Whether you’re a penetration tester refining your craft, a bug bounty hunter, or a developer switching to a versatile new language, Go (aka Golang) has the power to elevate your tools and workflows. Its simplicity, performance, and ease of use make it an ideal choice for building fast and reliable CLI tools.
Get ready to unlock the potential of Go as we dive deep into its features, applications, and practical implementations.
Who Invented Go and Who Owns It Today?
Go was officially announced in 2009, but development began in 2007 at Google by a trio of legendary software engineers:
- Robert Griesemer
- Rob Pike
- Ken Thompson (also one of the creators of UNIX).
Their goal was to design a language that combined the efficiency of C with the simplicity of Python, while addressing modern programming challenges like concurrency and scalable development.
Today, Google remains the principal owner and maintainer of the Go programming language. However, its development is community-driven, with an open-source model supported by contributors worldwide under the stewardship of the Go Team at Google.
Building a Simple Tool
Start small. Write a simple Go program that takes input from the command line, performs some logic, and outputs results. Go’s robust standard library makes it easy to get started.
To conclude, I’ll also walk you through creating a simple passive port scanner in Go that integrates advanced features like rate limit handling, Shodan API queries, and the usage of AllOrigins as a proxy. This scanner not only demonstrates Go’s concurrency and API handling but also serves as a great starting point for building more advanced tools.
Step 1: Download Go
Your first quest starts at the official Go download page. Here you’ll find the latest shiny releases and some pre-release goodies for the brave.
Step 2: Check Your Computer’s Architecture
Before grabbing your Go, let’s ensure you’re picking the right flavor. Open a terminal and summon the following spell:
$ uname -m
This reveals your machine’s processor architecture. Go supports x86, x86–64, ARM (various flavors), and even the mysterious ppc64le and s390x.
Step 3: Download the Go Archive
Head back to the Go download page and grab the tarball matching your architecture. You can use a browser or a CLI tool like wget or curl.
Step 4: Verify the Archive Hash
Never trust blindly — verify! Compare the SHA256 hash of your download with the one on the website. In the terminal, cast:
$ sha256sum go1.*.*.linux-amd64.tar.gz
If the hash matches, you’re good to proceed. If not, you might have stumbled into the realm of corrupted downloads or tampered files. Try again, brave soul!
Step 5: Unleash the Archive
Use the tar command to unleash Go from its tarball prison:
tar -xzvf go1.*.*.linux-amd64.tar.gz
A directory named go will appear like magic in your current directory. That’s your treasure chest.
Step 6: Set Your PATH
To wield Go from anywhere, you must update your PATH environment variable. Open your .bashrc or .bash_profile (whichever your system prefers) and add this line:
export PATH=$PATH:/path/to/go/bin
Replace /path/to/go with the actual path to the go directory. Save your changes.
Step 7: Reload Your Shell
Refresh your terminal’s magic spells by reloading your profile:
$ source ~/.zshrc
Now Go’s commands should work globally. You’re almost ready to rule.
Here’s a one-liner bash script that downloads the latest version of Go, installs it, and sets up the environment variables.
This script assumes you’re running on Linux or macOS:
curl -s https://go.dev/VERSION?m=text | xargs -I {} sh -c 'wget https://go.dev/dl/{}.linux-amd64.tar.gz -O go.tar.gz && sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go.tar.gz && rm go.tar.gz && echo "export PATH=\$PATH:/usr/local/go/bin" | tee -a ~/.zshrc && source ~/.zshrc && echo -en "Go {} installed successfully!"'
Step 8: Test Your Installation
Let’s ensure everything is working. Run:
$ go version
If Go responds with its version and your system details, congratulations! You’re officially a Go adventurer.
Step 9: Understand Go Environment Variables
Go has a few key environment variables that shape your development journey. Here are the MVPs:
- GOPATH: Where your Go workspace lives.
- GOROOT: Where Go is installed (hands off this one!).
- GOBIN: Where your compiled binaries land.
To see them all, try:
$ go env
This can be your guide when debugging setup issues.
Let’s Write a Go Program!
Here’s your first Go— a simple Hello, World! program:
package main
import "fmt"
func main() {
fmt.Println("Hello, World!")
}
Save it as main.go and run it with:
$ go run main.go
You should see “Hello, World!” greet you from the console.
Ready to level up? Let’s compile it into a binary:
$ go build -o HelloWorld main.go
Now you have an executable! No more dependencies — share it with your friends or enemies.
Why Go is a Pentester’s Best Friend
Go’s magic lies in its simplicity, speed, and cross-compilation abilities. CLI tools built with Go are fast, lightweight, and can be compiled for any platform — perfect for pentesters who need portable, efficient tools.
- Concurrency: Go’s goroutines make handling multiple tasks simultaneously a breeze.
- Static Binaries: Ship your tools without worrying about dependencies.
- Performance: Go’s speed rivals C/C++ but with modern ease of use.
Gois not just a general-purpose programming language; it has become an invaluable tool for developers, security professionals, and even malware creators due to its unique features. Here’s why Go stands out in various domains:
1. Tool Development
Go is ideal for creating robust, efficient command-line tools that can be cross-compiled and used across multiple operating systems. This makes it perfect for developing tools used in cybersecurity and other fields.
- Performance: Go offers performance close to C/C++ but with modern features that simplify development.
- Static Binaries: Go produces single, self-contained binaries, eliminating dependency issues. This makes Go tools portable and easy to distribute.
- Concurrency: Go’s lightweight goroutines enable handling thousands of simultaneous tasks, ideal for scanning, brute-forcing, or processing large datasets.
- Cross-Platform Compilation: Build your tools for Windows, Linux, or macOS effortlessly using Go’s
GOOSandGOARCHoptions.
Examples of Tools Built in Go
- Amass: Subdomain enumeration and OSINT tool.
- Gobuster: Directory and DNS brute-forcing.
- Subfinder: Subdomain discovery.
2. Malware Development
Go’s increasing adoption has extended to less ethical use cases, such as malware development. Here’s why Go is gaining traction in this space:
- Cross-Compilation: Malware authors can compile binaries for any platform, increasing the malware’s reach.
- Static Binaries: The inclusion of all dependencies makes detection harder, as malware doesn’t rely on external libraries.
- Obfuscation and Size: Go binaries are often larger, but this can sometimes bypass simplistic signature-based detection mechanisms.
- Concurrency: Go’s goroutines simplify tasks like scanning networks or managing large botnets.
While Rust is often chosen for advanced, performance-critical scenarios, Go remains a favorite for its simplicity and rapid development cycle.
Go vs. Rust in Malware Development
Rust has an inherent advantage when it comes to protecting binaries from reverse engineering:
- LLVM Optimizations: Rust’s compiler applies aggressive optimizations that generate highly optimized, hard-to-read machine code, making it difficult for reverse engineers to understand the underlying logic.
- Lack of Decompilers: While Go has mature decompilers and debuggers, Rust lacks comprehensive decompilation tools, providing an additional layer of security for binaries.
- Complex Binary Output: The intricate nature of Rust’s memory safety features (like borrow checking and lifetimes) results in binaries that are harder to analyze compared to those written in Go.
- Code Obfuscation: Rust’s community has begun integrating advanced obfuscation techniques into build processes, further complicating analysis.
Go
Advantages:
- Ease of Development: Simple syntax and rapid prototyping.
- Cross-Platform: Effortless compilation for multiple OS.
- Concurrency: Efficient multitasking with goroutines.
- Mature Ecosystem: Abundant libraries and debugging tools.
Disadvantages:
- Large Binaries: Statically linked, ~10–20 MB.
- Easier to Reverse Engineer: Well-developed decompilers.
- Limited Obfuscation: Less protection for binaries.
Rust
Advantages:
- Anti-Reversibility: LLVM optimizations, complex binaries, limited decompilers.
- High Performance: Minimal runtime overhead, memory safety.
- Obfuscation: Emerging tools enhance security.
Disadvantages:
- Steep Learning Curve: Borrow checker and syntax require more effort.
- Slower Prototyping: Complex development process.
These features make Rust particularly appealing for use cases where code confidentiality and resistance to reverse engineering are critical, such as:
- Proprietary software.
- Advanced malware development.
- Secure tools for penetration testing.
Choosing Between Go and Rust
- Use Go when simplicity, speed of development, and ease of distribution are priorities. It’s excellent for creating tools quickly without compromising performance.
- Use Rust when performance, security, and anti-reversibility are critical. For projects requiring low-level control or protection against reverse engineering, Rust is unmatched.
3. Penetration Testing
Go has made a significant impact on penetration testing due to its versatility and efficiency. Here’s why it’s a pentester’s best friend:
Key Advantages
- Concurrency for Efficiency:
- Tasks like network scans, brute-forcing, and multi-threaded operations can be implemented with ease using goroutines and channels.
- Example: Tools like Gobuster and Subfinder leverage Go’s concurrency to achieve exceptional speed.
2. Static Binaries for Portability:
- Compile your tools into self-contained binaries that work on any OS. This is critical when deploying tools in restricted or resource-limited environments.
- Example: Pentesters can create single executables for Linux, macOS, and Windows without modifying the source code.
3. High Performance:
- Go delivers the speed of C/C++ with a more modern and developer-friendly language.
- This performance is critical in time-sensitive pentesting tasks like fuzzing or large-scale enumeration.
4. Broader Use Cases:
- Systems Programming: With its low-level capabilities, Go is increasingly used for systems-level tasks such as building container runtimes (e.g., Docker).
- Cloud and DevOps: Go is the backbone of tools like Kubernetes and Terraform, making it an industry standard for cloud and infrastructure development.
- Web and API Development: Its fast HTTP server capabilities make it an excellent choice for APIs and microservices.
- Data Processing: Concurrency in Go is a game-changer for large-scale data processing pipelines.
Popular Penetration Testing Tools in Go
- ffuf: Fast web fuzzer.
- httpx: HTTP probing and reconnaissance.
- Hakrawler: Web spidering and content discovery.
Go Basics: Variables, Constants, and More
Let’s expand our horizons. Here’s a Go program showcasing variables and constants:
package main
import "fmt"
func main() {
var age int32 = 37
const pi = 3.14159
var salary = 100000.0
var width, height int = 100, 50
var name string
name = "anonymous"
surname := "anonymous"
fmt.Println("Age:", age)
fmt.Println("Pi:", pi)
fmt.Println("Salary:", salary)
fmt.Println("Width:", width)
fmt.Println("Height:", height)
fmt.Println("Name:", name)
fmt.Println("Surname:", surname)
}
The Highlights:
- Variables: Declared with
varor shorthand:=. - Constants: Declared with
constand immutable. - Type Inference: Go guesses types when not explicitly stated.
Run the program, and you’ll see all your variables printed to the console.
