Browse archive

Latest news

The security of WordPress plugins

How to detect hidden administrator apps on Android

Key obstacles to effective IT security strategies

CyanogenMod founder aims to thwart data-grabbing apps

Businesses not fully implementing infosec programs

Is accessing work apps on the move destructive?

Microsoft releases Enhanced Mitigation Experience Toolkit 4.0

New regulation for ENISA, the EU cybersecurity agency

F-Secure advances fight against exploits

Free anti-spam software for the Mac

Information security executives need to be strategic thinkers

U.S. tech companies sharing bug info with U.S. govt before releasing fixes

Account takeover attempts have nearly doubled

It takes 10 hours to identify a security breach

Guccifer hacks U.S. nuclear security agency chief

British GCHQ spied on G20 delegates to gain advantage in talks

Hacking charge stations for electric cars

Metasploit: The Penetration Tester's Guide

by Zeljka Zorz - Wednesday, 28 March 2012.

Author: David Kennedy, Jim O’Gorman, Devon Kearns and Mati Aharoni
Pages: 328
Publisher: No Starch Press
ISBN: 159327288X

Introduction

Metasploit Framework (MF), the open source tool for launching exploits against remote machines, is a well-loved instrument that allows penetration testers to automate routine and complex tasks. This book explains how to use it and other assorted tools and will have you up and running your own exploits in a flash.

About the authors

David Kennedy is CISO at Diebold Incorporated and creator of the Social-Engineer Toolkit, Fast-Track, and other open source tools.

Jim O'Gorman (Elwood) is a professional penetration tester, an instructor at Offensive Security, and manages Offensive Security’s consulting services.

Devon Kearns is an instructor at Offensive-Security, a BackTrack developer, and administrator of The Exploit Database.

Mati Aharoni is the creator of BackTrack and founder of Offensive-Security.

Inside the book

The book starts with two very short chapters about basic penetration testing and introduces the tools within the MF.

As it continues through the various phases of a penetration test (pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post exploitation and reporting), the authors slowly introduce various tools (the Meterpreter, the Social-Engineering Toolkit, Fast-Track, Karmetasploit, and Metasploit's modules) and concepts such as antivirus evasion techniques, browser bugs and client-side exploitation, social-engineering attacks, fuzzing, the creation of one's own exploitation modules, and more.

Each chapter builds upon the knowledge shared in the previous one in a very organic and seamless way. The language is as technical as it needs to be and the explanations clear.

All the chapters are a finely balanced combination of text, code, screenshots and tips, and coupled with a machine on which the reader can try out everything he reads about, this book is the perfect guide for those beginning to work with Metasploit. Experienced penetration testers and MF users will likely skip a lot of the content, but could find it useful as a reference.

In order to understand the things shared in it, the reader should be familiar with Ruby and/or Python, as many of the examples shown are written in one of those two programming languages.

Final thoughts

HD Moore, the founder of the Metasploit Project, wholeheartedly recommends the book - and who am I to say otherwise?

But, in all seriousness, it is a very helpful and interesting book for beginners, especially those who like to learn by doing - every chapter is like a thoroughly documented project covered from beginning to end.