Contents in Detail 1. Cover Page 2. Title Page 3. Copyright Page 4. About the Authors 5. BRIEF CONTENTS 6. CONTENTS IN DETAIL 7. FOREWORD 8. ACKNOWLEDGMENTS 9. INTRODUCTION 1. Who This Book Is For 2. What This Book Isn’t 3. Why Use Go for Hacking? 4. Why You Might Not Love Go 5. Chapter Overview 10. 1 GO FUNDAMENTALS 1. Setting Up a Development Environment 2. Understanding Go Syntax 3. Summary 11. 2 TCP, SCANNERS, AND PROXIES 1. Understanding the TCP Handshake 2. Bypassing Firewalls with Port Forwarding 3. Writing a TCP Scanner 4. Building a TCP Proxy 5. Summary 12. 3 HTTP CLIENTS AND REMOTE INTERACTION WITH TOOLS 1. HTTP Fundamentals with Go 2. Building an HTTP Client That Interacts with Shodan 3. Interacting with Metasploit 4. Parsing Document Metadata with Bing Scraping 5. Summary HivaNetwork.Com 13. 4 HTTP SERVERS, ROUTING, AND MIDDLEWARE 1. HTTP Server Basics 2. Credential Harvesting 3. Keylogging with the WebSocket API 4. Multiplexing Command-and-Control 5. Summary 14. 5 EXPLOITING DNS 1. Writing DNS Clients 2. Writing DNS Servers 3. Summary 15. 6 INTERACTING WITH SMB AND NTLM 1. The SMB Package 2. Understanding SMB 3. Guessing Passwords with SMB 4. Reusing Passwords with the Pass-the-Hash Technique 5. Recovering NTLM Passwords 6. Summary 16. 7 ABUSING DATABASES AND FILESYSTEMS 1. Setting Up Databases with Docker 2. Connecting and Querying Databases in Go 3. Building a Database Miner 4. Pillaging a Filesystem 5. Summary 17. 8 RAW PACKET PROCESSING 1. Setting Up Your Environment 2. Identifying Devices by Using the pcap Subpackage 3. Live Capturing and Filtering Results 4. Sniffing and Displaying Cleartext User Credentials 5. Port Scanning Through SYN-flood Protections 6. Summary 18. 9 WRITING AND PORTING EXPLOIT CODE 1. Creating a Fuzzer 2. Porting Exploits to Go 3. Creating Shellcode in Go 4. Summary 19. 10 GO PLUGINS AND EXTENDABLE TOOLS 1. Using Go’s Native Plug-in System 2. Building Plug-ins in Lua 3. Summary 20. 11 IMPLEMENTING AND ATTACKING CRYPTOGRAPHY 1. Reviewing Basic Cryptography Concepts 2. Understanding the Standard Crypto Library 3. Exploring Hashing 4. Authenticating Messages 5. Encrypting Data 6. Brute-Forcing RC2 7. Summary 21. 12 WINDOWS SYSTEM INTERACTION AND ANALYSIS 1. The Windows API’s OpenProcess() Function 2. The unsafe.Pointer and uintptr Types 3. Performing Process Injection with the syscall Package 4. The Portable Executable File 5. Using C with Go 6. Summary 22. 13 HIDING DATA WITH STEGANOGRAPHY 1. Exploring the PNG Format 2. Reading Image Byte Data 3. Writing Image Byte Data to Implant a Payload 4. Encoding and Decoding Image Byte Data by Using XOR 5. Summary 6. Additional Exercises 23. 14 BUILDING A COMMAND-AND-CONTROL RAT 1. Getting Started 2. Defining and Building the gRPC API 3. Creating the Server 4. Creating the Client Implant 5. Building the Admin Component 6. Running the RAT 7. Improving the RAT 8. Summary 24. Index 1. i 2. ii 3. iii 4. iv 5. v 6. vi 7. vii 8. viii 9. ix 10. x 11. xi 12. xii 13. xiii 14. xiv 15. xv 16. xvi 17. xvii 18. xviii 19. xix 20. xx 21. xxi 22. xxii 23. xxiii 24. xxiv 25. xxv 26. xxvi 27. 1 28. 2 29. 3 30. 4 31. 5 32. 6 33. 7 34. 8 35. 9 36. 10 37. 11 38. 12 39. 13 40. 14 41. 15 42. 16 43. 17 44. 18 45. 19 46. 20 47. 21 48. 22 49. 23 50. 24 51. 25 52. 26 53. 27 54. 28 55. 29 56. 30 57. 31 58. 32 59. 33 60. 34 61. 35 62. 36 63. 37 64. 38 65. 39 66. 40 67. 41 68. 42 69. 43 70. 44 71. 45 72. 46 73. 47 74. 48 75. 49 76. 50 77. 51 78. 52 79. 53 80. 54 81. 55 82. 56 83. 57 84. 58 85. 59 86. 60 87. 61 88. 62 89. 63 90. 64 91. 65 92. 66 93. 67 94. 68 95. 69 96. 70 97. 71 98. 72 99. 73 100. 74 101. 75 102. 76 103. 77 104. 78 105. 79 106. 80 107. 81 108. 82 109. 83 110. 84 111. 85 112. 86 113. 87 114. 88 115. 89 116. 90 117. 91 118. 92 119. 93 120. 94 121. 95 122. 96 123. 97 124. 98 125. 99 126. 100 127. 101 128. 102 129. 