Review: BT4: Assuring Security by Penetration Testing

If you are working in the “information security” field, you must know the BackTrack distribution (otherwise you must be an alien coming from a far away planet!). If you search for the word “backtrack” on Amazon, you will find a lot of references but only one book is fully dedicated to the Linux distribution: “BackTrack 4: Assuring Security by Penetration Testing”. I received a copy directly from the publisher and here is my review.

Just for those who are not familiar with BackTrack, it’s a Linux distribution made by security professionals for security professionals: it contains hundreds of tools to perform security assessments and penetration tests. Some of them are well-known, like Metasploit, WebScarab or sqlmap, and others are real gems (example: ua-tester, which was added recently) and increase the quality of the toolbox version after version.

Even if BackTrack 5 was released a few weeks ago, it does not reduce the book’s quality. There are so many tools that a single volume is not enough to cover all of them. I was also surprised to read the name of my friend Peter “corelanc0d3r” Van Eeckhoutte as a reviewer of the book.

The first chapter can be quickly skipped, except if you are a beginner with BackTrack. It gives the required information to install your distribution on a computer. Nothing fancy, the readers must have Linux/UNIX knowledge!

The second chapter is more interesting and discusses the different penetration testing methodologies. I’ll skip the difference between white- and black-testing. The review of different frameworks is useful and gives a good idea of how to start a project. If you are new to pentesting, you have to know that it’s maybe the most boring task ever: following a strict methodology and writing your report! Just one remark, the book remains focused on classic methodologies. You have to know that things are moving: there are new projects (like the PTES or “Penetration Testing Execution Standard”) which will gain more and more importance in the future (IMHO).

The following chapters cover the classic penetration testing schema:

  • Target scoping
  • Information gathering
  • Target discovery
  • Enumerating target
  • Vulnerability mapping
  • Social engineering
  • Target exploitation
  • Privilege escalation
  • Maintaining access
  • Documentation and reporting

Each chapter reviews the most interesting tools (according to the authors) to achieve the chapter topic. Tools are briefly explained with examples. Straight to the point!

So, who needs this book? The authors’ goal is certainly not to give recipes on “how to hack a website”. The book must be seen as a reference for those who already know the BackTrack distribution or who want to learn it. Don’t forget: this is just a toolbox, it does not prevent you from using your brain!

More information about the book here.

2 comments

  1. Title: BackTrack 4: Assuring Security by Penetration Testing

    Whenever someone asks me about computer security, I try to differentiate between two concepts: defensive security (Cisco, McAfee, Checkpoint, Policies, Procedures, Rules, etc) and offensive security (Pen-testing, ethical hacking, etc). This book is an absolute guide for IT & network professionals who wish to explore the offensive security world, especially those who have prior knowledge and experience with information security concepts or hold a basic certification like Security+ or CISSP. Today, many penetration testing courses offer the insights of offensive security through the BackTrack operating system, not just because it is a hacking platform but because it also leverages the process of penetration testing in a systematic order. The book begins with a brief history, description, installation and configuration of BackTrack 4. It also explains how to handle various types of installations (Virtualization, HDD, USB), and how to get your own BackTrack 4 copy up and running in just a few steps.

    Reading through the initial chapters you will encounter the core pen-testing concepts and descriptions of various assessment methodologies. They are explained very clearly and precisely as a whole. You will also find explanations of the best security assessment tools, their options, usage and results interpretation, and pen-testing project management and reporting guidelines. What I like most about this book is that the tools are well-organized in a penetration testing methodology, shown with practical examples and, best yet, compatible with BackTrack 5 too. I hope the authors will take out an update of this book for BackTrack 5 soon. It is a great addition to my information warfare arsenal.
