Security with Go E-Book

Security with Go

Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Acquisition Editors: Dominic Shakeshaft, Suresh M JainProject Editor: Alish FirastaContent Development Editor: Monika SangwanTechnical Editors: Joel D'souza, Bhagyashree RaiCopy Editor: Tom JacobProofreader: Safis EditingIndexer: Tejal Daruwale SoniGraphics: Tania DuttaProduction Coordinator: Aparna Bhagat

First published: January 2018

Production reference: 1300118

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-78862-791-7

www.packtpub.com

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

PacktPub.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the author

John Daniel Leon is a security expert and developer residing in Houston, TX who currently works at IBM Cloud as the Application Security Architect. John maintains DevDungeon.com, a virtual hackerspace for developers and security experts. He has been programming from a young age and has a B.S. in Computer Science from University of North Texas. He spoke at GopherCon 2016 about packet capturing.

John is a polyglot programmer with a strong interest in Python, Go, and Java. Outside of programming and security, he has a background in music theory, performance, and plays violin and guitar.

About the reviewer

Karthik Gaekwad is a veteran engineer who enjoys building software products from scratch, using cloud and container technologies. He has worked in both large enterprises and startups with his career spanning from National Instruments to Mentor Graphics. He was also the first hired engineer at Signal Sciences, an early engineer at StackEngine (which was acquired by Oracle). Currently, Karthik works at Oracle as a principal engineer to build products in the cloud native space.

Karthik has programmed in many languages, including Java, C, C#, Python, and Ruby. He first learned Golang in 2012, and it has been his language of choice ever since. He has written many production-level applications using Go and appreciates its simplicity and flexibility. Karthik graduated from the University of Arizona in 2007 with an MS in Computer Engineering and currently lives in Austin, Texas with his family. Karthik organizes several conferences, including devopsdays and Container Days, and he has chaired the DevOps tracks for the Agile Conference and All Day DevOps. He is also an accomplished author for LinkedIn Learning and Lynda.com. In his free time, Karthik enjoys to spend time with family, keep up with the latest trends in software, and dabble in new product ideas.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Introduction to Security with Go

About Go

Go language design

The History of Go

Adoption and community

Common criticisms about Go

The Go toolchain

Go mascot

Learning Go

Why use Go?

Why use Go for security?

Why not use Python?

Why not use Java?

Why not use C++?

Development environment

Installing Go on other platforms

Other Linux distributions

Windows

Mac

Setting up Go

Creating your workspace

Setting up environment variables

Editors

Creating your first package

Writing your first program

Running the executable file

Building the executable file

Installing the executable file

Formatting with go fmt

Running Go examples

Building a single Go file

Running a single Go file

Building multiple Go files

Building a folder (package)

