Security with Go

Security with Go

by John Daniel Leon
Released January 2018
Publisher(s): Packt Publishing
ISBN: 9781788627917

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

The first stop for your security needs when using Go, covering host, network, and cloud security for ethical hackers and defense against intrusion

About This Book

  • First introduction to Security with Golang
  • Adopting a Blue Team/Red Team approach
  • Take advantage of speed and inherent safety of Golang
  • Works as an introduction to security for Golang developers
  • Works as a guide to Golang security packages for recent Golang beginners

Who This Book Is For

Security with Go is aimed at developers with basics in Go to the level that they can write their own scripts and small programs without difficulty. Readers should be familiar with security concepts, and familiarity with Python security applications and libraries is an advantage, but not a necessity.

What You Will Learn

  • Learn the basic concepts and principles of secure programming
  • Write secure Golang programs and applications
  • Understand classic patterns of attack
  • Write Golang scripts to defend against network-level attacks
  • Learn how to use Golang security packages
  • Apply and explore cryptographic methods and packages
  • Learn the art of defending against brute force attacks
  • Secure web and cloud applications

In Detail

Go is becoming more and more popular as a language for security experts. Its wide use in server and cloud environments, its speed and ease of use, and its evident capabilities for data analysis, have made it a prime choice for developers who need to think about security.

Security with Go is the first Golang security book, and it is useful for both blue team and red team applications. With this book, you will learn how to write secure software, monitor your systems, secure your data, attack systems, and extract information.

Defensive topics include cryptography, forensics, packet capturing, and building secure web applications.

Offensive topics include brute force, port scanning, packet injection, web scraping, social engineering, and post exploitation techniques.

Style and approach

John Leon has divided the book into two parts which present the team playing defense against anyone breaking into servers and the team playing (ethical!) offense to perform said attacks. All Go scripts and programs are workable solutions that can be easily understood and expanded upon by anyone with a system administrator's level view of networking and cloud-based systems. Golang developers will profit from a swift and incisive approach to security.

