Copyright
Your early access bonuses
Contact
Preface
Introduction
Types of attacks
Phases of an attack
Profiles of attackers
Attribution
The Rust programming language
History of Rust
Rust is awesome
Setup
Our first Rust program: A SHA-1 hash cracker
Mental models for approaching Rust
A few things I’ve learned along the way
Summary
Multi-threaded attack surface discovery
Passive reconnaissance
Active reconnaissance
Assets discovery
Our first scanner in Rust
Error handling
Enumerating subdomains
Scanning ports
Multithreading
Fearless concurrency in Rust
The three causes of data races
The three rules of ownership
The two rules of references
Other concurrency problems
Adding multithreading to our scanner
Alternatives
Going further
Summary
Going full speed with async
Why
Cooperative vs Preemptive scheduling
Future
Streams
What is a runtime
Introducing tokio
Avoid blocking the event loops
Sharing data
Combinators
Porting our scanner to async
How to defend
Summary
Adding modules with trait objects
Generics
Traits
Traits objects
Command line argument parsing
Logging
Adding modules to our scanner
Tests
Other scanners
Summary
Crawling the web for OSINT
OSINT
Tools
Search engines
IoT & network Search engines
Social media
Maps
Videos
Government records
Crawling the web
Why Rust for crawling
Associated types
Atomic types
Barrier
Implementing a crawler in Rust
The spider trait
Implementing the crawler
Crawling a simple HTML website
Crawling a JSON API
Crawling a JavaScript web application
How to defend
Going further
Summary
Finding vulnerabilities
What is a vulnerability
Weakness vs Vulnerability (CWE vs CVE)
Vulnerability vs Exploit
0 Day vs CVE
Web vulnerabilities
Injections
HTML injection
SQL injection
XSS
Server Side Request Forgery (SSRF)
Cross-Site Request Forgery (CSRF)
Open redirect
(Sub)Domain takeover
Arbitrary file read
Denial of Service (DoS)
Arbitrary file write
Memory vulnerabilities
Buffer overflow
Use after free
Double free
Other vulnerabilities
Remote Code Execution (RCE)
Integer overflow (and underflow)
Logic error
Race condition
Additional resources
Bug hunting
The tools
Automated audits
Summary
Exploit development
Where to find exploits
Creating a crate that is both a library and a binary
libc
Building an exploitation toolkit
CVE-2019-11229 && CVE-2019-89242
CVE-2021-3156
Summary
Writing shellcodes in Rust
What is a shellcode
Sections of an executable
Rust compilation process
no_std
Using assembly from Rust
The never type
Executing shellcodes
Our linker script
Hello world shellcode
An actual shellcode
Reverse TCP shellcode
Summary
Phishing with WebAssembly
Social engineering
Nontechnical hacks
Phishing
Watering holes
Telephone
WebAssembly
Sending emails in Rust
Implementing a phishing page in Rust
Architecture
Cargo Workspaces
Deserialization in Rust
A client application with WebAssembly
Evil twin attack
How to defend
Summary
A modern RAT
Architecture of a RAT
C&C channels & methods
Existing RAT
Why Rust
Designing the server
Designing the agent
Docker for offensive security
Let’s code
Optimizing Rust’s binary size
Dockerizing the server
Some limitations
Summary
Securing communications with end-to-end encryption
The C.I.A triad
Threat modeling
Cryptography
Hash functions
Message Authentication Codes
Key derivation functions
Block ciphers
Authenticated encryption (AEAD)
Asymmetric encryption
Diffie–Hellman key exchange
Signatures
End-to-end encryption
Who uses cryptography
Common problems and pitfalls with cryptography
A little bit of TOFU?
The Rust cryptography ecosystem
Summary
Our threat model
Designing our protocol
Implementing end-to-end encryption in Rust
Some limitations
To learn more
Summary
Going multi-platforms
Why multi-platform
Cross-platform Rust
Supported platforms
Cross-compilation
cross
Custom Dockerfiles
Cross-compiling to aarch64 (arm64)
More Rust binary optimization tips
Packers
Persistence
Single instance
Going further
Summary
Turning our RAT into a worm to increase reach
What is a worm
Spreading techniques
Cross-platform worm
Spreading through SSH
Vendoring dependencies
Implementing a cross-platform worm in Rust
Install
Spreading
More advanced techniques for your RAT
Summary
Conclusion
What we didn’t cover
The future of Rust
Leaked repositories
How bad guys get caught
Your turn
Build your own RAT
Other interesting blogs
Contact

Whether in movies or mainstream media, hackers are often romanticized: they are painted as black magic wizards, nasty criminals, or, in the worst cases, as thieves with a hood and a crowbar. In reality, the spectrum of attacker profiles is extremely wide, from the bored teenager exploring the internet to sovereign states' armies, as well as the unhappy former employee.

What are the motivations of the attackers? How can they break seemingly so easily into any network? What do they do to their victims?

We will put on our black hat and explore the world of offensive security, whether it be cyber attacks, cybercrimes, or cyberwar.

Scanners, exploits, phishing toolkits, implants... From theory to practice, we will explore the arcana of offensive security and build our own offensive tools with the Rust programming language, Stack Overflow's most loved language for five years in a row.

Which programming language allows you to craft shellcodes, build servers, and create phishing pages? Before Rust, none! Rust is the long-awaited one-size-fits-all programming language meeting all those requirements thanks to its unparalleled guarantees and feature set. Here is why.