Why is Golang good for Security Professionals?
This is the start of Go, a statically typed programming language, tutorials series for security professionals or to make offensive security tools. This series is more focused on making use of Golang to get the work done for hackers rather than going to the rabbit hole of making programming skills better. We are going to write some very dirty scripts which work faster than python.
Why not use Python or any other language instead of Golang?
Yes, python can almost satisfy the needs of hackers. It is a scripting language. You can write a script super quick but when it comes to creating stable & advanced tools for long-term uses or for the community it is not that great. When it comes to bug-bounty, Golang is the most used programming language by the offensive security community. You can work with python scripts without knowing anything.
Key feature of Go language:
- Concurrency - Go has rich support for making more than one task simultaneously using Go-routines and channels.
- Fast compilation time - Golang is a compiler-based language. It compiles to a standalone binary. We can compile it for the target users (processor architecture and operating system).
- Excellent community - Golang is quite a new language but the community of many programmers is awesome.
- Simple - Go is not an easy programming language but it has a simple syntax, most of the semantics are simple. It's simple to use other Go language modules and get the work done.
- Garbage collection - Go is good to find memory space that is allocated recently but is no longer needed.
Top open source hacking tools written in Golang.
This is an exclusive list of most effective tools and frameworks written in Golang by other security researchers. You can practice by making similar custom tools to improve your Golang skills.
- OWASP Amass - The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques. It is the only tool you need for gathering subdomains. You can add custom techniques and tools with the newly introduced scripting engine tool.
- ProjectDiscovery tools - Actually good automation tools for security researchers by professional security researchers. A collection of 20+ useful tools.
- Tomnomnom tools - He is the one man behind some greatest tool used by almost all Bug bounty hunters.
- scan4all - vuls Scan: 15000+PoCs; 23 kinds of application password crack; 7000+Web fingerprints; 146 protocols and 90000+ rules Port scanning; Fuzz, HW, awesome BugBounty.
- Bettercap - The Swiss Army knife for 802.11, BLE, IPv4 and IPv6 networks reconnaissance and MITM attacks.
- Osmedeus - Osmedeus is a Workflow Engine for Offensive Security. It was designed to build a foundation with the capability and flexibility that allows you to build your own reconnaissance system and run it on a large number of targets. Also check Gospider and Jaeles tools.
- HackBrowserData -
HackBrowserDatais an open-source tool that could help you decrypt data ( password|bookmark|cookie|history|credit card|download|localStorage|extension ) from the browser. It supports the most popular browsers on the market and runs on Windows, macOS and Linux.
- Hakrawler and other Hakluke's tools - Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application.
- CHAOS - Remote Administration Tool that allows generating binaries to control remote operating systems.
- goHackTools - A collection of golang scripts to make your life easier.
- hetty - Hetty is an HTTP toolkit for security research. It aims to become an open source alternative to commercial software like Burp Suite Pro, with powerful features tailored to the needs of the infosec and bug bounty community.
- aquatone - A Tool for Domain Flyovers
- gobuster - Directory/File, DNS and VHost busting tool written in Go.
- gitleaks - Scan git repos (or files) for secrets using regex and entropy.
- dalfox - DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang.
- gowitness - gowitness - a golang, web screenshot utility using Chrome Headless.
- gau - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
- ffuf - Most advanced & fast fuzzing tool that you will ever need to fuzz different endpoints with HTTP requests.
- gowaftest - An open-source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses.
In this article we have learned about the importance of Golang. If you are convinced of Golang, we can now start learning it.