
Book Review: Metasploit - The Penetration Tester's Guide

Recently I received a free review copy of Metasploit - The Penetration Tester's Guide from No Starch Press. I was pretty excited about the book because I had not worked with Metasploit before, even though I have followed Metasploit's development for a long time. For those who do not know, Metasploit is a "free open-source penetration testing solution developed by the open source community and Rapid7". Originally started by HD Moore in 2003, it also doubles as one of the world's largest open-source Ruby projects.

Written by the four authors David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni, this new book aims to "teach you the ins and outs of Metasploit and how to use the Framework to its fullest" while also acknowledging that their "coverage is selective". They set out to live up to that aim on roughly 300 pages divided into 17 chapters and two appendices. The individual chapters are 'The Absolute Basics of Penetration Testing' (6 pages), 'Metasploit Basics' (8 pages), 'Intelligence Gathering' (20 pages), 'Vulnerability Scanning' (22 pages), 'The Joy of Exploitation' (18 pages), 'Meterpreter' (24 pages), 'Avoiding Detection' (10 pages), 'Exploitation Using Client-Side Attacks', 'Metasploit Auxiliary Modules' (12 pages), 'The Social-Engineering Toolkit' (28 pages), 'Fast-Track' (14 pages), 'Karmetasploit' (8 pages), 'Building your own Module' (12 pages), 'Creating your own Exploits' (18 pages), 'Porting Exploits to the Metasploit Framework' (20 pages), 'Meterpreter Scripting' (17 pages), and 'Simulated Penetration Test' (16 pages).

As you can see, due to the small number of pages and the high number of chapters there is not a lot of meat per chapter. In fact, roughly one-third of the book is console output listings or screenshots. That means you can subtract one-third of the pages of each chapter to get a more accurate estimate of the information provided in each chapter. It also means that you will read roughly 100 pages of console output over the course of the book. In the beginning I made an effort to do that but after a while this gets ridiculously boring and I began skipping most console output.

There is a reason for the huge amount of console listings you are expected to read. The book is a cookbook, not a compendium. Throughout the book, you are basically told to 'enter <somestring> and hit enter' or 'click menu X' and then they show the console listing of what output you can expect. Between being told what to enter and which output dumps to expect, there is little space left for any in-depth background discussion of what is actually going on. Now, I learned to write code using these sorts of books and it worked out well for me, so if you are at that stage of your professional life you might appreciate this writing style. I have moved on to prefer compendium-style books though.

Another issue I noticed is probably the result of having different authors write individual chapters of the book seemingly without much coordination. The assumed skill level of the reader is confusing and non-linear. Here is an example. At the beginning of chapter eight (Exploitation using Client-Side Attacks), the authors spend a whole paragraph explaining the x86 instruction NOP starting with the phrase "NOPs are covered in detail in chapter 15 [in itself the funniest phrase of the book, nearly as absurd as my long-time favorite 'There aren't actually physical rings on the microchip' from Greg Hoglund's rootkit book], but we'll cover the basics here...". Just a few pages later (and again in chapter 14), without explaining other x86 instructions before, the reader is expected to understand complete Immunity Debugger code listings. Only in chapter 15 - after you were supposed to create your own exploits in chapter 14 - do the authors explain things like 'EIP and ESP registers' or 'The JMP Instruction Set'. The order of assumed and explained knowledge of x86 assembly code is completely out of whack.

Before starting the book I expected to read in-depth information about the internals of the Metasploit framework itself rather than cookbook-style instructions. This might have been a wrong assumption since it's the penetration tester's guide after all, not the contributor's guide. The good news is that the last few chapters kind of go in that direction and were more interesting to me. Starting with chapter eight, the content of the chapters moves away from pure usage of Metasploit to extending Metasploit. Especially chapters 14 and 15 about creating your own exploit and adding it as a module to the Metasploit framework were enjoyable.

Let's take a closer look at those two chapters. In chapter 14, the authors explain how you can use Metasploit as a fuzzer. The target of the chapter is a known vulnerable version of SurgeMail. Once the fuzzer hits the expected crash, they walk you through the bug and instruct you how to control the SEH chain to get to remote code execution and how to structure the shellcode. In the end, a new module is created to add this exploit to Metasploit. At the beginning of chapter 15 - after writing an SEH overwrite exploit - you finally learn about ESP, EIP, JMP and NOP. Afterwards the authors take an existing MailCarrier exploit written in Python and port it to Metasploit. Even though I liked those two chapters I have to wonder whether both are necessary (they are really similar) or whether the order of the two chapters was supposed to be different at first.

In general, while the first edition of the book is rocky, not all is lost for a second edition. The authors are clearly knowledgeable and touch upon large parts of the Metasploit framework. It's just that they favored breadth over depth. My recommendation would be to find a way to seriously cut down on the console output listings to improve the flow of reading, to give more in-depth background knowledge instead of mostly cookbook-style instructions (think of the IDA Pro book as a positive example), and to make a clear model of what skill level you are targeting in the reader. I think it is safe to assume that the average reader of a penetration testing book knows what a NOP is. Even more so after implementing an SEH exploit earlier in the book.

Book Review - Gray Hat Python

So I finally got around to writing a review for Justin Seitz's new No Starch Press book Gray Hat Python (Official Website / Amazon). Unlike the other No Starch Press books I reviewed in the last months my copy of Gray Hat Python is not a free review copy. I actually bought Gray Hat Python because I wanted to support Justin Seitz who I met at this year's CanSecWest conference for the first time. And because Justin seems to be a pretty nice guy I will punch a bit harder in this review than I usually do (unless the reviewed book really sucks) by giving unsolicited advice on how to improve the book for the second edition.

What is Gray Hat Python all about? The back cover of the book describes it like this: "Gray Hat Python explains the concepts behind hacking tools and techniques like debuggers, trojans, fuzzers, and emulators." And all of that using Python code and popular Python libraries. How awesome is that? Pretty awesome I thought when I first heard about the book. So awesome in fact that several months before the book was published I actually sent Justin an email asking him if everything was fine because I was concerned that the publisher was imposing stuff on him which could lead to a shitty book (see: Reverse Engineering Code with IDA Pro; if you ever meet any of the authors of that book ask them to tell you just how much Syngress sucks; it's an entertaining story).

Continue reading "Book Review - Gray Hat Python"

Book Review - Growing Software

Growing Software - Proven Strategies for Managing Software Engineers (Amazon / Official Website) written by Louis Testa is the latest No Starch Press book I received a free review copy of (thank you No Starch Press). Imagine that you are working for a mid-sized software development company and you were recently promoted to become the manager of a small development team. Now you have to figure out how to plan and schedule the software development process and how to manage the people in your team. Growing Software wants to assist you with this.
Continue reading "Book Review - Growing Software"

Book Review - Profiling Hackers

In late 2008 Raoul Chiesa, Stefania Ducci, and Silvio Ciappi published an interesting book called Profiling Hackers (Amazon). The idea behind this book is simple: Police officers use profiling to find criminals. Hackers often do illegal things. Police officers therefore need to profile hackers. Most police officers do not have a clue about hackers though. On 240 pages divided into seven chapters this book tries to help them by explaining what hackers are like.

Continue reading "Book Review - Profiling Hackers"

Book Review - The Adventures of Dr Debugalov

A few weeks ago I read some Reverse Engineering related blog which I can't remember right now and my Google-Fu is failing me too or I would link to it. Anyway, in one of the comments on that blog, the book Dumps, Bugs and Debugging Forensics - The Adventures of Dr Debugalov (Amazon) was mentioned. Since the book title and its cover amused me a lot and I can't spend all of my money on hookers and blow I quickly grabbed a few Benjamins from my money bin and bought the book without checking out what it is actually about.

Some days later it arrived and I was surprised. The book is actually a comic book. It is a compilation of the comics you can find here. As you can see, the comics are not especially well-drawn and they're nearly completely unfunny to boot. OK, four or five of the comics in the book are actually funny. The other 40 or so are not. The problem is obvious. There are only so many good jokes you can make about debugging (and to be honest, I debug a lot of stuff and I know very few good jokes about debugging). About four years and 100 blog entries ago, I complained about the ridiculous puns in the book C++ Coding Standards. The Dr Debugalov book suffers from exactly the same problem. Except that the Dr Debugalov book has (nearly) no content except for the puns in comic form. This magnifies the problem to the point where it's getting painful.

Talking about ridiculous puns. The pages of the book do not just contain comics. Every single page also features a more or less famous quote that has been reworked (by replacing or inserting words) to turn it into a quote about debugging. After reading approximately 20 of these so called bugtations I wanted to shoot myself.

So yeah, what to recommend. You should probably buy the book, rip off the cover (which is really cute), frame it and hang it on the wall of your little cog-in-the-machine cubicle or wherever you are working. The rest of the book can quickly be discarded.

Book Review - The Art of Debugging with GDB, DDD, and Eclipse

Recently No Starch Press sent me another book for free. Thank you No Starch Press. The book is called The Art of Debugging with GDB, DDD, and Eclipse (Official Website / Amazon) and was written by Norman Matloff and Peter Jay Salzman. The concept of the book is to introduce the reader to debugging (using Linux C/C++ example programs) with the debuggers/IDEs GDB, DDD, and Eclipse. Throughout the book the user is guided through sample debugging sessions first with GDB and afterwards (in briefer form) with DDD and Eclipse.

The book is roughly 260 pages long and divided into eight chapters.

Continue reading "Book Review - The Art of Debugging with GDB, DDD, and Eclipse"

Book Review - The IDA Pro Book

About two weeks ago I received a copy of Chris Eagle's new book The IDA Pro Book (Official Website / Amazon). The publisher No Starch Press was nice enough to send me a free copy of the book to write a review for it. Thank you No Starch Press. And even though I've sworn the official RE blogger's oath to uphold my blog to the highest journalistic standards, this obviously means that my review is completely biased because I hope that No Starch Press will continue to send me books for free (please contact me for a precise list of the books I'm interested in, thanks in advance).

Anyway, less talk about No Starch Press and more about The IDA Pro Book. Written by Chris Eagle, The IDA Pro Book is the latest book that tries to guide reverse engineers through the exciting world of binary files you've "lost" the source code for. The approximately 580 pages of the book (it's not 640 pages long as claimed on Amazon) are divided into 26 chapters which are themselves grouped into six parts.

Continue reading "Book Review - The IDA Pro Book"

Book Review - Dreaming in Code

Yesterday I finished reading Scott Rosenberg's book Dreaming in Code - Two Dozen Programmers, Three Years, 4,732 Bugs, and One Quest for Transcendent Software (Official website / Wikipedia). Inspired by a severely problematic content management system for salon.com, Rosenberg started to think about the problems of creating complex software. Why do so many software projects fail to meet deadlines? Why do they spiral off into money black holes? Not being a software developer himself, the journalist Rosenberg started to hang out with the developers of Chandler (Official website / Wikipedia), a "revolutionary" personal information manager. He followed the Chandler team for three years, attended meetings and presentations, and asked the people involved in the project about their thoughts about software development in general and Chandler in particular. The results of this journey are written down in the book.

Continue reading "Book Review - Dreaming in Code"

Book Review - Advanced Windows Debugging

After my last two book reviews were rather negative, I'm happy to say that this review is going to be positive again. Mario Hewardt's and Daniel Pravat's book Advanced Windows Debugging (Official Website / Amazon) keeps what the title promises. It's a book for people who need to find bugs in Windows programs that are for whatever reason (too) difficult to find with the "normal" developer tools like the integrated Visual C++ debugger. That's not what the authors say in the introduction of course. They say it's a book for everyone who does Windows development. And that's probably true because the book is a real eye-opener for what's possible with the debugging tools provided by Microsoft. Nevertheless I guess that most developers will rarely if ever leave the cushy environment of their IDE's debugger. But just in case you do, this book prepares you well.

Continue reading "Book Review - Advanced Windows Debugging"

Book Review - Reverse Engineering Code with IDA Pro

This week I managed to read Reverse Engineering Code with IDA Pro. I was pretty curious about the book because it's the first book specifically about everyone's favourite disassembler IDA Pro and it turned out to be very different from what I expected.

Co-authored by Dan Kaminsky (editor), Justin Ferguson, Jason Larsen, Luis Miras, and Walter Pearce, Reverse Engineering Code with IDA Pro sets out to give an introduction to IDA Pro and how to use it to reverse engineer software. The book is approximately 310 pages long and divided into nine chapters ("Introduction", "Assembly and Reverse Engineering Basics", "Portable Executable and Executable and Linking Formats", "Walkthroughs One and Two", "Debugging", "Anti-Reversing", "Walkthrough Four", "Advanced Walkthrough", "IDA Scripting and Plug-Ins").

Continue reading "Book Review - Reverse Engineering Code with IDA Pro"

Book Review - The New School of Information Security

Hi everyone and welcome to another post in my favourite blog entry category: Book Reviews. I'm happy to announce that for the first time ever I have actually managed to read a book and write a review of it before its official release (unlike my other reviews where I often review three year old books). I'm talking about Adam Shostack's and Andrew Stewart's new book The New School of Information Security here which will be released tomorrow.

The New School of Information Security is a weird book. From the title of the book you'd think that this is a book about information security for people who have at least some kind of clue about information security. I mean why would people that do not have a clue about information security read a book about reforming and improving the field of information security? Unfortunately this assumption is wrong.

Continue reading "Book Review - The New School of Information Security"

Book review: The Art of Software Security Assessment

The Art of Software Security Assessment - Identifying and Preventing Software Vulnerabilities (Amazon / Official Website) by Mark Dowd, John McDonald and Justin Schuh is a huge book. At more than 1100 pages it's the fourth biggest book I've ever read. It was quite a task to read it front to back and so it took me a while. Here's my review of the book.

Continue reading "Book review: The Art of Software Security Assessment"

Book review: The Algorithm Design Manual

Steven S. Skiena's book The Algorithm Design Manual is different from all the other algorithm books I've read so far. Skiena's book makes you aware of three things:
  • Optimize the algorithm instead of the implementation
  • Choose proper data structures
  • Recognize that many problems can be reduced to well-researched standard problems
At this point I can hear you saying "Gee sp, don't all algorithm books teach you that?". Maybe they do. All decent ones at least. But Skiena's book is different. All the other algorithm books I've read so far deal with the three points I mentioned only briefly in the introductory chapters. The rest of the books present implementations of algorithms. In Skiena's book the three points are the central theme of the book. The book teaches you how to extract the relevant information from a problem, how to transform a given problem into a well-researched problem, how to select the best data structure for the job and how to really improve algorithms. Implementations of actual algorithms or data structures were omitted. Skiena's book might be the only algorithm book that doesn't present any actual algorithm code (there are a few tiny algorithms given in pseudo-code but not many). That's what makes the book so different and yet so valuable.

Continue reading "Book review: The Algorithm Design Manual"

Book review: Programming Interviews Exposed

The first thing that amused me about the book "Programming Interviews Exposed - Secrets to Landing Your Next Job" were two sentences from the beginning of the third paragraph of the preface:

At this point you may be wondering who we are and what gives us the authority to write this book. We're both recent graduates who've been through a lot of interviews in the past few years.

Are people who went through a lot of job interviews actually qualified to write a book about acing job interviews? On the other hand a guy who only needed a single job interview to get his dream job is probably not qualified either. I guess only people who actually sat on both sides of the table can really write good books about job interviews. If you want to have an example of what I'm talking about check out Steve Yegge. He writes amusing blog posts about job interviews once in a while (old site - new site).

Continue reading "Book review: Programming Interviews Exposed"

Book review - Hacker's Delight

When the Quake 3 source code was released a while ago, people found a curious function called InvSqrt. This function turned out to calculate the inverse square root of a floating-point number in a pretty cool way (read everything about the function here). Recently someone tried (unsuccessfully) to find out the origin of the function and the function was once again on Slashdot and Digg.

Personally I'm not concerned with calculating square roots or their inverses but I'm implementing a compiler for a severely limited RISC architecture right now. This architecture has only 15 very basic operations. For example there are only logical shifts. Arithmetic shifts and rotate operations have to be compiled to a combination of logical shifts and bit-wise operations like "and" and "or". There's not even a bit-wise "not" instruction. Inverting an operand means xor-ing it with a bitmask with every bit set.
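To make the lowering concrete, here is an added example (my own code, not from the compiler described above or from Hacker's Delight) that builds the three missing operations out of the primitives the paragraph names: NOT from XOR with an all-ones mask, rotates from two logical shifts and an OR, and an arithmetic shift right from a logical shift plus a sign fill. It assumes a 32-bit word; the `sra_via_sub` variant additionally assumes a subtract instruction exists, which the paragraph does not state, so it is marked as an assumption. The native `>>` on a signed value is used only as a reference to cross-check the emulations.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: a 32-bit machine word. */
#define WORD_BITS 32u
#define ALL_ONES  0xFFFFFFFFu

/* Bitwise NOT without a NOT instruction: xor with an all-ones mask. */
uint32_t not_via_xor(uint32_t x)
{
    return x ^ ALL_ONES;
}

/* Rotate left by n using two logical shifts and an OR.
 * n is reduced mod 32; n == 0 is special-cased because shifting a
 * 32-bit value by 32 is undefined behaviour in C. */
uint32_t rotl_via_shifts(uint32_t x, unsigned n)
{
    n &= WORD_BITS - 1u;
    if (n == 0u) return x;
    return (x << n) | (x >> (WORD_BITS - n));
}

/* Rotate right, same construction with the shift directions swapped. */
uint32_t rotr_via_shifts(uint32_t x, unsigned n)
{
    n &= WORD_BITS - 1u;
    if (n == 0u) return x;
    return (x >> n) | (x << (WORD_BITS - n));
}

/* Smear the sign bit across the whole word: returns 0xFFFFFFFF if the
 * top bit of x is set, 0 otherwise. Uses only AND, OR and logical shifts. */
uint32_t sign_smear(uint32_t x)
{
    uint32_t s = x & 0x80000000u;
    s |= s >> 1;
    s |= s >> 2;
    s |= s >> 4;
    s |= s >> 8;
    s |= s >> 16;
    return s;
}

/* Arithmetic (sign-propagating) shift right from a logical shift right:
 * shift zeros in, then OR copies of the sign bit into the vacated top n bits.
 * Only shifts, AND and OR are needed. */
uint32_t sra_via_shifts(uint32_t x, unsigned n)
{
    n &= WORD_BITS - 1u;
    if (n == 0u) return x;
    uint32_t fill = sign_smear(x) << (WORD_BITS - n);
    return (x >> n) | fill;
}

/* Same result in three operations, assuming the target also has a subtract:
 * t has a single 1 where the sign bit lands after the logical shift;
 * xor-then-subtract turns that bit into a run of ones above it. */
uint32_t sra_via_sub(uint32_t x, unsigned n)
{
    n &= WORD_BITS - 1u;
    uint32_t t = 0x80000000u >> n;
    return ((x >> n) ^ t) - t;
}

/* Reference: native signed shift. Right-shifting a negative int is
 * implementation-defined in C but arithmetic on every mainstream compiler;
 * used only to cross-check the two emulations above. */
int32_t sra_native(int32_t x, unsigned n)
{
    return x >> (n & (WORD_BITS - 1u));
}

/* Cross-check every shift amount for one value: 1 if all agree, else 0. */
int check_sra(uint32_t x)
{
    for (unsigned n = 0; n < WORD_BITS; n++) {
        uint32_t ref = (uint32_t)sra_native((int32_t)x, n);
        if (sra_via_shifts(x, n) != ref || sra_via_sub(x, n) != ref)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample words covering both sign-bit states and extremes. */
    uint32_t samples[] = { 0x80000000u, 0xDEADBEEFu, 0x7FFFFFFFu, 0u, 1u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%08x: %s\n", samples[i], check_sra(samples[i]) ? "ok" : "MISMATCH");
    return 0;
}
```

The shift-only arithmetic shift costs about a dozen instructions because the sign bit has to be smeared by hand; if the target has subtract, the `sra_via_sub` form is the one worth emitting. The `n == 0` guards matter on a real code generator too: a rotate by zero must not turn into a shift by the full word width, which is undefined in C and often silently wraps in hardware.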

Anyway, the latest round of e-popularity of the InvSqrt function and my current work brings me to this update. Three years ago I bought the first edition of the book Hacker's Delight by Henry S. Warren, Jr (the official website of the book is http://www.hackersdelight.org/ ). On nearly 300 pages it tells the tale of some decades of assembly programming on weird platforms and what tricks people came up with to overcome the limits of older computers. An Amazon reviewer describes the book in the following words: "Think of it as 'The Art of Computer Programming, Volume 0: Bit Manipulation'. Except without the annoying Knuth attitude". This describes it well, I think.

Continue reading "Book review - Hacker's Delight"