest to professionals in computer security service firms, who would miss a wide range of state-of-the art tools, databases, and vulnerabilities.

Reviewer:  Prof. L.-F. Pau, CBS Review #: CR145232 (1707-0447)
Bookmark and Share
  Reviewer Selected
 
 
Security and Protection (K.6.5 )
 
 
Security and Protection (C.2.0 ... )
 
Would you recommend this review?
yes
no
Other reviews under "Security and Protection": Date
CIRCAL and the representation of communication, concurrency, and time
Milne G. ACM Transactions on Programming Languages and Systems 7(2): 270-298, 1985. Type: Article
Oct 1 1985
Computer security risk management
Palmer I., Potter G., Van Nostrand Reinhold Co., New York, NY, 1989. Type: Book (9780442302900)
Apr 1 1991
Computers at risk
, National Academy Press, Washington, DC, 1991. Type: Book (9780309043885)
Oct 1 1991
more...

E-Mail This Printer-Friendly
Send Your Comments
Contact Us
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®
Terms of Use
| Privacy Policy