Black Hat Go Go Programming for Hackers and Pentesters (Tom Steele, Chris Patten, Dan Kottmann) (Z-Library)

BLACK HAT GO Go Programming for Hackers and Pentesters by Tom Steele, Chris Patten, and Dan Kottmann San Francisco

BLACK HAT GO. Copyright © 2020 by Tom Steele, Chris Patten, and Dan Kottmann. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. ISBN-10: 1-59327-865-9 ISBN-13: 978-1-59327-865-6 Publisher: William Pollock Production Editor: Laurel Chun Cover Illustration: Jonny Thomas Interior Design: Octopod Studios Developmental Editors: Frances Saux and Zach Lebowski Technical Reviewer: Alex Harvey Copyeditor: Sharon Wilkey Compositor: Danielle Foster Proofreader: Brooke Littrel Indexer: Beth Nauman-Montana For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly: No Starch Press, Inc. 245 8th Street, San Francisco, CA 94103 phone: 1.415.863.9900; info@nostarch.com www.nostarch.com Library of Congress Cataloging-in-Publication Data Names: Steele, Tom (Security Consultant), author. | Patten, Chris, author. | Kottmann, Dan, author. Title: Black Hat Go : Go programming for hackers and pentesters / Tom Steele, Chris Patten, and Dan Kottmann. Description: San Francisco : No Starch Press, 2020. | Includes bibliographical references and index. | Summary: "A guide to Go that begins by introducing fundamentals like data types, control structures, and error handling. Provides instruction on how to use Go for tasks such as sniffing and processing packets, creating HTTP clients, and writing exploits."-- Provided by publisher. Identifiers: LCCN 2019041864 (print) | LCCN 2019041865 (ebook) | ISBN 9781593278656 | ISBN 9781593278663 (ebook)

Subjects: LCSH: Penetration testing (Computer security) | Go (Computer program language) Classification: LCC QA76.9.A25 S739 2020 (print) | LCC QA76.9.A25 (ebook) | DDC 005.8--dc23 LC record available at https://lccn.loc.gov/2019041864 LC ebook record available at https://lccn.loc.gov/2019041865 No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the authors nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

ABOUT THE AUTHORS Tom Steele has been using Go since the version 1 release in 2012 and was one of the first in his field to leverage the language for offensive tooling. He is a managing principal research consultant at Atredis Partners with over 10 years of experience performing adversarial and research-based security assessments. Tom has presented and conducted training courses at numerous conferences, including Defcon, Black Hat, DerbyCon, and BSides. Outside of tech, Tom is also a Black Belt in Brazilian jiujitsu who competes regularly, both regionally and nationally. He owns and operates his own jiujitsu academy in Idaho. Chris Patten is the founding partner and lead consultant of STACKTITAN, a specialized adversarial services security consultancy. Chris has been practicing in the security industry for more than 25 years in various capacities. He spent the last decade consulting for a number of commercial and government organizations on diverse security issues, including adversarial offensive techniques, threat hunting capabilities, and mitigation strategies. Chris spent his latest tenure leading one of North America’s largest advanced adversarial teams. Prior to formal consulting, Chris honorably served in the US Air Force, supporting the war-fighting effort. He actively served within the Department of Defense Special Operations Intelligence community at USSOCOM, consulting for Special Operations Groups on sensitive cyber warfare initiatives. Following Chris’s military service, he held lead architect positions at numerous Fortune 500 telecommunication companies, working with partners in a research capacity. Dan Kottmann is a founding partner and lead consultant of STACKTITAN. He has played an integral role in the growth and development of the largest North American adversarial consultancy, directly influencing technical tradecraft, process efficiency, customer experience, and delivery quality. With 15 years of experience, Dan has dedicated nearly the entirety of his professional career to cross-industry, customer-direct consulting and consultancy development, primarily focused on information security and application delivery. Dan has presented at various national and regional security conferences, including Defcon, BlackHat Arsenal, DerbyCon, BSides, and more. He has a passion for software development and has created various open-source and proprietary applications, from simple command line tools to complex, three- tier, and cloud-based web applications.

