Penetration testing is a nice way of saying that we are legally trying to break into a system. Practitioners call it pen-testing. The difference between pen-testers and hackers is that pen-testers have permission to break into a system and are trusted not to inflict damage. This book is not a manual for breaking into systems. It doesn’t delve into the science behind operating systems, applications, or employees. It does provide a very nice overview of the field for anyone with a good computer systems background. It should be a must-read for system administrators and operations teams.
The book is not a reference manual. Its goal is to introduce the reader to a variety of tools and tool suites that can be used to break into an organization’s computer-based resources. It is organized as a walk-through of the methodology that a pen-tester would use. It includes suggestions for legal, hands-on experimentation and describes how to build a pen-testing laboratory.
The scary part of this book is just how easy it has become to break into unprotected systems. Open-source tools described in the book can do everything from scanning information about a target organization’s employees to embedding a payload on a universal serial bus (USB) key--and just about everything in between. I used to think that pen-testing was something for serious experts. Now I know that powerful tools are available to professionals--both legal and otherwise. Reading this book was an eye-opening experience. As a professional, you should use it to understand the challenges and risks associated with operating a secure system. If you are a pen-tester, then you will probably be aware of most of these tools. Nonetheless, the wide scope of the book will probably yield at least one or two new tools or approaches.