socat
Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes.
socat connect to http-server (port 80 on 'google.com')
connect to https-server (port 443 on 'google.com' with tls)
Sleep is necessary to prevent socat closing socket before data received
tcp-listener (port 1337), output as hexdump (-x) and fork for new connetions
Use: to see output
Exampel using -d -d vs -v -v to show the difference on the listener side
```bash socat -d -d -x tcp-listen:1337,fork - 2026/03/04 01:25:14 socat[32575] N listening on AF=2 0.0.0.0:1337 2026/03/04 01:25:16 socat[32575] N accepting connection from AF=2 127.0.0.1:37404 on AF=2 127.0.0.1:1337 2026/03/04 01:25:16 socat[32575] N forked off child process 32578 2026/03/04 01:25:16 socat[32575] N listening on AF=2 0.0.0.0:1337 2026/03/04 01:25:16 socat[32578] N reading from and writing to stdio 2026/03/04 01:25:16 socat[32578] N starting data transfer loop with FDs [6,6] and [0,1] > 2026/03/04 01:25:16.000350525 length=37 from=0 to=36 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 31 39 32 2e 31 36 38 2e 31 2e 31 0d 0a 0d 0a GET / HTTP/1.1 Host: 192.168.1.1
2026/03/04 01:25:16 socat[32578] N socket 1 (fd 6) is at EOF
2026/03/04 01:25:16 socat[32578] N exiting with status 0
2026/03/04 01:25:16 socat[32575] N childdied(): handling signal 17
```
* -v -v example
```bash
socat -v -v -x tcp-listen:1337,fork -
> 2026/03/04 01:25:10.000249733 length=37 from=0 to=36
47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1..
48 6f 73 74 3a 20 31 39 32 2e 31 36 38 2e 31 2e Host: 192.168.1.
31 0d 0a 1..
0d 0a ..
--
GET / HTTP/1.1
Host: 192.168.1.1
```
* default example, no -d -d and no -v -v
```bash
/mnt/usb/www/www.nr1.nu/docs $ socat -x tcp-listen:1337,fork -
> 2026/03/04 01:27:17.000968904 length=37 from=0 to=36
47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 31 39 32 2e 31 36 38 2e 31 2e 31 0d 0a 0d 0a
GET / HTTP/1.1
Host: 192.168.1.1
```
* without -x on listener
```bash
socat tcp-listen:1337,fork -
GET / HTTP/1.1
Host: 192.168.1.1
```
Connect to tcp-listener
http to https Proxy (for an webserver without TLS-Support)
port forwarding (e.g. own port 1337 to port 22 on target
TOR-forwarding (needs tor-daemon on port 9050 running)
network (port 1337) to serial bridge (/dev/ttyUSB0 baudrate: 115200)
Host a simple html page
Host a simple txt file
Bind Shell
In this scenario socat will listen to a port in the victim(server) and wait for any new connection.
This will open port 1337 and listen on it and upon a new connection the /bin/bash will be executed, giving this way a remote shell to the attacker.
In order to set this up we need to run the following command
Connect to our victim with socat
- On our attacker machine now we run socat with the following command so it can connect to the victim. Do remember that the IP of the victim is the
192.168.1.64.
See example below
It is also possible to connect to a listening shell by /dev/tcp....
Same as above but in a while loop
Reverse Shell
In this scenario the victim (server) will initiate the connection back to the attacker instead of listening for incoming connections.
This means the attacker must first open a listening port. When the victim connects to that port, /bin/bash will be executed and attached to the outgoing connection, giving the attacker a remote shell.
In order to set this up we first need to listen on our attacker machine
Now on the victim machine we run the following command to connect back to the attacker
- Do remember that the IP of the attacker is
192.168.1.100.
Some versions of netcat (e.g. OpenBSD nc) do not support the -e option
In that case you can use the following FIFO-based method instead:
See example below
It is also possible to initiate a reverse shell using /dev/tcp
Same as above but in a while loop
Resource(s)