Sunday, March 16, 2014

Book Review: "Penetration Testing with BackBox"

This is my review of the 100 page pen-test primer, Penetration Testing with BackBox written by Stefan Umit Uygur. Right off the bat, it should be mentioned that Stefan is part of the BackBox team as their public relations specialist, so I wouldn't exactly call this book unbiased. It's a cheap book on Amazon, you can get the kindle edition for $10, which makes it a fairly priced, light read, however I don't think I'de pay more than $10 for this book. Overall, I give this book 4 out of 10 stars, for reasons I will explain below. The book is a solid introduction to penetration testing with a scoped subset of tools, so I recommend it to people looking to get into penetration testing. The book is light in both technical detail and theory, but it provides solid working examples of tools and where they fit into the methodology, making it a great book for practically getting into pen-testing. There is certainly a lot left to be desired, in both explaining the theory and advanced techniques of penetration testing, as well as doing a deeper dive on the tools discussed. However, despite those critiques, this is the type of book you can hit the ground running with, and because BackBox isn't your standard pen-test kit, your bound to be introduced to a few cool, new tools for your repertoire.

I divide the book into two solid sections, the first being a small header to the book, 'Starting out with BackBox Linux', which is an overview and introduction to what BackBox 3.13 Linux is and the tools it has. This section includes all of the tools in BackBox 3.13, the systems it's built on (Ubuntu and XFCE), and it's primary advantages as a pen-test distro. The rest of the chapters deal with pen-test methodology and specifically how to carry those tasks out using tools in BackBox. Thus, the majority of the book goes through the sections of methodology, usually enumerating the use of two or three tools to accomplish the laid out goals, and while lacking both the details in methodology and in the use of the tools, I personally came across a few new tools and new ways of doing the same old. To really understand by what I mean by that, the following are the methodology chapters and the tools they highlight to get the job done:

Information Gathering: 
Automater, Whatweb, Recon-ng, and Nmap

Vulnerability Assessment and Management:

Sqlmap, and W3af

Eavedropping and Privilege Escalation:
Sslstrip, Ettercap, JohnTheRipper, and Hydra,

Maintaining Access:

Penetration Testing Methodologies with BackBox:
HostWhatweb, NslookupNmap, and Metasploit

Documentation and Reporting:

And there you have it, that's basically the whole book, crammed into 100 pages. Which gets to my final point, why perform penetration testing with BackBox and not a larger toolset such as Kali Linux? For starters, this small toolset is perfect for learning, sometimes too many options can be overwhelming, you may not know where to start, and it's just best to stick with the tried and true tools when starting. I also think it's important to note that Backbox 3.13 (Jan 2014) has made significant progress from when I first tried BackBox 1.0 (2011). I think the largest reason to use BackBox over a more robust toolset, such as Kali, is a combination of operations and utility. The minimal requirements that BackBox asks for is perfect for bootable drives, old systems, and staying light. Boasting this improved toolset, BackBox can really shine as the best distro for the job now where Kali may be too large for operations, such as live booting on systems with 512 or less RAM.  BackBox also has some unique and useful tools that the book didn't exactly highlight, so if you haven't played with BackBox in awhile, I suggest checking it out again.

Just to recap, I would recommend this book for anyone looking to get into practical, hands-on penetration testing, as this book provides you the tools and brief walkthroughs to get the job done. Overall though, I only give this book 3 out of 5 stars, as I think it could be a lot deeper on both the theory and tool overviews.

No comments: