Applied offensive security with the Rust programming language

Overview

Black Hat Rust logo

Black Hat Rust

Applied offensive security with the Rust programming language

Buy the book now!

While the Rust Book does an excellent job teaching What is Rust, a book about Why and How to Rust was missing.

Summary

Whether in movies or mainstream media, hackers are often romanticized: they are painted as black magic wizards, nasty criminals, or, in the worst cases, as thieves with a hood and a crowbar. In reality, the spectrum of the profile of the attackers is extremely large, from the bored teenager exploring the internet to sovereign State's armies as well as the unhappy former employee.

What are the motivations of the attackers? How can they break seemingly so easily into any network? What do they do to their victims? We will put on our black hat and explore the world of offensive security, whether it be cyber attacks, cybercrimes, or cyberwar. Scanners, exploits, phishing toolkit, implants... From theory to practice, we will explore the arcane of offensive security and build our own offensive tools with the Rust programming language, Stack Overflow's most loved language for five years in a row.

Which programming language allows to craft shellcodes, build servers, create phishing pages? Before Rust, none! Rust is the long-awaited one-size-fits-all programming language meeting all those requirements thanks to its unparalleled guarantees and feature set. Here is why.

Free Updates and DRM Free, of course :)

Who this book is for

This is NOT a 1000th tutorial about sqlmap and Metasploit, nor will it teach you the fundamentals of programming.

Instead, it's a from-theory-to-practice guide and you may enjoy it if any of the following:

  • You keep screaming "show me the code!" when reading about cyber attacks and malwares
  • You are a developer and want to learn security
  • You are a security engineer and want to learn Rust programming
  • You want to learn real-world and idiomatic rust practices
  • You believe that the best defense is thinking like an attacker
  • You learn by building and love to look under the hood
  • You value simplicity and pragmatism
  • You develop your own tools and exploits with Python, Ruby, C, Java...
  • You want to learn real-world offensive security, not just pentesting
  • You want to start making money with bug bounty programs
  • You prefer getting things done over analysis paralysis

But I repeat, this book is NOT a computer science book.

Buy the book now!

Black Hat Week

Black Hat Rust is out of beta :)

In order to thank all the people who will help me make this book a reality, all the supporters buying the book during the Black Hat Week will also receive the following bonus:

  • A curated list of advanced malware analyses. You will find inside great inspiration when developing your own offensive tools.

Buy the book now!

Table of contents

1 - Introduction

Part I: Reconnaissance

2 - Multi-threaded attack surface discovery

How to perform effective reconnaissance? In this chapter, we will build a multi-threaded scanner in order to automate the mapping of the target.

3 - Going full speed with async

Unfortunately, when a program spends most of its time in I/O operations, multi-threading is not a panacea. We will learn how async makes Rust code really, really fast and refactor our scanner to async code.

4 - Adding modules with Trait objects

We will add more heterogeneous modules to our scanner and will learn how Rust's type system helps create properly designed large software projects.

5 - Crawling the web for OSINT

Leveraging all we learned previously, we will build an extremely fast web crawler to help us find the needles in the haystack the web is.

Part II: Exploitation

6 - Finding vulnerabilities

Once the external reconnaissance performed, it's time to find entry points. In this chapter we will learn how automated fuzzing can help us to find vulnerabilities that can be exploited to then gain access to our target's systems.

7 - Exploit development

Rust may not be as fast as python when it comes to iterating on quick scripts such as exploits, but as we will see, its powerful type and modules system make it nonetheless a weapon of choice.

8 - Writing shellcodes in Rust

Shellcode development is an ungrateful task. Writing assembly by hand is definitely not sexy. Fortunately for us, Rust, one more time, got our back! In this chapter we will learn how to write shellcodes in plain Rust with no_std.

9 - Phishing with WebAssembly

When they can't find exploitable hardware or software vulnerability, attackers usually fall back to what is often the weakest link in the chain: Humans. Again, Rust comes handy and will let us create advanced phishing pages by compiling to WebAssembly.

Part III: Implant development

10 - A modern RAT

A RAT (for Remote Access Tool), also known as implant or beacon, is a kind of software used to perform offensive operations on a target's machines. In this chapter we will build our own RAT communicating to a remote server and database.

11 - Securing communications with end-to-end encryption

The consequences of our own infrastructure being compromised or seized can be disastrous. We will add end-to-end encryption to our RAT's communication in order to secure its communications and avoid leaving traces on our servers.

12 - Going multi-platforms

Today's computing landscape is extremely fragmented. From Windows to macOS, we can't target only one Operating System to ensure the success of our operations. In this section we will see how Rust's ecosystem is extremely useful when it comes to cross-compilation.