Table of contents

  1. Introduction to Security with Go
    1. About Go
      1. Go language design
      2. The History of Go
      3. Adoption and community
      4. Common criticisms about Go
      5. The Go toolchain
      6. Go mascot
      7. Learning Go
      8. Why use Go?
    2. Why use Go for security?
      1. Why not use Python?
      2. Why not use Java?
      3. Why not use C++?
    3. Development environment
      1. Installing Go on other platforms
        1. Other Linux distributions
        2. Windows
        3. Mac
      2. Setting up Go
      3. Creating your workspace
      4. Setting up environment variables
      5. Editors
      6. Creating your first package
      7. Writing your first program
        1. Running the executable file
        2. Building the executable file
        3. Installing the executable file
      8. Formatting with go fmt
    4. Running Go examples
      1. Building a single Go file
      2. Running a single Go file
      3. Building multiple Go files
      4. Building a folder (package)
      5. Installing a program for use
    5. Summary
  2. The Go Programming Language
    1. Go language specification
    2. The Go playground
    3. A tour of Go
    4. Keywords
    5. Notes about source code
    6. Comments
    7. Types
      1. Boolean
      2. Numeric
        1. Generic numbers
        2. Specific numbers
          1. Unsigned integers
          2. Signed integers
          3. Floating point numbers
          4. Other numeric types
      3. String
      4. Array
      5. Slice
      6. Struct
      7. Pointer
      8. Function
      9. Interface
      10. Map
      11. Channel
    8. Control structures
      1. if
      2. for
      3. range
      4. switch, case, fallthrough, and default
      5. goto
    9. Defer
    10. Packages
    11. Classes
      1. Inheritance
      2. Polymorphism
      3. Constructors
      4. Methods
      5. Operator overloading
    12. Goroutines
    13. Getting help and documentation
      1. Online Go documentation
      2. Offline Go documentation
    14. Summary
  3. Working with Files
    1. File basics
      1. Creating an empty file
      2. Truncating a file
      3. Getting the file info
      4. Renaming a file
      5. Deleting a file
      6. Opening and closing files
      7. Checking whether a file exists
      8. Checking read and write permissions
      9. Changing permissions, ownership, and timestamps
      10. Hard links and symlinks
    2. Reading and writing
      1. Copying a file
      2. Seeking positions in a file
      3. Writing bytes to a file
      4. Quickly writing to a file
      5. Buffered writer
      6. Reading up to n bytes from a file
      7. Reading exactly n bytes
      8. Reading at least n bytes
      9. Reading all bytes of a file
      10. Quickly reading whole files to memory
      11. Buffered reader
      12. Reading with a scanner
    3. Archives
      1. Archive (ZIP) files
      2. Extracting (unzip) archived files
    4. Compression
      1. Compressing a file
      2. Uncompressing a File
    5. Creating temporary files and directories
    6. Downloading a file over HTTP
    7. Summary
  4. Forensics
    1. Files
      1. Getting file information
      2. Finding the largest files
      3. Finding recently modified files
      4. Reading the boot sector
    2. Steganography
      1. Generating an image with random noise
      2. Creating a ZIP archive
      3. Creating a steganographic image archive
      4. Detecting a ZIP archive in a JPEG image
    3. Network
      1. Looking up a hostname from an IP address
      2. Looking up IP addresses from a hostname
      3. Looking up MX records
      4. Looking up nameservers for a hostname
    4. Summary
  5. Packet Capturing and Injection
    1. Prerequisites
      1. Installing libpcap and Git
        1. Installing libpcap on Ubuntu
        2. Installing libpcap on Windows
        3. Installing libpcap on macOS
      2. Installing gopacket
      3. Permission problems
    2. Getting a list of network devices
    3. Capturing packets
    4. Capturing with filters
    5. Saving to the pcap file
    6. Reading from a pcap file
    7. Decoding packet layers
    8. Creating a custom layer
    9. Converting bytes to and from packets
    10. Creating and sending packets
    11. Decoding packets faster
    12. Summary
  6. Cryptography
    1. Hashing
      1. Hashing small files
      2. Hashing large files
      3. Storing passwords securely
    2. Encryption
      1. Cryptographically secure pseudo-random number generator (CSPRNG)
      2. Symmetric encryption
        1. AES
      3. Asymmetric encryption
        1. Generating a public and private key pair
        2. Digitally signing a message
        3. Verifying a signature
      4. TLS
        1. Generating a self-signed certificate
        2. Creating a certificate signing request
        3. Signing a certificate request
        4. TLS server
        5. TLS client
      5. Other encryption packages
        1. OpenPGP
        2. Off The Record (OTR) messaging
    3. Summary
  7. Secure Shell (SSH)
    1. Using the Go SSH client
      1. Authentication methods
        1. Authenticating with a password
        2. Authenticating with private key
        3. Verifying remote host
      2. Executing a command over SSH
      3. Starting an interactive shell
    2. Summary
  8. Brute Force
    1. Brute forcing HTTP basic authentication
    2. Brute forcing the HTML login form
    3. Brute forcing SSH
    4. Brute forcing database login
    5. Summary
  9. Web Applications
    1. HTTP server
      1. Simple HTTP servers
      2. HTTP basic auth
      3. Using HTTPS
      4. Creating secure cookies
      5. HTML escaping output
      6. Middleware with Negroni
        1. Logging requests
        2. Adding secure HTTP headers
        3. Serving static files
      7. Other best practices
        1. CSRF tokens
        2. Preventing user enumeration and abuse
          1. Registration
          2. Login
          3. Resetting the password
          4. User profiles
        3. Preventing LFI and RFI abuse
          1. Contaminated files
    2. HTTP client
      1. The basic HTTP request
      2. Using the client SSL certificate
      3. Using a proxy
        1. Using system proxy
        2. Using a specific HTTP proxy
        3. Using a SOCKS5 proxy (Tor)
    3. Summary
  10. Web Scraping
    1. Web scraping fundamentals
      1. Finding strings in HTTP responses with the strings package
      2. Using regular expressions to find email addresses in a page
      3. Extracting HTTP headers from an HTTP response
      4. Setting cookies with an HTTP client
      5. Finding HTML comments in a web page
      6. Finding unlisted files on a web server
      7. Changing the user agent of a request
      8. Fingerprinting web application technology stacks
        1. Fingerprinting based on HTTP response headers
        2. Fingerprinting web applications
        3. How to prevent fingerprinting of your applications
    2. Using the goquery package for web scraping
      1. Listing all hyperlinks in a page
      2. Finding documents in a web page
      3. Listing page title and headings
      4. Crawling pages on the site that store the most common words
      5. Printing a list of external JavaScript files in a page
      6. Depth-first crawling
      7. Breadth-first crawling
    3. How to protect against web scraping
    4. Summary
  11. Host Discovery and Enumeration
    1. TCP and UDP sockets
      1. Creating a server
      2. Creating a client
    2. Port scanning
    3. Grabbing a banner from a service
    4. Creating a TCP proxy
    5. Finding named hosts on a network
    6. Fuzzing a network service
    7. Summary
  12. Social Engineering
    1. Gathering intel via JSON REST API
    2. Sending phishing emails with SMTP
    3. Generating QR codes
      1. Base64 encoding data
    4. Honeypots
      1. TCP honeypot
        1. The TCP testing tool
      2. HTTP POST form login honeypot
      3. HTTP form field honeypots
    5. Sandboxing
    6. Summary
  13. Post Exploitation
    1. Cross compiling
    2. Creating bind shells
    3. Creating reverse bind shells
    4. Creating web shells
    5. Finding writable files
    6. Changing file timestamp
    7. Changing file permissions
    8. Changing file ownership
    9. Summary
  14. Conclusions
    1. Recapping the topics you have learned
    2. More thoughts on the usage of Go
    3. What I hope you take away from the book
    4. Be aware of legal, ethical, and technical boundaries
    5. Where to go from here
    6. Getting help and learning more
  15. Another Book You May Enjoy
    1. Leave a review – let other readers know what you think

Product information

  • Title: Security with Go
  • Author(s): John Daniel Leon
  • Release date: January 2018
  • Publisher(s): Packt Publishing
  • ISBN: 9781788627917