Computing Reviews
Today's Issue Hot Topics Search Browse Recommended My Account Log In
Review Help
Search
Penetration testing basics : a quick-start guide to breaking into systems
Messier R., Apress, New York, NY, 2016. 114 pp. Type: Book (978-1-484218-56-3)
Date Reviewed: Jan 18 2017

Penetration testing basics is a small book, about 110 pages, that intends to give readers a quick start with penetration testing, in seven chapters.

The first chapter explains what penetration testing is. It is certainly worth pointing out the ethical side and the requirement to have a “get out of jail free” letter. It briefly discusses the objectives, the limitations, and various testing types. Finally, the well-known methodology for penetration testing is explained, which serves as an introduction to the following chapters that zoom into the steps of the methodology.

“Digging for Information” (12 pages) covers intelligence gathering and includes Google hacking, using social networking, and Internet registries.

The second step, scanning (16 pages), starts by looking at the domain name system. The more classical network protocol scanning, operating system, and version scanning are next. Grabbing system and service banners concludes this chapter.

Vulnerability scanning (14 pages) is the next step of the methodology. “Exploitation” (24 pages) goes beyond vulnerabilities to really break into systems. It uses the obvious tool, metasploit and its auxiliary modules, but also the social engineer’s toolkit, a nice plus.

“Breaking Web Sites” (24 pages) addresses a very important subset, often executed by dedicated testers. It presents a selection of common web application attacks: cross-site scripting, SQL injection, command injection, Extensible Markup Language (XML) external entity attacks, clickjacking attacks, and cross-side request forgery. Additionally, testing strategies and tools are discussed.

The last chapter, “Reporting” (8 pages), starts with what often matters most: the executive summary. The need to report on the methodology is covert. The expected report elements follow: finding, recommendation, evidence, and references.

The book does not go deep into any subject, as expected for an introduction. Each chapter ends with a summary and exercises.

The assumption that the reader still needs an introduction to the underlying technologies is somewhat of a concern. Using powerful tools on systems with shallow knowledge of how they work is not a proper start for penetration testing. The book provides a good quick start for de-mystification: an experience of what penetration testing looks like and what is involved.

Reviewer:  A. Mariën Review #: CR145003 (1704-0230)
Bookmark and Share
  Reviewer Selected
Featured Reviewer
 
 
Security and Protection (K.6.5 )
 
 
Security and Protection (C.2.0 ... )
 
Would you recommend this review?
yes
no
Other reviews under "Security and Protection": Date
CIRCAL and the representation of communication, concurrency, and time
Milne G. ACM Transactions on Programming Languages and Systems 7(2): 270-298, 1985. Type: Article
Oct 1 1985
Computer security risk management
Palmer I., Potter G., Van Nostrand Reinhold Co., New York, NY, 1989. Type: Book (9780442302900)
Apr 1 1991
Computers at risk
, National Academy Press, Washington, DC, 1991. Type: Book (9780309043885)
Oct 1 1991
more...

E-Mail This Printer-Friendly
Send Your Comments
Contact Us
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®
Terms of Use
| Privacy Policy