2011
09.01
Metasploit The Penetration Tester's Guide

Front Cover

A few weeks ago, I ordered the MSF pentest guide mostly authored by the Offsec crew (www.offsec.com).  Hailed as the best MSF guide, and highly praised by the project’s founder H.D Moore this guide does live up to the hype.  I rarely find an IT book that can be read cover-to-cover, especially one that is as specific as this one.

The book covers the framework’s basic functions as well as more advance ones.  It does this by taking the reader through a mock penetration test on vulnerable systems; Windows XP SP2 & Ubuntu 9.04 for example.  Some may criticize the OS selection, saying “what’s the point”, but they need to keep in mind the object of the book is the tool and not “how to hack”.

New and old users to Metasploit will appreciate this work. It covers the basics in such a way as to not lose the new comer’s interest, and for the veterans it may serve as a good refresher on certain auxiliary modules.

The guide starts off with basic setup of the tool, setting up with a database for record keeping.  Moves on to the scanning capabilities; features such as using NMAP straight from the application’s console.  Scanning for mySql or MSSql databases from the console using MSF’s built in features.  Loading and running exploits against found targets, encoding payloads to avoid anti-virus detection, pass-the-hash attacks and so on.

It also convers porting existing exploits to Metasploit and meterpreter scripting. Fast-Track and SET (www.social-engineer.org) are covered as well in later chapters.

Even if this guide is a shade under 300 hundred pages, I must say it covers Metasploit very well.  It could have easily been a few hundred pages longer, but then how good a read would that have been is unsure. For new users to the framework, this book coupled with Offsec’s Metasploit Unleasched WiKi  is great, provides enough material to have a firm understanding.  As for the veterans, they may skip a few chapters but I’m convinced some of the pages will hold their interest.

The book is published by No Starch press, and can also be purchased from their web site directly.

One last note on the authors and the work they have done. Lots of time and effort was put into this.  Seeing they are not professional writers (people that make a living off writing books), I must say they did a great job.  Pretty sure writing and compiling such a book together is no small feat.  Hats off to them…