Socat Reverse Shell Relay

by Vince
in Blog
Hits: 2816

From the man pages:  "Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them."  Think of Socat as another tool like Netcat, Chisel, or anything else that can do port forwarding and such.  Where Socat comes in handy is when we've pivoted into an environment and we want to funnel traffic back out.  For this post, let's say we want to catch a reverse shell but we're one or two segments deep.

Before I move on, here are a couple of links to the binaries:



Forgive the crude drawing, this is just a quick sketch up in MindNode.  This is the scenario -- I phish a user and I pivot to the DC01 domain controller.  I can't access the domain controller directly but the domain controller can see my attacking machine.  In another segment, there's another domain and another domain controller.  That domain controller cannot see my attacking machine but DC01 and CORP-DC01 can see each other.  

If I were to execute a reverse shell from CORP-DC01 back to my attacking machine, it would fail.  Again, just to reiterate, it can't see past the firewall.  This is where Socat comes into play.  We setup the connection from left to right.  When we setup our listener on the attacking machine and we add the socat connection on DC01, nothing happens.  In other words, if we were using Netcat, it would actually connect.  But what causes the connection in Socat is that connection on the right.  Until that occurs, Socat just sits and listens.  As soon as we fire up that final connection, it passes through the center and we catch our shell.  

What makes this even more interesting is that we can do this multiple times.  Again, working from left to right, we continue setting up our connections until we get to that final connection.  Once we get it setup, it passes through the first, the second, and then we catch our shell.