https://github.com/kaliforniagator/secshell-go
An implementation of SecShell now written in go with security features like command whitelisting and blacklisting built-in. It also uses sanitizing to ensure commands are clean from most injection attacks.
https://github.com/kaliforniagator/secshell-go
cyber cybersecurity go golang security shell
Last synced: about 2 months ago
JSON representation
An implementation of SecShell now written in go with security features like command whitelisting and blacklisting built-in. It also uses sanitizing to ensure commands are clean from most injection attacks.
- Host: GitHub
- URL: https://github.com/kaliforniagator/secshell-go
- Owner: KaliforniaGator
- License: agpl-3.0
- Created: 2025-03-10T03:47:04.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-03-18T01:06:16.000Z (over 1 year ago)
- Last Synced: 2025-03-18T01:22:05.050Z (over 1 year ago)
- Topics: cyber, cybersecurity, go, golang, security, shell
- Language: Go
- Homepage: https://gatorsecc.com
- Size: 171 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# 🚨 SecShell - Secure Shell for Modern Systems (Go)
**SecShell** is a next-generation secure shell written in Go, engineered for professionals who demand robust security, fine-grained control, and operational transparency. It provides a hardened environment for command execution, featuring advanced whitelisting, process isolation, and real-time job/service management.
---
## 🔑 Key Features
- **Command Whitelisting & Blacklisting**: Only explicitly allowed commands or those in trusted directories can run. Blacklisted commands are strictly blocked.
- **Input Sanitization**: All user input is sanitized to prevent injection and exploitation.
- **Process Isolation**: Each command runs in its own process, minimizing risk.
- **Job Management**: Track, control, and inspect background jobs.
- **Service Management**: Start, stop, restart, and check system services securely.
- **Piped & Background Execution**: Full support for pipes (`|`), redirection (`>`, `<`), and background jobs (`&`).
- **Command History & Search**: Persistent history with interactive and query-based search, including interactive search mode.
- **Environment Variable Control**: Set, unset, and list environment variables.
- **Security Toggle (Admin Only)**: Temporarily bypass security checks with authentication.
- **Pentesting Utilities**: Built-in port, host, and web scanners, reverse shell payload generation, and session management.
- **Encoding/Decoding Tools**: Base64, Hex, URL, Binary encode/decode, and file support.
- **Hashing Utility**: Calculate and compare hashes (MD5, SHA1, SHA256, SHA512) for strings and files.
- **String Extraction**: Extract printable strings from binaries.
- **Script Execution**: Run scripts with automatic interpreter detection.
- **Update & Version Control**: Self-update and version display commands.
- **Comprehensive Logging**: All actions are logged for audit and review.
- **Interactive Paged Output**: View long output with paging and search (`more` command).
- **Built-in Text Editor**: Edit files directly with the `edit` command.
---
## 🛡️ Built-in Commands
________________________________________________________________________________________________________________________________
| Command | Description / Usage |
|------------------------|-----------------------------------------------------------------------------------------------------|
| `allowed` | Show allowed directories, commands, built-ins, or binaries.
Usage: `allowed ` |
| `help` | Show help message or help for a specific command.
Usage: `help [command]` |
| `exit` | Exit the shell (admin only). |
| `services` | Manage system services.
Usage: `services ` |
| `jobs` | Manage background jobs.
Usage: `jobs [pid]` |
| `cd` | Change directory.
Usage: `cd (--prev | -p) [directory]` |
| `history` | Show command history.
Usage: `history [-s | -i | clear]
Supports: !, !!` |
| `export` | Set an environment variable.
Usage: `export VAR=value` |
| `env` | List all environment variables. |
| `unset` | Unset an environment variable.
Usage: `unset VAR` |
| `logs` | List or clear logs.
Usage: `logs ` |
| `blacklist` | List blacklisted commands. |
| `whitelist` | List whitelisted commands. |
| `edit-blacklist` | Edit the blacklist file (admin only). |
| `edit-whitelist` | Edit the whitelist file (admin only). |
| `reload-blacklist` | Reload the blacklist (admin only). |
| `reload-whitelist` | Reload the whitelist (admin only). |
| `download` | Download files from the internet.
