Most helpful positive review
10 of 10 people found the following review helpful
Worth every Penny.
on 1 December 2011
I've always been interested in penetration testing but oddly enough, I had never used metasploit. So a few weeks ago I bought this book and another one about Metasploit by Syngress. I started with the Syngress one, and it was OK but it was terribly outdated so I literally had to throw it away. This one from NoStarch is a completely different story. For starters, I did a background check on the authors. I was glad to find that some of them are key members of the BackTrack Linux distro, which I'm particularly fond of. The others are well respected professionals of the information security community and have spoken at cons like Blackhat or Defcon.
So considering the experience of the authors I had high expectations and I have to say that they were surpassed.
The book starts off with a nice introduction to Penetration Testing where it explains the different phases of the process and the types of pentests. Then goes on to introduce the actual metasploit framework, covering the basic terminology, the available interfaces and the most important companion tools (msfpayload, msfencode, and so on). However, the fun begins after the introduction, where the authors show how to use metasploit to conduct a penetration test. They divide the process into three phases: intelligence gathering, vulnerability scanning and exploitation. They guide the reader through several step-by-step examples, each one demonstrating different techniques and components. The chapter on the meterpreter is specially detailed and interesting.
Apart from the basic find-a-vuln-and-exploit-it, the book also covers advanced topics such as detection avoidance, client-side attacks or social engineering. It even shows how to hack the framework and build your own modules and exploits.
Summing up... I really liked the book, I think it's worth every penny. I wanted to learn how to use metasploit and I did it. Of course, the book does not cover every single exploit and module available but it does a great job at at teaching you how to use metasploit to conduct a penetration test and compromise the security of your systems.