Programming Language Go - Developing Penetration Testing Tools

Programming Language Go

Developing Penetration Testing Tools

Ralph Meier
by Ralph Meier
on June 10, 2021
time to read: 8 minutes

Keypoints

These Features are available with Go for Penetration Testing Tools

  • There is no best suited programming language for pentesting tools
  • Go brings easy concurrency and cross-platform compilation
  • Fuzzing coming soon to standard library
  • Interesting existing open source tools in Go

Each programming language brings its own features and benefits, so there is no best programming language for developing penetration testing tools. Python, Perl, Ruby but also PowerShell as well as other programming languages are often used in this area.

Go is often referred to as Golang, this is due to the domain of the programming language: golang.org. The Go project was started in 2007 by Robert Griesemer, Ken Thompson and Rob Pike. In 2009 they presented the Go programming language, the concept and their ideas behind it. The first stable version Go 1 was released three years later in March 2012. Originally, Go was created out of dissatisfaction with other programming languages like C++ or Java regarding topics like cluster and cloud computing but also scalable network services.

Go is strongly based on C syntax, but like Java it has a garbage collector. The main goals in the development of Go were: Supporting concurrency with native language elements, easy handling of large code bases, and achieving high translation speed.

Object orientation is possible in Go, but not through classes and their inheritance, but through the use of interfaces and mixins.

package main
import "fmt"

func main() {
   fmt.Println("Hello World")
}

Binary as a Final Product and Cross Compilation

A Go project is compiled with the go build command. This compiles all packages and dependencies into one binary. go build supports a wide range of target systems. After executing a single command, a binary for the desired platform is ready. Thus, it is easy to build a binary for Windows 10 64-bit on macOS. To do this, the build command must be given the information GOOS (target operating system) and GOARCH (target architecture). There are three different types, whereby only the first variant works with Go 1.16:

1. Via the command line:

GOOS="windows" GOARCH="amd64" go build hello.go

2. By a comment in the code:

// +build windows,amd64

3. By a special format in the file name:

hello_windows_amd64.go

Cross-compilation is nothing new in itself, but very convenient and easy to implement in Go.

Simple Concurrency with Goroutines

Go, besides being an easy way to create binaries for other platforms, also has a way for fast and easy implementation of concurrency, called goroutines. Compared to normal threads, goroutines require much less resources to create.

To create a goroutine, you call the desired function with a go in front of it, it is that simple. In the case of moving the print of Hello World to its own function, it would look like this:

func hello() {
   fmt.Println("Hello World")
}

Calling the hello() function using go hello(). By so-called channels goroutines can communicate and be synchronized.

Go Standard Library will soon get a Fuzzing Module

The fuzzing module was released for beta testers at the beginning of June this year. Fuzzing is a method to find errors, crashes and other peculiarities of applications by automatically adjusting inputs. By using fuzzing, test coverage can be increased and existing security vulnerabilities can be discovered.

Open Source Penetration Testing Tools in Go

Conclusion

Go offers many advantages, especially the ease of adding concurrency and the speed itself, which can be crucial in penetration testing. If curiosity and interest are now aroused in you, we may recommend the book Black Hat Go. Go looks very promising, so I will follow it.

About the Author

Ralph Meier

Ralph Meier completed an apprenticeship as an application developer, with a focus on web development with Java, at a major Swiss bank and then completed a Bachelor of Science in Computer Science UAS Zurich at the ZHAW School of Engineering. His primary task is doing security-related analysis of web applications and services. (ORCID 0000-0002-3997-8482)

Links

Are you interested in a Penetration Test?

Our experts will get in contact with you!

×
Dynamic Analysis of Android Apps

Dynamic Analysis of Android Apps

Ralph Meier

Burp Bambdas & BChecks

Burp Bambdas & BChecks

Ralph Meier

Disk Cloning

Disk Cloning

Ralph Meier

The BIOS

The BIOS

Ralph Meier

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here