Summary:
Whether in movies or mainstream media, hackers are often romanticized: they are painted as black magic wizards, nasty criminals, or, in the worst cases, as thieves with a hood and a crowbar.
In reality, the spectrum of the profile of the attackers is extremely large, from the bored teenager exploring the internet to sovereign State's armies as well as the unhappy former employee.
What are the motivations of the attackers? How can they break seemingly so easily into any network? What do they do to their victims?
We will put on our black hat and explore the world of offensive security, whether it be cyber attacks, cybercrimes, or cyberwar.
Scanners, exploits, phishing toolkit, implants... From theory to practice, we will explore the arcane of offensive security and build our own offensive tools with the Rust programming language, Stack Overflow's most loved language for five years in a row.
Which programming language allows to craft shellcodes, build servers, create phishing pages? Before Rust, none! Rust is the long-awaited one-size-fits-all programming language meeting all those requirements thanks to its unparalleled guarantees and feature set. Here is why.
Author(s): Sylvain Kerkour
Edition: v2022.56
Year: 2022
Language: English
Pages: 358
Copyright
Your early access bonuses
Contact
Preface
Introduction
Types of attacks
Phases of an attack
Profiles of attackers
Attribution
The Rust programming language
History of Rust
Rust is awesome
Setup
Our first Rust program: A SHA-1 hash cracker
Mental models for approaching Rust
A few things I’ve learned along the way
Summary
Multi-threaded attack surface discovery
Passive reconnaissance
Active reconnaissance
Assets discovery
Our first scanner in Rust
Error handling
Enumerating subdomains
Scanning ports
Multithreading
Fearless concurrency in Rust
The three causes of data races
The three rules of ownership
The two rules of references
Other concurrency problems
Adding multithreading to our scanner
Alternatives
Going further
Summary
Going full speed with async
Why
Cooperative vs Preemptive scheduling
Future
Streams
What is a runtime
Introducing tokio
Avoid blocking the event loops
Sharing data
Combinators
Porting our scanner to async
How to defend
Summary
Adding modules with trait objects
Generics
Traits
Traits objects
Command line argument parsing
Logging
Adding modules to our scanner
Tests
Other scanners
Summary
Crawling the web for OSINT
OSINT
Tools
Search engines
IoT & network Search engines
Social media
Maps
Videos
Government records
Crawling the web
Why Rust for crawling
Associated types
Atomic types
Barrier
Implementing a crawler in Rust
The spider trait
Implementing the crawler
Crawling a simple HTML website
Crawling a JSON API
Crawling a JavaScript web application
How to defend
Going further
Summary
Finding vulnerabilities
What is a vulnerability
Weakness vs Vulnerability (CWE vs CVE)
Vulnerability vs Exploit
0 Day vs CVE
Web vulnerabilities
Injections
HTML injection
SQL injection
XSS
Server Side Request Forgery (SSRF)
Cross-Site Request Forgery (CSRF)
Open redirect
(Sub)Domain takeover
Arbitrary file read
Denial of Service (DoS)
Arbitrary file write
Memory vulnerabilities
Buffer overflow
Use after free
Double free
Other vulnerabilities
Remote Code Execution (RCE)
Integer overflow (and underflow)
Logic error
Race condition
Additional resources
Bug hunting
The tools
Automated audits
Summary
Exploit development
Where to find exploits
Creating a crate that is both a library and a binary
libc
Building an exploitation toolkit
CVE-2019-11229 && CVE-2019-89242
CVE-2021-3156
Summary
Writing shellcodes in Rust
What is a shellcode
Sections of an executable
Rust compilation process
no_std
Using assembly from Rust
The never type
Executing shellcodes
Our linker script
Hello world shellcode
An actual shellcode
Reverse TCP shellcode
Summary
Phishing with WebAssembly
Social engineering
Nontechnical hacks
Phishing
Watering holes
Telephone
WebAssembly
Sending emails in Rust
Implementing a phishing page in Rust
Architecture
Cargo Workspaces
Deserialization in Rust
A client application with WebAssembly
Evil twin attack
How to defend
Summary
A modern RAT
Architecture of a RAT
C&C channels & methods
Existing RAT
Why Rust
Designing the server
Designing the agent
Docker for offensive security
Let’s code
Optimizing Rust’s binary size
Dockerizing the server
Some limitations
Summary
Securing communications with end-to-end encryption
The C.I.A triad
Threat modeling
Cryptography
Hash functions
Message Authentication Codes
Key derivation functions
Block ciphers
Authenticated encryption (AEAD)
Asymmetric encryption
Diffie–Hellman key exchange
Signatures
End-to-end encryption
Who uses cryptography
Common problems and pitfalls with cryptography
A little bit of TOFU?
The Rust cryptography ecosystem
Summary
Our threat model
Designing our protocol
Implementing end-to-end encryption in Rust
Some limitations
To learn more
Summary
Going multi-platforms
Why multi-platform
Cross-platform Rust
Supported platforms
Cross-compilation
cross
Custom Dockerfiles
Cross-compiling to aarch64 (arm64)
More Rust binary optimization tips
Packers
Persistence
Single instance
Going further
Summary
Turning our RAT into a worm to increase reach
What is a worm
Spreading techniques
Cross-platform worm
Spreading through SSH
Vendoring dependencies
Implementing a cross-platform worm in Rust
Install
Spreading
More advanced techniques for your RAT
Summary
Conclusion
What we didn’t cover
The future of Rust
Leaked repositories
How bad guys get caught
Your turn
Build your own RAT
Other interesting blogs
Contact
