I’ve put off doing this review for too long.  I was sent this book close to its release date, and made quick work of reading through it and making notes for the review. As you’ll see in this post, I don’t think much of it, and I wasn’t looking forward to making such a negative post about it. I would just let it slide, as I prefer to post reviews of books that I like and recommend at least to some extent, but Packt Publishing are heavily promoting this book and I’ve seen several people I know purchase or consider purchasing it. For that reason, I feel like it’s a good idea to warn the target audience of this blog away from it.

At a first glance, it’s easy to be skeptical of this book due to the fact that it had the misfortune of being a Backtrack 4 book published at almost the exact time Backtrack 5 came out. This doesn’t bother me so much. If it were written well, it could easily make up for any differences in the details between versions. Unfortunately, being dated is the least of this book’s problems.

The vast majority of the book is padded with a grocery list of what appears to be each and every tool in the Backtrack distribution. Comprehensive coverage is fine, but each tool gets only the briefest treatment, with almost no effort spent on educating the reader on how the tools work or the background needed to use them effectively. New terms and concepts are thrown at the user relentlessly without introduction or explanation. This book falls into a useless “middle” state where a beginning user would be better served by a book that gives more depth of coverage for a handful of tools (see Web Application Hacker’s Handbook), while still failing to serve an advanced user who could find the same information quickly in a man page. The book falls well short of its goal of serving as a “single professional, practical, and expert guide to develop hardcore penetration testing skills from scratch”.

There are many instances of wasted space in the book as well. A straight copy-paste of /etc/services is the worst offender. The text doesn’t exactly live up to the promises of its table of contents either. A segment on “Writing exploit modules” simply takes the reader through the source code of an existing Metasploit module, with only the barest of commentary, which makes one wonder whether the authors understand how it works, much less whether the reader will be able to write one (or even read one) in practice.

Aside from the “list of things” approach that takes up the majority of the book, there is a fair amount of text about the penetration testing process that, if executed properly, would make an excellent introduction to newcomers. Unfortunately, it’s written as though the authors intentionally wanted it to be impenetrable and difficult to understand. The following sentence is a representative example:

Since the exponential growth of an IT security industry, there are always an intensive number of diversities found in understanding and practicing the correct terminology for security assessment.

Some of it’s just plain wrong. A set of paragraphs equates “black hat” hacking with “black box” testing, and goes on to state the same about “white” and “grey”. It’s difficult to imagine that anyone in penetration testing believes that. The authors take the reader through overwrought descriptions of various testing “methodologies” (the OWASP Top Ten is not a methodology), and then throw them out in favor of an over-simplified “Backtrack Testing Methodology” that appears to be a simple depth-first traversal of the BT4 menu options.

While it may be tempting to buy this book as a quick reference or summary of all of the tools, I would not encourage it. I would strongly discourage anyone thinking of starting out, or getting up to speed, in penetration testing from buying this book. It’ll just frustrate you. For more experienced readers, there are books that are far more worthy of your time and money.

  10 Responses to “Book Review: BackTrack 4: Assuring Security by Penetration Testing”

  1. I highly recommend “Hunting Security Bugs” and “The Art of Software Security Assessment”.

    Many books have come and gone because they primarily listed tools, such as “Professional Pen Testing for Web Applications” by Andres Andreu. However, I don’t think this should immediately discount them from being useful. The content is quality, but only because it’s not written down in one place as a resource guide — not because the content actually has anything particularly useful to say.

    In the case of “Professional Pen Testing for Web Applications”, this book was instrumental to my success in testing at the time it was released, even after reading “Hacking Exposed Web Applications, 2nd Edition”. However, a few months later and my top two titles came out — and like “Exploiting Software: How to Break Code”, “Network Security Tools”, and “How to Break Software” — these lay foundations of understanding in addition to casual mentions to tools.

    However, if you go back and look at those same titles — many of the tools that they mention are no longer heavily in use. Yes, some mention Fortify, Burp, and Metasploit — but no book (not even ones by the Fortify, Burp, or Metasploit contributors) covers any of these in the detail necessary to use them on the job. No book is going to tell you how to go back and forth between Fortify, Burp, and Metasploit.