If-Else Magic
Go’s control structures are clean and powerful. Here’s a basic if-else example:
package main
import "fmt"
func main() {
x := 133
y := 7
if x > y {
fmt.Println("x is greater than y")
} else {
fmt.Println("y is greater than x")
}
}
Want to go deeper? Nest those conditions:
package main
import "fmt"
func main() {
x, y, z := 10, 5, 15
if x > y {
if x > z {
fmt.Println("x is the greatest")
} else {
fmt.Println("z is the greatest")
}
} else {
if y > z {
fmt.Println("y is the greatest")
} else {
fmt.Println("z is the greatest")
}
}
}
Switch Statements
Switch statements are another type of control statement in Golang that allows you to specify a set of conditions and the code that should be executed based on those conditions. They provide a concise way to test multiple values.
Syntax and Examples
Here is the syntax for a switch statement:
switch expression {
case value1:
// code to execute if expression == value1
case value2:
// code to execute if expression == value2
...
default:
// code to execute if no case matches
}
Example:
package main
import "fmt"
func main() {
x := 10
switch x {
case 1:
fmt.Println("x is 1")
case 10:
fmt.Println("x is 10")
default:
fmt.Println("x is not 1 or 10")
}
}
Multiple Values in a Case
You can specify multiple values in a single case:
package main
import "fmt"
func main() {
x := 10
switch x {
case 1, 5, 10:
fmt.Println("x is 1, 5, or 10")
case 100:
fmt.Println("x is 100")
default:
fmt.Println("x is not 1, 5, 10, or 100")
}
}
Using Switch as a Shorter If-Else
You can omit the expression in a switch statement to use it as a shorter if-else construct:
package main
import "fmt"
func main() {
x := true
switch {
case x == true:
fmt.Println("x is true")
case x == false:
fmt.Println("x is false")
}
}
Fallthrough Keyword
The fallthrough keyword forces execution of the subsequent case:
package main
import "fmt"
func main() {
x := 10
switch x {
case 1:
fmt.Println("x is 1")
fallthrough
case 10:
fmt.Println("x is 10")
case 100:
fmt.Println("x is 100")
default:
fmt.Println("x is not 1, 10, or 100")
}
}
For Loops
For loops are used to repeat a block of code a specific number of times.
Syntax and Basic Examples
for initialization; condition; post {
// code to execute
}
Example:
package main
import "fmt"
func main() {
for i := 0; i < 5; i++ {
fmt.Println(i)
}
}
Using For as a While Loop
Omit initialization and post statements to create a while loop:
package main
import "fmt"
func main() {
i := 0
for i < 5 {
fmt.Println(i)
i++
}
}
Using Range with For Loops
The range keyword iterates over collections:
package main
import "fmt"
func main() {
numbers := []int{1, 2, 3, 4, 5}
for i, num := range numbers {
fmt.Println("Index:", i, "Value:", num)
}
}
Break and Continue
The break statement exits a loop early, while continue skips the current iteration.
Break Example
package main
import "fmt"
func main() {
for i := 0; i < 5; i++ {
if i == 3 {
break
}
fmt.Println(i)
}
}
Continue Example
package main
import "fmt"
func main() {
for i := 0; i < 5; i++ {
if i == 3 {
continue
}
fmt.Println(i)
}
}
Functions in Golang
Functions are reusable blocks of code that perform specific tasks, enabling better organization and efficiency.
Definition and Purpose
A function is a block of code designed to perform a task. Functions in Golang can:
- Perform repetitive tasks
- Break down complex problems
- Promote code reusability
Golang functions support features like multiple return values, closures, and variadic parameters.
Syntax and Structure
Define a function using the func keyword:
func myFunction() {
// code to execute
}
Function Signature and Parameters
Functions can take parameters and return values:
func add(a int, b int) int {
return a + b
}
Multiple Return Values
func swap(a, b string) (string, string) {
return b, a
}
Shorthand Notation
For parameters of the same type:
func add(a, b int) int {
return a + b
}
Calling Functions
Invoke a function by its name:
result := add(2, 3)
Capture multiple return values:
first, second := swap("Hello", "World")
Function Scope
Variables defined inside a function are locally scoped:
var globalVariable int
func myFunc() {
localVariable := 2
// do something with localVariable
}
Anonymous Functions
Functions without a name can be immediately invoked:
package main
import "fmt"
func main() {
func() {
fmt.Println("Hello, World!")
}()
}
Closures
Closures retain access to variables in their defining scope:
func sayHello() func() string {
hey := "Hello"
return func() string {
return hey
}
}
Closures are useful for callbacks, event handlers, and more.
Variadic Functions
First, let’s talk about variadic functions. A variadic function is a function that can accept a variable number of arguments. You can define a variadic function in Golang by using the ... in the type of the last parameter. For example:
func sum(numbers ...int) int {
total := 0
for _, num := range numbers {
total += num
}
return total
}
Here, the numbers parameter is of type []int and can accept any number of integer arguments. You can call the function with zero or more arguments:
fmt.Println(sum()) // Output: 0
fmt.Println(sum(1, 2, 3)) // Output: 6
Variadic functions are especially useful for implementing utility functions like fmt.Printf.
Defer Keyword
The defer keyword schedules a function call to be executed right before the surrounding function returns. This is particularly useful for resource cleanup. Here’s an example:
func readFile(filename string) {
file, err := os.Open(filename)
if err != nil {
log.Fatal(err)
}
defer file.Close()
// Process the file
content, _ := ioutil.ReadAll(file)
fmt.Println(string(content))
}
The defer statement ensures the file is closed even if an error occurs during processing.
Recursion
Recursion is a technique where a function calls itself to solve smaller instances of a problem. It’s important to define a base case to prevent infinite recursion.