ABOUT THE TECHNICAL REVIEWER Alex Harvey has been working with technology his whole life and got his start with embedded systems, robotics, and programming. He moved into information security about 15 years ago, focusing on security testing and research. Never one to shy away from making a tool for the job, he started using the Go programming language and has not looked back.

BRIEF CONTENTS Foreword by HD Moore Acknowledgments Introduction Chapter 1: Go Fundamentals Chapter 2: TCP, Scanners, and Proxies Chapter 3: HTTP Clients and Remote Interaction with Tools Chapter 4: HTTP Servers, Routing, and Middleware Chapter 5: Exploiting DNS Chapter 6: Interacting with SMB and NTLM Chapter 7: Abusing Databases and Filesystems Chapter 8: Raw Packet Processing Chapter 9: Writing and Porting Exploit Code Chapter 10: Go Plugins and Extendable Tools Chapter 11: Implementing and Attacking Cryptography Chapter 12: Windows System Interaction and Analysis Chapter 13: Hiding Data with Steganography Chapter 14: Building a Command-and-Control RAT Index

CONTENTS IN DETAIL FOREWORD by HD Moore ACKNOWLEDGMENTS INTRODUCTION Who This Book Is For What This Book Isn’t Why Use Go for Hacking? Why You Might Not Love Go Chapter Overview 1 GO FUNDAMENTALS Setting Up a Development Environment Downloading and Installing Go Setting GOROOT to Define the Go Binary Location Setting GOPATH to Determine the Location of Your Go Workspace Choosing an Integrated Development Environment Using Common Go Tool Commands Understanding Go Syntax Data Types Control Structures Concurrency Error Handling Handling Structured Data Summary 2 TCP, SCANNERS, AND PROXIES Understanding the TCP Handshake Bypassing Firewalls with Port Forwarding Writing a TCP Scanner Testing for Port Availability Performing Nonconcurrent Scanning Performing Concurrent Scanning Building a TCP Proxy Using io.Reader and io.Writer Creating the Echo Server

Improving the Code by Creating a Buffered Listener Proxying a TCP Client Replicating Netcat for Command Execution Summary 3 HTTP CLIENTS AND REMOTE INTERACTION WITH TOOLS HTTP Fundamentals with Go Calling HTTP APIs Generating a Request Using Structured Response Parsing Building an HTTP Client That Interacts with Shodan Reviewing the Steps for Building an API Client Designing the Project Structure Cleaning Up API Calls Querying Your Shodan Subscription Creating a Client Interacting with Metasploit Setting Up Your Environment Defining Your Objective Retrieving a Valid Token Defining Request and Response Methods Creating a Configuration Struct and an RPC Method Performing Remote Calls Creating a Utility Program Parsing Document Metadata with Bing Scraping Setting Up the Environment and Planning Defining the metadata Package Mapping the Data to Structs Searching and Receiving Files with Bing Summary 4 HTTP SERVERS, ROUTING, AND MIDDLEWARE HTTP Server Basics Building a Simple Server Building a Simple Router Building Simple Middleware Routing with the gorilla/mux Package Building Middleware with Negroni Adding Authentication with Negroni

Using Templates to Produce HTML Responses Credential Harvesting Keylogging with the WebSocket API Multiplexing Command-and-Control Summary 5 EXPLOITING DNS Writing DNS Clients Retrieving A Records Processing Answers from a Msg struct Enumerating Subdomains Writing DNS Servers Lab Setup and Server Introduction Creating DNS Server and Proxy Summary 6 INTERACTING WITH SMB AND NTLM The SMB Package Understanding SMB Understanding SMB Security Tokens Setting Up an SMB Session Using Mixed Encoding of Struct Fields Understanding Metadata and Referential Fields Understanding the SMB Implementation Guessing Passwords with SMB Reusing Passwords with the Pass-the-Hash Technique Recovering NTLM Passwords Calculating the Hash Recovering the NTLM Hash Summary 7 ABUSING DATABASES AND FILESYSTEMS Setting Up Databases with Docker Installing and Seeding MongoDB Installing and Seeding PostgreSQL and MySQL Databases Installing and Seeding Microsoft SQL Server Databases Connecting and Querying Databases in Go Querying MongoDB