    I had a similar complaint recently about “The IDA Pro Book, 2nd Edition”, which goes very deep into the tool itself, as well as related tools, but it doesn’t hit the concepts. It doesn’t demonstrate how to find vulnerabilities in a static analysis of a binary. It doesn’t make mention to identification and reversal of self-modifying and self-checking code (or even the differences between these, and what the capabilities are). Yet, the “Malware Analyst’s Cookbook” does go into these topics a little — the whole time while walking the reader through sets of tools. Have you ever heard the expression, “You can’t judge a book by its cover”?

    In summary, if you haven’t already read “Gray Hat Hacking, 3rd Edition”, go read that first. But still read the “Backtrack 4” book because, well, it has some useful information. We’ve come a long way from books solely about Kismet or Nessus. It’s refreshing to read books like “Backtrack 4”, even if it doesn’t scratch all of your itches.

  2. I agree on “Hunting Security Bugs” and “The Art of Software Security Assessment”. Excellent books.

    I’m actually a really big fan of “The IDA Pro Book”, and you’ll see a review of it here at some point in the near future as well. It bills itself as a “missing manual” of sorts for IDA Pro, makes its assumptions about the user’s skill level, and doesn’t apologize for itself nor try to pitch itself as a beginners’ text as “Backtrack 4: Assuring Security” does.

    I agree that “Gray Hat Hacking” isn’t a bad place to start, but I would advise (and, have been advising) that people skip “Backtrack 4: Assuring Security” for all of the reasons above.

  3. Your review sounds extremely like an opposition in politics. I have 14+ years of experience in the penetration testing field and have compared many factors relating to the topic of BackTrack and/or penetration testing itself. We have already ordered over 115 copies of this book (and more soon) to streamline the penetration testing course in the University after careful examination of the contents. Therefore, I have no doubt to completely deny your “explanations” that have no supporting evidence and are considered to be “immature arguments”. By the way, “OWASP Top 10 Risk Rating is a Methodology”. Better you study and learn more in-depth before you blame the authors. Google is your friend. Thus, I highly recommend the beginner and intermediate class pen-testers to buy this book, as such it will help you understand and guide you through the utilization of BackTrack OS in penetration testing activity. It’s really a cost-effective book in comparison to those expensive courses from SANS and other companies. I have also left the same comments on your Amazon.com review.

    • Hi Kenneth,

      Sorry you disagree. You left your URL as mit.edu and mention that you have ordered many copies of the book for a penetration testing course at the “University”. What course is it, as I am having difficulty finding a mention of a Kenneth Mongan at MIT?

  4. It’s always fun to see someone say one’s opinion is driven by politics (I think that’s what was meant?) and immature, when they then describe a 115-book-count vested interest in preserving the mystique of the book. And that situation in itself isn’t a counter-argument anyway. If that were true, Bieber must truly make amazing music to equate to his sales numbers!

    And it’s always fun to see people giving an item praise on Amazon with their sole review. I guess everyone needs a start somewhere, I just wouldn’t have expected it on this book.

    Anyway, cheers!

    • I’m sure the students will be very happy that the books were purchased for them, rather than having to spend their own money, when they see how poorly the book is written.

  5. You would think that someone at MIT with a Ph.D. would have better grammar skills than that. Oh, wait… I see that he started a sentence with “thus” so I take back what I said.

  6. @”Kenneth Mongan, PhD.”

    Booo. Hiss…

  7. @Jackie Chan… “My mind is full of ….” lol. Yeah I got that joke.

    @Kennen Morgan Phd – Obvious troll is obvious, don’t feed the trolls.

    @Wesley’s Review – I’ll take your word for it. Sounds pretty bad, man. I know you love the book “Hacking: The Art of Exploitation (2nd Edition)”. That’s the book everyone I work with raves about. Sounds like this book is poorly written, as you described.

    @Andre – As for the “Hacking Exposed” book series… those books are a joke as well. They have decent material for beginners going into security 101, but all they do is touch the surface. If you really want to learn how to hack web applications, go check out the Web Security Dojo. The virtual machine comes with things like Google’s app Gruyere and will actually teach you hands-on instead of doing a simple ' OR 1=1 as the end-all be-all of SQLi.

  8. It is sad to see all the very similar reviews on Amazon, which have now buried Wesley’s review.

    It also doesn’t help to see Shakeel’s blog is just a collection of reposted presentation PDFs with no attribution.

    Bah!

© 2012 McGrew Security