Example 1: Factorial
func factorial(n int) int {
if n == 0 {
return 1
}
return n * factorial(n-1)
}
Example 2: Fibonacci Sequence
func fibonacci(n int) int {
if n <= 1 {
return n
}
return fibonacci(n-1) + fibonacci(n-2)
Recursion is elegant but may not always be the most efficient solution due to potential stack overflow or performance issues.
Higher-Order Functions
Higher-order functions are functions that accept other functions as arguments or return them. This is a powerful feature for creating reusable abstractions.
Example: Map Function
func mapFunc(arr []int, fn func(int) int) []int {
result := make([]int, len(arr))
for i, v := range arr {
result[i] = fn(v)
}
return result
}
func main() {
nums := []int{1, 2, 3}
squared := mapFunc(nums, func(x int) int { return x * x })
fmt.Println(squared) // Output: [1 4 9]
}
Higher-order functions provide a declarative way to work with data transformations.
Interfaces
Interfaces define a set of method signatures and provide a way to achieve polymorphism in Go.
Example: Polymorphism with Interfaces
type Shape interface {
Area() float64
}
type Circle struct {
Radius float64
}
func (c Circle) Area() float64 {
return math.Pi * c.Radius * c.Radius
}
type Rectangle struct {
Width, Height float64
}
func (r Rectangle) Area() float64 {
return r.Width * r.Height
}
func printArea(s Shape) {
fmt.Println(s.Area())
}
func main() {
c := Circle{Radius: 5}
r := Rectangle{Width: 4, Height: 6}
printArea(c) // Output: 78.54
printArea(r) // Output: 24
}
Interfaces allow us to write flexible and reusable code.
Custom Error Types
Go’s error handling can be extended by creating custom error types.
Example: Custom Error Type
type AppError struct {
Code int
Message string
}
func (e *AppError) Error() string {
return fmt.Sprintf("Error %d: %s", e.Code, e.Message)
}
func doSomething(flag bool) error {
if !flag {
return &AppError{Code: 123, Message: "Something went wrong"}
}
return nil
}
func main() {
if err := doSomething(false); err != nil {
fmt.Println(err)
}
}
Custom error types provide more context for debugging.
Buffered Channels
Buffered channels can hold a limited number of values without requiring a receiver to be ready.
Example: Buffered Channel
func main() {
ch := make(chan string, 2)
ch <- "hello"
ch <- "world"
fmt.Println(<-ch) // Output: hello
fmt.Println(<-ch) // Output: world
}
Buffered channels are useful when you want to decouple the sender and receiver.
Testing in Go
Go has a built-in testing package for writing unit tests.
Example: Writing a Test
package main
import "testing"
func Add(a, b int) int {
return a + b
}
func TestAdd(t *testing.T) {
result := Add(2, 3)
if result != 5 {
t.Errorf("Expected 5, got %d", result)
}
}
Run tests with:
go test
Testing ensures code reliability and simplifies maintenance.
Some popular frameworks for web development include Gin, Echo, and Beego.
Gin is known for its speed and low memory usage, while Echo is known for its simplicity and flexibility.
Beego is a full-stack web framework that provides ORM, routing, and other features out of the box.
For microservices, you might consider frameworks like Go Micro or KrakenD.
Gin example:
package main
import (
"github.com/gin-gonic/gin"
"net/http"
)
func main() {
r := gin.Default()
r.GET("/", func(c *gin.Context) {
c.JSON(http.StatusOK, gin.H{"message": "Welcome to Gin Framework!"})
})
r.Run(":8080")
}
Echo example:
package main
import (
"github.com/labstack/echo/v4"
"net/http"
)
func main() {
e := echo.New()
e.GET("/", func(c echo.Context) error {
return c.String(http.StatusOK, "Welcome to Echo Framework!")
})
e.Logger.Fatal(e.Start(":1323"))
}
Beego example:
package main
import (
"fmt"
"github.com/astaxie/beego"
"github.com/astaxie/beego/orm"
_ "github.com/go-sql-driver/mysql"
)
type User struct {
Id int
Name string
}
func init() {
orm.RegisterDataBase("default", "mysql", "root:password@/test?charset=utf8", 30)
orm.RegisterModel(new(User))
}
func main() {
o := orm.NewOrm()
user := User{Name: "new_user"}
id, err := o.Insert(&user)
if err != nil {
fmt.Println("Insert Error:", err)
} else {
fmt.Println("User ID:", id)
}
}
As you can see, each framework has its strengths and weaknesses. You should consider your project’s requirements and choose the framework that best fits your needs.
Next, let’s talk about Golang package managers and dependency managers. Effective dependency management is essential for maintaining a robust Golang project. Tools like go get and go mod allow you to easily handle your project's dependencies—whether installing, updating, or removing packages.
Example:
# Using go mod (modern and recommended)
$ go mod init github.com/example/mymodule # Initialize a new module
$ go get github.com/gin-gonic/gin # Add a dependency
# Legacy Tools (Not Recommended)
# Using dep
$ dep ensure
# Using Glide
$ glide get github.com/gin-gonic/gin
# Using Godep
$ godep get github.com/gin-gonic/gin
Dependency managers help ensure your project’s dependencies remain consistent and manageable. They streamline the process of integrating external libraries into your codebase, saving time and reducing potential errors.
Finally, let’s talk about some other popular Golang tools and frameworks. If you need to write tests for your Golang code, you might consider using the testing package or a testing framework like Ginkgo.
For logging and monitoring, you might consider using frameworks like Zap or Prometheus.
And if you need to work with databases, you might consider using a package like GORM or a framework like Buffalo.
