Having done the four beginner Kioptrix boxes, I decided to go back into reading to see if I could expand on what I had learned so far. This led me to reading The Hacker Playbook 2: Practical Guide to Penetration Testing by Peter Kim this week. This book is not intended for the pure beginner, and Kim recommends that it is better suited for intermediate penetration testers with a solid grasp of the basics.
For those curious about the proposed prerequisites for this book, Kim recommends:
- Experience with Microsoft Active Directory
- A strong understanding of Linux
- A networking background
- Some coding experience (Bash, Python, Perl, Ruby, PHP, C)
- Use and familiarity with security tools (vulnerability scanners and exploit tools)
As I’ll discuss later, this book focuses almost entirely on security tools. As such, I feel like most of these requirements are not particularly necessary, but would still be beneficial (think beyond the scope of this book!). In terms of the coding experience, there is no need to write code, but the ability to read and understand code is required, especially for the programming language Python, of which there was a lot more than I initially expected.
It’s important to note that this review is entirely my opinion, and is written from the perspective of a penetration testing student aiming for the OSCP course. Because of this, I’ll follow the same format as the last review and provide ratings on the same metrics, to try to quantify how useful this book was for me in my current state.
This book takes the reader through all stages of a penetration test, and does so by comparing stages of a penetration test with ‘plays’ that are found in American Football.
These ‘plays’ are:
- Pregame – equipment and lab setup
- Before the Snap – Scanning and Enumeration
- The Drive – Exploitation
- The Throw – Web application attacks
- The Lateral Pass – Moving through the network, privilege escalation
- The Screen – Social Engineering
- The Onside Kick – Physical attacks
- The Quarterback Sneak – Bypassing Antivirus
- Special Teams – An assortment of tips and tricks
- Two Minute Drill – A quick run through of a full penetration test
- Post-Game Analysis – Reporting
As you can see, this book covers an extensive amount of material. However, The Hacker Playbook 2 is a relatively short 340 pages, with many of the pages being more than half occupied by screenshots. The result is the content feeling quite thin at times, lacking in a bit of detail. Some chapters were much shorter than others and were underdeveloped as a result. In saying that, I did feel that for such a massive field like Penetration Testing, Kim did a good job in writing a truly end-to-end guidebook.
Material Rating: 7/10
Tools and Processes
To be completely honest, I did not expect this book to be so heavy on tools and processes. Almost the entire book contains information about security tools, detailing how and why you would use them. Kim also makes an effort to keep the tools open source where possible, meaning anyone can pick this book up and make use of one (or more) tool straight away. Having read this book, I am now familiar with an extremely wide variety of tools that can be used, and no doubt I will be coming back to this book in the future when I need to actually use one of them.
This book would be perfect for penetration testers to take with them on tests, as you could quickly flip through the pages to find the relevant tool that fits your need in any situation. The only downside is the book will begin to age, and may not stand the test of time as new versions and tools replace the ones detailed in this book.
Tools and Processes Rating: 9/10
Following on from my comment above, it has been noted that The Hacker Playbook 2 has an expected shelf life of 5 years since its publication date. This book is now 3 years old, indicating this book will only remain relevant for another 2 years at most. As with all print media, staying relevant is a practically impossible task and this is something to keep in mind when considering what books are worth committing time and money to. Kim recently released a new book in The Hacker Playbook line, but my understanding is that it is a completely different book rather than a version upgrade to this one. The description for The Hacker Playbook 3 reads: “The main purpose of this book is to answer questions as to why things are still broken.” However, I may be mistaken in this assumption and depending on when you are reading this review, it may be more worthwhile to pick up and read The Hacker Playbook 3 instead.
Unfortunately, another drawback with the amount of dedication Kim has put in writing about security tools is that the book quickly began to lose relevance to what I was personally looking for. The OSCP exam quite heavily restricts the use of security tools, so much of what I was reading about will not be relevant to me until after I’ve passed the OSCP course and examination. Although I do still think it was useful to go back over the stages of a penetration test and learn about alternative methods to accomplish a task, much of what is written in this book is not applicable to the OSCP exam I am preparing for.
Relevance Score: 3/10
This book contains a generous amount of screenshots, with many of the pages being more image than text. This makes for an easy-to-read and easy-to-follow book that does not drag or confront the reader with extensive walls of text. The content is often highly technical, and at times can be a little too concise or vague in its descriptions, but overall the book made for a very easy read. The Hacker Playbook 2 is essentially a rewrite of the original The Hacker Playbook, and it shows. With the feedback he received from the original, Peter Kim has done a fantastic job to make The Hacker Playbook 2 flow and read easily.
Readability Score: 8/10
Overall, I feel this book is better suited to a different audience. It is without a doubt a good book, just not quite the book I need right now. One day in the future, I’m sure I will revisit this book and gain far more than what I did this time around. When that happens, I’ll write another review with my updated thoughts. For those looking to progress themselves as professionals though, I expect this book will be highly valuable in expanding your toolset.
Final Rating: 6/10