Installing a program for use

Summary

The Go Programming Language

Go language specification

The Go playground

A tour of Go

Keywords

Notes about source code

Comments

Types

Boolean

Numeric

Generic numbers

Specific numbers

Unsigned integers

Signed integers

Floating point numbers

Other numeric types

String

Array

Slice

Struct

Pointer

Function

Interface

Map

Channel

Control structures

if

for

range

switch, case, fallthrough, and default

goto

Defer

Packages

Classes

Inheritance

Polymorphism

Constructors

Methods

Operator overloading

Goroutines

Getting help and documentation

Online Go documentation

Offline Go documentation

Summary

Working with Files

File basics

Creating an empty file

Truncating a file

Getting the file info

Renaming a file

Deleting a file

Opening and closing files

Checking whether a file exists

Checking read and write permissions

Changing permissions, ownership, and timestamps

Hard links and symlinks

Reading and writing

Copying a file

Seeking positions in a file

Writing bytes to a file

Quickly writing to a file

Buffered writer

Reading up to n bytes from a file

Reading exactly n bytes

Reading at least n bytes

Reading all bytes of a file

Quickly reading whole files to memory

Buffered reader

Reading with a scanner

Archives

Archive (ZIP) files

Extracting (unzip) archived files

Compression

Compressing a file

Uncompressing a File

Creating temporary files and directories

Downloading a file over HTTP

Summary

Forensics

Files

Getting file information

Finding the largest files

Finding recently modified files

Reading the boot sector

Steganography

Generating an image with random noise

Creating a ZIP archive

Creating a steganographic image archive

Detecting a ZIP archive in a JPEG image

Network

Looking up a hostname from an IP address

Looking up IP addresses from a hostname

Looking up MX records

Looking up nameservers for a hostname

Summary

Packet Capturing and Injection

Prerequisites

Installing libpcap and Git

Installing libpcap on Ubuntu

Installing libpcap on Windows

Installing libpcap on macOS

Installing gopacket

Permission problems

Getting a list of network devices

Capturing packets

Capturing with filters

Saving to the pcap file

Reading from a pcap file

Decoding packet layers

Creating a custom layer

Converting bytes to and from packets

Creating and sending packets

Decoding packets faster

Summary

Cryptography

Hashing

Hashing small files

Hashing large files

Storing passwords securely

Encryption

Cryptographically secure pseudo-random number generator (CSPRNG)

Symmetric encryption

AES

Asymmetric encryption

Generating a public and private key pair

Digitally signing a message

Verifying a signature

TLS

Generating a self-signed certificate

Creating a certificate signing request

Signing a certificate request

TLS server

TLS client

Other encryption packages

OpenPGP

Off The Record (OTR) messaging

Summary

Secure Shell (SSH)

Using the Go SSH client

Authentication methods

Authenticating with a password

Authenticating with private key

Verifying remote host

Executing a command over SSH

Starting an interactive shell

Summary

Brute Force

Brute forcing HTTP basic authentication

Brute forcing the HTML login form

Brute forcing SSH

Brute forcing database login

Summary

Web Applications

HTTP server

Simple HTTP servers

HTTP basic auth

Using HTTPS

Creating secure cookies

HTML escaping output

Middleware with Negroni

Logging requests

Adding secure HTTP headers

Serving static files

Other best practices

CSRF tokens

Preventing user enumeration and abuse

Registration

Login

Resetting the password

User profiles

Preventing LFI and RFI abuse

Contaminated files

HTTP client

The basic HTTP request

Using the client SSL certificate

Using a proxy

Using system proxy

Using a specific HTTP proxy

Using a SOCKS5 proxy (Tor)

