Review: Metasploit - the Penetration Tester's Guide

Disclaimer: The fine folks at No Starch Press were nice enough to provide me with a review copy of this book, but this has not influenced this review in any way.

Where to start? The Metasploit Framework (MSF) is a very popular penetration testing tool used by security professionals the world over. It was previously written in Perl but underwent a complete rewrite for version 3, where the developers switched the project to Ruby. The tool unifies the various stages of penetration testing in convenient interfaces (“msfconsole” for interactive use and “msfcli” for scripting purposes): information gathering and storage, exploit and payload configuration, IDS and antivirus evasion and actually exploiting the system.

From this you probably can gather that Metasploit is quite big and complex, as well as in a state of constant flux. This makes it rather hard to write a definitive book on it, which is illustrated by the fact that shortly after this volume got published, the Metasploit team released version 4 of the framework. Considering these difficulties, I’m tempted to say that the authors have done a tremendous job describing MSF as it was at the time of writing.

Now for the actual content: after a foreword by Metasploit’s main developer HD Moore, there’s a little introduction section on penetration testing and the history of the framework. This is followed by the first chapter, which covers some penetration testing basics. After this the authors give a first introduction to the MSF, before dedicating a chapter each to the various phases of pen testing, namely information gathering, vulnerability scanning and the actual exploitation. After this you’ll find a whole chapter on Meterpreter, covering various aspects of post-exploitation techniques. Once you get to this point, you should have a good idea of how Metasploit works in principle and how capable it is. The authors don’t stop here though, but use the following chapters to teach you about avoiding detection, client-side exploits and Metasploit’s auxiliary modules. By this point it felt like I had already learned a lot, but then I realized that I was only halfway through the book! There were still chapters on various topics, including the Social-Engineer Toolkit, which is built on top of the MSF, and wireless exploitation with Karmetasploit. As a Ruby developer/DevOps guy I was really interested in the next couple of chapters, which deal with building your own modules and exploits, porting existing exploits to Metasploit, and Meterpreter scripting. Wow, the authors have definitely covered a lot of ground up to this point, but we are still not done, since there’s one more chapter on how to simulate a full pen test.

While the above shows what the book covers, it doesn’t say much about how it is covered. In my opinion the authors did a very good job: the text is easy to follow and to the point, and it is helped along by screenshots and transcripts of “msfconsole” sessions. Sure, most of this material is also available on the Metasploit Unleashed web site, but I like having it all in the form of one compact book. I noticed 2-3 places where the textual description and the content of the screenshot/transcript didn’t exactly match, which can lead to brief moments of confusion, but nothing dramatic.

If you are new to Metasploit and want to get up to speed quickly, it’s hard to imagine that you’ll find a better book at the moment. More experienced users of the framework should flip through it in a bookstore to decide how much they’ll really get out of it, but it’s probably still a good book to have around, even if only for the cheat sheet in Appendix B.