If you are working in the “information security” field, you must know the BackTrack distribution (otherwise you must be an alien coming from a far away planet!). If you search for the word “backtrack” on Amazon, you will find a lot of references but only one book is fully dedicated to the Linux distribution: “BackTrack 4: Assuring Security by Penetration Testing“. I received a copy directly from the publisher and here is my review.
Just for those who are not familiar with BackTrack, it’s a Linux distribution made by security professionals for security professionals: It contains hundreds of tools to perform security assessments and penetration tests. Some of them are well-known like Metasploit, WebScarab or sqlmap and others are real gems (example: ua-tester which was added recently) and increase the quality of the toolbox version after version.
Even if BackTrack 5 was released a few weeks ago, it does not reduce the book’s quality. There are so many tools that a single volume is not enough to cover all of them. I was also surprised to read the name of my friend Peter “corelanc0d3r” Van Eeckhoutte as a reviewer of the book.
The first chapter can be quickly skipped, except if you are a beginner with BackTrack. It gives the required information to install your distribution on a computer. Nothing fancy, the readers must have Linux/UNIX knowledge!
The second chapter is more interesting and discusses the different penetration testing methodologies. I’ll skip the difference between white- and black-testing. The review of different frameworks is useful and gives a good idea of how to start a project. If you are new to pentesting, you have to know that it’s maybe the most boring task ever: Following a strict methodology and writing your report! Just one remark, the book remains focused on classic methodologies. You have to know that things are moving: There are new projects (like the PTES or “Penetration Testing Execution Standard“) which will take more and more importance in the future (IMHO).
The following chapters cover the classic penetration testing schema:
- Target scoping
- Information gathering
- Target discovery
- Enumerating target
- Vulnerability mapping
- Social engineering
- Target exploitation
- Privilege escalation
- Maintaining access
- Documentation and reporting
Each chapter reviews the most interesting tools (according to the authors) to achieve the chapter topic. Tools are briefly explained with examples. Straight to the point!
So, who needs this book? The authors’ goal is certainly not to give recipes on “how to hack a website“. The book must be seen as a reference for those who already know the BackTrack distribution or who want to learn it. Don’t forget: this is just a toolbox, it does not prevent you from using your brain!
More information about the book here.