Summary

Web Scraping

Web scraping fundamentals

Finding strings in HTTP responses with the strings package

Using regular expressions to find email addresses in a page

Extracting HTTP headers from an HTTP response

Setting cookies with an HTTP client

Finding HTML comments in a web page

Finding unlisted files on a web server

Changing the user agent of a request

Fingerprinting web application technology stacks

Fingerprinting based on HTTP response headers

Fingerprinting web applications

How to prevent fingerprinting of your applications

Using the goquery package for web scraping

Listing all hyperlinks in a page

Finding documents in a web page

Listing page title and headings

Crawling pages on the site that store the most common words

Printing a list of external JavaScript files in a page

Depth-first crawling

Breadth-first crawling

How to protect against web scraping

Summary

Host Discovery and Enumeration

TCP and UDP sockets

Creating a server

Creating a client

Port scanning

Grabbing a banner from a service

Creating a TCP proxy

Finding named hosts on a network

Fuzzing a network service

Summary

Social Engineering

Gathering intel via JSON REST API

Sending phishing emails with SMTP

Generating QR codes

Base64 encoding data

Honeypots

TCP honeypot

The TCP testing tool

HTTP POST form login honeypot

HTTP form field honeypots

Sandboxing

Summary

Post Exploitation

Cross compiling

Creating bind shells

Creating reverse bind shells

Creating web shells

Finding writable files

Changing file timestamp

Changing file permissions

Changing file ownership

Summary

Conclusions

Recapping the topics you have learned

More thoughts on the usage of Go

What I hope you take away from the book

Be aware of legal, ethical, and technical boundaries

Where to go from here

Getting help and learning more

Another Book You May Enjoy

Leave a review – let other readers know what you think

Preface

This book covers the Go programming language and explains how to apply it in the cybersecurity industry. The topics covered are useful for red and blue teams, as well as for developers who want to write secure code, and for networking and operations engineers who want to secure their networks, hosts, and intellectual property. The source code examples are all fully functional programs. The examples are intended to be practical applications that you will likely want to incorporate into your own toolkit. Moreover, this book serves as a practical cookbook for building your own custom applications. I have also shared other security best practices and tricks that I learned.

This book will walk you through examples of code that are useful in a variety of computer security situations. As you work through the book, you will build a cookbook of practical applications and building blocks to use in your own security tools for use in your organization and engagements. It will also cover some tips and trivia regarding the Go programming language and provide many useful reference programs to boost your own Go cookbook.

This book will cover several blue team and red team use cases and various other security-related topics. Blue team topics, namely steganography, forensics, packet capturing, honeypots, and cryptography, and red team topics, namely brute forcing, port scanning, bind and reverse shells, SSH clients, and web scraping, will be covered. Each chapter relates to a different security topic and walks through code examples pertaining to that topic. If you follow this book, you will have a cookbook full of useful security tools and building blocks to create your own custom tools all in Go.

This book is not an in-depth tutorial on using the Go language. One chapter is dedicated to explaining Go; however, it only scratches the surface as compared to Alan Donovan and Brian Kernighan's almost 400-page The Go Programming Language. Fortunately, Go is a very easy language to pick up and has a quick learning curve. Some resources on learning Go are provided, but the reader may need to do some supplemental reading if not familiar with Go.

This book will not explore cutting-edge security techniques or vulnerabilities that are not already well documented. There are no zero-days or grand techniques unveiled. Each chapter is dedicated to a different security topic. Each one of these topics could have a book written about them. There are experts who specialize in each of these fields, so the book does not go in depth on any particular topic. The reader will have a solid foundation to explore any topic deeper when complete. 

Who this book is for

This book is for programmers who are already familiar with the Go programming language. Some knowledge of Go is needed, but the reader does not need to be a Go expert. The content is aimed at newcomers to Go, but it will not teach you everything about using Go. Those new to Go will get to explore and experiment with various aspects of Go, while applying it toward security practices. We will start with smaller and simpler examples before moving on to examples that make use of more advanced Go language features.

The reader is not expected to be an advanced security expert, but at least should have a basic understanding of core security concepts. The goal is to work through security topics as an experienced developer or security expert who is looking to improve their toolset and grow a library of Go reference code. Readers who like to build cookbooks full of useful tools will enjoy working through these chapters. People who want to build custom tools in Go related to security, networking, and other fields will benefit from the examples. Developers, penetration testers, SOC analysts, DevOps engineers, social engineers, and network engineers can all make use of the contents in this book.

What this book covers

Chapter 1, Introduction to Security with Go, covers the history of Go and discusses why Go is a good choice for security applications, how to set up a development environment, and run your first program. 

Chapter 2, The Go Programming Language, presents the basics of programming with Go. It reviews the keywords and data types along with the notable features of Go. It also contains information for getting help and reading documentation.

Chapter 3, Working with Files, helps you explore various ways of manipulating, reading, writing, and compressing files with Go.

Chapter 4, Forensics, talks about basic file forensics, steganography, and network forensics techniques.

Chapter 5, Packet Capturing and Injection, covers various aspects of packet capturing with the gopacket package. Topics include getting a list of network devices, capturing packets from a live network device, filtering packets, decoding packet layers, and sending custom packets.

Chapter 6, Cryptography, explains hashing, symmetric encryption such as AES, and asymmetric encryption such as RSA, digital signatures, verifying signatures, TLS connections, generating keys and certificates, and other cryptography packages.

Chapter 7, Secure Shell (SSH), covers the Go SSH package, how to use the client to authenticate with a password and with a key pair. It also covers how to execute commands on a remote host using SSH and running an interactive shell.