Querying SQL Databases Building a Database Miner Implementing a MongoDB Database Miner Implementing a MySQL Database Miner Pillaging a Filesystem Summary 8 RAW PACKET PROCESSING Setting Up Your Environment Identifying Devices by Using the pcap Subpackage Live Capturing and Filtering Results Sniffing and Displaying Cleartext User Credentials Port Scanning Through SYN-flood Protections Checking TCP Flags Building the BPF Filter Writing the Port Scanner Summary 9 WRITING AND PORTING EXPLOIT CODE Creating a Fuzzer Buffer Overflow Fuzzing SQL Injection Fuzzing Porting Exploits to Go Porting an Exploit from Python Porting an Exploit from C Creating Shellcode in Go C Transform Hex Transform Num Transform Raw Transform Base64 Encoding A Note on Assembly Summary 10 GO PLUGINS AND EXTENDABLE TOOLS Using Go’s Native Plug-in System Creating the Main Program Building a Password-Guessing Plug-in

Running the Scanner Building Plug-ins in Lua Creating the head() HTTP Function Creating the get() Function Registering the Functions with the Lua VM Writing Your Main Function Creating Your Plug-in Script Testing the Lua Plug-in Summary 11 IMPLEMENTING AND ATTACKING CRYPTOGRAPHY Reviewing Basic Cryptography Concepts Understanding the Standard Crypto Library Exploring Hashing Cracking an MD5 or SHA-256 Hash Implementing bcrypt Authenticating Messages Encrypting Data Symmetric-Key Encryption Asymmetric Cryptography Brute-Forcing RC2 Getting Started Producing Work Performing Work and Decrypting Data Writing the Main Function Running the Program Summary 12 WINDOWS SYSTEM INTERACTION AND ANALYSIS The Windows API’s OpenProcess() Function The unsafe.Pointer and uintptr Types Performing Process Injection with the syscall Package Defining the Windows DLLs and Assigning Variables Obtaining a Process Token with the OpenProcess Windows API Manipulating Memory with the VirtualAllocEx Windows API Writing to Memory with the WriteProcessMemory Windows API Finding LoadLibraryA with the GetProcessAddress Windows API Executing the Malicious DLL Using the CreateRemoteThread Windows API Verifying Injection with the WaitforSingleObject Windows API

Cleaning Up with the VirtualFreeEx Windows API Additional Exercises The Portable Executable File Understanding the PE File Format Writing a PE Parser Additional Exercises Using C with Go Installing a C Windows Toolchain Creating a Message Box Using C and the Windows API Building Go into C Summary 13 HIDING DATA WITH STEGANOGRAPHY Exploring the PNG Format The Header The Chunk Sequence Reading Image Byte Data Reading the Header Data Reading the Chunk Sequence Writing Image Byte Data to Implant a Payload Locating a Chunk Offset Writing Bytes with the ProcessImage() Method Encoding and Decoding Image Byte Data by Using XOR Summary Additional Exercises 14 BUILDING A COMMAND-AND-CONTROL RAT Getting Started Installing Protocol Buffers for Defining a gRPC API Creating the Project Workspace Defining and Building the gRPC API Creating the Server Implementing the Protocol Interface Writing the main() Function Creating the Client Implant Building the Admin Component Running the RAT Improving the RAT Encrypt Your Communications

Handle Connection Disruptions Register the Implants Add Database Persistence Support Multiple Implants Add Implant Functionality Chain Operating System Commands Enhance the Implant’s Authenticity and Practice Good OPSEC Add ASCII Art Summary INDEX

