I recently obtained the Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide book, so I figured I write a little summary about it as I did with the other security books that I read.
To start off with I must say I liked it. It didn’t tell me so much new, but still… let me explain.
What is it about?
It is about penetration testing as a whole. If you did something like the OSCP course then this book covers most of the course’s topics. It goes through the general pentest topics i.e. enumeration, exploitation, web attacks, client-side attacks, post exploitation, bypassing firewall. However it does it a very precise and descriptive way. It is more like a huge tutorial (or guide as the title says) then a theoretical book. It describes everything what one has to do to try everything out. To be precise it describes how to build your own virtual pentest lab, with every resources linked and everything is illustrated with screenshots and terminal output snippets. I think it is really useful that if you follow the book you can try out everything in your own test environment.
Another important topic it covers is all the other tasks related to penetration testing which is usually not mentioned. Such as planning the pentest, communicating with the customer, managing your own work, managing all your data and writing the report. I like that it talks about penetration testing as a profession which has requirements and outputs and not as just fun and play.
It also introduces quite a few tools that are used during the examples, I think everybody will see something new.
I think the people who can benefit the most, are those who decided to become penetration testers. As the book describes everything from the very beginning I assume that it targets the beginner pentesters. Still it goes into topics which could be too much for people who just wanna get an introduction. But if you are not a pentester yet but you have decided to become one then this is a very good resource to start with.
I’ve already mentioned the most of it but I wanna structure the information a bit.
- Penetration testing as a whole. Well described planning, reporting etc..
- Covers the most of the network pentest.
- Builds a virtual pentest lab.
- Very descriptive, well written and easy to follow.
- Full of examples that can be tried in the lab.
- Not that advanced(see later).
- Some topics are not detailed enough, for instance you won’t be able to write your first buffer overflow exploit based on the book.
- The Web application exploits part is not that detailed.
- Sometimes it’s more about tools then about the technique.
The only thing about this book that I cannot digest is it’s title. It says ‘Advance’ and ‘Ultimate’, both are quite strong words. When I say advanced penetration testing then I mean something like what average pentesters don’t know. It implies that you can still learn something new even if you are not a beginner. From this point of view I don’t think it is too advanced. There are some topics which are advanced but it is definitely for beginners in the network pentest.
With the ‘ultimate’ I just don’t know what makes a security guide ultimate.
Still it’s a good book and if you feel that you are in the target audience then it is a good choice.