
Penetration Testing and Network Defense Review by Richard Bejtlich

Four stars if published in fall 2003 instead of fall 2005

Penetration testing is becoming a hot topic again, but the available books on the subject continue to underwhelm. Penetration Testing and Network Defense (PTAND), published in the fall of 2005, would be a four star book if it had been published two years earlier. Stephen Northcutt, unlike all other reviewers, noticed this fact as well. When you combine this problem with several other deficiencies, the result is a book you can unfortunately skip.

I usually try to avoid reading and reviewing books that I expect not to like. However, PTAND looked promising. I have several excellent Cisco Press books, like Cisco Router Firewall Security. A major problem with PTAND is that it is largely out of date. For example, Ch 12 discusses malware, but uses BO2K, SubSeven, the Melissa virus, and Brown Orifice as examples. In Ch 6, session hijacking is done with Hunt and Juggernaut, but Ettercap, Cain and Abel, and Yersinia are ignored. (I found it funny that p 131 of this Cisco Press book describes Juggernaut's author as "someone with the handle of 'route'", but doesn't say that 'route' is Mike Schiffman, Cisco employee since April 2003.)

In addition to outdated or missing tools (THC's Amap and Hydra are also neglected), PTAND fails to mention problems with many of its techniques. In Ch 5, the authors never hint that servers susceptible to DNS zone transfers are not as plentiful as they were in 1998. A discussion of Visual Route doesn't explain that information reported by the tool may have nothing to do with the physical location of a system. Ch 10's description of ACK tunnels ignores that stateful firewalls have been denying such covert channels for years.
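The point about ACK tunnels deserves a concrete illustration. The following is an added example, not code from the book or from this review: a toy connection tracker placed beside the classic stateless "established" ACL (pass anything inbound with the ACK bit set), both run over a constructed packet trace. The addresses, ports and flag strings are made up for the demonstration.

```python
"""Added example (not code from the book or from the review): a toy stateful
packet filter beside the classic stateless "established" ACL, run over a
constructed packet trace, to show why an ACK-only covert channel is dropped
by a connection tracker but passes an ACK-bit check."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "PA", "FA", "R"


def stateless_established(pkt: Packet, inside_prefix: str) -> str:
    """Old-style ACL: outbound passes; inbound passes if the ACK bit is set,
    on the assumption that it must be a reply to an inside host. That
    assumption is exactly what an ACK tunnel exploits."""
    outbound = pkt.src.startswith(inside_prefix)
    return "ACCEPT" if outbound or "A" in pkt.flags else "DROP"


class StatefulFilter:
    """Connection tracker: only an outbound SYN may create state, and every
    later packet must match a tracked flow in the right state."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.table: dict = {}  # direction-independent 4-tuple -> state

    @staticmethod
    def _key(pkt: Packet):
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def process(self, pkt: Packet) -> str:
        key = self._key(pkt)
        state = self.table.get(key)
        outbound = pkt.src.startswith(self.inside_prefix)
        if state is None:
            if pkt.flags == "S" and outbound:
                self.table[key] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"  # unsolicited inbound, lone ACKs included
        if state == "SYN_SENT" and pkt.flags == "SA" and not outbound:
            self.table[key] = "SYN_RECV"
            return "ACCEPT"
        if state == "SYN_RECV" and "A" in pkt.flags and outbound:
            self.table[key] = "ESTABLISHED"
            return "ACCEPT"
        if state == "ESTABLISHED":
            if "R" in pkt.flags or "F" in pkt.flags:
                del self.table[key]  # simplified teardown
            return "ACCEPT"
        return "DROP"  # out-of-state packet for a tracked flow


def demo() -> dict:
    """Constructed traces: a normal web handshake from an inside host, then an
    outside host pushing ACK-only segments at an inside port with no handshake."""
    inside = "10.0.0."
    client, server, attacker = "10.0.0.5", "203.0.113.9", "198.51.100.7"
    handshake = [
        Packet(client, 40000, server, 80, "S"),
        Packet(server, 80, client, 40000, "SA"),
        Packet(client, 40000, server, 80, "A"),
        Packet(server, 80, client, 40000, "PA"),
    ]
    ack_tunnel = [
        Packet(attacker, 1025, client, 4444, "A"),
        Packet(attacker, 1025, client, 4444, "A"),
    ]
    sf = StatefulFilter(inside)
    return {
        "handshake_stateless": [stateless_established(p, inside) for p in handshake],
        "handshake_stateful": [sf.process(p) for p in handshake],
        "tunnel_stateless": [stateless_established(p, inside) for p in ack_tunnel],
        "tunnel_stateful": [sf.process(p) for p in ack_tunnel],
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:20s} {verdicts}")
```

The legitimate handshake is accepted by both filters; the ACK-only segments aimed at a port with no tracked flow are accepted by the stateless rule and dropped by the tracker. Real firewalls also check sequence numbers and windows, which this toy omits, but the decisive step for an ACK tunnel is the missing state entry.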

PTAND also misses some technical and conceptual details. The definitions of "threat" in Ch 1 are really describing attacks or risks. On p 98, the authors should say that closed ports reply with RST/ACK, not just RST. I don't think the authors understand idle scanning (pp 102-3), and their examples of fingerprinting on p 106 are taken directly from Fyodor's 1998 paper (without credit)! On p 351 PTAND propagates the myth that SSIDs "are like shared passwords," and makes the poor claim that broadcasting SSIDs is a "mistake".

I liked many of the case studies in this book, but several had problems. In Ch 14, the authors should have just used Metasploit instead of using shell code from Metasploit to perpetrate their case study. Their case study in Ch 10 uses Macof to overflow a switch CAM table (pp 343-4), but on p 129 the authors previously stated they found such techniques unreliable. Ch 10 fails to mention that CDP is not a routable protocol, so it cannot be used remotely. Ch 10 also calls IDSs "intruder detection systems".

On the typo side, replace 1996 on p 25 with 1986, and remember that FTP data does not use TCP port 21. With active FTP, source port 20 is used. With passive FTP, nothing can be said a priori about the ports that might be used.
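To make the FTP point concrete, here is an added example (not code from the book or from this review) that parses the two messages naming the data connection, the client's PORT command in active mode and the server's 227 reply in passive mode, and derives who opens the data connection and from which port. The sample messages use documentation addresses and are constructed for the demonstration.

```python
"""Added example (not from the book or from the review): parse the FTP
messages that name the data connection, PORT (active) and 227 (passive),
and derive who opens the data connection and from which port. Active mode
is the only case with a fixed server source port (20); in passive mode the
port is chosen at run time and cannot be known in advance."""
import re

# h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 reply (RFC 959).
_HOST_PORT = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def _decode_tuple(text: str):
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2)."""
    m = _HOST_PORT.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        raise ValueError(f"byte out of range in {text!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port_command(line: str):
    """Client's 'PORT h1,h2,h3,h4,p1,p2' (active mode)."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    return _decode_tuple(line)


def parse_pasv_reply(line: str):
    """Server's '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply")
    return _decode_tuple(line)


def expected_data_connection(mode: str, control_client_ip: str,
                             control_server_ip: str, message: str) -> dict:
    """Describe the data connection a firewall should expect.

    Active: the server connects from TCP port 20 to the address and port the
    client named in PORT. Passive: the client connects from an ephemeral
    port (None here, unknown in advance) to the port the server announced.
    In both directions the announced host must be the control-connection
    peer; a third-party address is the classic FTP bounce setup."""
    if mode == "active":
        host, port = parse_port_command(message)
        if host != control_client_ip:
            raise ValueError(f"PORT host {host} is not the control peer")
        return {"initiator": control_server_ip, "src_port": 20,
                "dst": host, "dst_port": port}
    if mode == "passive":
        host, port = parse_pasv_reply(message)
        if host != control_server_ip:
            raise ValueError(f"PASV host {host} is not the control peer")
        return {"initiator": control_client_ip, "src_port": None,
                "dst": host, "dst_port": port}
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed sample messages (documentation addresses, not a real capture).
    client_ip, server_ip = "192.0.2.20", "192.0.2.10"
    print(expected_data_connection("active", client_ip, server_ip,
                                   "PORT 192,0,2,20,4,1"))
    print(expected_data_connection("passive", client_ip, server_ip,
                                   "227 Entering Passive Mode (192,0,2,10,195,80)"))
```

The active result has `src_port` 20 and a destination fixed by the client; the passive result has no predictable client source port and a server port (here 195*256+80 = 50000) that only exists once the 227 reply has been read. That is why a packet filter without an FTP-aware helper cannot write a static rule for passive data connections.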

If you are an absolute pen testing beginner, you may find this book valuable. I don't see any advantage to reading this book when texts like Hacking Exposed are available. (If you think my Foundstone history makes me biased about the HE books, check out my earlier reviews of that series.) I did like the use of case studies in each chapter, and the explanations of how to detect certain classes of attack, mostly with Cisco IDS. The defensive recommendations were also decent.

Those looking for solid pen testing recommendations might find Pete Herzog's free Open Source Security Testing Methodology Manual to be valuable.