SOCAT as a Polymorphic Networking Tool
Socat (SOcket CAT) is a networking tool which transfers data between two locations. These locations can be sockets such as TCP, UDP, IPv4 or SSL sockets, or even an open file. In this article, the various uses of Socat will be discussed, including its use as a proxy, securing communications with Socat, using Socat as a client and server, and finally crafting packets with Socat.
Example of Socat Usage
A Socat command to pipe connections from one end point to another can be represented as follows:
socat TCP4-LISTEN:1234,reuseaddr,fork TCP:www.dest-unreach.org:80
The computer running the above command is listening for all connections on port 1234. A connection to port 1234 will be transferred to www.dest-unreach.org, the homepage of socat. The reuseaddr option ensures that socat will be kept in a listening state even if the connection is restarted, while fork allows socat to handle multiple client connections. Next, using socat as a proxy will be covered.

Socat as a Proxy
Socat can function as a proxy, which makes it possible to view the traffic generated by plaintext network protocols such as HTTP. The command below resembles the previous command (under Example of Socat Usage), except that it includes the -v flag. This ensures that any traffic sent between port 1234 and www.dest-unreach.org on port 80 is dumped to the terminal.

socat -v TCP4-LISTEN:1234,reuseaddr,fork TCP:www.dest-unreach.org:80
Telnet can be used to connect to the socat instance on port 1234. If the connection to the socat instance is made from another computer, the argument to telnet should be the IP address of the computer running the socat instance. In this example, the telnet connection is made on the same computer that runs socat, hence a connection to localhost is made. An HTTP GET request is then sent, along with the Host header.
user@user-pc:~$ telnet localhost 1234
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1
Host:www.dest-unreach.org
After the HTTP GET has been sent, the following dump will be displayed on the Socat terminal. Lines with ‘>’ represent traffic from the client, while lines with ‘<’ represent traffic from the server.
> 2016/11/01 21:08:29.256526  length=16 from=0 to=15
GET / HTTP/1.1\r
> 2016/11/01 21:08:36.695835  length=27 from=16 to=42
Host:www.dest-unreach.org\r
> 2016/11/01 21:08:37.032248  length=2 from=43 to=44
\r
< 2016/11/01 21:08:37.391547  length=523 from=0 to=522
HTTP/1.1 200 OK\r
Date: Tue, 01 Nov 2016 19:08:29 GMT\r
Server: Apache/2.4.10 (Debian)\r
Last-Modified: Thu, 06 Aug 2009 19:41:53 GMT\r
ETag: "10f-4707e4fbfc240"\r
Accept-Ranges: bytes\r
Content-Length: 271\r
Vary: Accept-Encoding\r
Content-Type: text/html\r
\r
<html><head><title>Welcome to dest-unreach.org!</title></head><body><p><b>dest-unreach</b></p> <h1>Welcome to dest-unreach.org!</h1><h2>Projects:</h2><p> <table> <tr><td><a href="socat/"><b>socat:</b></a></td> <td>multipurpose relay</td></tr></table> </body> </html>

The above output shows the server’s headers along with the HTML code, all viewable in cleartext. Securing communications to address this will be discussed next.

Securing Communications with Socat
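The -v dump above is exactly what an on-path observer of a plaintext protocol sees, which is the exposure the OpenSSL options in this section address. The following Python script, added here as an example and not part of socat or of the article's own commands, parses that dump format (the '>' and '<' header lines, and CR shown as the two characters backslash-r) and reassembles each side's stream so the exposed headers can be listed; the embedded dump is a constructed, shortened copy of the one above with the lengths recomputed.

```python
"""Parse a socat -v dump and reassemble what each side sent in cleartext.
Added example for this article, not part of socat."""
import re

# socat -v writes one header line per chunk ('>' client->server, '<' server->client)
# followed by the chunk's bytes with CR shown as the two characters '\r'.
HEADER_RE = r"(?m)^([<>]) \S+ \S+\s+length=(\d+) from=\d+ to=\d+\n"

# Constructed, shortened copy of the article's dump; the HTML body is
# abbreviated and the lengths recomputed so every chunk is self-consistent.
SAMPLE_DUMP = (
    "> 2016/11/01 21:08:29.256526  length=16 from=0 to=15\n"
    "GET / HTTP/1.1\\r\n"
    "> 2016/11/01 21:08:36.695835  length=27 from=16 to=42\n"
    "Host:www.dest-unreach.org\\r\n"
    "> 2016/11/01 21:08:37.032248  length=2 from=43 to=44\n"
    "\\r\n"
    "< 2016/11/01 21:08:37.391547  length=128 from=0 to=127\n"
    "HTTP/1.1 200 OK\\r\n"
    "Server: Apache/2.4.10 (Debian)\\r\n"
    "Content-Length: 32\\r\n"
    "Content-Type: text/html\\r\n"
    "\\r\n"
    "<html><body>hello</body></html>\n"
)

def parse_dump(text):
    """Return (direction, declared_length, data) for every chunk, in order."""
    parts = re.split(HEADER_RE, text)  # [prefix, dir, len, body, dir, len, body, ...]
    chunks = []
    for direction, length, body in zip(parts[1::3], parts[2::3], parts[3::3]):
        # Undo the CR escaping, then cut at the declared length, which drops the
        # line break socat prints after the chunk.
        chunks.append((direction, int(length), body.replace("\\r", "\r")[:int(length)]))
    return chunks

def headers_of(stream):
    """HTTP header name -> value from the start of a reassembled stream."""
    head = stream.split("\r\n\r\n", 1)[0]
    pairs = (line.partition(":") for line in head.split("\r\n")[1:])
    return {name.strip().lower(): value.strip() for name, _, value in pairs}

def observe(text):
    """Per direction: the reassembled stream and the headers an observer reads."""
    streams = {}
    for direction, _, data in parse_dump(text):
        streams[direction] = streams.get(direction, "") + data
    return {d: (s, headers_of(s)) for d, s in streams.items()}
```

Feeding a real dump captured from the proxy command above into observe() lists, per direction, every header that crossed the relay unencrypted.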
Besides functioning as a proxy, Socat can also encrypt the communication channel using OpenSSL. In order to run an SSL Socat server, a server certificate will need to be created as follows.

Create the private key:

openssl genrsa -out socat.key

Create the self-signed certificate:

openssl req -new -key socat.key -x509 -days 365 -out socat.crt
You will then be asked to fill in certificate information. Follow the prompts.

Next, a PEM file is required by Socat; it can be created by concatenating the private key and certificate:

cat socat.key socat.crt > socat.pem

Now the Socat SSL server can be started:

socat OPENSSL-LISTEN:4433,reuseaddr,cert=socat.pem,verify=0 STDIO

In the above command the SSL service listens on port 4433, and cert= points to where the socat.pem file is located. verify=0 is included as a self-signed certificate is used.

And to run the client:

socat STDIO OPENSSL-CONNECT:192.168.2.1:4433,verify=0

Running the above command creates an encrypted connection from the client to the server, and STDIO causes input entered on the client to be displayed on the terminal of the Socat SSL server. Note that verify=0 on the client side disables certificate checking altogether, so the client will accept any server certificate; for anything beyond a quick test, copy socat.crt to the client and use cafile=socat.crt with verify=1 instead.

Socat also provides options to improve its security. su=nobody ensures that forked processes run as the low-privileged nobody account, while range=192.168.2.1/32 only allows the host 192.168.2.1 to connect to Socat on port 1234.
socat TCP4-LISTEN:1234,su=nobody,range=192.168.2.1/32,reuseaddr,fork TCP:www.dest-unreach.org:80
Additional examples of using Socat as a client and a server will be discussed below.
Socat as a Client and Server

In addition to redirecting data, Socat can also be used as a client or server.
socat TCP4-LISTEN:1234 EXEC:/bin/bash
socat STDIO TCP4:192.168.2.1:1234
The first command creates a server listening on port 1234, while EXEC:/bin/bash spawns a bash shell for each connection. The second command allows the client to connect to the Socat server and run commands remotely in that shell. Running a command such as ls -la on the client will display the files on the server.
Socat can also be used to run a syslog server for gathering alerts from devices on the network. In the command below, a UDP service is started on port 514. The sudo command is necessary as port 514 cannot be bound by a normal user. The -u flag selects unidirectional mode, as alerts are only being sent to the Socat server. Each time a message is received on port 514, the alert is appended to the syslog.log file.

sudo socat -u UDP4-LISTEN:514,reuseaddr,fork OPEN:syslog.log,creat,append

Crafting packets with Socat will be discussed next.

Crafting Packets with Socat
Socat can also be used to craft TCP or UDP packets. The below command will create a UDP packet which will be sent to a syslog service and logged on port 514 (such as the one which was mentioned earlier on under Socat as a Client and Server).
echo "This is a UDP packet" | socat STDIO UDP4-DATAGRAM:192.168.2.1:514
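As an added example that is neither socat's code nor part of the original article, the Python script below reproduces both halves of this scenario: the UDP syslog collector from Socat as a Client and Server (UDP4-LISTEN with OPEN:syslog.log,creat,append, here with a source allow-list in the spirit of socat's range= option) and the datagram sender shown just above. It binds 127.0.0.1 on an ephemeral port instead of 514 so it runs without root, and the sample messages are constructed.

```python
"""Python counterpart of the article's UDP pair (added example, not socat code): a
collector like 'socat -u UDP4-LISTEN:514,reuseaddr,fork OPEN:syslog.log,creat,append'
plus a range=-style allow-list, and a sender like 'echo ... | socat STDIO UDP4-DATAGRAM:host:514'."""
import ipaddress
import socket
import tempfile
import threading

class Collector(threading.Thread):
    """Append each accepted datagram to logfile; drop datagrams whose source
    address is outside allowed_range (what range=<cidr> does in socat)."""
    def __init__(self, allowed_range, count, logfile):
        super().__init__(daemon=True)
        self.allowed = ipaddress.ip_network(allowed_range)
        self.count, self.logfile, self.accepted, self.dropped = count, logfile, 0, 0
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # reuseaddr
        self.sock.bind(("127.0.0.1", 0))  # port 0: a free port, so no root is needed
        self.sock.settimeout(2.0)  # give up if the expected datagrams never arrive
        self.port = self.sock.getsockname()[1]

    def run(self):
        with self.sock, open(self.logfile, "ab") as log:  # creat,append
            for _ in range(self.count):
                try:
                    data, (src, _) = self.sock.recvfrom(65535)
                except socket.timeout:
                    break
                if ipaddress.ip_address(src) not in self.allowed:
                    self.dropped += 1  # outside range=: silently discarded
                    continue
                self.accepted += 1
                log.write(data)  # echo already terminated the line

def send_datagram(host, port, message):
    """Craft one UDP datagram: echo "message" | socat STDIO UDP4-DATAGRAM:host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message.encode() + b"\n", (host, port))

def run_pair(allowed_range, messages):
    """Start a collector, send the messages, return (accepted, dropped, log lines)."""
    path = tempfile.mkdtemp() + "/syslog.log"
    collector = Collector(allowed_range, len(messages), path)
    collector.start()
    for message in messages:
        send_datagram("127.0.0.1", collector.port, message)
    collector.join()
    with open(path, "rb") as f:
        return collector.accepted, collector.dropped, f.read().decode().splitlines()
```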
Regarding TCP communications, the following command sends an SMTP packet containing HELO yourdomain.com to smtp.live.com on port 25. Socat also acts as a banner grabber in this instance, as information such as the version number is returned by the SMTP server.
user@user-pc:~$ echo "HELO yourdomain.com" | socat STDIO TCP4:smtp.live.com:25
220 BLU436-SMTP165.smtp.hotmail.com Microsoft ESMTP MAIL Service, Version: 8.0.9200.16384 ready at Wed, 2 Nov 2016 11:19:43 -0700

Conclusion
Socat is a multi-purpose networking tool which can be used in a variety of ways. It can be used as a proxy to observe the traffic of plaintext networking protocols. Socat also has built-in OpenSSL support which allows it to secure communications. It can also be used to create a client or server socket or even be used to craft arbitrary packets. What was discussed in this article was just a small part of what Socat has to offer and there are many other ways one could use Socat.