13 - Turning into a worm to increase reach

Once the initial targets compromised, we will capitalize on Rust's excellent reusability to incorporate some parts of our initial scanner to turn our RAT into a worm and reach more targets only accessible from the target's internal network.

14 Conclusion

Now it's your turn to get things done!

Buy the book now!

FAQ

Are there other means of payment available?

Payments by cards are secured by Stripe.

Also, I need a unified list of purchases on Stripe for accounting reasons, at least during the early-access phase.

Please join the discussion on GitHub (Alternative means of payment (Bitcoin, PayPal...)) if payment by card is absolutely not an option for you, I will do my best to add more means of payments once the book is completed.

What to do if I don't have a VAT number?

A European VAT number is optional, and you can skip the field or leave it empty if asked.

Community

Hey! Welcome you to the Black Hat Rustaceans gang! If you think something in the book or the code can be improved, please open an issue. Pull requests are also welcome :)

Newsletter

Want to stay updated? I'll write you once a week about avoiding complexity, hacking, and entrepreneurship.

https://kerkour.com/subscribe

I hate spam even more than you do. I'll never share your email, and you can unsubscribe at anytime. Also, there is no tracking or ads.

Changelog

You'll find all the updates in the Changelog: https://github.com/skerkour/black-hat-rust/blob/main/CHANGELOG.md

Comments
  • Chapter 3: tricoder error in some cases

    Chapter 3: tricoder error in some cases

    Try to scan ports of twitch.tv(or ya.ru/google.com)

    Error:

    cargo run --release -- twitch.tv
        Finished release [optimized] target(s) in 0.20s
         Running `target/release/tricoder twitch.tv`
    thread 'main' panicked at 'port scanner: Creating socket address: Os { code: 16, kind: ResourceBusy, message: "Device or resource busy" }', src/ports.rs:49:10
    

    Maybe this is related to https://github.com/rust-lang/rust/issues/47955 because I have same error(EMFILE). Increase open file limit is not help me.

    Any thoughts?

    opened by balroggg 8
  • Suggestions for possible library to include in chapter 5

    Suggestions for possible library to include in chapter 5

    Chapter 5 is about web crawling, right? Well one library I've found to be really helpful for that is thirtyfour, a Selenium/WebDriver library for rust. WebDriver is a great technique to use for scraping websites that are SPAs or other apps that load content with JavaScript. Just thought I'd share.

    opened by EthanYidong 7
  • Some artifacts in the 2021.41 version

    Some artifacts in the 2021.41 version

    It seems that some mistakes were made during the md -> pdf conversion :

    • listings are overflowing on the right side for every console command
    • chapter referencing is off by several chapters, e.g. talking about chapter 5 is actually talking about chapter 7 and so on

    I'll update the list while I'm going through the book

    opened by NightlySide 6
  • Ch. 7.5 CVE 2019 11229 CSRF Token is Invalid

    Ch. 7.5 CVE 2019 11229 CSRF Token is Invalid

    The code to retrieve the CSRF token is not quite correct. It does not properly decode the percent encoding, thus the requests will fail. It can easily be fixed by adjusting the import in the Cargo.toml:

    cookie = {version = "0.15", features = ["percent-encode"]}
    

    and by adjusting line 216 in main.rs:

    .filter_map(|cookie| Cookie::parse_encoded(cookie).ok())
    
    opened by ChosunOne 5
  • Would you be interested in some kind of community?

    Would you be interested in some kind of community?

    I've received many request to create some kind of community about Rust x Hacking.

    To be clear I don't have the bandwidth today to do that.

    But as this is a really interesting thing that I could set up in the future, I want to gather some feedback before.

    The biggest advantage of a community is peer-to-peer learning, where everyone can share their discoveries.

    The biggest disadvantages of a community around security are identities and potential scams.

    To be honest, I'm not a fan of chat communities (Discord, Matrix...): The knowledge is quickly lost, and it's very easy to mix a lot of conversations.

    I would prefer a forum, which provide a searchable archive.