Ginkgo example:
package main
import (
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
var _ = Describe("Calculator", func() {
Context("Addition", func() {
It("adds two numbers correctly", func() {
sum := 2 + 3
Expect(sum).To(Equal(5))
})
})
})
Zap example:
package main
import (
"go.uber.org/zap"
)
func main() {
logger, _ := zap.NewProduction()
defer logger.Sync()
sugar := logger.Sugar()
sugar.Infof("Logging example with Zap Framework")
}
Prometheus example:
package main
import (
"net/http"
"github.com/prometheus/client_golang/prometheus/promhttp"
)
func main() {
http.Handle("/metrics", promhttp.Handler())
http.ListenAndServe(":8080", nil)
}
GORM example:
package main
import (
"fmt"
"gorm.io/driver/mysql"
"gorm.io/gorm"
)
type User struct {
gorm.Model
Name string
}
func main() {
dsn := "user:password@tcp(localhost:3306)/mydb?charset=utf8&parseTime=True&loc=Local"
db, err := gorm.Open(mysql.Open(dsn), &gorm.Config{})
if err != nil {
panic("failed to connect database")
}
db.AutoMigrate(&User{})
db.Create(&User{Name: "Alice"})
var user User
db.First(&user, 1)
fmt.Println(user.Name)
db.Model(&user).Update("Name", "Bob")
db.Delete(&user)
}
Buffalo example:
package main
import (
"github.com/gobuffalo/buffalo"
)
func main() {
app := buffalo.New(buffalo.Options{})
app.GET("/", func(c buffalo.Context) error {
return c.Render(200, r.String("Hello from Buffalo!"))
})
app.Serve()
}
As you can see, Golang offers a wide range of tools and frameworks that can simplify your development process. By choosing the right framework for your project and using package managers and dependency managers effectively, you can write high-quality code more efficiently.
In summary, Golang tools and frameworks can simplify development by providing useful functionalities out of the box, and package managers and dependency managers can make it easy to manage third-party libraries and dependencies.
When choosing a library or framework for your project, consider its compatibility with your project’s requirements and the level of support and community behind it.
What is a struct in Go?
A struct is a composite data type that groups together zero or more values of any type. Think of a struct like a container that can hold different pieces of information — kind of like a class in object-oriented programming.
How to define a struct in Go:
In Go, you define a struct using the type keyword followed by the name of your struct and then a set of curly braces containing the fields of your struct. Here’s an example:
type Person struct {
Name string
Age int
}
How to use a struct in Go:
To use a struct in Go, you first need to create an instance of the struct. Here’s an example:
person := Person{Name: "John", Age: 30}
Accessing fields of a struct:
fmt.Println(person.Name)
fmt.Println(person.Age)
Struct initialization:
alice := &Person{Name: "Alice", Age: 25}
fmt.Println(alice)
Embedded structs:
type Address struct {
City string
State string
}
type Person struct {
Name string
Age int
Address Address
}
Using pointers with structs:
func updateAge(p *Person, newAge int) {
p.Age = newAge
}
person := Person{Name: "Eve", Age: 20}
updateAge(&person, 25)
fmt.Println(person.Age)
Customizing struct field names:
type Person struct {
Name string `json:"name"`
Age int `json:"age"`
}
Anonymous structs:
person := struct {
Name string
Age int
}{Name: "Anonymous", Age: 999}
fmt.Println(person)
Nested structs:
type Person struct {
Name string
Age int
Address struct {
City string
State string
}
}
person := Person{
Name: "Lyn",
Age: 23,
Address: struct {
City string
State string
}{City: "LA", State: "California"},
}
fmt.Println(person.Address.City)
File I/O in Golang:
Opening a file for reading:
file, err := os.Open("input.txt")
if err != nil {
log.Fatal(err)
}
defer file.Close()
Reading file line by line:
package main
import (
"bufio"
"fmt"
"log"
"os"
)
func main() {
// Open the file
file, err := os.Open("example.txt")
if err != nil {
log.Fatalf("Failed to open file: %v", err)
}
defer file.Close()
// Create a scanner to read the file line by line
scanner := bufio.NewScanner(file)
for scanner.Scan() {
fmt.Println(scanner.Text()) // Print each line to the console
}
// Check for errors during scanning
if err := scanner.Err(); err != nil {
log.Fatalf("Error reading file: %v", err)
}
}
In this example, we open the file example.txt and use a bufio.Scanner to read its contents line by line. Each line is printed using fmt.Println(). Finally, we handle any errors encountered during the scanning process.
Writing to a File:
package main
import (
"fmt"
"log"
"os"
)
func main() {
// Create or open a file for writing
file, err := os.Create("output.txt")
if err != nil {
log.Fatalf("Failed to create file: %v", err)
}
defer file.Close()
// Write a string to the file
_, err = file.WriteString("This is a sample text written to the file.\n")
if err != nil {
log.Fatalf("Failed to write to file: %v", err)
}
fmt.Println("Data written to file successfully!")
}
In this example, a new file output.txt is created (or overwritten if it already exists). The WriteString method writes a sample text to the file, and any errors are handled appropriately.
Error Handling in Golang
Errors in Golang are represented by the error interface, which has a single method, Error(), returning a string describing the error. Functions encountering an error can return it as a value.
Here’s an example of returning an error from a function:
func divide(x, y float64) (float64, error) {
if y == 0 {
return 0, fmt.Errorf("division by zero")
}
return x / y, nil
}
In this example, the divide function checks if y is zero. If true, it returns an error using fmt.Errorf. Otherwise, it performs the division.
