Socat
The abbreviation of the tool name is Socket Cat
Last updated
The abbreviation of the tool name is Socket Cat
Last updated
Connection To a TCP/UDP Port
Attacker Machine
- Stdin
Listening To a TCP/UDP Port
Victim Machine
Transfer File With Socat
Attacker Machine
socat: This is the command itself, which stands for "SOcket CAT". It is a multipurpose relay tool that can create two bidirectional byte streams and transfer data between them.
TCP4: This specifies the address type and protocol to be used. TCP4 indicates that the connection will use the IPv4 protocol with TCP.
<IP>: This is a placeholder for the IP address of the remote host to which you want to connect.
<PORT>: This is a placeholder for the port number on the remote host to which you want to connect.
file.txt: This specifies the second address as a file. The data received from the TCP connection will be written to (or read from) this file. Here, sec.txt is the filename.
create: This option ensures that the file sec.txt is created if it does not already exist. Without this option, if the file does not exist, the command would fail.
Victim Machine
socat: This is the command itself, which stands for "SOcket CAT". It is a utility for data transfer between two bidirectional data streams.
TCP4-LISTEN:<PORT>: This specifies that socat should listen for incoming TCP connections on the specified port (replace <PORT> with the actual port number you want to use).
fork: This option tells socat to fork (create a new process) for each incoming connection. This allows socat to handle multiple connections simultaneously.
file:sec.txt: This specifies that the data received from each connection should be written to the file sec.txt.
The advantage of
Socatis that it allows more than one person to connect to the same port at the same time, and the connection is not separated, which is what distinguishes it fromNC.
- -> Using Standard Input , After This , Waiting for Input
< -> Using Redirect Character , Send Content File
- -> Using Standard Input , After This , Waiting for Input
> -> Using Redirect Character , Store In File (Override)
>> -> If U Want Adding Content In File With Old Value
Socat Bind
Attacker Machine
Victim Machine
socat: The command-line utility for bidirectional data transfer between two independent data channels.
-d -d -d: These flags enable different levels of debugging output. Each -d increases the verbosity of the debug information.
tcp4-listen:<PORT>: This option tells socat to listen for incoming TCP connections on the specified port (<PORT>). The tcp4 part specifies that only IPv4 connections are accepted.
fork: This option tells socat to fork a new process for each incoming connection. This allows multiple clients to connect simultaneously, each handled by its own process.
exec:/bin/bash: This part of the command specifies that when a connection is established, socat should execute /bin/bash. This effectively provides a shell to the connected client.
Attacker Machine
Victim Machine
Let's see this , Using Wireshark :
Here I use a filter to filter the TCP packets because you will find a lot of connections using more than one different protocol, and this is a normal thing within the network.
--
As you can see, as soon as he typed the ls command, the packet and connections started to appear
--
As you can see, this is a behavior that is very clear to anyone monitoring what is happening on the network
--
To hide this, we will encrypt the packet and all communications that occur between us and the other device , Using an encryption key we will create
Generate key.pem
req ⇒ Indicates that we want to use OpenSSL in requests mode, which is used to create or process requests for SSL certificates.
-x509 ⇒ Indicates that we want to create an X.509 certificate, which is a common format for digital certificates.
-newkey rsa:4096 ⇒ OpenSSL says it should generate a new RSA key pair with a length of 4096 bits. The private and public key are generated in this step
-keyout ⇒ Specifies the name of the file in which the private key will be saved. In this case, the private key will be saved in a file called key.pem
-out ⇒ Specifies the name of the file in which the public certificate will be saved. In this case, the public certificate will be saved in a file called cert.pem.
-days ⇒ It determines the validity period of the certificate after its issuance, and here it is set to be valid for one year (365 days).
--
Attacker
Victim
Data is Encrypted Using openssl
Protocol Support
TCP, UDP
TCP, UDP, SCTP, UNIX sockets, and more
Ease of Use
Simple, easy to use
More complex, steeper learning curve
Functionality
Basic networking tasks
Advanced networking capabilities
Port Scanning
Yes
No
Data Transformation
No
Yes
Proxying/Relaying
Basic
Advanced
Debugging
Basic
Detailed
File Transfer
Yes
Yes
Use netcat for simpler, quick networking tasks such as port scanning, basic data transfer, and simple shell setups.
Use socat when you need advanced capabilities such as data transformation, complex proxying, and handling multiple types of sockets and protocols.
Choose the tool based on the complexity of the task and the level of control you need over the network connections and data streams.
Connection Initiator
Target
Attacker
Firewall/NAT Evasion
Easier
Harder
Setup Complexity
More complex on target side
Simpler on target side
Detection Risk
Moderate (outbound connection)
Higher (listening port)
Use Case
When outbound connections are allowed
When the attacker can’t receive connections
Conclusion
Reverse Shell is generally more flexible in bypassing network restrictions.
Bind Shell can be simpler but is more likely to be blocked by network defenses.
Choose the method based on the network environment and specific constraints you are working with. Always ensure you have authorization and understand the legal implications of using these techniques.