Chapter 8, Brute Force, includes examples of multiple brute force attack clients including HTTP basic authentication, HTML login form, SSH, MongoDB, MySQL, and PostgreSQL.

Chapter 9, Web Applications, explains how to build secure web applications with secure cookies, sanitized output, security headers, logging, and other best practices. It also covers writing secure web clients that utilize client certificates, HTTP proxies, and SOCKS5 proxies such as Tor.

Chapter 10, Web Scraping, discusses basic scraping techniques such as string matching, regular expressions, and fingerprinting. It also covers the goquery package, a powerful tool for extracting data from structured web pages.

Chapter 11, Host Discovery and Enumeration, covers port scanning, banner grabbing, TCP proxies, simple socket server and client, fuzzing, and scanning networks for named hosts.

Chapter 12, Social Engineering, provides examples for gathering intel via a JSON REST API such as Reddit, sending phishing emails with SMTP, and generating QR codes. It also covers Honeypots along with TCP and HTTP honeypot examples.

Chapter 13, Post Exploitation, covers various post exploitation techniques such as cross-compiling bind shells, reverse bind shells, and web shells. It also provides examples of searching for writable files and modifying timestamp, ownership, and permissions.

Chapter 14, Conclusions, is a recap of topics, showing you where you can go from here, and also has considerations for applying the techniques learned in this book.

To get the most out of this book

Readers should have basic programming knowledge and understanding of at least one programming language.

To run the examples the reader needs a computer with Go installed. Installation instructions are covered in the book. The recommended operating system is Ubuntu Linux, but examples should also run on macOS, Windows, and other Linux distributions.

Download the example code files

You can download the example code files for this book from your account at www.packtpub.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

Log in or register at

www.packtpub.com

.

Select the

SUPPORT

tab.

Click on

Code Downloads & Errata

.

Enter the name of the book in the

Search

box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of one of these:

WinRAR/7-Zip for Windows

Zipeg/iZip/UnRarX for Mac

7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub athttps://github.com/PacktPublishing/Security-with-Go. We also have other code bundles from our rich catalog of books and videos available athttps://github.com/PacktPublishing/. Check them out!

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: " Themake()function will create a slice of a certain type with a certain length and capacity."

A block of code is set as follows:

package mainimport ( "fmt")func main() { // Basic for loop for i := 0; i < 3; i++ { fmt.Println("i:", i) } // For used as a while loop n := 5 for n < 10 { fmt.Println(n) n++ }}

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

package mainimport ( "fmt")func main() { // Basic for loop for i := 0; i < 3; i++ {

fmt.Println("i:", i)

} // For used as a while loop n := 5 for n < 10 { fmt.Println(n) n++ }}

Any command-line input or output is written as follows:

sudo apt-get install golang-go

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "In Windows 10, this can be found by navigating toControl Panel|System|Advanced System Settings|Environment Variables."

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com.

Introduction to Security with Go

Security and privacy, as practical matters, have continued to gain interest, especially in the technology industry. The cybersecurity market is booming and continuing to grow. The industry moves fast with innovations and research coming out constantly. Not only has the interest and speed of security picked up, but the scale of applications along with the risk have also grown by orders of magnitude. The industry needs a programming language that is simple to learn, cross-platform, and efficient on a large scale. Go is the perfect fit, having an extremely powerful standard library, short learning curve, and blazing speed.

In this chapter, we will cover the following topics:

Go's history, language design, criticisms, community, and learning tips

Why use Go for security

Setting up a development environment and writing your first program

Running the example programs

About Go

Go is an open source programming language that was created by Google and distributed under a BSD-style license. A BSD license allows anyone to use Go free of charge, as long as the copyright notice is retained and the Google name is not used for endorsement or promotion. Go is heavily influenced by C, but has simpler syntax, and better memory safety and garbage collection. Sometimes, Go is described as a modern-day C++. I think that is too much of a simplification, but Go is definitely a simple but modern language.