When calling functions that may return errors, we handle them using the if err != nil construct:
result, err := divide(10.0, 0.0)
if err != nil {
log.Fatal(err)
}
fmt.Println(result)
Here, we attempt to divide 10.0 by 0.0. If there’s an error, it’s logged and the program exits. If there’s no error, the result is printed.
We can also use defer with anonymous functions for cleanup and error handling. For example:
file, err := os.Open("ba.sh")
if err != nil {
log.Fatal(err)
}
defer func() {
if err := file.Close(); err != nil {
log.Fatal(err)
}
}()
In this snippet, we open ba.sh for reading and use defer to ensure the file is closed after use. The anonymous function inside defer handles potential errors from file.Close().
Best Practices for Golang Programming
Writing Clean and Readable Code
Clean code is easy to read, understand, and maintain. Follow consistent formatting, use proper naming conventions, and avoid unnecessary complexity.
Poorly Formatted Code:
func add(x,y,z int)int{
result:=x+y+z
return result
}
Properly Formatted Code:
func add(x, y, z int) int {
result := x + y + z
return result
}
Tips for Clean Code
1. Use Consistent Formatting:
func main() {
var x int = 5
if x > 0 {
fmt.Println("x is positive")
} else {
fmt.Println("x is non-positive")
}
}
2. Follow Naming Conventions: Use camelCase for variables and PascalCase for functions and struct names.
type User struct {
ID int
FirstName string
LastName string
}
func NewUser(id int, firstName, lastName string) *User {
return &User{ID: id, FirstName: firstName, LastName: lastName}
}
3. Avoid Unnecessary Complexity:
func addNumbers(nums []int) int {
sum := 0
for _, num := range nums {
sum += num
}
return sum
}
Writing Efficient Golang Code
Efficient code improves performance and scalability. Here are tips for optimization:
- Use Channels and Goroutines:
func slowFunction() {
time.Sleep(5 * time.Second)
fmt.Println("Slow function finished")
}
func fastFunction(done chan bool) {
go slowFunction()
done <- true
}
func main() {
done := make(chan bool)
go fastFunction(done)
<-done
}
2. Avoid Unnecessary Memory Allocation: Use slices and pointers efficiently.
func sum(nums []int) int {
total := 0
for _, num := range nums {
total += num
}
return total
}
3. Leverage Built-In Functions:
func main() {
nums := []int{1, 2, 3, 4, 5}
fmt.Println(len(nums))
}
Secure Golang Coding Practices
Security is critical in programming. Here are examples of common vulnerabilities and their fixes.
1. Remote Code Execution
Vulnerable Code:
func executeCommand(cmd string) {
exec.Command("sh", "-c", cmd).Run()
}
func main() {
executeCommand(os.Args[1])
}
Secure Code:
func executeCommand(cmd string, args []string) error {
return exec.Command(cmd, args...).Run()
}
func main() {
cmd := "ls"
args := []string{"-l"}
if err := executeCommand(cmd, args); err != nil {
log.Fatal(err)
}
}
- Fix: Avoid accepting untrusted input as commands. Validate and sanitize inputs.
2. SQL Injection
Vulnerable Code:
func getUserData(userID string) {
query := "SELECT * FROM users WHERE id = '" + userID + "'"
db.Query(query)
}
Secure Code:
func getUserData(userID string) {
query := "SELECT * FROM users WHERE id = ?"
db.Query(query, userID)
}
- Fix: Use parameterized queries to prevent injection attacks.
Common Mistakes to Avoid
1. Not Initializing Variables
Mistake:
func main() {
var x int
fmt.Println(x)
}
Fixed:
func main() {
var x int = 0
fmt.Println(x)
}
2. Using Global Variables
Mistake:
var x int = 0
func main() {
fmt.Println(x)
}
Fixed:
func main() {
x := 0
fmt.Println(x)
}
3. Not Handling Errors
Mistake:
func main() {
f, err := os.Open("file.md")
fmt.Println(f.Name())
}
Fixed:
func main() {
f, err := os.Open("file.md")
if err != nil {
log.Fatal(err)
}
defer f.Close()
fmt.Println(f.Name())
}
How to Learn Go (Golang) Effectively
Mastering Go requires a combination of foundational knowledge, practical implementation, and deep dives into advanced concepts. Here’s a comprehensive roadmap to learning Go:
1. Learning the Basics
Videos and Tutorials
Free Resources:
Tech with Tim — Golang Playlist: A concise, beginner-friendly playlist to start with Go. Great for quick learning sessions.
Paid Resources:
- Udemy Course by Todd McLeod — “How to Code: Google’s Go”: Ideal for learners who enjoy detailed, story-driven teaching. While longer, this course dives deep into Go’s foundational concepts.
Self-Learning Platforms
- Tour of Go: An interactive introduction to Go concepts. Recommended for those who prefer a hands-on, self-paced learning experience.
- Go by Example: A practical resource with numerous examples for each Go concept. Use it alongside the “Tour of Go” for deeper insights.
Books for In-Depth Learning
- The Go Programming Language by Alan A. A. Donovan and Brian W. Kernighan: A classic for learning Go fundamentals and best practices.
- Concurrency in Go by Katherine Cox-Buday: A must-read for understanding Go’s powerful concurrency model.
2. Advanced Concepts
Concurrency
Go’s concurrency features, such as goroutines and channels, are among its most powerful tools. Mastering them is key to building scalable systems.
Channels:
- Basic Channels Tutorial (Video): Explains how to use channels effectively.
- Blog on Handling Go Concurrency: A comprehensive look at implementing concurrency pipelines.
Wait Groups:
- Wait Groups Basics (Video): Learn how to coordinate multiple goroutines.
