***** Metasploit: The Penetration Tester’s Guide. By David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni. No Starch Press, nostarch.com; 328 pages; $49.95.
People who design networks or build software applications are often oblivious to security faults that their designs may have. Those serious about information security will perform or will have an outside firm perform a penetration test—which is a way to evaluate how effective the security of a network or application is. Those performing a penetration test will imitate what an attacker would do in an adversarial situation to see how the system holds up.
The Metasploit Project is an open-source security project that provides information about security vulnerabilities and assists those performing the penetration tests in building a framework in which to carry out the testing. For those looking to use the Metasploit to its fullest, Metasploit: The Penetration Tester’s Guide is a valuable aid. Metasploit itself is an extremely powerful tool, but it is not an intui-tive piece of software.
While there’s documentation on Metasploit available at the project Web site, the authors use the book to help the reader become more fluent in how to use the base Metasploit methodology to be an effective penetration tester.
The first two chapters provide an introduction to penetration testing and Metasploit. By chapter four, the reader is deep in the waters of penetration testing. The book progressively advances in complexity. And by the time the reader finishes chapter 17, he or she should have a high comfort level on how to use Metasploit.
The book is meant for someone who is technical and needs to be hands-on with Metasploit and really understand it. For firms that are looking to do their own penetration testing, Metasploit is a free open-source tool, also used by firms that charge for the service.
For those looking to jump on the Metasploit bandwagon, this book is a great way to do that.
Reviewer: Ben Rothke, CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), is an information security manager with a major hospitality firm.