103 130. 104 131. 105 132. 106 133. 107 134. 108 135. 109 136. 110 137. 111 138. 112 139. 113 140. 114 141. 115 142. 116 143. 117 144. 118 145. 119 146. 120 147. 121 148. 122 149. 123 150. 124 151. 125 152. 126 153. 127 154. 128 155. 129 156. 130 157. 131 158. 132 159. 133 160. 134 161. 135 162. 136 163. 137 164. 138 165. 139 166. 140 167. 141 168. 142 169. 143 170. 144 171. 145 172. 146 173. 147 174. 148 175. 149 176. 150 177. 151 178. 152 179. 153 180. 154 181. 155 182. 156 183. 157 184. 158 185. 159 186. 160 187. 161 188. 162 189. 163 190. 164 191. 165 192. 166 193. 167 194. 168 195. 169 196. 170 197. 171 198. 172 199. 173 200. 174 201. 175 202. 176 203. 177 204. 178 205. 179 206. 180 207. 181 208. 182 209. 183 210. 184 211. 185 212. 186 213. 187 214. 188 215. 189 216. 190 217. 191 218. 192 219. 193 220. 194 221. 195 222. 196 223. 197 224. 198 225. 199 226. 200 227. 201 228. 202 229. 203 230. 204 231. 205 232. 206 233. 207 234. 208 235. 209 236. 210 237. 211 238. 212 239. 213 240. 214 241. 215 242. 216 243. 217 244. 218 245. 219 246. 220 247. 221 248. 222 249. 223 250. 224 251. 225 252. 226 253. 227 254. 228 255. 229 256. 230 257. 231 258. 232 259. 233 260. 234 261. 235 262. 236 263. 237 264. 238 265. 239 266. 240 267. 241 268. 242 269. 243 270. 244 271. 245 272. 246 273. 247 274. 248 275. 249 276. 250 277. 251 278. 252 279. 253 280. 254 281. 255 282. 256 283. 257 284. 258 285. 259 286. 260 287. 261 288. 262 289. 263 290. 264 291. 265 292. 266 293. 267 294. 268 295. 269 296. 270 297. 271 298. 272 299. 273 300. 274 301. 275 302. 276 303. 277 304. 278 305. 279 306. 280 307. 281 308. 282 309. 283 310. 284 311. 285 312. 286 313. 287 314. 288 315. 289 HivaNetwork.Com 316. 290 317. 291 318. 292 319. 293 320. 294 321. 295 322. 296 323. 297 324. 298 325. 299 326. 300 327. 301 328. 302 329. 303 330. 304 331. 305 332. 306 333. 307 334. 308 335. 309 336. 310 337. 311 338. 312 339. 313 340. 314 341. 315 342. 316 343. 317 344. 318 345. 319 346. 320 347. 321 348. 322 349. 323 350. 324 351. 325 352. 326 353. 327 354. 328 355. 329 356. 330 357. 331 358. 332 359. 333 360. 334 361. 335 362. 336 363. 337 364. 338 365. 339 366. 340 367. 341 368. 342 BLACK HAT GO Go Programming for Hackers and Pentesters by Tom Steele, Chris Patten, and Dan Kottmann San Francisco BLACK HAT GO. Copyright © 2020 by Tom Steele, Chris Patten, and Dan Kottmann. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. ISBN-10: 1-59327-865-9 ISBN-13: 978-1-59327-865-6 Publisher: William Pollock Production Editor: Laurel Chun Cover Illustration: Jonny Thomas Interior Design: Octopod Studios Developmental Editors: Frances Saux and Zach Lebowski Technical Reviewer: Alex Harvey Copyeditor: Sharon Wilkey Compositor: Danielle Foster Proofreader: Brooke Littrel Indexer: Beth Nauman-Montana For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly: No Starch Press, Inc. 245 8th Street, San Francisco, CA 94103 phone: 1.415.863.9900; info@nostarch.com www.nostarch.com Library of Congress Cataloging-in-Publication Data Names: Steele, Tom (Security Consultant), author. | Patten, Chris, author. | Kottmann, Dan, author. Title: Black Hat Go : Go programming for hackers and pentesters / Tom Steele, Chris Patten, and Dan Kottmann. Description: San Francisco : No Starch Press, 2020. | Includes bibliographical references and index. | Summary: "A guide to Go that begins by introducing fundamentals like data types, control structures, and error handling. Provides instruction on how to use Go for tasks such as sniffing and processing packets, creating HTTP clients, and writing exploits."