Go language design

The original goal of Go was to create a new language that is simple, reliable, and efficient. As mentioned, Go is heavily influenced by C programming language. The language itself is very simple, with only 25 keywords. It was built to integrate well with IDEs, but not to be dependent on them. In my experience, anyone who has tried Go has found it very user-friendly with a short learning curve.

One of the main goals of Go was to deal with some of the negative aspects of C++ and Java code, while retaining the performance. The language needed to be simple and consistent to manage very large development teams.

Variables are statically typed, and applications are compiled quickly to statically linked binaries. Having a single statically linked binary makes it very easy to create lightweight containers. The final applications run fast as well, running close to C++ and Java performance and much faster than interpreted languages such as Python. There are pointers, but there is no pointer arithmetic allowed. Go does not tout itself as an object-oriented programming language, and it does not formally have classes in the traditional sense; however, it does contain a number of mechanisms that closely resemble an object-oriented programming language. This is discussed in more depth in the following chapter. Interfaces are used heavily, and composition is the equivalent of inheritance.

Go has many interesting features. One feature that stands out is the built-in concurrency. Just put the word "go" before any function call, and it will spawn a lightweight thread to execute the function. Another feature that is quite important is the dependency management, which is very efficient. The dependency management is part of the reason Go compiles incredibly fast. It does not re-include the same header files multiple times, the way C++ does. Go also has built-in memory safety, and a garbage collector handles clean-up of unused memory. The standard library in Go is pretty impressive too. It is modern and contains networking, HTTP, TLS, XML, JSON, database, image manipulation, and cryptography packages. Go also supports Unicode, allowing all kinds of characters to be used in source code.

The Go toolchain is central to the ecosystem. It provides tools to download and install remote dependencies, run unit tests and benchmarks, generate code, and format code according to the Go formatting standards. It also includes the compiler, linker, and assembler, which compile very quickly and also allow for easy cross-compiling by simply changing the GOOS and GOARCH environment variables.

Some features were excluded from the Go language. Generics, inheritance, assertions, exceptions, pointer arithmetic, and implicit type conversions were all left out of Go. Many features were omitted intentionally, namely generics, assertions, and pointer arithmetic. The authors left out some features because they wanted to maintain performance, keep the language specification as simple as possible, or they could not agree on the best way to implement, or because a feature was too controversial. Inheritance was also left out intentionally in favor of using interfaces and composition instead. Some other features, such as generics, were left out because there was too much debate concerning their proper implementation, but they may show up in Go 2.0. The authors recognized that it is much easier to add a feature to a language than to take one away.

The History of Go

Go is a relatively young language, with its inception in 2007 and open sourcing in 2009. It started at Google as a 20% project with Robert Griesemer, Rob Pike, and Ken Thompson. A 20% project means that the project's developers spent 20% of their time working on it as an experimental side project. Go 1.0 was officially released in March 2012. It was planned from the beginning to be an open source language. Until Go 1.5, the compiler, linker, and assembler were written in C. After version 1.5, everything was written in Go.

Google initially launched Go for Linux and macOS, and the community drove the effort for other platforms, namely Windows, FreeBSD, OpenBSD, NetBSD, and Solaris. It has even been ported to IBM z Systems mainframes. Bill O'Farrell of IBM gave a talk at GopherCon 2016 in Denver titled Porting Go to the IBM z Architecture (https://www.youtube.com/watch?v=z0f4Wgi94eo).

Google is known to use Python, Java, and C++. It is understandable why they chose those languages too. They each fill certain roles and have their own strengths and weaknesses. Go was an attempt to create a new language that fits the needs of Google. They needed software that could perform extremely well under heavy loads, support concurrency, and that was easy to read and write, and compile quickly.

The triggering event for starting the Go project was dealing with a massive C++ code base that took hours to build because of the way C++ handles dependencies and re-includes headers (https://www.youtube.com/watch?v=bj9T2c2Xk_s (37:15)). This is why one of Go's main goals was to compile quickly. Go helped turn hours of compile time to seconds because it handles dependencies much more efficiently than C++.

