Socat works by opening two bidirectional data streams (read/write), opening each one by one (blocking), and transferring data between the two. Data is transferred only when one stream has new data to read and the other is accepting input to write. Otherwise the new data is not read until the other stream accepts input.
Confusing Syntax Warning!
socat command arguments seem very non-intuitive to me at first.
Protocol names are case-insensitive
Protocol names, directives like EXEC, etc. are written in upper case throughout this cheatsheet for consistency, but socat does not require it.
Connect to Remote
Listen on Host
TCP4-LISTEN can be abbreviated to TCP4-L or even TCP-L.
File
On file source
On file destination
reverse shell
On host (attacker)
On remote
Encrypted bind shell
On remote, first use this OpenSSL command to generate a certificate and key pair for encryption, then combine them into a single .pem file, which socat requires.
-nodes: the key is stored without a password
-x509: output a self-signed certificate rather than a certificate signing request
Then, start the listener on remote.
cmd.exe
If the shell is cmd.exe, an additional pipes option is needed (e.g., EXEC:cmd.exe,pipes).
On host
Encrypted reverse shell
On host, generate a certificate (see Encrypted Bind Shell)
On host, start listener
On remote
cmd.exe
If the shell is cmd.exe, an additional pipes option is needed (e.g., EXEC:cmd.exe,pipes).
SSLify Server
Port Forwarding
See: port forwarding. Assuming socat has been transferred onto the compromised machine:
socat TCP4-LISTEN:1234,fork TCP4:1.1.1.1:4321
This allows the attacker to forward traffic in the following way (the fork option makes socat keep listening and handle each new connection in a child process instead of exiting after the first one):
graph LR
A[Attacker Port X] ---> B[Compromised Host Port 1234] ---> C[Target Host Port 4321]
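From a defender's side, the same address syntax is what you see in process listings when hunting for socat relays and listeners. The following Python is an added example, not part of the original cheatsheet: it parses socat address specs using the keyword spellings mentioned above (case-insensitive, TCP4-L/TCP-L abbreviations, comma-separated options such as fork and pipes) and classifies a command line as a port forward, a listener that spawns a program, or an outbound connection that spawns a program. The keyword table is deliberately limited to the families this page uses.

```python
import shlex
from dataclasses import dataclass, field

# socat keywords are case-insensitive and TCP4-LISTEN may be abbreviated
# TCP4-L or TCP-L (see above); map every spelling to one canonical name.
CANON = {"TCP4-LISTEN": "TCP4-LISTEN", "TCP4-L": "TCP4-LISTEN",
         "TCP-LISTEN": "TCP-LISTEN", "TCP-L": "TCP-LISTEN",
         "TCP4": "TCP4", "TCP": "TCP", "EXEC": "EXEC", "FILE": "FILE"}

@dataclass
class Address:
    keyword: str                      # canonical upper-case keyword
    args: list                        # parts after the keyword: port, host, ...
    options: dict = field(default_factory=dict)  # fork, pipes, cert=..., ...

def parse_address(spec: str) -> Address:
    """Parse one socat address of the form KEYWORD[:arg...][,opt[=val]...]."""
    if spec == "-":                   # bare "-" is socat's STDIO address
        return Address("STDIO", [])
    head, *opts = spec.split(",")
    keyword, *args = head.split(":")
    if keyword.upper() not in CANON:
        raise ValueError(f"unsupported socat address keyword: {keyword}")
    options = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        options[name.lower()] = value or None
    return Address(CANON[keyword.upper()], args, options)

def classify(cmdline: str) -> dict:
    """Summarise a socat command line: listen port, connect target, spawned program."""
    argv = shlex.split(cmdline)
    # skip socat's own flags (-d, -v, ...) but keep the bare "-" STDIO address
    addrs = [parse_address(a) for a in argv[1:] if a == "-" or not a.startswith("-")]
    if len(addrs) != 2:
        raise ValueError("socat takes exactly two addresses")
    listens = [a for a in addrs if a.keyword.endswith("-LISTEN")]
    connects = [a for a in addrs if a.keyword in ("TCP", "TCP4")]
    execs = [a for a in addrs if a.keyword == "EXEC"]
    if listens and connects and not execs:
        kind = "port-forward"         # inbound port relayed to another host
    elif listens and execs:
        kind = "bind-shell"           # listener hands the socket to a program
    elif connects and execs:
        kind = "reverse-shell"        # outbound connection hands socket to a program
    else:
        kind = "other"
    return {"kind": kind,
            "listen_port": listens[0].args[0] if listens else None,
            "target": ":".join(connects[0].args) if connects else None,
            "program": execs[0].args[0] if execs else None,
            "fork": any("fork" in a.options for a in addrs)}
```

Feeding it the command line from the port forwarding section above yields kind "port-forward", listen port 1234, target 1.1.1.1:4321 and fork set, which is the shape a detection rule for unexpected relays on a host should key on.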