Penetration Tester's Open Source Toolkit [With CDROM]

Great starter book into Pen Testing. Big book with lots of information. Great book to read to prepare to start your CEH or CISSP studies.

If you live and breathe IT security, this books is for you. I would like to somewhat disagree with some of the earlier reviewers. I don't think this book was intended to be "the one and only" penetration toolkit manual. However, what it does do - it introduces one to the world of penetration testing providing enough information and examples on a wide variety of tools. A lot of great subjects are covered, such as reconnaissance, enumeration, scanning, web application testing, wireless penetration and more. It's a very insightful read, even for those who are just researching in the area of security. It will open your eyes on many aspects of information security. The CD itself is a good resource, but you may need to update some applications by now. Nessus signatures do get updated regularly.

If you are going to do any work in the Information Assurance world you will want to add this book to your shelf and keep it handy. The authors of this book know the topics and present information clearly. Each chapter is a stand-alone lesson, and all chapters build on each other to create a big-picture of exploiting any network and reporting results. The CD that comes with the book gives you excellent tools to start or fill out your library. Some are getting dated as of this writing, but all are still solid tools that you can update once you've learned them. I highly recommend this book!

Title: Penetration Tester's Open Source Toolkit Author: Johnny Long, Aaron Bayles, James Foster, Chris Hurley, Mike Petruzzi Noam Rathaus, Mark Wolfgang Publisher: Syngress Publishing, Inc. 800 Hingham Street Rockland, MA 02370 Copyright: 2006 ISBN: 1597490210 Pages: 678 plus appendix and index This book not only covers what tools are available for penetration testing but also details how to use them to effectively test the system. Some of the tools, such as whois and ping, will be very familiar to the Linux user and most power users of other operating systems. Other tools are less familiar but very powerful and a real insight into what can be done to gather information on a system before attempting to penetrate it. Part of what makes this book really interesting is the way the authors approach this subject. They don't walk the reader through all the details of a handful of tools but instead they take a task-oriented approach. For example they go first through enumerating and scanning a system, then testing databases, web server testing, web application testing, wireless penetration and network devices. They then end this section with information about writing open source security tools. Chapter 8 starts a section on the Open Source vulnerability scanner Nessus. It automatically finds many problems in the system by trying to penetrate it using various scripts. The results are captured and the generated reports detail the information it was able to obtain. This is a very powerful testing product and one of the most common ones you will find in the marketplace. The authors detail how to set up a Nessus client and server, scan the system and understand the results. Although almost three hundred pages are dedicated to Nessus it is a very powerful and highly configurable program that can consume a full book by itself to use its full potential. Penetration Tester's Open Source Toolkit is highly recommended, insightful, and very interesting to read and experiment with.

I found this book to be a great way to learn how to use many of the tools used in vulnerability assements/pen-testing as well as some methodology. In particular i found the chapters 1 and 2 on recon/scanning to be preatty through (150 pages to the topic). Alot of the ideas covered in these tow chapters can be read elsewhere but not to this level of complete throughness. The book goes preatty deep into not just using Nessus but how to use NASL. It also covers at an "intro-level" on testing databases (MSSQL, Oracle), Web apps, and starting to code in Perl and C#. Outside of that the rest of the book is mainly devoted to using tools with lots of screenshots which i found helpful. My personal favorite chapter was 13. It is a very well done discussion of how buffer overflows are exploited and how to build exploits and payloads using the Metaspolit framework. The topic can be very complex yet the author managed to make it very readable. I was so impressed i decided that i will read another book by the author (James Foster) on the topic. Overall i found this book is great for folks who already have an idea in mind what they want to accomplish. This book just tells you how to use the right tool for the job.