Mutexes:
- Mutexes in Go (Video): An introduction to mutex usage for avoiding race conditions.
API Development
Popular Go frameworks for API development:
1. Gorilla Mux: A beginner-friendly router and web framework.
- Tutorial: Building a REST API with Gorilla Mux.
2. Fiber: High-performance framework inspired by Express.js.
- Tutorial: Fiber API Basics.
3. Gin: Known for its speed and simplicity.
4. Tutorial: Building a RESTful API with Gin.
3. Practical Learning through Projects
Beginner Projects
- Build a basic TODO CLI using Cobra.
- Create a URL Shortener.
- Develop a Simple Web App with Gorilla or Gin.
Intermediate Projects
- Integrate APIs like the Reddit API or Weather API.
- Implement file upload and download with concurrency.
- Build a restaurant backend API with authentication and database integration.
- Add a queue system to handle asynchronous tasks.
Advanced Projects
- Upgrade the restaurant API to microservices architecture with an API Gateway.
- Implement two-phase commit protocols with robust corner-case handling.
- Develop a distributed task manager for parallel computation across multiple servers.
- Create the Bully Algorithm for leader election in distributed systems, with test coverage.
4. Supplementary Resources
Repositories for Learning and Inspiration
- Tanner Gabriel — Learning Go: A curated repository with structured exercises.
- Karan Pratap Singh — Go Resources: A vast collection of Go-related learning materials.
Gophercises Projects
- Gophercises: A set of free, practical exercises for Go developers. Perfect for hands-on experience.
5. Best Practices for Learning
- Practice Regularly: Solve challenges on platforms like Hackerrank, Exercism and LeetCode using Go.
- Engage with the Community: Join forums like GoLang Reddit and attend local Go meetups or conferences.
- Build Real-World Applications: Move beyond tutorials by creating real-world tools and applications.
- Contribute to Open Source: Explore GitHub and contribute to Go projects to enhance your skills.
- Stay Updated: Follow Go’s official blog for the latest updates and features.
By combining structured learning with practical projects, you can effectively master Go and build robust, high-performance applications.
A Practical Example: Simple Port Scanner
As I promised before, I will walk you through building a passive port scanner in Go. This scanner integrates advanced features like rate limit handling, Shodan API queries, and the use of AllOrigins as a proxy to bypass API restrictions efficiently.
It demonstrates Go’s concurrency and API handling in action:
package main
import (
"bufio"
"context"
"encoding/json"
"errors"
"flag"
"fmt"
"io"
"log"
"net/http"
"net/url"
"os"
"os/signal"
"regexp"
"strings"
"sync"
"syscall"
"time"
)
type ShodanResponse struct {
Ports []int `json:"ports"`
ASN string `json:"asn"`
Hostnames []string `json:"hostnames"`
}
const (
shodanRateLimit = time.Second // 1 request per second
)
// Fetch IPs using Shodan facets with AllOrigins proxy
func fetchIPsUsingFacets(query string) ([]string, error) {
proxyURL := fmt.Sprintf("https://api.allorigins.win/get?url=%s", url.QueryEscape(fmt.Sprintf("https://www.shodan.io/search/facet?query=%s&facet=ip", query)))
resp, err := http.Get(proxyURL)
if err != nil {
return nil, fmt.Errorf("failed to fetch data from Shodan facets via AllOrigins: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
body, _ := io.ReadAll(resp.Body)
return nil, fmt.Errorf("AllOrigins proxy API error (%d): %s", resp.StatusCode, string(body))
}
var proxyResponse struct {
Contents string `json:"contents"`
}
if err := json.NewDecoder(resp.Body).Decode(&proxyResponse); err != nil {
return nil, fmt.Errorf("failed to parse AllOrigins proxy response: %w", err)
}
re := regexp.MustCompile(`<strong>([^<]+)</strong>`)
matches := re.FindAllStringSubmatch(proxyResponse.Contents, -1)
ipRe := regexp.MustCompile(`\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b`)
var ips []string
for _, match := range matches {
if len(match) > 1 && ipRe.MatchString(match[1]) {
ips = append(ips, match[1])
}
}
return removeDuplicates(ips), nil
}
// Remove duplicate IPs
func removeDuplicates(ips []string) []string {
uniqueIPs := make(map[string]struct{})
for _, ip := range ips {
uniqueIPs[ip] = struct{}{}
}
var dedupedIPs []string
for ip := range uniqueIPs {
dedupedIPs = append(dedupedIPs, ip)
}
return dedupedIPs
}
// Fetch Shodan data for an IP
func fetchShodanData(ipAddress, apiKey string) (*ShodanResponse, error) {
url := fmt.Sprintf("https://api.shodan.io/shodan/host/%s?key=%s", ipAddress, apiKey)
resp, err := http.Get(url)
if err != nil {
return nil, fmt.Errorf("failed to fetch data from Shodan: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusTooManyRequests {
retryAfter := resp.Header.Get("Retry-After")
delay, err := time.ParseDuration(retryAfter + "s")
if err == nil {
time.Sleep(delay)
return fetchShodanData(ipAddress, apiKey)
}
return nil, errors.New("rate limit reached, retry later")
}
if resp.StatusCode != http.StatusOK {
body, _ := io.ReadAll(resp.Body)
return nil, fmt.Errorf("Shodan API error (%d): %s", resp.StatusCode, string(body))
}
var shodanResponse ShodanResponse
if err := json.NewDecoder(resp.Body).Decode(&shodanResponse); err != nil {
return nil, fmt.Errorf("failed to parse Shodan response: %w", err)
}
return &shodanResponse, nil
}
// Helper function to build Shodan queries
func buildShodanQuery(domain, query, additionalQueries string, sslFlag bool) string {
domainQuery := fmt.Sprintf("hostname:%s", url.QueryEscape(domain))
if sslFlag {
domainQuery = fmt.Sprintf("ssl.cert.subject.cn:\"%s\"", domain)
}
if query != "" {
domainQuery = fmt.Sprintf("%s+%s", domainQuery, url.QueryEscape(query))
}
if additionalQueries != "" {
domainQuery = fmt.Sprintf("%s+%s", domainQuery, additionalQueries)
}
return domainQuery
}
func main() {
var sslFlag bool
flag.BoolVar(&sslFlag, "ssl", false, "Use SSL certificate search")
flag.Usage = func() {
fmt.Println("Usage: cat input | ./portscanner [options] <Shodan_API_Key>")
flag.PrintDefaults()
}
flag.Parse()
// Check for API key in environment variables
apiKey := os.Getenv("SHODAN_API_KEY")
if apiKey == "" && flag.NArg() > 0 {
apiKey = flag.Arg(0)
}
if apiKey == "" {
fmt.Println("Error: Shodan API key not provided.")