    What do you think about it? What would you prefer, and why?

    opened by skerkour-dev 5
  • About the latest post of build a web-app with rust & wasm

    About the latest post of build a web-app with rust & wasm

    I was not familiar with yew and wasm, so I'm learning from your post, thank you for your great post. But, the problem is, it seems like there are huge changes between yew-0.18 and yew-0.19, it's almost impossible to follow your instructions. So, I don't know if you have to plan to use the new yew and update the post or something like that... Or maybe, I will follow the docs to get familiar with yew (the slow way). Anyway, a big thanks.

    opened by azusachino 3
  • Ch2. serde Deserialize feature not explicit

    Ch2. serde Deserialize feature not explicit

    info: The currently active `rustc` version is `rustc 1.63.0-nightly (cd282d7f7 2022-05-18)`
    
    [dependencies]
    anyhow = "1.0.57"
    rayon = "1.5.3"
    serde = "1.0.137"
    thiserror = "1.0.31"
    

    My model.rs file is the same as https://github.com/skerkour/black-hat-rust/blob/main/ch_02/tricoder/src/model.rs yet the compiler complains

    error: cannot find derive macro `Deserialize` in this scope
      --> src/model.rs:15:17
       |
    15 | #[derive(Debug, Deserialize, Clone)]
       |                 ^^^^^^^^^^^
       |
    note: `Deserialize` is imported here, but it is only a trait, without a derive macro
      --> src/model.rs:1:5
       |
    1  | use serde::Deserialize;
       |     ^^^^^^^^^^^^^^^^^^
    

    Your repo shows this import as a feature inclusion;

    serde = { version = "1", features = ["derive"] }
    

    but this is never mentioned in the book afaict.

    opened by tylerhjones 3
  • Book Typos?

    Book Typos?

    Hey Sylvain,

    I've just started the book and the introduction has been really excited! Looking forward to an awesome read.

    I found a typo in the black hat book (section 5.3.2), where do I file the edit?

    opened by moomoolive 3
  • question: what I need to know before I read the book?

    question: what I need to know before I read the book?

    rust is my first programming language I am still trying to figure out my way in programing I did read few books and each one tackled subject I had no prior experience in and I did not get the most of the books but I tried to get as much as I can from them I was wandering if the "rust black hat" is required to have prior knowledge in some topics and if there are some what are thy

    PS: forgive me for my bad English its not my first language

    opened by falcongx 3
  • Letter 'e' is disturbing to read in .pdf format

    Letter 'e' is disturbing to read in .pdf format

    Hi!

    Thanks for creating this book. I have just started reading the pdf version and i noticed the letter 'e' is undistinguishable from 'c' letter which makes it a bit hard to read. Would it be possible to change that?

    Screenshot from 2021-09-27 11-35-52

    I am facing no difficulties with reading any other text on internet so this must be something with the formatting of this book.

    Thanks!

    opened by legezam 3
  • Code block font size too large

    Code block font size too large

    I think the book would benefit from a smaller font size for code blocks. In both the PDF and epub versions (didn’t look at mobi), the code block font looks larger than the body text font. To minimize wrapping of code blocks, I think a smaller monospace font size would look better. It would also look more harmonious with the body font size.

    (Same comment applies to your blog posts IMO).

    For example, here is a screenshot from the Rust Book, which I think has the right proportion of body font size to code block size:

    IMG_0391

    opened by pkazmier 3
  • Refactor to understand

    Refactor to understand

    Hello! This pull request is not meant to merged. I just bought access to your black hat rust course, and I've been using rust for two years now but I know nothing about cybersecurity (but want to!). I figured the best way for me to understand the security part was to go through section by section refactoring code until it made sense to me. Obviously my little refactor incorporates parts of Rust you don't want to bother the reader with yet, but I do have some small suggestions and questions.

    Questions:

    1. What's the deal with this?
    let socket_addrs: Vec<SocketAddr> =
                format!("{}:1024", subdomain).to_socket_addrs()?.collect();
    
    1. If you were trying to avoid detection as mentioned in the text by pinging these over a longer period of time, how long would that be? Say generate a random wait between 60 - 360 seconds, or 2 - 5 hours, etc.

    Suggestions:

    1. You should probably scan for open ports before constructing a Subdomain struct. Initializing the open_ports field with an empty vec creates a struct which doesn't reflect reality. My version places scanning for open ports in the struct's constructor by implementing the from trait, but you could just wait to instantiate the Subdomain structs until you've found the open ports.
    2. Having both a port struct with a field indicating whether the port is open and the field "open_ports" on the subdomain struct is a little strange, and risks representing an invalid state (the subdomain.open_ports vec could contain a port with port.is_open set to false). Whether or not a port is open should be indicated in one place only.
    3. Since you've introduced the anyhow and thiserror crates, there's really no reason to be unwrapping anywhere.
    opened by bcpeinhardt 0
  • question: will this book be available in print once it's completed?

    question: will this book be available in print once it's completed?

    hi! i like to read physical copies of programming books so that i can mark them up and keep them on my shelf. will https://academy.kerkour.com/black-hat-rust?coupon=BLOG be available in print form once it's completed? i didn't see an obvious answer on the marketing website or on this github repo, please let me know if i missed something. thanks very much, best of luck with the book, looks really cool!

    opened by jrheard 7
Owner
Sylvain Kerkour
(Ab)using technology for fun & profit: Programming, Hacking & Entrepreneurship - https://kerkour.com
Sylvain Kerkour
A Rust implementation of the Message Layer Security group messaging protocol

Molasses An extremely early implementation of the Message Layer Security group messaging protocol. This repo is based on draft 4 of the MLS protocol s

Trail of Bits 109 Dec 13, 2022
Security advisory database for Rust crates published through crates.io

RustSec Advisory Database The RustSec Advisory Database is a repository of security advisories filed against Rust crates published via https://crates.