Discussions for Go 2.0 have begun, but they are still in the conceptual stages. There is no timeline for a release, and there is no rush to release a new major version.

Adoption and community

Go is still a young language, but it has seen growing adoption rates and has continued to increase in popularity. Go was the TIOBE Language of the year in 2009 and 2016:

One of the expectations expressed by the Go team was the anticipation that Go would draw a lot of C/C++ and Java developers, but they were surprised when a large number of the users came from scripting languages such as Python and Ruby. Others, like myself, found Go to be a natural complement to Python, a great language. However, which language do you go to when you need something much more powerful? Some large companies have demonstrated that Go is stable for large-scale production use, including Google, Dropbox, Netflix, Uber, and SoundCloud.

The first Go conference, named GopherCon, was held in 2014. Since then, GopherCon has been held every year. Read more about GopherCon at https://gophercon.com. I had the privilege of speaking at the 2016 GopherCon about packet capturing and had a great experience (https://www.youtube.com/watch?v=APDnbmTKjgM).

Common criticisms about Go

There are a few criticisms that show up repeatedly in the community. Probably the most notorious and most-discussed criticism is the lack of generics. This leads to repeated code to handle different data types. Interfaces can be used to some extent to alleviate this problem. We might see generics in a future release, as the authors have shown openness to generics, but they did not rush through an important design decision.

The next criticism often heard is the lack of exceptions. The developer must explicitly handle or ignore each error. Personally, I found this to be a refreshing change. It's not really that much more work, and you have full control over the code flow. Sometimes with exceptions you are not positive where it will get caught as it bubbles up. With Go, you can easily follow the error-handling code.

Go has a garbage collector that handles memory cleanup. The garbage collector has been upgraded over time and continues to improve. The garbage collector does have a minor performance impact, but saves the developer a lot of thinking and worrying. Go was originally described as a systems programming language, and the lack of control over the memory was restrictive for very low-level applications. Since then, they have pivoted away from calling Go a systems programming language. If you need low-level control over memory, then you will have to write portions of code in C.

The Go toolchain

The go executable is the main application of the Go toolchain. You can pass a command to go, and it will take the appropriate action. The toolchain has tools to run, compile, format source code, download dependencies, and more. Let's look at the full list, which is obtained as an output from the go help command or just go by itself:

build

: This compiles packages and dependencies

clean

: This removes object files

doc

: This shows documentation for a package or symbol

env

: This prints Go environment information

generate

: This is the code generator

fix

: This upgrades Go code when a new version is released

fmt

: This runs 

gofmt

on package sources

get

: This downloads and installs packages and dependencies

help

: This provides more help on a specific topic

install

: This compiles and installs packages and dependencies

list

: This lists packages

run

: This compiles and runs Go programs

test

: This runs unit tests and benchmarks

vet

: This examines source code for bugs

version

: This shows the Go version

More information about these commands is available at https://golang.org/cmd/.

Go mascot

Everyone knows that the best swords have names, and the best programming languages have mascots. Go's mascot is the gopher. The gopher has no name. It has a jelly bean shaped body, microscopic limbs, gigantic eyes, and two teeth. It was designed by Renee French, and its copyright comes under the Creative Commons Attribution 3.0 license. This means that you can play with the images, but you must give credit to their creator, Renee French, wherever they are used.

Renee French gave a talk at GopherCon 2016 in Denver, entitled The Go Gopher: A Character Study, explaining how the gopher came to be, the various mediums and forms it has taken, and the tips on drawing it in various situations (https://www.youtube.com/watch?v=4rw_B4yY69k).

You can generate a custom gopher avatar at https://gopherize.me/ and read more about the Go gopher at https://blog.golang.org/gopher.

