Book Review: Metasploit - The Penetration Tester's Guide

Recently I received a free review copy of Metasploit - The Penetration Tester's Guide from No Starch Press. I was pretty excited about the book because I have not yet worked with Metasploit before, even though I have followed the Metasploit development for a long time. For those who do not know, Metasploit is a "free open-source penetration testing solution developed by the open source community and Rapid7". Originally started by HD Moore in 2003, it also doubles as one of the world's largest open-source Ruby projects.

Written by the four authors David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni, this new book aims to "teach you the ins and outs of Metasploit and how to use the Framework to its fullest" while also acknowledging that their "coverage is selective". They set out to live up to that aim on roughly 300 pages divided into 17 chapters and two appendices. The individual chapters are 'The Absolute Basics of Penetration Testing' (6 pages), 'Metasploit Basics' (8 pages), 'Intelligence Gathering' (20 pages), 'Vulnerability Scanning' (22 pages), 'The Joy of Exploitation' (18 pages), 'Meterpreter' (24 pages), 'Avoiding Detection' (10 pages), 'Metasploit Auxiliary Modules' (12 pages), 'The Social-Engineering Toolkit' (28 pages), 'Fast-Track' (14 pages), 'Karmetasploit' (8 pages), 'Building your own Module' (12 pages), 'Creating your own Exploits' (18 pages), 'Porting Exploits to the Metasploit Framework' (20 pages), 'Meterpreter Scripting' (17 pages), and 'Simulated Penetration Test' (16 pages).

As you can see, due to the small number of pages and the high number of chapters there is not a lot of meat per chapter. In fact, roughly one-third of the book is console output listings or screenshots. That means you can subtract one-third of the pages of each chapter to get a more accurate estimate of the information provided in each chapter. It also means that you will read roughly 100 pages of console output over the course of the book. In the beginning I made an effort to do that, but after a while this gets ridiculously boring and I began skipping most console output.

There is a reason for the huge amount of console listings you are expected to read. The book is a cookbook, not a compendium. Throughout the book, you are basically told to 'enter <somestring> and hit enter' or 'click menu X', and then they show the console listing of what output you can expect. Between being told what to enter and which output dumps to expect, there is little space left for any in-depth background discussion of what is actually going on. Now, I learned to write code using these sorts of books and it worked out well for me, so if you are at that stage of your professional life you might appreciate this writing style. I have moved on to prefer compendium-style books, though.

Another issue I noticed is probably the result of having different authors write individual chapters of the book seemingly without much coordination. The assumed skill level of the reader is confusing and non-linear. Here is an example. At the beginning of chapter eight (Exploitation using Client-Side Attacks), the authors spend a whole paragraph explaining the x86 instruction NOP, starting with the phrase "NOPs are covered in detail in chapter 15 [in itself the funniest phrase of the book, nearly as absurd as my long-time favorite 'There aren't actually physical rings on the microchip' from Greg Hoglund's rootkit book], but we'll cover the basics here...". Just a few pages later (and again in chapter 14), without any other x86 instructions having been explained before, the reader is expected to understand complete Immunity Debugger code listings. Only in chapter 15 - after you were supposed to create your own exploits in chapter 14 - do the authors explain things like 'EIP and ESP registers' or 'The JMP Instruction Set'. The order in which knowledge of x86 assembly code is assumed and explained is completely out of whack.

Before starting the book I expected to read in-depth information about the internals of the Metasploit framework itself and less cookbook-style material. This might have been a wrong assumption since it's the penetration tester's guide after all, not the contributor's guide. The good news is that the last few chapters kind of go in that direction and were more interesting to me. Starting with chapter eight, the content of the chapters moves away from pure usage of Metasploit to extending Metasploit. Chapters 14 and 15, about creating your own exploit and adding it as a module to the Metasploit framework, were especially enjoyable.

Let's take a closer look at those two chapters. In chapter 14, the authors explain how you can use Metasploit as a fuzzer. The target of the chapter is a known vulnerable version of SurgeMail. Once the fuzzer hits the expected crash, they walk you through the bug and instruct you how to control the SEH chain to get to remote code execution and how to structure the shellcode. In the end, a new module is created to add this exploit to Metasploit. At the beginning of chapter 15 - after writing an SEH overwrite exploit - you finally learn about ESP, EIP, JMP and NOP. Afterwards the authors take an existing MailCarrier exploit written in Python and port it to Metasploit. Even though I liked those two chapters, I have to wonder whether both are necessary (they are really similar) or whether the order of the two chapters was originally supposed to be different.

In general, while the first edition of the book is rocky, not all is lost for a second edition. The authors are clearly knowledgeable and touch upon large parts of the Metasploit framework. It's just that they favored breadth over depth. My recommendation would be to find a way to seriously cut down on the console output listings to improve the flow of reading, to give more in-depth background knowledge instead of mostly cookbook-style instructions (think of the IDA Pro book as a positive example), and to make a clear model of what skill level you are targeting in the reader. I think it is safe to assume that the average reader of a penetration testing book knows what a NOP is. Even more so after implementing an SEH exploit earlier in the book.