E-Book, Englisch, 528 Seiten, Format (B × H): 191 mm x 235 mm
Wilhelm / Wilhelm MSc Professional Penetration Testing
1. Auflage 2009
ISBN: 978-0-08-096094-4
Verlag: Elsevier Science & Technology
Format: EPUB
Kopierschutz: 6 - ePub Watermark
Creating and Operating a Formal Hacking Lab
E-Book, Englisch, 528 Seiten, Format (B × H): 191 mm x 235 mm
ISBN: 978-0-08-096094-4
Verlag: Elsevier Science & Technology
Format: EPUB
Kopierschutz: 6 - ePub Watermark
An invaluable book and DVD package, 'Professional Penetration Testing: Creating and Operating a Formal Hacking Lab' is designed to replicate the experience of in-classroom, instructor-led, penetration testing training, which costs the typical security professional (or their employer) $1,000 or more for the courses alone, plus T&E, and days upon days of non-billable hours. Expert author Thomas Wilhelm has delivered exactly this type of penetration testing training to countless security professionals and, for the first time, provides his years of experience, training, expertise, labs, and real-world vulnerability scenarios in a single book/DVD retail product.
Penetration testing is the act of testing one's own network (or that of a client) to find security vulnerabilities before these exact same holes are found and more importantly exploited by phishers, digital piracy groups, and almost countless other organized or individual malicious havkers. Addressing the profession holistically and practically, the material presented in this book targets all levels of hacking skills, benefitting both management and engineers in the trenches. This book bridges the gap between theoretical and hands-on knowledge of professional hacking techniques, targeting information systems and networks. It includes everything required to establish a secure hacking lab, learn methodologies, conduct attacks, and use real-world examples of vulnerable and exploitable servers.
* Unique book and DVD package delivers for the first time the art and science of penetration testing in a retail product.
* Focus on establishing a formal penetration testing laboratory bridges the gap between a talented hacker and a professional who can turn those skills into an actual career.
* Integration of project management workflow in penetration testing gives security managers the knowledge and skillset necessary for running a formal penetration tests and setting up a professional ethical hacking business.
* Details on metrics and reporting provide experience crucial to a professional penetration tester with actual clients, an area in which many amateur hackers have no knowledge or other means for learning.
* DVD includes instructional videos to replicate classroom instruction and live, real-world vulnerability simulations of complete servers with known and unknown vulnerabilities to practice havking skills in a controlled lab environment.
Autoren/Hrsg.
Fachgebiete
Weitere Infos & Material
CHAPTER 1. Introduction Introduction
??? ?????? ? ???? ?? ??????. – Russian proverb: “Skill will accomplish what is denied to force.” (Mertvago, 1995) There are plenty of books on the market discussing how to use the various “hacker” tools, including some books to which I have contributed chapters. However, professional penetration tests are not all about tools – they require skills beyond simply understanding how to use a tool, including knowledge of project management, understanding and following methodologies, and understanding system and network architecture designs. The primary purpose of this book is to provide the reader an in-depth understanding of all facets of a penetration test, rather than simply discuss which tool to use and when. The book and the accompanying DVD were written to be used in a variety of different ways. The initial intent is to provide a formal training program on penetration testing. The DVD includes video courses that have been used to teach how to use the current PenTest methodologies and apply those methodologies to a penetration test. In addition, this book can be used in technical courses – in either educational institutions or “boot camp” training events – to provide the readers a way to learn how to use various hacker tools in a controlled and secure manner, through the use of a personal PenTest lab. The final objective of this book is to provide managers an understanding of what engineering activities occur within a professional penetration test, what needs to be reported, how to take metrics, monitor quality, identify risks, and other essential processes, so that management may provide the resources, training, and funding necessary to successfully complete a PenTest. This book is not meant to be a complete reference to all topics related to penetration testing; rather, it is a guide to conduct professional penetration tests from conception to conclusion. Volumes have been written on each topic discussed within this book, which will require us to expand our knowledge through other sources. To speed up the learning process, hands-on exercises are provided in each chapter, written in a way that will assist in locating authoritative sources and expand the skills of the reader. Another feature of the DVD is that it includes several server images (in the form of LiveCDs or virtual machine [VM] images) that can be used in a penetration test lab. These LiveCDs are specifically designed to mimic exploitable real-world servers so that we can practice the skills learned within the video courses and the book in a safe and legal manner. Examples in both the book and the videos reference these LiveCDs, and after the readers set up their own penetration test lab, they can follow along, exactly as presented in the material. About the Book