FOREWORD Programming languages have always had an impact on information security. The design constraints, standard libraries, and protocol implementations available within each language end up defining the attack surface of any application built on them. Security tooling is no different; the right language can simplify complex tasks and make the incredibly difficult ones trivial. Go’s cross-platform support, single-binary output, concurrency features, and massive ecosystem make it an amazing choice for security tool development. Go is rewriting the rules for both secure application development and the creation of security tools, enabling faster, safer, and more portable tooling. Over the 15 years that I worked on the Metasploit Framework, the project went through two full rewrites, changed languages from Perl to Ruby, and now supports a range of multilingual modules, extensions, and payloads. These changes reflect the constantly evolving nature of software development; in order to keep up in security, your tools need to adapt, and using the right language can save an enormous amount of time. But just like Ruby, Go didn’t become ubiquitous overnight. It takes a leap of faith to build anything of value using a new language, given the uncertainties of the ecosystem and the sheer amount of effort needed to accomplish common tasks before the standard libraries catch up. The authors of Black Hat Go are pioneers in Go security tool development, responsible for some of the earliest open source Go projects, including BlackSheepWall, Lair Framework, and sipbrute, among many others. These projects serve as excellent examples of what can be built using the language. The authors are just as comfortable building software as tearing it apart, and this book is a great example of their ability to combine these skills. Black Hat Go provides everything necessary to get started with Go development in the security space without getting bogged down into the lesser-used language features. Want to write a ridiculous fast network scanner, evil HTTP proxy, or cross-platform command-and-control framework? This book is for you. If you are a seasoned programmer looking for insight into security tool development, this book will introduce the concepts and trade-offs that hackers of all stripes consider when writing tools. Veteran Go developers who are interested in security may learn a lot from the approaches taken here, as building tools to attack other software requires a different mindset than typical application development. Your design trade-offs will likely be substantially different when your goals include bypassing security controls and evading detection. If you already work in offensive security, this book will help you build utilities that are light-years faster than existing solutions. If you work on the

defense side or in incident response, this book will give you an idea of how to analyze and defend against malware written in the Go language. Happy hacking! HD Moore Founder of the Metasploit Project and the Critical Research Corporation VP of Research and Development at Atredis Partners

ACKNOWLEDGMENTS This book would not be possible had Robert Griesemer, Rob Pike, and Ken Thompson not created this awesome development language. These folks and the entire core Go development team consistently contribute useful updates upon each release. We would have never written this book had the language not been so easy and fun to learn and use. The authors would also like to thank the team at No Starch Press: Laurel, Frances, Bill, Annie, Barbara, and everyone else with whom we interacted. You all guided us through the unchartered territory of writing our first book. Life happens—new families, new jobs—and all the while you’ve been patient but still pushed us to complete this book. The entire No Starch Press team has been a pleasure to work with on this project. I would like to thank Jen for all her support, encouragement, and for keeping life moving forward while I was locked away in my office nights and weekends, working on this never-ending book. Jen, you helped me more than you know, and your constant words of encouragement helped make this a reality. I am sincerely grateful to have you in my life. I must thank “T” (my canine quadra-pet) for holding the floor down in my office while I hacked away and reminding me that “outside” is a real place I should visit. Lastly, and close to my heart, I want to dedicate this book to my pups, Luna and Annie, who passed while I was writing this book. You girls were and are everything to me and this book will always be a reminder of my love for you both. Chris Patten I would like to extend a sincere thank you to my wife and best friend, Katie, for your constant support, encouragement, and belief in me. Not a day goes by when I’m not grateful for everything you do for me and our family. I’d like to thank Brooks and Subs for giving me reason to work so hard. There is no better job than being your father. And to the best “Office Hounds” a guy could ask for—Leo (RIP), Arlo, Murphy, and even Howie (yes, Howie too)—you’ve systematically destroyed my house and periodically made me question my life choices, but your presence and companionship mean the world to me. I’ll give each of you a signed copy of this book to chew on. Dan Kottmann Thank you to the love of my life, Jackie, for your love and encouragement; nothing I do would be possible without your support and everything you do

for our family. Thank you to my friends and colleagues at Atredis Partners and to anyone I’ve shared a shell with in the past. I am where I am because of you. Thank you to my mentors and friends who have believed in me since day one. There are too many of you to name; I am grateful for the incredible people in my life. Thank you, Mom, for putting me in computer classes (these were a thing). Looking back, those were a complete waste of time and I spent most of the time playing Myst, but it sparked an interest (I miss the 90s). Most importantly, thank you to my Savior, Jesus Christ. Tom Steele It was a long road to get here—almost three years. A lot has happened to get to this point, and here we are, finally. We sincerely appreciate the early feedback we received from friends, colleagues, family, and early-release readers. For your patience, dear reader, thank you so, so very much; we are truly grateful and hope you enjoy this book just as much as we enjoyed writing it. All the best to you! Now Go create some amazing code!