Usage: `download [-o output1,output2,...] ` |
| `toggle-security` | Toggle security enforcement (admin only, password required). |
| `time` | Show current time. |
| `date` | Show current date. |
| `--version` | Display current version. |
| `--update` | Update SecShell to the latest version. |
| `features` | List all available features.
Usage: `features` |
| `changelog` | Display the application changelog.
Usage: `changelog` |
| **Pentesting Tools** | |
| `portscan` | Advanced port scanner.
Usage: `portscan [options] `
|
| | Options:
|
| | `-p ` (port range, e.g. 1-1000)
|
| | `-udp` (UDP scan)
|
| | `-t <1-5>` (timing, 1=slowest, 5=fastest)
|
| | `-v` (show service version)
|
| | `-j` (JSON output), `-html` (HTML output)
|
| | `-o ` (output file)
|
| | `-syn` (SYN scan, root only)
|
| | `-os` (OS detection)
|
| | `-e` (enhanced detection)
|
| `hostscan` | Discover hosts in a network.
Usage: `hostscan ` |
| `webscan` | Scan a web target.
Usage: `webscan [options] `
|
| | Options:
|
| | `-t, --timeout `
|
| | `-H, --header `
|
| | `-k, --insecure` (skip SSL verification)
|
| | `-A, --user-agent `
|
| | `--threads `
|
| | `-w, --wordlist `
|
| | `-m, --methods `
|
| | `-v, --verbose`
|
| | `--follow-redirects`
|
| | `--cookie `
|
| | `--auth `
|
| | `-f, --format `
|
| | `-o, --output `
|
| `payload` | Generate reverse shell payload.
Usage: `payload ` |
| `session` | Manage pentest sessions.
|
| | Usage:
|
| | `session -l` (list sessions)
|
| | `session -i ` (interact with session)
|
| | `session -c ` (listen for new session)
|
| | `session -k ` (kill session) |
| **Encoding/Decoding** | |
| `base64` | Encode/decode Base64.
Usage: `base64 [-e|-d] OR base64 [-e|-d] -f [> output_file]` |
| `hex` | Encode/decode Hex.
Usage: `hex [-e|-d] OR hex [-e|-d] -f [> output_file]` |
| `urlencode`, `url` | Encode/decode URL.
Usage: `urlencode [-e|-d] [> output_file]` |
| `binary` | Encode/decode binary.
Usage: `binary [-e|-d] OR binary [-e|-d] -f [> output_file]` |
| **Hashing** | |
| `hash` | Calculate or compare hashes.
Usage: `hash -s|-f [algo] [-c ]
Algo: md5, sha1, sha256, sha512, all` |
| **Analysis** | |
| `extract-strings` | Extract printable strings from binaries.
Usage: `extract-strings [-n min-len] [-o output.json]
(or > output.json)` |
| `type` | Show how a name resolves in SecShell (builtin, alias, keyword, or executable).
Usage: `type [name ...]` |
| `size` | Show file/folder size in selected unit.
Usage: `size <-b|-kb|-mb|-gb|-tb|-pb> ` |
| `meta` | Show file metadata or remove extended metadata.
Usage: `meta [-r] ` |
| `obfu` | Obfuscate text and print encoded output.
Usage: `obfu ` |
| `mini` | Minify file content in place (HTML/CSS/JS/plain text).