This book is different from most, in that there are two mediums in which you learn about the topic of penetration testing. The first is the printed material and the second is the accompanying DVD. Read from cover to cover, the printed material provides the reader a systematic way of learning how penetration tests are conducted professionally and what management and engineering skills are needed to successfully complete a PenTest. The DVD includes two different video courses, which have been used to teach fundamental and intermediate penetration test skills online to students around the world. Even though the DVD could be used independently from the book, the material on the DVD and in the book complement each other, and should be used in tandem. The DVD also contains LiveCD images of servers that can be used as learning platforms so that we can reinforce what we cover in the book or in the videos. Target Audience
There are three groups of people who can benefit by reading this book and performing the exercises at the end of each chapter: ¦ Individuals new to the topic of professional penetration testing ¦ Professional penetration testers who want to increase the “capability maturity” of their current PenTest processes ¦ Management trying to understand how to conduct a penetration test For those who are new to professional penetration testing, knowledge of computer systems or network devices should already be understood – the field of penetration testing is not an entry-level position within Information Technology (IT) and prior knowledge of computing systems and the networks that support them is necessary. Although this book will cover topics related to IT, including protocols and system configuration, it is not intended to instruct the readers on the communication mechanisms used in networks. Those who have experience in IT will be able to use personal knowledge throughout this book as a foundation to learn the challenges unique to penetration testing, and how to conduct penetration tests within an organization or for clients. Those of us who have conducted or participated in a penetration test will understand that tools are not the only thing necessary to successfully complete a PenTest. Methodologies are essential for ensuring that the assessor identifies all vulnerabilities within the client's network. The book and the intermediate video course on the DVD can be used to incorporate methodologies into a PenTest project and provide the reader an understanding of the role of a PenTest engineer within the project as a whole. Project managers new to penetration test projects are often confronted with dramatically different challenges than those found in other IT projects, such as application and engineering projects. A solid understanding of project management and the challenges posed within the field of PenTesting are essential to successfully conclude a professional penetration test. The book provides information beneficial to project managers who are tasked with overseeing a PenTest and discusses ways to integrate formal project management frameworks with methodologies related to penetration testing. How to Use This Book
Although the book and the exercises can be used independently, it is intended to be used with the accompanying DVD. The examples within each chapter often use material from the DVD, which can be used by the reader to repeat the examples in a lab. Practice exercises are included at the end of each chapter, which can be used to expand understanding of the chapter's topic. The chapters of the book are organized into three different sections: Part 1 covers topics related to setting up a PenTest lab and knowledge essential to the profession of penetration testing, including ethics, methodologies, metrics, and project management. The following chapters are included in Part 1: ¦ Ethics and Hacking: Discusses ethics and laws specific to penetration testing ¦ Hacking as a Career: Identifies career paths, certifications, and information on security organizations that can assist in career development ¦ Setting Up Your Lab: Designs a corporate or private penetration test lab ¦ Creating and Using PenTest Targets in Your Lab: Uses turnkey scenarios and real-world targets in the penetration test lab ¦ Methodologies: Examines the different methodologies available for professional penetration test projects ¦ PenTest Metrics: Identifies the different methods of applying metrics to vulnerabilities found in a penetration test project ¦ Management of a PenTest: Explains team members, roles, and organizational structures that influence the success of a penetration test Part 2 discusses the actual penetration test and walks the reader through the different steps used to examine target systems and networks for vulnerabilities and exploits using a peer-reviewed methodology. ¦ Information Gathering: Collects information on a target system ¦ Vulnerability Identification: Examines target systems for possible vulnerabilities ¦ Vulnerability Verification: Attempts to exploit discovered vulnerabilities ¦ Compromising a System and Privilege Escalation: Finds ways to “own” the system ¦ Maintaining Access: Discusses how to stay on the exploited system ¦ Covering Your Tracks: Manipulates the system to remain undetected Part 3 wraps up the PenTest project by discussing reporting, data archival, and preparing for the next penetration test. ¦ Reporting Results: Writes a report and verify the facts ¦ Archiving Data: Saves penetration test data ¦ Cleaning Up Your Lab: Saves configuration and data from the lab ¦ Planning for Your Next PenTest: Identifies training needs and obtaining resources Each chapter includes information for both engineers and project managers. The addition of project management topics within a book on penetration testing provides engineers a better understanding of the engineer's role within the project. It also provides the project manager a view of what tasks the project engineers must perform to successfully complete the project on time and under budget. For those individuals just starting out in the world of penetration testing, the way to get the most out...
