When I first decided I would begin this journey of learning penetration testing, I did some research on where the best place to start would be. It wasn’t long before I stumbled across a book titled Penetration Testing: A Hands-on Introduction to Hacking by Georgia Weidman. As someone who had next to no prior knowledge of penetration testing, I decided that this would be as good of a place to start as any. Penetration testing and information security can be daunting fields for newcomers, with what can feel like an overwhelming barrier to entry. I was therefore drawn to the book’s vision of being an introductory resource for beginners. Something I could use to learn the core concepts of penetration testing in a hands-on way.
After considerable time and effort, I am thrilled to have finally finished working my way through this book. Although I struggled at times, the knowledge I gained has been invaluable as a complete beginner and I wouldn’t hesitate to recommend this book to those in a similar situation to my own. In this review, I will discuss the book’s effectiveness based on various metrics that I believe are relevant for beginner penetration testers, particularly for those aiming for the OSCP like I am. Hopefully you can gain an understanding of this book’s strengths and weaknesses, and temper your expectations accordingly.
The book starts from the absolute basics of penetration testing, going as far as to explain in detail what a virtual machine is and how to set one up. As I mentioned earlier, Georgia wrote this book with the total beginner in mind and as a result she spares no expense in her explanations or examples.
Split into 5 parts, the book covers all stages of a penetration test. These parts are:
- Exploit Development/Post Exploitation
- Mobile Hacking
I found the ‘Basics’ and ‘Assessment’ sections the most useful, as these concepts can be transferred to any penetration test. On the other hand, I felt that the ‘Attack’ and ‘Exploit Development’ sections were too specific to particular vulnerabilities, and as such are not as transferable to other penetration tests.
However, on the whole the material covered in the book is highly useful for people who want to learn penetration testing. The way Georgia covers all relevant steps and concepts required for a penetration test provides a solid platform to begin increasing your knowledge and expertise as you progress beyond the book.
Material Rating: 8/10
Tools and Processes
There are many tools and processes covered in the book, all of which are valuable weapons in a penetration tester’s arsenal. Most of these tools are still used by penetration testers today, especially the command line tools on Kali Linux such as Nmap or netcat. These tools and processes act as the core knowledge that can be drawn upon for any penetration test. Understanding why these tools and processes are useful in a range of situations is invaluable learning and can really improve your skills as a versatile penetration tester.
By far the most used tool throughout the book is the Metasploit Framework. It is used in almost every chapter to develop, test and execute exploits at all stages of a penetration test. While Metasploit is extremely useful for penetration testers, I personally felt there was an over-reliance on the tool and not enough content was dedicated to the manual exploitation of a vulnerability. This resulted in sections throughout the book where I felt more like a script-kiddie than a penetration tester, as the actual ‘work’ was being done by Metasploit after I simply pointed it in the correct direction.
Tools and Processes Rating: 7/10
Like I previously touched upon, A Hands-on Introduction to Hacking was first published in 2014. Inevitably, this means the book is now a few years outdated. The landscape is constantly changing in information security, at an even faster rate than what general information technology already does. To her credit, Georgia recognizes this and made conscious efforts throughout her book to future-proof the content as much as possible, but the age of the book still shows. Some of the applications and tools she uses are no longer available, or have been updated and are no longer compatible with other tools or systems used throughout. Certain tools or systems had also been updated so many times since the book’s release that they were almost indistinguishable from the screenshots provided, with Kali Linux itself being a prime example of this. Despite my best efforts, it was not possible to complete everything in the book and I had to rely solely on her explanations or other 3rd party sources to learn about certain topics.
For people like myself who are focusing their study on the OSCP course and exam, it is also worth noting that the reliance on Metasploit means it may not be the most effective preparation resource. In the OSCP exam, the use of Metasploit is restricted and you will not be able to lean on this framework as much as A Hands-on Introduction to Hacking does. Keep this in mind when going through the book and try to focus on why certain exploits are successful rather than the way they are executed.
Relevance Score: 6/10
A Hands-on Introduction to Hacking is beautifully written. It is incredibly easy to read, and Georgia manages to explain complex technical concepts in simple to understand ways. This is no easy feat, and the ability to write about technical concepts in layman’s terms is something that I am personally trying to improve on. As this is a book dedicated for the beginner, making the book easy to read and understand was perhaps the biggest challenge Georgia faced and she did so incredibly well. The book contains a generous amount of screenshots alongside detailed annotations to explain every aspect and step of the penetration testing process. Explanations and descriptions are comprehensive yet concise and it was never a chore to read through the chapters.
There is also a video series created by Georgia available on Cybrary which I recommend people use alongside her book, simply to reinforce the learning in another format other than written text. The videos are good, but are a little harder to follow than the book due to her delivery and pacing being less than ideal. Nevertheless, they are still a complement to the book and do not detract from the quality of the book itself.
The online Cybrary course can be found here:
Readability Score: 10/10
Being the first piece of infosec literature I’ve read, A Hands-on Introduction to Hacking will always hold a special place on my bookshelf. A quote on the back of the book reads “if you would like to become a penetration tester, this book is perfect for you” and it is not hard to see why. Despite its struggles to remain relevant 4 years after its release, A Hands-on Introduction to Hacking remains a fantastic resource for beginners. For those who simply need a place to start, do not hesitate to give this book a try.
Final Rating: 8/10