Book Review: "The Hacker Playbook: Practical Guide To Penetration Testing"


"The Hacker Playbook" by Peter Kim, CEO of the infosec company SecurePlanet, is a must read for any penetration tester. It is the ins and outs of one man's practice, and it's clearly told from experience and success. The book covers almost all areas of performing a penetration test, which can be a large breadth, in a concise and powerful way. I give this book 8 out of 10 stars because you can instantly tell the expertise of the author from how tried-and-true the techniques are, as well as from how he presents them in such a concise and straightforward manner. Throughout the book, Kim uses sports analogies to convey complex topics in a high-level and practical way. The book can be used as a reference manual if you get stuck in a pen-test, or read cover to cover in less than 300 pages. I highly recommend quickly reading through this book to all penetration testers, especially those who want to up their network penetration testing game. I'd say the book is split 20/80 between theory and practice. A large part of the book deals with the tools and walkthroughs to get the job done; however, Kim constantly highlights important principles to live by, such as never becoming tool-dependent to get a task accomplished, understanding the vulnerability you're exploiting, verifying all of your tool findings independently, and drawing all of your own reports and conclusions from the findings. Having paid only $15 for the Amazon ebook, I'd say it was definitely worth it in value.

The book is largely based on modern security tools and techniques used by the open-source infosec community. Many of the techniques reference white papers written by other parties, and there are lots of links and references to presentations at security conferences. The book is divided into 10 different sections with odd sports-reference names, but I will also give my interpretation of each section alongside it. Each chapter covers a number of different tools; I will list them out, similar to my Penetration Testing with BackBox review:

Pregame: (aka Setting up your Pen-test Environment:)
This chapter is all about setting up your tools in advance, so you have everything at your fingertips once you start your test. It has you set up too many tools for me to list here, but overall it's a great selection and you end up covering the minimum physical requirements for the attacker's machine, budget for paid software, an updated Kali install w/ some extra tools, and a Windows VM w/ security tools.

Before the Snap: (aka Recon, Active Scanning, and Web Application Scanning:)
This topic kind of rolls all of the scanning you will be doing into one big kickoff, which is often true to a real world pen-test with limited time. It covers tools such as:
Discover Scripts
Recon-ng
Using Wordlists
Nessus
Nexpose
Nmap
Peeping Tom
Burp Suite Pro
FoxyProxy

The Drive: (aka Exploitation:)
The goal of this chapter is to understand and validate the vulnerabilities found in the scanning section. Here the focus is on getting a working exploit and a foothold on the target system. This is a very high-level chapter that covers the theory of searching out a PoC and validating an exploit. It covers tools such as Metasploit, but not in depth. One of the reasons I like this book is that the author is straightforward when he is not going to go in depth on a subject, and will point you to more resources to find answers.

The Throw: (aka Manual Web Pen-Testing:)
While this section is certainly no WAHH or Tangled Web, it provides a good overview on some critical web application vulnerabilities, as well as using the tools to get an escalated presence on the server. This chapter puts a large focus on using Burp, and chaining exploits to get access or credentials.
This covers tools such as:
Burp Suite Pro
SQLmap
Sqlninja
BeEF
and a nifty script for finding new attacks: AlertReddit

The Lateral Pass: (aka Owning the Network:)
This is where the book really shines, in my opinion. This chapter includes powerful attacks such as ARP poisoning, IPv6 MitM, WPAD MitM, NTLM relaying, Pass the Hash, and various methods of owning a Domain Controller. Peter demonstrates a serious threat by chaining multiple tools and owning key pieces of the network.
This chapter covers tools and techniques such as:
Responder
Decrypting GPP passwords
Windows Credential Editor
Mimikatz
Post Exploitation Tips
PSExec
SMBExec
Veil
PowerSploit
Nishang
Cain and Abel
Ettercap
Evil Foca
Hamster / Ferret
SET
SSLStrip

The Screen: (aka Social Engineering:)
A chapter devoted to practical social engineering attacks. This chapter emphasizes creativity while teaching classic attack vectors such as site cloning and spear phishing. I especially enjoyed when Kim introduced special techniques like Doppelganger Domains!
This chapter includes tools such as:
Custom SSHd that records failed password attempts
Metasploit Pro
SET
Custom Python, Excel, and Powershell scripts.

The Onside Kick: (aka Wireless and Physical Pen-Testing:)
In this chapter there is extensive coverage of wireless pen-testing, and overall it does a good job of outlining practical attacks on corporate Wi-Fi, including a fake RADIUS attack to capture username/password combinations from WPA2-Enterprise wireless using a RADIUS server! This chapter also has oddities such as RFID cloning, as well as dropping malicious computers and media.
This chapter covers tools such as:
Kismet
Aircrack-ng
Fern
wpaclean
oclHashcat
Modified FreeRadius patch
Asleap
Karmetasploit
Tastic RFID
Making your own Pwnplug

The Quarterback Sneak: (aka Evading AV:)
This chapter rocks for getting around anti-virus. It's something that snares every pen-tester at least once, but Kim just breaks through with some great tips. The chapter starts with a fun exercise to identify the strings AV is recognizing in a tool and effectively NOP those strings out. Despite the contrived example, the chapter moves on to provide some time-saving tips and tools for bypassing anti-virus. This chapter includes tools such as:
Evade
Custom Python Shells
Veil
SMBExec

Special Teams: (aka Password Cracking and Finding Exploits:)
This chapter is devoted to password cracking and wordlists. Throughout the book, Kim puts an important emphasis on credential theft and password reuse. Proper password management means passwords will likely be hashed or encrypted, so it's important to be prepared with methods to obtain clear-text credentials during a pen-test. Kim also includes a few methods to find working exploits and shellcode. I appreciate that Kim consistently reminds his audience to practice due diligence and fully understand or write their own shellcode as a best practice, so that they don't end up shooting themselves in the foot by simply running code they found on the Internet.
This chapter covers tools such as:
JohnTheRipper
oclHashcat
PACK
SearchSploit
Metasploit

Post-Game Analysis: (aka Report Writing:)
I'm glad Peter included this chapter because good report writing is so critical in professional penetration testing. Kim asserts that security experts need to be able to convey highly technical issues in a digestible way to both senior management and engineers. This means that the results have to be triaged, well understood, and documented in a way that both gets the point across and has technical steps on how to remediate the issue. Peter urges penetration testers not to regurgitate automated reports but to add a human touch and explain the findings and results.

Overall, there are some fantastic lessons to be gained from The Hacker Playbook. Although a number of paid-for tools are covered, Kim mostly relies on popular open-source tools and techniques. Peter Kim also places a strong emphasis on tool independence: rather than becoming reliant on a single technique to exploit a vulnerability, learn about the vulnerability and even reimplement the exploit in a new language. This is probably why Kim shows you at least two tools to get every job done, and he also points out how he learned exploit development by re-coding exploits from exploit-db. Kim also emphasizes due diligence and professional rigor, consistently pointing out that a penetration tester is responsible for vetting each finding and understanding the vulnerability, not just running the tool and regurgitating the report. Kim also doesn't stop at one technique; he chains tools together to get powerful results out of his exploitation, often ending with elevated access as opposed to just exposing a vulnerability. Throughout the book, Kim shares knowledge that clearly comes from lots of experience penetration testing, and the techniques he teaches are solid and effective. I also like how the book references a lot of the security community's conferences and training material, always pointing to open sources of knowledge in penetration testing. The book moves at a fast pace, often assuming the reader is familiar with a topic or simply giving links to resources that explain it in depth, and overall I think this was a wise move, as Kim can't possibly explain all of the details for each step in each combo; rather, he is giving the reader a reference guide of useful techniques to be a lethal penetration tester. So if you want a concise tutorial on many of the above tools and techniques, just go buy the book! You can also view a lot more of Kim's pen-testing notes on his wiki; it's full of more great stuff!!

I really enjoyed all of the tips and Python scripts throughout the book. The final thing I'll leave you with is a little Windows command line for creating a hard-to-delete directory:

mkdir \\?\c:\tmp\".. \"
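The reason this works, and how to undo it, is worth knowing if you ever find such a directory on a box you are cleaning up. The `\\?\` prefix tells the Win32 API to skip its usual path normalization, so the trailing space in `.. ` is kept and the name is not collapsed into the parent-directory entry; tools that go through the normal, normalized path see `..` and refuse to touch it. The following batch snippet is an added example, not from the book, that creates the directory in the same way and then removes it through the same un-normalized path form (the `c:\tmp` location is just the one the book's one-liner uses):

```batch
@echo off
rem Added example (not from the book). Assumes c:\tmp exists or can be created.
if not exist c:\tmp mkdir c:\tmp

rem Create the directory exactly as the book does: the \\?\ prefix disables
rem path normalization, so the trailing space in ".. " is preserved on disk.
mkdir \\?\c:\tmp\".. \"

rem A normal listing shows the entry, but Explorer and "rmdir c:\tmp\.." will
rem normalize the name to ".." (the parent) and fail to delete it.
dir c:\tmp

rem Cleanup: address it through the same un-normalized \\?\ path form.
rmdir \\?\c:\tmp\".. \"
```

When you are the one cleaning up after a test, the second `\\?\` command is the one to remember; the directory is only "hard to delete" for tools that let the API normalize the path for them.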

Enjoy and have fun!!