Ethical Hacking, Book Review: A Practical Guide for Future Security Professionals
The precarious state of software and IT infrastructure security is also a career opportunity, with malware analysts, security researchers, penetration testers and red teams all wanted. Defenders need to know how attackers think and what tools they are using, so that they can assess vulnerabilities in their own infrastructure and learn to detect malicious activity on the network.
In Ethical hacking: a practical introduction to break-ins, Daniel G Graham sets out to provide a how-to guide for learning hacking techniques, and you go straight to the how-to guide by creating a set of Linux virtual machines to host the environment you are going to enter (since you cannot hack ethically someone else’s environment). You then work on some known vulnerabilities, progressing to capturing traffic, creating a botnet and ransomware server, generating phishing emails and deepfakes.
While you should know how to write and execute Python code, you don’t need a lot of expertise to get started because the step-by-step instructions are clear and detailed. Along the way, complex concepts are well explained: if you want to run ransomware or try to bypass TLS, you need to understand encryption first, you need to understand system calls and Linux fundamentals for rootkits, as well as the hash to crack passwords.
Graham reviews common hacking techniques, creating deepfake video and audio, exploring how publicly available information is interconnected with Maltego to reveal information about an organization’s personnel and infrastructure, uploading Hacked and broken password databases, searching for vulnerable devices exposed with Masscan, Shodan and Nessus, creating Linux Trojans and rootkits (you will need to know the C encoding for this), using the SQL injection to extract website usernames and passwords, cross-site scripting attacks, and elevation of privilege after you are connected to a network. You are unlikely to discover your own zero days, but you will learn fuzzing and how to exploit the OpenSSL Heartbleed vulnerability.
SEE: Ransomware: Finding Weaknesses In Your Own Network Is Key To Stopping Attacks
Along the way, Graham introduces other hacking tools such as King Phisher, SMTP swaks audit tool in Kali Linux, John the Ripper for password cracking, Hydra for automating password attacks. brute force pass, and many more.
The chapter on attacking domain servers, Active Directory and Kerberos on large Windows networks could probably be expanded to fill a separate book, but if you are a Windows network administrator and don’t already know how to use Mimikatz , even this a quick survey of the approaches hackers will take should be a bit of a wake-up call. (Microsoft provides detailed advice on how to resolve many of the issues discussed here.)
While this book helps even a relative beginner to familiarize themselves with a wide range of tools that are useful for hackers, it is – as promised – a hands-on introduction. Readers will be able to explore further, and the final chapter tells you how to harden a hosted VM that you can use for true ethical hacking. He also mentions enticing advanced targets like industrial systems and cellular infrastructure, though readers won’t immediately be able to pursue them without doing a bit of extra work.
Even if you don’t plan to engage in active ethical hacking, it should be a salutary warning to all computer scientists that hacking tools are both sophisticated and widely available. There are many tutorials out there aimed at using them maliciously, so the details in this book do not increase the risk for those with vulnerable systems. If you want to pursue this career, Ethical hacking will guide you through the first steps.
Read more book reviews