RustSec 682 Jan 1, 2023
Automate device security provisioning with edge intelligence.

UNiD Automate device security provisioning with edge intelligence Features Decentralized PKI(DPKI), DIDs, DKMS, and Credential Management End-to-End E

UNiD 101 Oct 21, 2022
A utility like pkg-audit for Arch Linux. Based on Arch Security Team data.

arch-audit pkg-audit-like utility for Arch Linux. Based on data from security.archlinux.org collected by the awesome Arch Security Team. Installation

Andrea Scarpino 316 Nov 22, 2022
The Swiss Army Knife for Binary (In)security

binsec Swiss Army Knife for Binary (In)security binsec is a minimal static analysis utility for detecting security capabilities in ELF/PE/Mach-O execu

Alan 15 Dec 16, 2022
Bindings to the macOS Security.framework

macOS/iOS Security framework for Rust Documentation Bindings to the Apple's Security.framework. Allows use of TLS and Keychain from Rust. License Lice

Kornel 172 Jan 2, 2023
Minimal and persistent key-value store designed with security in mind

microkv Minimal and persistent key-value store designed with security in mind. Introduction microkv is a persistent key-value store implemented in Rus

Alan 17 Jan 2, 2023
Audit Cargo.lock files for dependencies with security vulnerabilities

RustSec Crates ?? ??️ ?? The RustSec Advisory Database is a repository of security advisories filed against Rust crates published via crates.io. The a

RustSec 1.2k Jan 5, 2023
🕵️‍♀️ Find, locate, and query files for ops and security experts ⚡️⚡️⚡️

Recon Find, locate, and query files for ops and security experts Key Features • How To Use • Download • Contributing • License Key Features Query with

Rusty Ferris Club 11 Dec 16, 2022
irulescan is a static security analyzer for iRules

irulescan is a tool to scan iRules for unexpected/unsafe expressions that may have undesirable effects like double substitution.

Simon Kowallik 2 Dec 18, 2022
An esoteric language/compiler written with Rust and Rust LLVM bindings

MeidoLang (メイドラング) A not so useful and esoteric language. The goal of this project was to contain some quirky or novel syntax in a stack-style program

null 0 Dec 24, 2021
subscout is a simple, nimble subdomain enumeration tool written in Rust language

subscout is a simple, nimble subdomain enumeration tool written in Rust language. It is designed to help bug bounty hunters, security professionals and penetration testers discover subdomains of a given target domain.

Dom Sec 5 Apr 5, 2023
A high level language for SELinux policy

Introduction Cascade is a project to build a new high level language for defining SELinux policy. The overall structure of the language is essentially

Daniel Burgener 42 Dec 14, 2022
Detects usage of unsafe Rust in a Rust crate and its dependencies.

cargo-geiger ☢️ Looking for maintainer: https://github.com/rust-secure-code/cargo-geiger/issues/210 A program that lists statistics related to the usa

Rust Secure Code Working Group 1.1k Jan 4, 2023
Rust-verification-tools - RVT is a collection of tools/libraries to support both static and dynamic verification of Rust programs.

Rust verification tools This is a collection of tools/libraries to support both static and dynamic verification of Rust programs. We see static verifi

null 253 Dec 31, 2022
Rust bindings for libinjection

libinjection-rs Rust bindings for libinjection. How to use Add libinjection to dependencies of Cargo.toml: libinjection = "0.2" Import crate: extern c

ArvanCloud 35 Sep 24, 2022
A simple password manager written in Rust

ripasso A simple password manager written in Rust. The root crate ripasso is a library for accessing and decrypting passwords stored in pass format (G

Joakim Lundborg 548 Dec 26, 2022
tcp connection hijacker, rust rewrite of shijack

rshijack tcp connection hijacker, rust rewrite of shijack from 2001. This was written for TAMUctf 2018, brick house 100. The target was a telnet serve

null 377 Jan 1, 2023
A fast, simple, recursive content discovery tool written in Rust.

A simple, fast, recursive content discovery tool written in Rust ?? Releases ✨ Example Usage ✨ Contributing ✨ Documentation ?? ?? What the heck is a f

epi 3.6k Dec 30, 2022