-- Provided by publisher. Identifiers: LCCN 2019041864 (print) | LCCN 2019041865 (ebook) | ISBN 9781593278656 | ISBN 9781593278663 (ebook) Subjects: LCSH: Penetration testing (Computer security) | Go (Computer program language) Classification: LCC QA76.9.A25 S739 2020 (print) | LCC QA76.9.A25 (ebook) | DDC 005.8--dc23 LC record available at https://lccn.loc.gov/2019041864 LC ebook record available at https://lccn.loc.gov/2019041865 No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the authors nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it. ABOUT THE AUTHORS Tom Steele has been using Go since the version 1 release in 2012 and was one of the first in his field to leverage the language for offensive tooling. He is a managing principal research consultant at Atredis Partners with over 10 years of experience performing adversarial and research-based security assessments. Tom has presented and conducted training courses at numerous conferences, including Defcon, Black Hat, DerbyCon, and BSides. Outside of tech, Tom is also a Black Belt in Brazilian jiujitsu who competes regularly, both regionally and nationally. He owns and operates his own jiujitsu academy in Idaho. Chris Patten is the founding partner and lead consultant of STACKTITAN, a specialized adversarial services security consultancy. Chris has been practicing in the security industry for more than 25 years in various capacities. He spent the last decade consulting for a number of commercial and government organizations on diverse security issues, including adversarial offensive techniques, threat hunting capabilities, and mitigation strategies. Chris spent his latest tenure leading one of North America’s largest advanced adversarial teams. Prior to formal consulting, Chris honorably served in the US Air Force, supporting the war-fighting effort. He actively served within the Department of Defense Special Operations Intelligence community at USSOCOM, consulting for Special Operations Groups on sensitive cyber warfare initiatives. Following Chris’s military service, he held lead architect positions at numerous Fortune 500 telecommunication companies, working with partners in a research capacity. Dan Kottmann is a founding partner and lead consultant of STACKTITAN. He has played an integral role in the growth and development of the largest North American adversarial consultancy, directly influencing technical tradecraft, process efficiency, customer experience, and delivery quality. With 15 years of experience, Dan has dedicated nearly the entirety of his professional career to cross-industry, customer-direct consulting and consultancy development, primarily focused on information security and application delivery. Dan has presented at various national and regional security conferences, including Defcon, BlackHat Arsenal, DerbyCon, BSides, and more. He has a passion for software development and has created various open-source and proprietary applications, from simple command line tools to complex, three-tier, and cloud-based web applications. ABOUT THE TECHNICAL REVIEWER Alex Harvey has been working with technology his whole life and got his start with embedded systems, robotics, and programming. He moved into information security about 15 years ago, focusing on security testing and research. Never one to shy away from making a tool for the job, he started using the Go programming language and has not looked back. BRIEF CONTENTS Foreword by HD Moore Acknowledgments Introduction Chapter 1: Go Fundamentals Chapter 2: TCP, Scanners, and Proxies Chapter 3: HTTP Clients and Remote Interaction with Tools Chapter 4: HTTP Servers, Routing, and Middleware Chapter 5: Exploiting DNS Chapter 6: Interacting with SMB and NTLM Chapter 7: Abusing Databases and Filesystems Chapter 8: Raw Packet Processing Chapter 9: Writing and Porting Exploit Code Chapter 10: Go Plugins and Extendable Tools Chapter 11: Implementing and Attacking Cryptography Chapter 12: Windows System Interaction and Analysis Chapter 13: Hiding Data with Steganography Chapter 14: Building a Command-and-Control RAT Index