SOCAT as a Polymorphic Networking Tool

November 19, 2016 | Views: 5224


Introduction

Socat (SOcket CAT) is a networking tool which transfers data between two locations. These locations can be sockets such as TCP, UDP, IPv4 or SSL sockets, or even an open file. In this article, the various uses of Socat will be discussed, including its use as a proxy, securing communications with Socat, using Socat as a client and server, and finally crafting packets with Socat.

Example of Socat Usage

A Socat command to pipe connections from one end point to another can be represented as follows:

socat TCP4-LISTEN:1234,reuseaddr,fork TCP:www.dest-unreach.org:80

The computer running the above command is listening for all connections on port 1234. A connection to port 1234 will be transferred to www.dest-unreach.org, the homepage of socat. The reuseaddr option ensures that socat will be kept in a listening state even if the connection is restarted, while fork allows socat to handle multiple client connections. Using socat as a proxy is covered next.

Socat as a Proxy

Socat can function as a proxy, which makes it possible to view the traffic generated by plaintext network protocols such as HTTP. The command below resembles the previous one (under Example of Socat Usage), except that it includes the -v flag. This ensures that any traffic which is sent from port 1234 to www.dest-unreach.org on port 80 is dumped to the terminal.

socat -v TCP4-LISTEN:1234,reuseaddr,fork TCP:www.dest-unreach.org:80

Telnet can be used to connect to the socat instance on port 1234. If the connection is made from another computer, the argument to telnet should be the IP address of the computer running the socat instance. In this example, the telnet connection is made on the same computer that runs socat, hence the connection to localhost. An HTTP GET request is then sent, along with the Host header.


user@user-pc:~$ telnet localhost 1234
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1
Host:www.dest-unreach.org

After the HTTP GET has been sent, the following dump will be displayed on the Socat terminal. Lines with ‘>’ represent traffic from the client, while lines with ‘<’ represent traffic from the server.

 > 2016/11/01 21:08:29.256526 length=16 from=0 to=15 
GET / HTTP/1.1\r
> 2016/11/01 21:08:36.695835 length=27 from=16 to=42
Host:www.dest-unreach.org\r
> 2016/11/01 21:08:37.032248 length=2 from=43 to=44
\r
< 2016/11/01 21:08:37.391547 length=523 from=0 to=522
HTTP/1.1 200 OK\r
Date: Tue, 01 Nov 2016 19:08:29 GMT\r
Server: Apache/2.4.10 (Debian)\r
Last-Modified: Thu, 06 Aug 2009 19:41:53 GMT\r
ETag: "10f-4707e4fbfc240"\r
Accept-Ranges: bytes\r
Content-Length: 271\r
Vary: Accept-Encoding\r
Content-Type: text/html\r
\r
<html><head><title>Welcome to dest-unreach.org!</title></head>
<body>
<p><b>dest-unreach</b></p> 
<h1>Welcome to dest-unreach.org!</h1>
<h2>Projects:</h2><p> 
<table> 
<tr><td><a href="socat/"><b>socat:</b></a></td> <td>multipurpose relay</td></tr>
</table> </body> </html> 

The above output shows the server’s response headers along with the HTML code, all viewable in cleartext. Securing communications to address this is discussed next.

Securing Communications with Socat

Besides Socat being able to function as a proxy, it can also be used to encrypt the communication channels using OpenSSL. In order to run an SSL Socat server, a server certificate will need to be created as follows:

Create the private key:

openssl genrsa -out socat.key

Create the self signed certificate:

openssl req -new -key socat.key -x509 -days 365 -out socat.crt

You will then be asked to fill in certificate information. Follow the prompts.

Next, a PEM file will be required for Socat and can be created by concatenating the private key and certificate:

cat socat.key socat.crt > socat.pem

Now the socat ssl server can be started:

socat OPENSSL-LISTEN:4433,reuseaddr,cert=socat.pem,verify=0 STDIO

In the above command, the SSL service listens on port 4433 and cert= points to the location of the socat.pem file. verify=0 is included because a self-signed certificate is used.

And to run the client:

socat STDIO OPENSSL-CONNECT:192.168.2.1:4433,verify=0

Running the above command creates an encrypted connection from the client to the server, and STDIO causes input entered on the client to be displayed on the terminal of the socat SSL server.

Socat also provides options to improve its security. su=nobody ensures that forked processes will run as the nobody low-privileged account, while range=192.168.2.1/32 will only allow the 192.168.2.1 host to connect to Socat on port 1234.

socat TCP4-LISTEN:1234,su=nobody,range=192.168.2.1/32,reuseaddr,fork TCP:www.dest-unreach.org:80

Additional examples of using Socat as a client and a server will be discussed below.

Socat as a Client and Server

In addition to redirecting data, Socat can also be used as a client or server.

socat TCP4-LISTEN:1234 EXEC:/bin/bash

socat STDIO TCP4:192.168.2.1:1234

The first command creates a server listening on port 1234, while EXEC:/bin/bash spawns a bash shell. The second command allows the client to connect to the Socat server and run commands remotely in a shell. Running a command such as ls -la on the client will display the files on the server.
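A defensive check for the options covered under Securing Communications with Socat and for the listener above, which hands a shell to anyone who can reach the port, without authentication or encryption. The script below is an added example, not code from the original article or the socat project; it flags socat command lines that wire a listener to EXEC, set verify=0, or lack range= and su=. The function name audit_socat and the finding codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: lint socat command lines for the risky patterns in this article.
# Finding codes are names made up for this example:
#   LISTENER_EXEC  a listener is wired to EXEC:/SYSTEM: (remote command execution)
#   TLS_NOVERIFY   verify=0, so the TLS peer certificate is never checked
#                  (fix: drop verify=0 and pin the peer with cafile=<its certificate>)
#   NO_RANGE       listener has no range=, any source address may connect
#   NO_SU          listener has no su=, children keep the caller's privileges

# audit_socat CMDLINE -> prints the finding codes (space separated) or OK
audit_socat() (
    set -f                      # no filename expansion while splitting words
    listen=0; exec_addr=0; noverify=0; norange=0; nosu=0
    # socat address keywords are case-insensitive, so compare in lower case
    for word in $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); do
        opts=",$word,"          # pad so every option is delimited by commas
        case $word in
            *-listen:*)
                listen=1
                case $opts in *,range=*) ;; *) norange=1 ;; esac
                case $opts in *,su=*) ;; *) nosu=1 ;; esac ;;
            exec:*|system:*) exec_addr=1 ;;
        esac
        case $opts in *,verify=0,*) noverify=1 ;; esac
    done
    out=""
    if [ "$listen" = 1 ] && [ "$exec_addr" = 1 ]; then out="$out LISTENER_EXEC"; fi
    if [ "$noverify" = 1 ]; then out="$out TLS_NOVERIFY"; fi
    if [ "$norange" = 1 ]; then out="$out NO_RANGE"; fi
    if [ "$nosu" = 1 ]; then out="$out NO_SU"; fi
    [ -n "$out" ] || out=" OK"
    printf '%s\n' "${out# }"
)

# Constructed input: command lines taken from this article.
while IFS= read -r line; do
    printf '%-30s %s\n' "$(audit_socat "$line")" "$line"
done <<'EOF'
socat TCP4-LISTEN:1234 EXEC:/bin/bash
socat OPENSSL-LISTEN:4433,reuseaddr,cert=socat.pem,verify=0 STDIO
socat STDIO OPENSSL-CONNECT:192.168.2.1:4433,verify=0
socat TCP4-LISTEN:1234,su=nobody,range=192.168.2.1/32,reuseaddr,fork TCP:www.dest-unreach.org:80
EOF
```

The same function can be fed the command lines of running socat processes from a process listing to spot exposed listeners on a host.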

Socat can also be used to run a syslog server for gathering alerts from devices on the network. In the below command, a UDP service is started on port 514. The sudo command is necessary as port 514 cannot be bound as a normal user. The -u flag uses unidirectional mode, as alerts are being sent to the Socat server. Each time a connection is received on port 514, an alert will be appended to the syslog.log file.

sudo socat -u UDP4-LISTEN:514,reuseaddr,fork OPEN:syslog.log,creat,append

Crafting packets with Socat will be discussed next.

Crafting Packets with Socat

Socat can also be used to craft TCP or UDP packets. The below command will create a UDP packet which will be sent to a syslog service and logged on port 514 (such as the one which was mentioned earlier on under Socat as a Client and Server).

echo "This is a UDP packet" | socat STDIO UDP4-DATAGRAM:192.168.2.1:514

Regarding TCP communications, the following command sends an SMTP packet containing HELO yourdomain.com to smtp.live.com on port 25. Socat also acts as a banner grabber in this instance, as information such as the version number is returned by the SMTP server.

user@user-pc:~$ echo "HELO yourdomain.com" | socat STDIO TCP4:smtp.live.com:25

220 BLU436-SMTP165.smtp.hotmail.com Microsoft ESMTP MAIL Service, Version: 8.0.9200.16384 ready at Wed, 2 Nov 2016 11:19:43 -0700

Conclusion

Socat is a multi-purpose networking tool which can be used in a variety of ways. It can be used as a proxy to observe the traffic of plaintext networking protocols. Socat also has built-in OpenSSL support which allows it to secure communications. It can also be used to create a client or server socket or even be used to craft arbitrary packets. What was discussed in this article was just a small part of what Socat has to offer and there are many other ways one could use Socat.


4 Comments
  1. This tool’s powerful indeed…

  2. Very nice, thank you for this.

  3. This was very informative! Thank you very much!

  4. Very informative and very well written.