INTRODUCTION For about six years, the three of us led one of North America’s largest dedicated penetration-testing consulting practices. As principal consultants, we executed technical project work, including network penetration tests, on behalf of our clients—but we also spearheaded the development of better tools, processes, and methodology. And at some point, we adopted Go as one of our primary development languages. Go provides the best features of other programming languages, striking a balance between performance, safety, and user-friendliness. Soon, we defaulted to it as our language of choice when developing tools. Eventually, we even found ourselves acting as advocates of the language, pushing for our colleagues in the security industry to try it. We felt the benefits of Go were at least worthy of consideration. In this book, we’ll take you on a journey through the Go programming language from the perspective of security practitioners and hackers. Unlike other hacking books, we won’t just show you how to automate third-party or commercial tools (although we’ll touch on that a little). Instead, we’ll delve into practical and diverse topics that approach a specific problem, protocol, or tactic useful to adversaries. We’ll cover TCP, HTTP, and DNS communications, interact with Metasploit and Shodan, search filesystems and databases, port exploits from other languages to Go, write the core functions of an SMB client, attack Windows, cross-compile binaries, mess with crypto, call C libraries, interact with the Windows API, and much, much more. It’s ambitious! We’d better begin . . . WHO THIS BOOK IS FOR This book is for anyone who wants to learn how to develop their own hacking tools using Go. Throughout our professional careers, and particularly as consultants, we’ve advocated for programming as a fundamental skill for penetration testers and security professionals. Specifically, the ability to code

enhances your understanding of how software works and how it can be broken. Also, if you’ve walked in a developer’s shoes, you’ll gain a more holistic appreciation for the challenges they face in securing software, and you can use your personal experience to better recommend mitigations, eliminate false positives, and locate obscure vulnerabilities. Coding often forces you to interact with third-party libraries and various application stacks and frameworks. For many people (us included), it’s hands-on experience and tinkering that leads to the greatest personal development. To get the most out of this book, we encourage you to clone the book’s official code repository so you have all the working examples we’ll discuss. Find the examples at https://github.com/blackhat-go/bhg/. WHAT THIS BOOK ISN’T This book is not an introduction to Go programming in general but an introduction to using Go for developing security tools. We are hackers and then coders—in that order. None of us have ever been software engineers. This means that, as hackers, we put a premium on function over elegance. In many instances, we’ve opted to code as hackers do, disregarding some of the idioms or best practices of software design. As consultants, time is always scarce; developing simpler code is often faster and, therefore, preferable over elegance. When you need to quickly create a solution to a problem, style concerns come secondary. This is bound to anger Go purists, who will likely tweet at us that we don’t gracefully handle all error conditions, that our examples could be optimized, or that better constructs or methods are available to produce the desired results. We’re not, in most cases, concerned with teaching you the best, the most elegant, or 100 percent idiomatic solutions, unless doing so will concretely benefit the end result. Although we’ll briefly cover the language syntax, we do so purely to establish a baseline foundation upon which we can build. After all, this isn’t Learning to Program Elegantly with Go—this is Black Hat Go. WHY USE GO FOR HACKING? Prior to Go, you could prioritize ease of use by using dynamically typed languages—such as Python, Ruby, or PHP—at the expense of performance and safety. Alternatively, you could choose a statically typed language, like C or C++, that offers high performance and safety but isn’t very user-friendly. Go is stripped of much of the ugliness of C, its primary ancestor, making development more user-friendly. At the same time, it’s a statically typed language that produces syntax errors at compile time, increasing your