Updated: May 2, 2011
Several weeks ago, I was contacted by Packt Publishing and asked to review their book, BackTrack 4: Assuring Security by Penetration Testing, written by Shakeel Ali and Tedi Heriyanto. This was an interesting offer. On one hand, I'm well familiar with Linux security. On the other, I have used BackTrack 4 in the past. So what new and cool stuff can a book that combines these two topics teach me?
Quoting from the original site, BackTrack 4: Assuring Security by Penetration Testing is a fully focused, structured book providing guidance on developing practical penetration testing skills by demonstrating the cutting-edge hacker tools and techniques in a coherent step-by-step strategy. It offers all the essential lab preparation and testing procedures to reflect real-world attack scenarios from your business perspective in today's digital age. The book is written as an interactive tutorial and covers the core of BackTrack with real-world examples and step-by-step instructions. It is intended for IT security professionals and network administrators with at least basic knowledge of Linux, interested in using BackTrack for penetration testing.
The book is 392 pages long, written in English and broken down into twelve principal chapters. The book starts in low gear, aiming at getting you familiar and comfortable with the concepts of using Linux, if you've never done that before. It slowly digs deeper into different aspects of penetration testing and comes full circle with documentation and reporting.
Chapter 1 is a very simple introduction to Linux and getting started with BackTrack. You are provided with instructions on how to set up virtualization software and download the BackTrack virtual image. Too much focus is given to the overview of setting up the environment, as you may not be using the specific products listed, like VMware Player or VirtualBox. Next, you are taught the basic concepts of the operating system, like managing services, network connectivity, and updates. There's also a reference on how to upgrade your kernel, which might not be suitable for new users.
While you do get an introductory understanding of how Linux works, you will not gain enough skill or knowledge to use BackTrack from Chapter 1. It's more of a sampling of how things ought to be done and will make sense to people who are already familiar with Linux rather than to new users.
Chapter 2 introduces the concepts of penetration testing. It's a generic chapter, not specifically related to BackTrack, and somewhat long. You do learn the terminology of hacking, things like white hat, black hat, gray hat and suchlike. Chapter 3 follows up with the penetration testing armory, going through the steps of a typical test. The initial steps are also a bit generic, covering things that sound a bit corporate in nature, like the test plan, restrictions, business objectives, project management, and more. None of these is relevant to testing itself, as they are a core part of any serious project.
Things start to become interesting in Chapter 4, which covers information gathering. You are introduced to tools like dnswalk, metagoofil and others, teaching you how to get started with your testing. Most of the material is related to Web information gathering.
Chapter 5 talks about target discovery. Most of the focus is on ping-family tools. nmap is discussed later on, under enumeration in Chapter 6. There's no overview of the network topology and its limitations, which would help a tester understand why certain protocols or certain implementations just might not work.
Chapter 6 is quite interesting, with an in-depth explanation of UDP/TCP and most of the focus on using nmap. Personally, I'd like to see more, especially the lower layers of the stack as well as things like fragmented packets, routing, duplicate IPs, network discovery protocols, and similar. There's also some mention of service and VPN enumeration.
Chapter 7, Vulnerability Mapping, discusses taxonomy, as well as using the OpenVAS vulnerability assessment system to manage your vulnerabilities. It is sort of a counterbalance to auditing tools like Secunia PSI, sitting on the far end of the situational awareness spectrum. There's also quite a bit on Cisco tools, fuzzing with tools like BED and Bunny, as well as detailed explanations of Samba, SNMP and database hacking. Web tools are also mentioned. The chapter is good, but it tries to cover too much, too generically, with not enough screenshots.
The weakest chapter of the book is number 8, titled Social Engineering, which elaborates on the philosophy of social engineering, as well as using the Social Engineering Toolkit (SET) to create attacks. Except that the tool creates malicious payloads using modules like the mass mailer attack and the infectious media generator, which are then sent to victims. This is hardly social engineering, since it involves a digital element rather than just duping people into voluntarily surrendering information or money on the false premise of trust. Some emphasis is given to password cracking and guessing. The chapter feels incomplete and misses the core point of trust involved in social engineering.
The next chapter reads very well, focusing on target exploitation with reverse engineering, disassemblers and decompilers. Most of the work is done using the Metasploit toolkit to generate attacks. The chapter assumes a fairly high and intimate knowledge of how things work under the hood, including a good deal of assembly code, but it's the best of the bunch.
In Chapter 10, you learn about privilege escalation, password attacks with tools like RainbowCrack and John the Ripper, online tools like Hydra and BruteSSH, network sniffers like tcpdump and Wireshark, as well as spoofing and some other tools. Quite colorful and spicy, it complements Chapter 9 in providing the reader with a good understanding of the advanced stages of testing. It would benefit from being longer, as it really discusses important things.
Chapter 11 slows down, as it focuses on what comes after a successful exploitation. It's about maintaining access, using tunneling and proxying. It's quite short and somewhat unneeded. Chapter 12 summarizes the book with documentation and reporting, breaking it down into separate levels like corporate, managerial and technical. There's some talk about best practices toward the end, but not quite enough. The book ends with supplementary tools and key resources.
Overall, the book is quite good, but it's not perfect. My biggest gripe was the screenshots, which were too few, a bit small, blurry and not quite readable. For example, see below: even at 100% zoom, the screenshot is not easy to use; the values are barely readable.
Moreover, the book teaches you how to use tools. It dissects BackTrack and presents its pieces. I'd probably go the other way around, decide what I intend to do, then narrow down my work to the best tools of the trade. Of course, such a thing is not possible without intimate knowledge of said tools, but the bi-directional approach could give a better understanding of the testing procedure and its objectives. Going through every single program and utility can be a little tiring, as you are not quite sure what to use.
What I'd like to see more of are real-life examples. The book does offer real cases, but they are only one or two per tool at most, tactical in nature rather than covering the entire scope of the project on a strategic level. You don't see any examples where multiple tools are used to cross-reference information and create a global picture of the target. There's also no mention of the time and computing power required for some of the tasks.
Finally, I would like to see more about mitigations, workarounds and best practices, as penetration testing is a cooperative relationship between two parties.
Did Assuring Security by Penetration Testing teach me anything? Definitely. A lot, actually. The book is a good read overall, but you can't possibly digest it in one go. Since I'm a practical person with a visual memory, I believe additional examples and bigger, cleaner screenshots would make the book even better. This could have been easily achieved without inflating the book too much by removing some of the bureaucratic bits and generic stuff and adding more complex, multi-layered testing cases.
The one dangerous bit of the book is its premise that users with basic Linux knowledge could manage its contents. I disagree. This book is best used by experienced engineers with a good understanding of networking and of the risks entailed in botching something with an automated attack script.
The book is priced at GBP 52.98, offered for GBP 31.19 at the moment. It's a somewhat steep price, but if you're using the book as part of your job, it should not be a problem. Overall, BackTrack 4: Assuring Security by Penetration Testing gets 8/10. Hopefully, the second revision will see many more difficult, more accurate examples added, with fewer distractions, so it can truly become a comprehensive BackTrack guide.