
Hacking with Golang

2022-06-24 05:32:00 Wang Lei -ai Foundation

Background

According to a report, Golang has become the most popular tool language among hackers after Python, and the gap to Python is narrowing. Golang shares some of Python's advantages: fast development and cross-platform builds. It also has an advantage Python lacks: high runtime efficiency. In brute-force cracking, port scanning, crawlers and similar scenarios, the efficiency of the programming language still matters a great deal.

This article looks at several well-known Golang security projects to see where and how Golang is used in the security field.

Intranet penetration

The well-known tools here are frp, ngrok and gost. Strictly speaking, the usage scenario of these tools is not a security one [although intranet penetration brings its own security problems and is easily abused by attackers]. Their users all want the same thing: in a complex intranet environment, expose a server that only has an intranet IP to the public network. Such tunnel services are simple in principle and resemble an nginx reverse proxy, except that the proxied side initiates the connection and asks to be proxied. The specific flow is as follows:

sequenceDiagram
    Intranet client A->>Tunnel service: Please proxy my local service A
    Tunnel service->>Intranet client A: OK
    Internet user->>Tunnel service: I want to visit service A
    Tunnel service->>Intranet client A: Someone wants to visit, forwarding to you
    Intranet client A->>Tunnel service: Response from service A
    Tunnel service->>Internet user: Response from service A
  • ngrok is an old tool; its last update was about 5 years ago. The principle is the same as the flow chart above: the remote tunnel service is ngrokd, and the local side uses the ngrok client. There are still some free tunnel services: a user only needs to run ngrok locally and register with a free public tunnel service to reach their own internal service through an assigned domain name. Of course this carries great security risk, since it is easily subjected to the man-in-the-middle attack described in the next section.
  • frp is more popular today, supports more features, and is still being maintained and updated. frp supports not only HTTP forwarding but also TCP/UDP/DNS request forwarding. For security it offers a management interface and token/OIDC authentication.
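The flow in the diagram above, written out as an added Go example (not frp's, ngrok's or gost's code): a minimal reverse tunnel in which the intranet client dials out to the tunnel service and registers, each Internet visitor is parked until the client dials back with a data connection, and the service then bridges the two, so the proxied side initiates every connection. The one-byte opcodes, the two listeners and the `Visit` helper are assumptions made for this example. The example has no authentication at all, which is exactly the gap the token/OIDC options in frp exist to close: anyone who can reach the control port can register as "service A".

```go
package main

import (
	"io"
	"net"
	"net/http"
)

// Opcodes of the toy control protocol (constructed for this example):
// 'C' client->server: this is my control channel; 'N' server->client: a visitor
// arrived, dial back with a data connection; 'D' client->server: data connection.
const opControl, opNew, opData = 'C', 'N', 'D'

func pipe(a, b net.Conn) { // copy both ways until one side hangs up
	go func() { io.Copy(a, b); a.Close() }()
	io.Copy(b, a)
	b.Close()
}

// TunnelServer is the public tunnel service: Ctl takes the intranet client's
// outbound connections, Pub takes Internet visitors who want to reach service A.
type TunnelServer struct {
	Ctl, Pub net.Listener
	control  chan net.Conn // delivers the client's control connection once
	pending  chan net.Conn // visitors parked until the client opens a data connection
}

func NewTunnelServer() (*TunnelServer, error) {
	ctl, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return nil, err }
	pub, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return nil, err }
	s := &TunnelServer{ctl, pub, make(chan net.Conn, 1), make(chan net.Conn, 16)}
	go s.acceptClient()
	go s.acceptVisitors()
	return s, nil
}

// acceptClient reads one opcode per intranet-side connection.
func (s *TunnelServer) acceptClient() {
	for {
		c, err := s.Ctl.Accept()
		if err != nil { return }
		go func() {
			op := make([]byte, 1)
			if _, err := io.ReadFull(c, op); err == nil && op[0] == opControl {
				s.control <- c
			} else if err == nil && op[0] == opData {
				pipe(c, <-s.pending) // bridge with the oldest parked visitor
			} else {
				c.Close()
			}
		}()
	}
}

// acceptVisitors waits for the client to register, then parks each visitor and
// sends opNew so the client dials back with a data connection for it.
func (s *TunnelServer) acceptVisitors() {
	ctl := <-s.control
	for {
		v, err := s.Pub.Accept()
		if err != nil { return }
		s.pending <- v
		ctl.Write([]byte{opNew})
	}
}

// RunTunnelClient runs on the intranet host ("client A"): it dials out, registers,
// and for every opNew opens a data connection and bridges it to localAddr.
func RunTunnelClient(serverAddr, localAddr string) error {
	ctl, err := net.Dial("tcp", serverAddr)
	if err != nil { return err }
	if _, err := ctl.Write([]byte{opControl}); err != nil { return err }
	go func() {
		for op := make([]byte, 1); ; {
			if _, err := io.ReadFull(ctl, op); err != nil || op[0] != opNew { return }
			go func() {
				data, err := net.Dial("tcp", serverAddr)
				if err != nil { return }
				data.Write([]byte{opData})
				local, err := net.Dial("tcp", localAddr)
				if err != nil { data.Close(); return } // service A down: the visitor sees the drop
				pipe(data, local)
			}()
		}
	}()
	return nil
}

// Visit plays the Internet user: fetch path from service A via the tunnel's public address.
func Visit(publicAddr, path string) (string, error) {
	resp, err := http.Get("http://" + publicAddr + path)
	if err != nil { return "", err }
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}
```

To drive it, start any HTTP server on loopback as "service A", create a `TunnelServer`, call `RunTunnelClient(srv.Ctl.Addr().String(), serviceAddr)`, and then `Visit(srv.Pub.Addr().String(), "/")` from the "Internet" side; the request never requires an inbound connection to the intranet host.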

Proxies / man-in-the-middle attacks

  • gost is a proxy tool. Its design is relatively simple, but its core capabilities cover HTTP/HTTPS/SOCKS5/QUIC and so on, and it also supports transparent proxying via iptables.
    • An important concept in gost is the Node. One ProxyNode represents one hop in a forwarding chain, and a Node can use different Protocol and Transport settings. Nodes are divided into LocalNode and ChainNode: a chain node is remote and needs a Transporter and a Connector, while a LocalNode accepts local requests and needs a Listener and a Handler. Each of these has a different implementation for each protocol.
    • The actual flow is: LocalNode.Listener.Accept => LocalNode.Handle => pick one Node in the Chain and use its Client [i.e. the Transporter/Connector] to connect to the proxy.
package gost

import (
	"context"
	"net"
)

// DialOption, HandshakeOption, ConnectOption and HandlerOption are gost's
// functional option types; they are defined elsewhere in the project and are
// not reproduced in this excerpt.

// Transporter is responsible for handshaking with the proxy server.
type Transporter interface {
	Dial(addr string, options ...DialOption) (net.Conn, error)
	Handshake(conn net.Conn, options ...HandshakeOption) (net.Conn, error)
	// Indicate that the Transporter supports multiplex
	Multiplex() bool
}

// Connector is responsible for connecting to the destination address.
type Connector interface {
	// Deprecated: use ConnectContext instead.
	Connect(conn net.Conn, address string, options ...ConnectOption) (net.Conn, error)
	ConnectContext(ctx context.Context, conn net.Conn, network, address string, options ...ConnectOption) (net.Conn, error)
}

// Listener is a proxy server listener, just like a net.Listener.
type Listener interface {
	net.Listener
}

// Handler is a proxy server handler
type Handler interface {
	Init(options ...HandlerOption)
	Handle(net.Conn)
}
  • dnscrypt-proxy is a DNS proxy that supports encrypted DNS protocols.
  • chisel is also a proxy tool, functionally simpler than gost. It is mainly used to forward intranet TCP/UDP traffic over HTTP in order to get through firewalls.

Because needs differ, there are many kinds of proxies, but proxies also hide some dangers, the most important being the man-in-the-middle attack. In fact, many proxies are designed precisely to be a man-in-the-middle attack / phishing tool. Such proxies are generally TLS-terminating forward proxies: they want to parse the TLS protocol in order to obtain the information in transit over HTTPS. The proxy parses the user's request, accesses the remote server, receives the HTTPS response, and re-encrypts it with TLS. During transmission the proxy can freely modify or steal user or server data, for example by modifying cookies or CORS-related options. Two example projects are muraena and Modlishka.

  • muraena: a proxy used for man-in-the-middle attacks
  • Modlishka: similar to muraena but more mature; it can be used to forge phishing sites, for example of some well-known websites
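An added Go example (not muraena's or Modlishka's code) of the client-side check that catches a TLS-terminating proxy: pinning the SubjectPublicKeyInfo hash of the genuine service. `HandshakeWithPin` runs one handshake over loopback against a given server certificate and accepts it only if the leaf's pin matches, so a proxy that re-encrypts with its own key fails the handshake even though it presents a certificate for the right name. The certificates are throwaway self-signed ones generated inside the example, and the hostname `service-a.internal` is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)) of a certificate, the
// pin format used by HPKP and most mobile pinning libraries.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinVerifier returns a tls.Config.VerifyPeerCertificate callback that accepts the
// handshake only if the leaf's SPKI pin equals expected. A TLS-terminating proxy
// has to present its own key pair, so its leaf can never carry the genuine pin.
func PinVerifier(expected string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("pin check: peer sent no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("pin check: %w", err)
		}
		if got := SPKIPin(leaf); got != expected {
			return fmt.Errorf("pin check: leaf for %q has pin %s, want %s", leaf.Subject.CommonName, got, expected)
		}
		return nil
	}
}

// SelfSigned makes a throwaway ECDSA P-256 certificate for cn (constructed test data).
func SelfSigned(cn string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// HandshakeWithPin runs one TLS handshake over loopback. The server side presents
// serverCert (the genuine service, or an interceptor); the client trusts nothing
// but the pin. It returns the client's handshake error, nil on success.
func HandshakeWithPin(serverCert tls.Certificate, expectedPin string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName:            "service-a.internal",
		InsecureSkipVerify:    true, // chain/CA validation is replaced by the pin callback
		VerifyPeerCertificate: PinVerifier(expectedPin),
	})
	if err != nil {
		return err
	}
	cli.Close()
	return nil
}
```

Generate two certificates for the same name with `SelfSigned`, pin the first, and call `HandshakeWithPin` with each: the first handshake succeeds and the second fails inside `PinVerifier`, which is the behaviour a pinned client shows when a phishing proxy sits between it and the real site. In production the pin is taken from the real certificate (or a backup key) and chain validation is kept as well, rather than replaced by `InsecureSkipVerify` as this loopback demo does.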

Reverse Shell

A reverse shell differs from SSH and similar tools: usually the attacker's program runs on the victim host, actively connects out to a server, and accepts and executes the instructions that server sends. The approach is very similar to the one used for intranet penetration, and its advantage is the same: it gets through the firewall.

sequenceDiagram
    Victim host->>Attacker host: Is there any command to execute?
    Attacker host->>Victim host: Execute these commands

hershell is a simple reverse shell tool written in Go. On the server side, socat, ncat, openssl's server mode and similar tools can create the server that waits for hershell to connect. Beyond the simple reverse shell, hershell also supports injecting shellcode and hooking into meterpreter.

# Server side
$ ncat --ssl --ssl-cert server.pem --ssl-key server.key -lvp 1234
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Conn from 172.16.122.105.
Ncat: Connection from 172.16.122.105:47814.
[hershell]> whoami
desktop-3pvv31a\lab

# Client [i.e. the attacked host]
$ ./hershell

chashell is a similar reverse shell. The difference is that both the chashell client and server are implemented by the project itself, and it communicates over DNS [a DNS tunnel, which is harder for a firewall to recognise], carrying a custom protobuf-based protocol inside the DNS messages.
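An added Go example (not chashell's code) from the detection side of the DNS tunnel just described: a resolver query log is aggregated per base domain, and a domain is flagged when it receives many distinct subdomains that are long and high-entropy, the pattern that encoded payloads carried in labels produce. The log format, the thresholds and `SampleLog` are all constructed for this example; the hex labels in the sample are built so that every hex digit appears exactly twice, which gives an entropy of exactly 4 bits per character.

```go
package main

import (
	"bufio"
	"math"
	"strings"
)

// ParseQueryLog returns the query names from "<time> <client> <qtype> <qname>"
// lines, a constructed format for this example rather than a real resolver's log.
func ParseQueryLog(log string) []string {
	var names []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 { continue } // blank or malformed line
		names = append(names, strings.ToLower(strings.TrimSuffix(f[3], ".")))
	}
	return names
}

// ShannonEntropy is the bits-per-character entropy of s (0 for an empty string).
func ShannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s { counts[r]++ }
	n, h := float64(len([]rune(s))), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// SplitName returns the base domain (last two labels) and everything below it.
func SplitName(name string) (base, sub string) {
	labels := strings.Split(name, ".")
	if cut := len(labels) - 2; cut > 0 {
		return strings.Join(labels[cut:], "."), strings.Join(labels[:cut], ".")
	}
	return name, ""
}

// DomainStats holds the signals a tunnel leaves under one base domain.
type DomainStats struct {
	Queries, UniqueSubs      int
	AvgSubLen, AvgSubEntropy float64
}

// Aggregate folds query names into one DomainStats per base domain.
func Aggregate(names []string) map[string]DomainStats {
	subs := map[string]map[string]bool{} // base -> set of subdomains seen
	stats := map[string]DomainStats{}
	for _, name := range names {
		base, sub := SplitName(name)
		if subs[base] == nil { subs[base] = map[string]bool{} }
		subs[base][sub] = true
		st := stats[base]
		st.Queries++
		st.AvgSubLen += float64(len(sub)) // running sums, divided below
		st.AvgSubEntropy += ShannonEntropy(sub)
		stats[base] = st
	}
	for base, st := range stats {
		st.UniqueSubs = len(subs[base])
		st.AvgSubLen /= float64(st.Queries)
		st.AvgSubEntropy /= float64(st.Queries)
		stats[base] = st
	}
	return stats
}

// Thresholds are assumptions chosen for this example; tune them per environment.
const minUniqueSubs, minAvgSubLen, minAvgEntropy = 5, 20.0, 3.0

// FlagTunnelDomains returns the base domains whose stats cross all thresholds.
func FlagTunnelDomains(log string) map[string]DomainStats {
	flagged := map[string]DomainStats{}
	for base, st := range Aggregate(ParseQueryLog(log)) {
		if st.UniqueSubs >= minUniqueSubs && st.AvgSubLen >= minAvgSubLen && st.AvgSubEntropy >= minAvgEntropy {
			flagged[base] = st
		}
	}
	return flagged
}

// SampleLog is constructed data: ordinary lookups from 10.0.0.12, and five TXT
// queries from 10.0.0.23 whose labels are hex payloads under example.net.
const SampleLog = `
2022-06-24T05:32:00Z 10.0.0.12 A   www.example.com
2022-06-24T05:32:01Z 10.0.0.12 A   mail.example.com
2022-06-24T05:32:03Z 10.0.0.23 TXT a7f03c9e1b5d2864e1c8a5f3b7d06492.example.net
2022-06-24T05:32:03Z 10.0.0.23 TXT 5d2864a7f03c9e1bb7d06492e1c8a5f3.example.net
2022-06-24T05:32:04Z 10.0.0.23 TXT 03c9e1b5d2864a7f492e1c8a5f3b7d06.example.net
2022-06-24T05:32:04Z 10.0.0.23 TXT 9e1b5d2864a7f03ca5f3b7d06492e1c8.example.net
2022-06-24T05:32:05Z 10.0.0.23 TXT 2864a7f03c9e1b5d06492e1c8a5f3b7d.example.net
2022-06-24T05:32:06Z 10.0.0.12 A   example.org.
`
```

`FlagTunnelDomains(SampleLog)` returns only example.net: five distinct 32-character labels with 4 bits of entropy per character, while example.com's "www" and "mail" stay far below every threshold. On a real resolver log the same three signals, plus the query rate per client, are the usual starting point; the thresholds here are deliberately loose and should be calibrated against a baseline of normal traffic before they are used for alerting.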

Network scanning

  • goscan is an intranet scanning tool: it scans the intranet IP space, sends ARP packets, and collects each host's IP and MAC address, hostname, vendor and other information.
  • xray is an OSINT [open-source intelligence] information-gathering tool for domain names. The specific principle:
    • For a given domain name, first scan for subdomains; the scan combines a wordlist with DNS requests.
    • For the subdomains / IPs found, use the Shodan API to collect information (such as open ports).
    • For the IP:port pairs found, collect information such as HTTP headers, HTTPS certificates, HTML titles, the DNS server's version/hostname, and MySQL/SSH banners.
  • bettercap: supports Wi-Fi, Bluetooth, wireless devices and so on.

More

  • pspy: a tool that monitors Linux processes without needing root permissions
  • cameradar: an attack tool for RTSP (Real Time Streaming Protocol; many camera devices such as security monitors support this protocol)
  • hetty: can be seen as a reverse proxy for security auditing
  • gocrack: a password-cracking task management tool
  • x-crack: a weak-password cracking tool
  • GoAT: a Trojan that uses Twitter as its C&C server

Original article: https://yzsam.com/2021/08/20210807220831569f.html