Applied offensive security with Rust

Overview

Black Hat Rust - Early Access

Deep dive into offensive security with the Rust programming language

Buy the book now!

Summary

Whether in movies or mainstream media, hackers are often romanticized: they are painted as black-magic wizards, nasty criminals, or, in the worst cases, as thieves with a hood and a crowbar. In reality, the spectrum of attacker profiles is extremely wide, from the bored teenager exploring the internet to the armies of sovereign states, by way of the disgruntled former employee.

What are the motivations of the attackers? How can they break so seemingly easily into any network? What do they do to their victims? We will put on our black hat and explore the world of offensive security, whether it be cyber attacks, cybercrime, or cyberwar. Scanners, exploits, phishing toolkits, implants... From theory to practice, we will explore the arcana of offensive security and build our own offensive tools with the Rust programming language, Stack Overflow's most loved language for five years in a row.

The security programming field is defined by its extremely large scope (from shellcodes to servers and web apps). Rust is the long-awaited one-size-fits-all programming language meeting all those requirements thanks to its unparalleled guarantees and feature set. This book shows why.

Free Updates and DRM Free, of course :)

Who this book is for

This is NOT a 1000th tutorial about sqlmap and Metasploit, nor will it teach you the fundamentals of programming.

Instead, it's a from-theory-to-practice manual, and you may enjoy it if any of the following applies to you:

  • You keep screaming "show me the code!" when reading about cyber attacks and malware
  • You want to learn real-world and idiomatic Rust practices
  • You believe that the best defense is thinking like an attacker
  • You learn by building and love to look under the hood
  • You develop your own tools and exploits with Python, Ruby, C, Java...
  • You want to learn real-world offensive security, not just pentesting
  • You want to start your career in bug bounties or offensive security

Early access

As of today, the book is a work in progress. It is available in the context of an Early Access program which means that the chapters will be sent to you as soon as they are written, and feedback is very much appreciated.

estimated final publication: July 2021

estimated number of pages: ~320

In order to thank all the people who will help me make this book a reality, all early access buyers will also receive the following bonus:

  • A curated list of advanced malware analyses. You will find inside great inspiration when developing your own offensive tools.

Table of contents

1 - Introduction ✅

Part I: Reconnaissance

2 - Multi-threaded attack surface discovery 🕒

How do you perform effective reconnaissance? In this chapter, we will build a multi-threaded scanner to automate the mapping of the target.
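Below is an added example of the kind of scanner this chapter describes; it is not the book's tricoder code. It uses only the Rust standard library and, as an assumption so that it runs offline, probes a listener it binds itself on 127.0.0.1. The point worth carrying over to a real scanner is the bounded worker pool: each worker holds at most one socket, so the number of file descriptors in flight never exceeds the worker count, which is the usual guard against hitting the per-process open-file limit (EMFILE) when sweeping thousands of ports.

```rust
use std::collections::BTreeSet;
use std::net::{IpAddr, Ipv4Addr, SocketAddr, TcpListener, TcpStream};
use std::sync::{mpsc, Arc, Mutex};
use std::thread;
use std::time::Duration;

/// Outcome of probing a single TCP port.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PortState {
    pub port: u16,
    pub open: bool,
}

/// Probe every port in `ports` on `target` using at most `workers` threads.
///
/// Each worker owns at most one socket at a time, so the number of file
/// descriptors in flight never exceeds `workers`. A thread-per-port design
/// over a large range is what trips EMFILE ("too many open files").
pub fn scan_ports(target: IpAddr, ports: &[u16], workers: usize, timeout: Duration) -> Vec<PortState> {
    // Shared work queue; workers pop ports until it is empty.
    let queue = Arc::new(Mutex::new(ports.to_vec()));
    let (tx, rx) = mpsc::channel();

    let handles: Vec<_> = (0..workers.max(1))
        .map(|_| {
            let queue = Arc::clone(&queue);
            let tx = tx.clone();
            thread::spawn(move || loop {
                // Hold the lock only long enough to pop one port.
                let next = queue.lock().unwrap().pop();
                let port = match next {
                    Some(port) => port,
                    None => break,
                };
                let addr = SocketAddr::new(target, port);
                // A completed handshake means open. Refusal and timeout are both
                // reported as "not open": this scanner does not tell closed
                // from filtered.
                let open = TcpStream::connect_timeout(&addr, timeout).is_ok();
                // The receiver outlives every worker, so send cannot fail here.
                let _ = tx.send(PortState { port, open });
            })
        })
        .collect();

    // Drop the parent's sender so `rx` ends once the last worker exits.
    drop(tx);
    let mut results: Vec<PortState> = rx.iter().collect();
    for handle in handles {
        handle.join().expect("scanner worker panicked");
    }
    results.sort_by_key(|state| state.port);
    results
}

/// Just the open ports, in ascending order.
pub fn open_ports(target: IpAddr, ports: &[u16], workers: usize, timeout: Duration) -> BTreeSet<u16> {
    scan_ports(target, ports, workers, timeout)
        .into_iter()
        .filter(|state| state.open)
        .map(|state| state.port)
        .collect()
}

fn main() {
    // Offline demo target (assumption): a listener we bind ourselves on an ephemeral port.
    let listener = TcpListener::bind((Ipv4Addr::LOCALHOST, 0)).expect("bind");
    let local = listener.local_addr().expect("local_addr").port();
    let ports: Vec<u16> = (local.saturating_sub(3)..=local.saturating_add(3)).collect();
    let found = open_ports(IpAddr::V4(Ipv4Addr::LOCALHOST), &ports, 4, Duration::from_millis(300));
    println!("open ports among {:?}: {:?}", ports, found);
}
```

Tune `timeout` and `workers` per target: a small pool with a longer timeout is slower but also far quieter from the defender's point of view, and it keeps the socket count well under any ulimit.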

3 - Going full speed with async 🕒

Unfortunately, when a program spends most of its time in I/O operations, multi-threading is not a panacea: most threads simply sit idle waiting on the network. We will learn how async makes Rust code really, really fast and refactor our scanner to async code.

4 - Adding modules with Trait objects 🕒

We will add more heterogeneous modules to our scanner and learn how Rust's type system helps create properly designed large software projects.
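As an added illustration of the trait-object design this chapter covers (example code, not the book's scanner), the following sketches a module system: each module implements one trait, the scanner core holds them as Box<dyn Module>, and a failing module is reported without aborting the others. The target data, the module names and the "offline" failure are all constructed for the example.

```rust
use std::collections::BTreeSet;
use std::fmt;

/// What the scanner knows about a target before the modules run.
/// The data fields are constructed inputs for this example; a real scanner
/// would fetch them over the network.
pub struct Target {
    pub domain: String,
    pub ct_log_names: String, // one certificate name per line
    pub http_headers: String, // raw "Name: value" header lines
}

/// One piece of reconnaissance output, tagged with the module that produced it.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Finding {
    pub module: &'static str,
    pub value: String,
}

#[derive(Debug)]
pub enum ModuleError {
    Unavailable(String),
}

impl fmt::Display for ModuleError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ModuleError::Unavailable(why) => write!(f, "module unavailable: {}", why),
        }
    }
}

impl std::error::Error for ModuleError {}

/// The contract every module implements. The scanner core only ever sees
/// `dyn Module`, so adding a module means adding a type, not editing the loop.
pub trait Module: Send + Sync {
    fn name(&self) -> &'static str;
    fn run(&self, target: &Target) -> Result<Vec<Finding>, ModuleError>;
}

/// Extracts hostnames under the target domain from certificate-transparency names.
pub struct CtSubdomains;

impl Module for CtSubdomains {
    fn name(&self) -> &'static str { "ct_subdomains" }
    fn run(&self, target: &Target) -> Result<Vec<Finding>, ModuleError> {
        let suffix = format!(".{}", target.domain);
        let names = target.ct_log_names.lines()
            // Wildcard entries ("*.example.com") are folded onto the bare name.
            .map(|line| line.trim().trim_start_matches("*.").to_ascii_lowercase())
            .filter(|name| name == &target.domain || name.ends_with(suffix.as_str()))
            .map(|name| Finding { module: self.name(), value: name })
            .collect();
        Ok(names)
    }
}

/// Flags response headers that reveal server-side software and versions.
pub struct HeaderLeaks;

impl Module for HeaderLeaks {
    fn name(&self) -> &'static str { "header_leaks" }
    fn run(&self, target: &Target) -> Result<Vec<Finding>, ModuleError> {
        const LEAKY: [&str; 3] = ["server", "x-powered-by", "x-aspnet-version"];
        let leaks = target.http_headers.lines()
            .filter_map(|line| line.split_once(':'))
            .filter(|(name, _)| LEAKY.contains(&name.trim().to_ascii_lowercase().as_str()))
            .map(|(name, value)| Finding {
                module: self.name(),
                value: format!("{}: {}", name.trim(), value.trim()),
            })
            .collect();
        Ok(leaks)
    }
}

/// Stands in for a module whose backing service is down (constructed failure).
pub struct Offline;

impl Module for Offline {
    fn name(&self) -> &'static str { "offline" }
    fn run(&self, _target: &Target) -> Result<Vec<Finding>, ModuleError> {
        Err(ModuleError::Unavailable("upstream API did not answer".into()))
    }
}

pub fn default_modules() -> Vec<Box<dyn Module>> {
    vec![Box::new(CtSubdomains), Box::new(HeaderLeaks), Box::new(Offline)]
}

/// Runs every module, deduplicates findings, and isolates failures:
/// a broken module is reported, not allowed to abort the whole scan.
pub fn run_all(modules: &[Box<dyn Module>], target: &Target) -> (BTreeSet<Finding>, Vec<String>) {
    let mut findings = BTreeSet::new();
    let mut errors = Vec::new();
    for module in modules {
        match module.run(target) {
            Ok(found) => findings.extend(found),
            Err(err) => errors.push(format!("{}: {}", module.name(), err)),
        }
    }
    (findings, errors)
}

/// Constructed sample target used by `main`.
pub fn sample_target() -> Target {
    Target {
        domain: "example.com".to_string(),
        ct_log_names: "www.example.com\n*.example.com\nAPI.example.com\nexample.com\nnotexample.com\n".to_string(),
        http_headers: "Server: nginx/1.18.0\nContent-Type: text/html\nX-Powered-By: PHP/7.4\n".to_string(),
    }
}

fn main() {
    let (findings, errors) = run_all(&default_modules(), &sample_target());
    for finding in &findings { println!("[{}] {}", finding.module, finding.value); }
    for error in &errors { eprintln!("module failed: {}", error); }
}
```

Because `run_all` returns errors alongside findings rather than bubbling the first one up with `?`, a flaky OSINT source degrades the scan instead of killing it, which matters when a run over a large scope takes hours.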

5 - Crawling the web for OSINT 🕒

Leveraging all we learned previously, we will build an extremely fast web crawler to help us find the needles in the haystack that is the web.

Part II: Exploitation

6 - Finding vulnerabilities with Fuzzing 🕒

Once the external reconnaissance is done, it's time to find entry points. In this chapter we will learn how automated fuzzing can help us find vulnerabilities that can then be exploited to gain access to our target's systems.

7 - Exploit development 🕒

Rust may not be as fast as Python when it comes to iterating on quick scripts such as exploits, but as we will see, its powerful type and module systems nonetheless make it a weapon of choice.

8 - Writing shellcodes in Rust 🕒

Shellcode development is a thankless task: writing assembly by hand is definitely not sexy. Fortunately for us, Rust once again has our back. In this chapter we will learn how to write shellcodes in plain Rust with no_std.

9 - Phishing with WebAssembly 🕒

When they can't find an exploitable hardware or software vulnerability, attackers usually fall back to what is often the weakest link in the chain: humans. Again, Rust comes in handy and will let us create advanced phishing pages by compiling to WebAssembly.

Part III: Implant development

10 - A modern RAT 🕒

A RAT (Remote Access Tool), also known as an implant or beacon, is software used to perform offensive operations on a target's machines. In this chapter we will build our own RAT communicating with a remote server and database.

11 - Securing communications with end-to-end encryption 🕒

The consequences of our own infrastructure being compromised or seized can be disastrous. We will add end-to-end encryption to our RAT's communications so that a compromised or seized server only ever holds ciphertext and leaves no readable traces behind.

12 - Going multi-platform 🕒

Today's computing landscape is extremely fragmented. From Windows to macOS, we can't target only one operating system and still ensure the success of our operations. In this chapter we will see how Rust's ecosystem is extremely useful when it comes to cross-compilation.

13 - Turning into a worm to increase reach 🕒

Once the initial targets are compromised, we will capitalize on Rust's excellent reusability and incorporate parts of our initial scanner into our RAT, turning it into a worm that reaches targets only accessible from the victim's internal network.

Community

Hey! Welcome to the Black Hat Rustaceans gang! If you think something in the book or the code can be improved, please open an issue. Pull requests are also welcome :)

If you have any questions or ideas, feel free to join the discussion on the Forum!

Newsletter

Want to stay updated? I'll write you once a week about avoiding complexity, hacking, and entrepreneurship.

https://kerkour.com/subscribe

I hate spam even more than you do. I'll never share your email, and you can unsubscribe at any time. Also, there is no tracking or ads.

Changelog

You'll find all the updates in the Changelog: https://github.com/skerkour/black-hat-rust/blob/main/CHANGELOG.md

Comments
  • Chapter 3: tricoder error in some cases

    Try to scan ports of twitch.tv(or ya.ru/google.com)

    Error:

    cargo run --release -- twitch.tv
        Finished release [optimized] target(s) in 0.20s
         Running `target/release/tricoder twitch.tv`
    thread 'main' panicked at 'port scanner: Creating socket address: Os { code: 16, kind: ResourceBusy, message: "Device or resource busy" }', src/ports.rs:49:10
    

    Maybe this is related to https://github.com/rust-lang/rust/issues/47955 because I have the same error (EMFILE). Increasing the open file limit did not help me.

    Any thoughts?

    opened by balroggg 8
  • Suggestions for possible library to include in chapter 5

    Chapter 5 is about web crawling, right? Well one library I've found to be really helpful for that is thirtyfour, a Selenium/WebDriver library for rust. WebDriver is a great technique to use for scraping websites that are SPAs or other apps that load content with JavaScript. Just thought I'd share.

    opened by EthanYidong 7
  • Some artifacts in the 2021.41 version

    It seems that some mistakes were made during the md -> pdf conversion:

    • listings are overflowing on the right side for every console command
    • chapter referencing is off by several chapters, e.g. talking about chapter 5 is actually talking about chapter 7 and so on

    I'll update the list while I'm going through the book

    opened by NightlySide 6
  • Ch. 7.5 CVE 2019 11229 CSRF Token is Invalid

    The code to retrieve the CSRF token is not quite correct. It does not properly decode the percent encoding, thus the requests will fail. It can easily be fixed by adjusting the import in the Cargo.toml:

    cookie = {version = "0.15", features = ["percent-encode"]}
    

    and by adjusting line 216 in main.rs:

    .filter_map(|cookie| Cookie::parse_encoded(cookie).ok())
    
    opened by ChosunOne 5
  • Would you be interested in some kind of community?

    I've received many requests to create some kind of community about Rust x Hacking.

    To be clear I don't have the bandwidth today to do that.

    But as this is a really interesting thing that I could set up in the future, I want to gather some feedback beforehand.

    The biggest advantage of a community is peer-to-peer learning, where everyone can share their discoveries.

    The biggest disadvantages of a community around security are identities and potential scams.

    To be honest, I'm not a fan of chat communities (Discord, Matrix...): The knowledge is quickly lost, and it's very easy to mix a lot of conversations.

    I would prefer a forum, which provides a searchable archive.

    What do you think about it? What would you prefer, and why?

    opened by skerkour-dev 5
  • About the latest post of build a web-app with rust & wasm

    I was not familiar with yew and wasm, so I'm learning from your post. Thank you for your great post. But the problem is, it seems like there are huge changes between yew-0.18 and yew-0.19, and it's almost impossible to follow your instructions. So I don't know if you plan to use the new yew and update the post or something like that... Or maybe I will follow the docs to get familiar with yew (the slow way). Anyway, a big thanks.

    opened by azusachino 3
  • Ch2. serde Deserialize feature not explicit

    info: The currently active `rustc` version is `rustc 1.63.0-nightly (cd282d7f7 2022-05-18)`
    
    [dependencies]
    anyhow = "1.0.57"
    rayon = "1.5.3"
    serde = "1.0.137"
    thiserror = "1.0.31"
    

    My model.rs file is the same as https://github.com/skerkour/black-hat-rust/blob/main/ch_02/tricoder/src/model.rs yet the compiler complains

    error: cannot find derive macro `Deserialize` in this scope
      --> src/model.rs:15:17
       |
    15 | #[derive(Debug, Deserialize, Clone)]
       |                 ^^^^^^^^^^^
       |
    note: `Deserialize` is imported here, but it is only a trait, without a derive macro
      --> src/model.rs:1:5
       |
    1  | use serde::Deserialize;
       |     ^^^^^^^^^^^^^^^^^^
    

    Your repo shows this import as a feature inclusion;

    serde = { version = "1", features = ["derive"] }
    

    but this is never mentioned in the book afaict.

    opened by tylerhjones 3
  • Book Typos?

    Hey Sylvain,

    I've just started the book and the introduction has been really exciting! Looking forward to an awesome read.

    I found a typo in the black hat book (section 5.3.2), where do I file the edit?

    opened by moomoolive 3
  • question: what I need to know before I read the book?

    Rust is my first programming language. I am still trying to figure out my way in programming. I did read a few books, and each one tackled a subject I had no prior experience in; I did not get the most out of those books, but I tried to get as much as I could from them. I was wondering if "Rust Black Hat" requires prior knowledge of some topics and, if so, what they are.

    PS: forgive me for my bad English, it's not my first language

    opened by falcongx 3
  • Letter 'e' is disturbing to read in .pdf format

    Hi!

    Thanks for creating this book. I have just started reading the pdf version and I noticed the letter 'e' is indistinguishable from the letter 'c', which makes it a bit hard to read. Would it be possible to change that?

    [screenshot from 2021-09-27 11-35-52 omitted]

    I am facing no difficulties with reading any other text on the internet, so this must be something with the formatting of this book.

    Thanks!

    opened by legezam 3
  • Code block font size too large

    I think the book would benefit from a smaller font size for code blocks. In both the PDF and epub versions (didn't look at mobi), the code block font looks larger than the body text font. To minimize wrapping of code blocks, I think a smaller monospace font size would look better. It would also look more harmonious with the body font size.

    (Same comment applies to your blog posts IMO).

    For example, here is a screenshot from the Rust Book, which I think has the right proportion of body font size to code block size:

    [screenshot IMG_0391 omitted]

    opened by pkazmier 3
  • Refactor to understand

    Hello! This pull request is not meant to be merged. I just bought access to your Black Hat Rust course, and I've been using Rust for two years now but I know nothing about cybersecurity (but want to!). I figured the best way for me to understand the security part was to go through section by section refactoring code until it made sense to me. Obviously my little refactor incorporates parts of Rust you don't want to bother the reader with yet, but I do have some small suggestions and questions.

    Questions:

    1. What's the deal with this?

        let socket_addrs: Vec<SocketAddr> =
            format!("{}:1024", subdomain).to_socket_addrs()?.collect();

    2. If you were trying to avoid detection as mentioned in the text by pinging these over a longer period of time, how long would that be? Say generate a random wait between 60 - 360 seconds, or 2 - 5 hours, etc.

    Suggestions:

    1. You should probably scan for open ports before constructing a Subdomain struct. Initializing the open_ports field with an empty vec creates a struct which doesn't reflect reality. My version places scanning for open ports in the struct's constructor by implementing the From trait, but you could just wait to instantiate the Subdomain structs until you've found the open ports.
    2. Having both a port struct with a field indicating whether the port is open and the field "open_ports" on the subdomain struct is a little strange, and risks representing an invalid state (the subdomain.open_ports vec could contain a port with port.is_open set to false). Whether or not a port is open should be indicated in one place only.
    3. Since you've introduced the anyhow and thiserror crates, there's really no reason to be unwrapping anywhere.
    opened by bcpeinhardt 0
  • question: will this book be available in print once it's completed?

    Hi! I like to read physical copies of programming books so that I can mark them up and keep them on my shelf. Will https://academy.kerkour.com/black-hat-rust?coupon=BLOG be available in print form once it's completed? I didn't see an obvious answer on the marketing website or on this GitHub repo; please let me know if I missed something. Thanks very much, best of luck with the book, looks really cool!

    opened by jrheard 7
Owner: Sylvain Kerkour