Book Review: The Hacker Playbook...20 May 2014 in Security
The Hacker Playbook: Practical Guide To Penetration Testing is an attempt to use a continuous series of football metaphors to describe the process of a network penetration test. Maybe the metaphors would work better for someone who actually watches sports, but I felt they were a bit strained and forced at times. That being said, the actual content and techniques described are solid and generally useful information. It’s arranged in the stages of a good penetration test, and reads like a strong guide for those relatively new to penetration testing. Unfortunately, it doesn’t set up general guides for each area as much as describing specific “plays” for each area, so once those techniques start to fall flat, it doesn’t leave you with a lot of depth.
- Chapter 1. Introduction is unsurprisingly lackluster, describing only the flow of the book and the benefits perceived by the author in thinking about the penetration test like a series of football plays.
- Chapter 2. Pregame – The Setup is all about getting into a position to conduct your test, including reconnaissance, scoping, and all of the prep required before the actual pentest.
- Chapter 3. Before the Snap – Scanning the Network will be familiar territory to anyone who’s used Nmap before, but goes into more depth and explores the other scanning tools, such as vulnerability scanners like Nexpose/Nessus, and how to get the most out of using your scanners (as well as how you can be covert when scanning).
- Chapter 4. The Drive – Exploiting Scanner Findings describes a step that too many pentesters do not follow. Altogether too many “penetration testers” deliver a report that is little more than straight output from a web security scanner. If clients wanted a Nexpose report, they’d just buy a Nexpose license and skip the pentester’s markup. The value of a pentester is in verifying findings, evaluating the real risk to the organization, and providing advice on remediation or mitigation. This chapter handily covers how you can not only verify scanner findings, but use them to pivot and escalate.
- Chapter 5. The Throw – Manual Web Application Findings really just scrapes the surface of the world of web. There’s so much to be covered in web that you really ought to go far beyond this and review The Tangled Web for an overview of the problems faced by modern web applications, and The Web Application Hacker’s Handbook for a more practical approach to web pentesting through vulnerability discovery and exploitation. However, if you’re going to be focusing on internal enterprise networks, the Playbook gives you some handy approaches to looking at internal webapps that you might find on a corporate network.
- Chapter 6. The Lateral Pass – Moving Through the Network covers basic Pass-the-Hash and other approaches to leverage the access you already have into more access. It’s important to see how far an attacker could take things, so pivot & escalate is critical, and this chapter provides a handful of plays that could fit the bill.
- Chapter 7. The Screen – Social Engineering is, again, just a brief preview into a topic far too deep to be adequately covered in a book as broad as this one. The plays here are quite basic, and focus on phishing-style social engineering, leaving out the many ways social engineering can be leveraged in reconnaissance, physical pentesting, and other scenarios.
- Chapter 8. The Onside Kick – Attacks that Require Physical Access was a little disappointing. While there are good parts to it (like the use of the Odroid U2 as a dropbox), nothing was particularly groundbreaking and I was hoping for a little more unique aspect to physical. (On the other hand, maybe I just want to live vicariously through this book – I don’t do get to do much physical pentesting.)
- Chapter 9. Special Teams – Cracking, Exploits, Tricks
- Chapter 10. Post Game Analysis – Reporting provides some sage advice on producing the report that gets you paid. Since I work on an internal Red Team, I don’t have to write the type of reports described here, but if you’re in a position to be writing reports, this will really help in crafting a clear and concise report. Most importantly: don’t ever hand a client a Nessus scan and expect to be getting paid.
- Chapter 11. Continuing Education is surprisingly thorough, though it is mostly a list of resources to help you find more things to try, such as conferences to attend, vulnerable targets to practice on, and more. There were a few vulnerable targets I hadn’t heard of, but will definitely be giving a try in the near future.
Overall, it’s an interesting book, and would definitely be good for someone who hasn’t been pentesting much, but ultimately, it’s just a collection of specific tasks (“plays” in the parlance of the book) that you can execute. I wasn’t expecting much more, and plays in there are solid, but eventually you’ll need to learn to craft your own plays, and I feel the book falls short there. It’s 294 pages and attempts to cover an entire field while remaining practical. Naturally, this is very difficult, and while there may be some shortcomings, Peter Kim manages to provide several useful plays, but probably best for those who haven’t yet developed their own playbook.