Learning Go

If you have never used Go before, have no fear. It has a gentle learning curve and is simple enough to learn in just a day or two. The best place to start is https://tour.golang.org/. This is a basic tour of the Go programming language. If you have already gone through the tour, then you should already have the foundation to make it through this book just fine. If you are working through this book and have not taken the tour, you may come across a concept you are not familiar with that is not explained here. The tour is a good place to learn and practice.

Since there are only 25 reserved keywords in the language specification, it is short enough to be understood by "mortals". You can read more about the specs at https://golang.org/ref/spec.

You must be already be familiar with most of these keywords. These are: if, else, goto, for, import, return, var, continue, break, range, type, func, interface, package, const, map, struct, select, case, switch, go, defer, chan, fallthrough, and default.

The tour will help you learn the keywords, syntaxes, and basics of the data structures. The playground in the tour lets you practice writing and running code in the browser.

Why use Go?

There are several aspects that appeal to me about Go. Concurrency, speed, and simplicity are the most important things to me. The language is very simple and easy to learn. There are no try, catch, and exception flows. Though several people cite the tedious error handling as a criticism, I find it refreshing to have a simple language that does not hide a lot of magic behind the scenes and does exactly what it says. The go fmt tool standardizes formatting, making it easy to read code from others, and eliminates the burden of defining your own standard.

Go provides a feeling of scalability and reliability and is actually an enjoyable experience. Before Go, the primary option for fast, compiled code was C++, and it was no simple task to manage the header files and build processes for different platforms. C++ has become a very complicated language over the years and is not nearly as approachable as Go for most people.

Why use Go for security?

I think we all understand that there is no such thing as the best programming language, but there are different tools for different jobs. Go excels in performance and concurrency. Some of its other benefits include the ability to compile down to a single executable and cross-compile easily. It also has a modern standard library well-suited for networked applications.

The ease of cross-compiling makes for some interesting use cases in the security field. Here are a couple of use cases for cross-compiling in security:

Penetration testers can use a Raspberry Pi to compile custom Go reverse shells for Windows, macOS, and Linux, and attempt to deploy them.

Network defenders can have one central database to store all honeypot information provided from honeypot servers, and then cross-compile the honeypot servers. This would allow them to easily deploy a consistent application across all platforms, including Windows, mac, and Linux.

Network defenders could deploy incredibly lightweight honeypots throughout their network in the form of a Docker container with a single statically linked binary. Containers would be quick to create and destroy, using minimal bandwidth and server resources.

When you ask yourself whether Go is a good language choice, it may help to compare Go with some of the other top language choices.

Why not use Python?

Python is a popular language in the security field. This is most likely because of its ubiquity, short learning curve, and plethora of libraries. There are already several useful tools for security written in Python, namely Scapy for packet capturing, Scrapy for web scraping, Immunity for debugging, Beautiful Soup for parsing HTML, and Volatility for memory forensics. Many vendors and service providers also provide API examples in Python.

Python is easy to learn, and there are plenty of resources. Go is also easy to write and has a gentle learning curve. The learning curve and the ease of programming is not a major differentiating factor between Go and Python in my opinion. This biggest distinction, and where Python falls short, is performance. Python cannot compete with Go in terms of performance. Part of it is the interpreted nature of Python, but a larger factor is the global interpreter lock or GIL. The GIL prevents the interpreter from using more than one CPU worth of processing power, even with multiple threads executing. There are some ways to get around this, such as using multiprocessing, but this has its own drawbacks and limitations, as it actually forks a new process. Other options are using Jython (Python on Java) or IronPython (Python on .NET), and these have no GIL.

Why not use Java?

One of Java's greatest strengths is the ability to write once, run anywhere (WORA). This is incredibly valuable if you have to do anything involving GUI, graphics, or audio. Go certainly does not beat Java in its ability to create GUIs, but it is cross-platform and supports cross-compiling.

Java is mature and widely adopted with lots of resources available. There are more options with Java libraries than Go packages. Java is the more verbose of the two languages. The Java ecosystem is more complex with several options for build tools and package managers. Go is much simpler and more standardized. These differences could simply be attributed to the age difference between the languages, but it may still affect your language choice.