fmt.Println("Set it using the SHODAN_API_KEY environment variable or pass it as a command-line argument.")
flag.Usage()
os.Exit(1)
}
ctx, cancel := context.WithCancel(context.Background())
signalChan := make(chan os.Signal, 1)
signal.Notify(signalChan, os.Interrupt, syscall.SIGTERM)
go func() {
<-signalChan
fmt.Println("\nGracefully shutting down...")
cancel()
os.Exit(0)
}()
scanner := bufio.NewScanner(os.Stdin)
var wg sync.WaitGroup
throttle := time.Tick(shodanRateLimit)
for scanner.Scan() {
select {
case <-ctx.Done():
return
default:
}
input := strings.TrimSpace(scanner.Text())
if input == "" {
continue
}
wg.Add(1)
go func(domain string) {
defer wg.Done()
query := buildShodanQuery(domain, "", "", sslFlag)
ips, err := fetchIPsUsingFacets(query)
if err != nil {
log.Printf("Error fetching IPs for %s: %v\n", domain, err)
return
}
for _, ip := range ips {
<-throttle
data, err := fetchShodanData(ip, apiKey)
if err != nil {
log.Printf("Error processing %s: %v\n", ip, err)
continue
}
fmt.Printf("IP: %s\n", ip)
fmt.Printf("Open Ports: %v\n", data.Ports)
if len(data.Hostnames) > 0 {
fmt.Printf("Hostnames: %s\n", strings.Join(data.Hostnames, ", "))
}
if data.ASN != "" {
fmt.Printf("ASN: %s\n", data.ASN)
}
fmt.Println()
}
}(input)
}
wg.Wait()
if err := scanner.Err(); err != nil {
log.Printf("Error reading input: %v\n", err)
}
}
This tool takes input domains via stdin, queries Shodan using its API, and retrieves open ports, subdomains and related metadata. It also uses the AllOrigins proxy to bypass certain restrictions, showcasing how external APIs and proxies can enhance tools.
Usage Example:
You can use the scanner as follows:
echo input | scanner $SHODAN_API_KEY
Example output:
IP: 13.37.31.13
Open Ports: [80 443 1337]
Hostnames: 13.37.31.13.bc.googleusercontent.com, wg.example.com
ASN: AS12345
IP: 37.31.13.37
Open Ports: [443 22]
Hostnames: canary-certificate-for-noop.example.com
ASN: AS1234
IP: 10.10.10.10
Open Ports: [21 80 443]
Hostnames: download.example.com, upgrade.example.com
ASN: AS54321
Key Topics Covered:
- Port Scanning: Discovering open ports for reconnaissance.
- Shodan: Integrating Shodan’s API to fetch data like open ports and hostnames.
- AllOrigins: Use AllOrigins to bypass direct API restrictions, ensuring high-efficiency scans without blocking.
Why This Port Scanner is Powerful
- Passive Scanning: Since this scanner is passive, you can scan over 1,000 hosts in just minutes, making it highly efficient for large-scale reconnaissance.
- Flexible Expansion: You can integrate tools like Nmap CLI into this scanner for active scanning, enabling detailed analysis of thousands of hosts quickly and effectively.
More Ideas for This Project
- Automation Pipelines: Integrate this scanner into automation pipelines for continuous reconnaissance and monitoring.
- Combine Passive and Active Scanning: Implement a hybrid mode where the tool first queries Shodan (passive) and then confirms results or scans for additional ports using active techniques.
- Service Detection: Use libraries like
github.com/Ullaakut/nmapto parse service information. - Threat Intelligence: Combine this scanner with threat intelligence platforms to enrich the data collected, helping identify vulnerable or high-risk targets.
- Output Format: Use structured output formats (e.g., JSON or CSV) for easier integration with other tools.
- Custom Filters: Add filters to prioritize results, such as only displaying ports related to specific services or protocols.
- Dashboard Integration: Visualize results using a web dashboard or export them to SIEM tools for better analysis.
- Cloud Adaptation: Deploy this tool in the cloud to scale it across multiple instances, increasing efficiency for massive scans.
- AI-Driven Analysis: Leverage machine learning models to analyze port scan results and highlight unusual patterns or potential anomalies.
- Error Handling Enhancements: Provide more detailed error messages or write errors to a log file for post-run analysis.
This is just the beginning. The world of Go offers endless possibilities for creating efficient and scalable tools.
Dive deeper, experiment more, and let your creativity flow!