Book review The Hacker Playbook 3

The Hacker Playbook 3
Authors: Peter Kim
Content: Main focus is on Red Teaming
Career: Penetration Tester
Level: Intermediate, Expert

This week I read the great book The Hacker Playbook 3 by Peter Kim. The focus of the book is on Red Teaming; it makes sense to also read the first two books if you do not have prior knowledge of penetration testing.


Content:

  • Difference between pentesting and red teaming
  • MITRE ATT&CK framework
  • Tools setup
  • Reconnaissance phase
  • Optional lab setup & exercises
  • Web attacks like Node.js, NoSQL injections, deserialization attacks and more
  • Hacking the (Windows) network, for example with Responder and password spraying
  • Privilege escalation with misconfigured services, exploit suggester and more
  • Mimikatz magic of course
  • Attacks on Macs with Empire
  • BloodHound and SharpHound
  • Lateral movement using different techniques
  • Pivoting
  • Social engineering campaigns & physical attacks
  • Recompiling Meterpreter DLLs for avoiding detection
  • Password cracking
  • Writing your own droppers

I highly recommend this book; especially if you are into Red Teaming, it is a good resource. Maybe a report about owning the Cyber Space Kittens lab would have been nice, since reporting in Red Teaming is a non-trivial task.

Book review Hands-On Bug Hunting for Penetration Testers

Hands-On Bug Hunting for Penetration Testers
Author: Joseph Marshall
Content: Go through common bugs in Webapps and introduction to bug bounties
Career: Penetration Tester, Bug Bounty
Level: Beginner

The main audience of Bug Hunting for Penetration Testers is coders and penetration testers interested in bug bounties. The book goes through bug bounty programs, penetration testing and the usual web security vulnerabilities like XSS, SQL injections, XXE and so on.

As the title says, the book was written for people with prior knowledge of penetration testing, so the vulnerabilities are not explained in depth. Nevertheless, it is also suitable for beginners if they are willing to go deeper later using other sources; after each chapter there are some recommendations for this.

For me the perspective of a bug hunter is pretty interesting, and the book goes into the automation of some tasks, which vulnerabilities are usually interesting for bug bounty programs, and how to report them. To get an impression of the coding, have a look here; unfortunately the code base is for Python 2.7 and not Python 3. The book also informs about information gathering and bug bounty strategies. What I also like are the end-to-end examples, from finding and exploiting a vulnerability to a short example report. Later, reporting is explained in more detail.

If you are interested in Bug Bounty programs you should have a look into this book.