In certain situations, the Java virtual machine (JVM) can be too resource intensive in terms of memory or startup time. If you need to pipe together several command-line Java applications, the startup time for the JVM just to run a series of short-lived programs can be a significant performance hit. In terms of memory, if you need to run several instances of the same application, then the memory required to run each JVM can add up. The JVM can also be restricting since it creates a sandbox and limits your access to the host machine. Go compiles down to native machine code and thus has no need for a virtual machine layer.

Go is well-documented and the community continues to grow and provide more resources. It is an easy language to learn, especially for experienced programmers. Concurrency is a bit simpler and built into the language, as opposed to a library package.

Why not use C++?

C++ does offer a little more control since the developer is in charge of memory management and there is no garbage collector. For this same reason, C++ will have slightly better performance. In some cases, Go can actually outperform C++.

C++ is very mature and has a large set of third-party libraries. Libraries are not always cross-platform and can have complex makefiles. Cross-compiling is much simpler in Go and can be done with the Go toolchain.

Go compiles with more efficiency because it has better dependency management. C++ can re-include the same header file multiple times and cause compilation times to balloon. The package system is more consistent and standardized in Go. Threads and concurrency are native to Go and require platform-specific libraries in C++.

The maturity of C++ has also led to the language growing and becoming more complicated over time. Go is a refreshing change with a simple-yet-modern language. C++ is not as friendly to beginners as Go.

Development environment

All of the examples in this book will run across major platforms, Windows, macOS, and Linux. Having said that, the examples were primarily written and developed on Ubuntu Linux, and this is the recommended platform for the following examples.

Ubuntu Linux is available for free at https://www.ubuntu.com/download/desktop. The download page may ask for a donation, but you can choose to download for free. Ubuntu is not required, but the book will be easier to follow if you have the same environment. Other Linux distributions should work equally well, but I strongly recommend that you use a Debian-based distribution. Most of the Go code examples in this book will work on Windows, Linux, and Mac without any modification. Certain examples may be Linux- and Mac-specific, such as file permissions, which are not treated similarly in Windows. Any example that is specific to a platform is mentioned.

You can install Ubuntu for free inside a virtual machine or as your primary operating system. As long as your system has enough CPU, RAM, and disk space, I recommend that you use a virtual machine with Oracle VirtualBox, which is available at https://www.virtualbox.org/. VMWare Player is an alternative to VirtualBox and is available at https://www.vmware.com/products/player/playerpro-evaluation.html.

Download and install VirtualBox, and then, download the Ubuntu desktop ISO file. Create a virtual machine, have it boot the Ubuntu ISO, and choose the Install option. Once you have installed Ubuntu and logged in as your user, you can install the Go programming language. Ubuntu makes this incredibly easy by providing a package. Just open a Terminal window and run the following command:

sudo apt-get install golang-go

Using sudo elevates your privileges in order to install and may ask you for your password. If everything was successful, you will now have access to the go executable, which contains the whole toolchain. You can run go help or go by itself for usage instructions.

If you are not using Ubuntu or want to install the latest version, you can download the latest version from https://golang.org/dl. The Windows and Mac installer will take care of updating your PATH environment variable, but in Linux you will have to move the extracted contents to a desired location, such as /opt/go, and then update your PATH environment variable manually to include the location. Consider this example:

# Extract the downloaded Go tar.gz

tar xzf go1.9.linux-amd64.tar.gz

# Move the extracted directory to /opt

sudo mv go /opt

# Update PATH environment variable to include Go's binaries

echo "export PATH=$PATH:/opt/go/bin" >> ~/.bashrc

Now restart your Terminal for the changes to take effect. If you are using a shell other than Bash, you will need to update the proper RC file for your shell.

Installing Go on other platforms

If you are not using Ubuntu, you can still install Go easily. The Go website provides multiple installation formats on the Downloads page at https://golang.org/dl/.

Other Linux distributions