Penetration Testing mailing list archives
Newbie Book - Gray Hat Hacking
From: AdamT <adwulf () gmail com>
Date: Mon, 25 Jul 2005 01:28:43 +0100
IIRC, there was recently a thread about learning to be an ethical hacker/pen-tester. Feel free to discard my comments, as I haven't performed a penetration test in over 2 years, but I recently ventured across what I'd consider to be something of a 'gem' for budding would-be pen-testers. It's a book called 'Gray Hat Hacking'[1], crediting Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness and Michael Lester as the authors. The reason I think it's a good buy is because it goes in to a far deeper technical level than you'll find in any 'Hacking Exposed' book. Some of what's in there is pretty basic, and the book spends (IMHO) far too much time discussing various legal and ethical stances, such as your preferred choice of disclosure policy. Whilst this is valuable information to any tester, as is what I call the 'legally covering your ass' section -in my experience things like 'disclosure policy' are dictated by the client, not the evaluation team. Usually with a 'Non-disclosure' agreement. Also - the legal section in this book is geared towards the US legal system. Brits like myself will need to remember this when reading that chapter. However - the key thing that sets this book apart from books like the 'Hacking Exposed' series is that it actually goes to the trouble of not using layman's terminology to describe how illustrated exploits work, rather than using an analogy to provide 'script-kiddies' just enough clue to make themselves sound knowledgeable (or 7337 if you prefer) on IRC and USENET. Another good point with this book is that it provides exam-type questions with every section - so the reader gets the chance to think for themselves a little. If you've been reading up for your Microsoft/LPI/Novell/Cisco certs, you'll no doubt be used to such a format, and may even find it helpful - although the book doesn't seem to be geared towards any particular syllabus. If you're a seasoned tester, this book will probably be of little worth to you, unless you've been stuck in management for a few years, and just want to brush up on your hands-on skills. However -if you're new and genuinely interested in penetration testing, and currently think that shellcode is 'something that other people write', this book will be a good starting point for you. Obviously, it won't teach you *everything* in little more than 400 pages, but if you can use google and the 'man' command, it will give you a good start. If you're not in to pen-testing, but broadly concerned with your organization's security policies, I'd also recommend reading Kevin Mitnick's 'Art of Deception' - although I haven't read this in a while, and lent my copy to an IT manager some months back, so can't say too much about it right now. [1] If you're interested, the ISBN above the barcode is 0-07-225709-1 -- AdamT "People may not like giving up their kids, but that's why we run the country. We know better." -nationstates.net
Current thread:
- Newbie Book - Gray Hat Hacking AdamT (Jul 24)