Usage: `mini ` |
| **Scripting** | |
| `./` | Execute scripts with automatic interpreter detection. |
| **UI/Display** | |
| `more` | Display text files or command output with interactive paging and search.<br>Usage: `more <file>` or `command | more` or `more < input_file` |
| `edit` | Open a file in the built-in text editor.<br>Usage: `edit <filename>` |
| `colors` | Display all available colors and styles.<br>Usage: `colors` |
| `edit-prompt` | Edit the command prompt.<br>Usage: `edit-prompt` |
| `reload-prompt` | Reload the command prompt configuration.<br>Usage: `reload-prompt` |
| `prompt` | Display the current command prompt configuration and options.<br>Usage: `prompt` |
| `files` | Open interactive file manager.<br>Usage: `files` |
| `sec` | Run the built-in scripting engine (SecEngine).<br>Usage: `sec` |
--------------------------------------------------------------------------------------------------------------------------------
---
## ⚡ Quick Start
### Requirements
- **Go (Golang)** - For building from source
- **systemctl** - For service management features
- **Nano Editor** - For built-in editing features
- **DrawBox** ([DrawBox Repository](https://github.com/KaliforniaGator/DrawBox))
- **PAM Development Library (`libpam0g-dev`)** - For Linux authentication (not required on macOS)
### Installation Options
#### Option 1: Quick Install Script (Recommended)
Install the pre-compiled binary directly:
```bash
curl -fsSL https://raw.githubusercontent.com/KaliforniaGator/SecShell-Go/main/install.sh | bash
```
This will:
- Auto-detect your OS (`Linux`/`Darwin`) and architecture (`x86_64`/`arm64`)
- Fetch the latest version from GitHub releases
- Download the appropriate archive (e.g., `SecShell-Go_Darwin_arm64.tar.gz` for M1/M2 Macs)
- Install the binary and DrawBox dependency
**Supported platforms:**
| OS | Architecture | Archive |
|---|---|---|
| macOS (Darwin) | Apple Silicon (M1/M2) | `SecShell-Go_Darwin_arm64.tar.gz` |
| macOS (Darwin) | Intel (x86_64) | `SecShell-Go_Darwin_x86_64.tar.gz` |
| Linux | x86_64 | `SecShell-Go_Linux_x86_64.tar.gz` |
#### Option 2: Update Existing Installation
Update an existing installation to the latest version:
```bash
curl -fsSL https://raw.githubusercontent.com/KaliforniaGator/SecShell-Go/main/update.sh | bash
```
Or from within SecShell:
```
--update
```
This will:
- Compare your current version with the latest release
- Download only if an update is available
- Update both SecShell-Go and DrawBox
#### Option 3: Manual Build from Source
If you prefer to build from source:
```bash
# Clone the repository
git clone https://github.com/KaliforniaGator/SecShell-Go.git
cd SecShell-Go
# Build the binary
go build -o secshell secshell.go
# Install the binary
sudo mv secshell /usr/bin/ # Linux
# or
sudo mv secshell /usr/local/bin/ # macOS
```
Note: Building from source requires Go to be installed on your system.
---
## 🚀 Usage
Start SecShell:
```bash
secshell
```
### Example Commands
- List files: `ls -l`
- Start a service: `services start nginx`
- Set an environment variable: `export MY_VAR=value`
- Run a command in the background: `sleep 10 &`
- View command history: `history`
- Search history: `history -s nginx`
- Interactive history search: `history -i`
- Download a file: `download https://example.com/file.txt`
- Scan ports: `portscan 192.168.1.1 1-1000`
- View file content page by page: `more /var/log/syslog` or `ls -la | more`
- Edit a file: `edit myfile.txt`
- Toggle security (admin): `toggle-security`
- Encode a string in base64: `base64 -e "Hello"`
- Decode a hex string: `hex -d "48656c6c6f"`
- Calculate SHA256 hash: `hash -s "test" sha256`
- Extract strings from a binary: `extract-strings firmware.bin -n 8`
- Resolve command type: `type ls cd url if`
- Show folder size in MB: `size -mb ./tools`
- Show metadata: `meta ./README.md`
- Remove file metadata: `meta -r image.jpg`
- Obfuscate text: `obfu "my secret token"`
- Minify a JS file: `mini app.js`
- Run a Python script: `./myscript.py arg1 arg2`
---
## ⚙️ Configuration
SecShell uses two config files:
- `.whitelist` — List of allowed commands.
- `.blacklist` — List of disallowed commands.
Edit with `edit-whitelist` or `edit-blacklist` (admin only). Files are auto-created if missing.
---
## 🔒 Security Model
- **Strict Whitelisting**: Only commands in `.whitelist` or trusted directories are allowed.
- **Blacklist Enforcement**: Blacklisted commands are always blocked.
- **Admin Bypass**: Admins can temporarily disable security (with authentication).
- **Network Command Restrictions**: Sensitive network tools (e.g., `wget`, `curl`, `nmap`) are restricted for non-admins.
- **Audit Logging**: All actions are logged for review.
---
## 🤝 Contributing
Contributions are welcome! Please open issues or submit pull requests for improvements, bug fixes, or new features.
---
## 📄 License
SecShell is licensed under the **GNU Affero General Public License (AGPL)**. See [LICENSE](LICENSE) for details.
---
**Serious about security. Built for professionals.**