Black Hat Rust

I will begin my library excursion with a book I've read a little of and am excited to get through, and I hope to be able to fully explain it as I go along. Chapter 1. Core Concepts in Cybersecurity -

Most programming languages have trade-offs between speed and safety. I like writing C code personally, but I'm sure I wouldn't be too gung-ho if my code was responsible for keeping patients in a hospital alive; for that I would much rather write Python (maybe not). But just as well, Python would be a poor choice for time-sensitive and mission-critical software that steers a rocket landing on a moon. Rust so far has proven to be a perfect trade-off between all these paradigms, and since I agree, I have been trying to learn Rust for a couple of months now.

This first chapter starts out by covering various vocabulary, which I will now also get out of the way. Pen tests are a means by which hackers or cybersecurity experts try to discover vulnerabilities within their infrastructures. Red teams are hackers-for-hire appointed by companies to intentionally attempt a hack on their systems and discover whatever vulnerabilities lie among them, whether that be open ports, gullible employees, or simply not locking their server rooms. Bug bounties are payments often made to security testers who have found vulnerabilities in a company's system, whether intentionally or not, so as to persuade them to report those bugs instead of exploiting them. Cybercrime is pretty much what it sounds like: exploiting systems, stealing and selling data, running botnets, spreading malware, etc. Industrial spying: as companies' assets become ever more digitized, shady companies may actually hire hackers to infiltrate their competitors as a means of gaining a competitive advantage.

Now we cover the general layout and phases of a cyberattack. Reconnaissance is about searching for as much info about a target as possible before any action is taken; for private citizens this might involve a search through their social media and public records, or even scanning their network. For companies it's getting their employee listings and scanning for internet-facing machines. These are all examples of both passive and active reconnaissance. Exploitation is the attempt at an initial breach, such as running phishing campaigns, social engineering your way in, sending them malware, cracking their network hash, etc. Lateral movement (or pivoting) is the attempt to remain persistent within their networks and gain access to more data while staying stealthy, so as to avoid detection for as long as possible. Data exfiltration is the process of offloading copies of their data onto foreign machines; this is likely where you'll get caught, as a large amount of data moving out of the network may trigger an endpoint detection system or wary system administrators. Clean-up is the attempt to cover your tracks after stealing data: tmp files, log files, website history, maybe custom TCP sockets left behind.

So who does the hacking? There are many descriptions that can fit here for sure, but here we mean techies with offensive skills to be leveraged in order to exploit vulnerabilities. Exploiters are both developers and security experts able to build customized malware to exploit discovered bugs; they can be distinguished from hackers here, as hackers could just as easily use those tools as provided without having to have built them in the first place. If you can develop, it is often wise to build custom tools, as publicly available and common tools have a higher risk of getting detected. Knowing about system administration is a boon as well, as sysadmins will be the ones who know how to respond to insecure infrastructure to reduce the damage done, and here we would want to do the opposite.

Attribution is the act of attempting to identify the attackers: an attack can come in waves correlating to time zones, the tools could be written in specific languages, the defenders could attempt to send false data in order to bait out mistakes, or the attackers could post about their accomplishments on various forums. All of these could also be false positives, however, planted in an attempt to spoof a false identity.

The writer spends a bit of time gassing up Rust and calling Python and Java cringe, and crying about how hard it is to write safe, usable code in C / C++, all of which I agree with lol. So why is Rust so cool? First off, the compiler (I assume they mean Cargo) is strict: for the most part, if the code is trash, it will simply fail to compile and yell at you. "How is that any different from the C compiler?" Well, if it weren't any different, Clownstrike wouldn't have fucked over millions of machines on July 19, 2024. They apparently pushed a live update onto KERNEL-LEVEL software that contained a null pointer, causing a boot loop that almost bricked tons of systems. I have no idea how this made it through their testing (there was probably no testing), but this code is written in C++, which means this wouldn't even have made it past the COMPILER in Rust, let alone been pushed out onto millions of machines. The secret to the compiler's strictness lies in its implementation of a "borrow checker" and "lifetimes". I knew a little about how variables are passed around in Rust and about borrowing, but not much about lifetimes; I won't attempt a deep dive here, as I'm sure we'll get into it more in later chapters. The next best thing about Rust is "enums", which are like a struct that can be in one of many states: when an enum is being matched, the compiler will cry if you don't handle every single case, making careless typing almost impossible. It is also easy to modularize your code, turning bits into "crates" that are easy to work with within the Rust package manager. Rust code is also somewhat easy to read once you get the hang of it, making code reviews a breeze. And finally, the community is awesome; it's not even hard to get started with the language, as the main documentation is literally a book that has you start out with the usual "Hello World" and end with building an entire web server.

After setting up rustup, Docker, and a code editor, we begin writing our first program, a simple SHA1-Cracker. SHA1, as the name would indicate, is an early version of the hashing algorithm, designed to take input and create a hash that is meant to be irreversible back to its original form. One purpose of this is to hash user passwords so they can be kept safely within a database, rather than as cleartext that gives anyone with eyes easy access to private user info. At this point SHA1 is considered insecure, but you could still find it floating around here and there, especially in old websites.

The program -


    use std::env;

    fn main() {
        // Collect the command-line arguments (program name first) into a Vec<String>;
        // the cracker will read the target hash and wordlist path from here.
        let args: Vec<String> = env::args().collect();
    }

TODO: I'll get back to this once I build the software again, even though I already did previously.