Every week I get 8-10 notifications about a new pen test tool that has just been released. I look at the description for 4-5, think they look neat, so I download them and set them up on a VM on my computer. Then when I try to run them I usually end up pulling half my hair out trying to get them to work. One of the pitfalls of open source is that the documentation for these applications stinks. Most open source pen test tool instructions just tell you the command and options available to run. What they forget is any dependencies for the application to run, other programs that need to be installed, and any tweaks needed to get them to work against particular targets.
Penetration Tester’s Open Source Toolkit
Penetration Tester’s Open Source Toolkit is a very good start at putting some practical steps and documentation around these tools. Programmers writing the tools should make note of this book as a guide for how to give a little bit of instruction to those of us who pen test as a hobby but not as their full-time job. The book also gives some great examples of how to use the tools to conduct a pen test and the kinds of systems and tests that can be done. Following the quote attributed to Lincoln, “If I had 8 hours to cut a tree I would spend 4 sharpening my axe,” I would actually have liked to have had fewer tools reviewed but gone into more depth. This would result in a good understanding of a core set of pen test tools that a starting pentester can build on.
The book also shows each step of a pen test engagement from reconnaissance through report writing and what tools you should be using at each step. This provides a great blueprint for those that have not done a pen test before.
In the end you will not become a master pentester after reading this book. Only flight time and practice will get you there. Setting up a lab with targets and testing systems is the only way to get that hands-on experience. This will give you a good starting toolbox to work with to set up your own lab and tinker with different scenarios. The book will walk you through how to do it, and it does work as described.
As with anything technology related, by the time the book is published it is out of date. A few of the tools in the book have had updates and revisions that slightly change how they work. Working from the book, however, gives any would-be pen tester good experience with a good start.