Book review: Ninja Hacking – unconventional penetration testing tactics and techniques

Be in no doubt, credibility is high for this book.

Authors of “Ninja Hacking”, Thomas Wilhelm and Jason Andress, certainly have expertise in the field of computer security, with particular focus on penetration testing. They also have experience in both the academic and corporate environments.

The subtitle “Unconventional penetration testing tactics and techniques” is however a little misleading. Do not expect a standard ‘tool box’ for penetration testers.

Rather than being a show-and-tell collection, Ninja Hacking is best explained as an expansion of Schneier’s “The Security Mindset.”

The book attempts to tie the skills of the Ninja to those of a penetration tester. This kind of comparison is indeed a popular theme in computer security publications, with many loosely referencing Eastern cultures: ‘Ninja this’ or ‘Tao of that’.

Ninja Hacking, however, does indeed provide a rich vein of Japanese (and Chinese) history and culture, which is woven through the book successfully.

The authors also manage to avoid romanticising the unequal societies that allowed for the formation of Ninja and Samurai cultures. These inequalities seem to me at least to be referenced appropriately.

The authors divide the book (of 17 chapters) into six sections:

  • Ninjas and hacking
    Explains why the ninja paradigm works for penetration testers, and shows how these testers sit in the grey area between the white and black hat hackers.
  • Tactics
    How the strategies espoused by Sun Tzu and ninja writing can be made relevant when designing a project to pen test a system.
  • Disguise and impersonation
    How to elicit trust from the ‘victim’ of a pen test (research and preparation are emphasised here).
  • Stealth and entering methods
    The areas covered here are numerous: bypassing physical and logical gateways; choosing the right time of day to perform a pen test; looking for weak points in the infrastructure; and using physical distractions to bypass detection. Some of the distractions mentioned are more likely to be used at government or military levels, e.g. torching the CSO’s car to distract them prior to launching a penetration hack.
  • Espionage
    How to get into devices and extract data without being detected; eavesdropping tools; intelligence gathering; surveillance; and sabotage (cue Beastie Boys’ track, 1994).
  • Escape and concealment
    Shows the similarities between Ninjas, who pride themselves on not getting caught, and commercial pen testers who only want to reveal their findings after they complete the test. Knowing how people hide is often a way to catch them.

All in all, while the writing style is light, the content is, for lack of a better term, meaty. This is definitely not recommended as an entry level book, but it is an excellent resource for penetration testers and those thinking of commissioning pen tests on their systems.

Review: 4/5 stars
Buy or Expense: Expense 🙂

Disclaimer: When this book was released in October 2010, there was a hacking competition (involving deciphering some puzzles). The prize was a copy of the book.

I was one of the 6 successful competitors and was awarded this prize.

NOTE: If you would like your book to be considered for review by the Naked Security team, email us at