Socat — the tool of choice for proxies and networking pipes.
In prior blogs, our team has written about tools like netcat, Nmap, and Zeek that network security engineers widely use. Security analysts and threat hunters use these tools to help with their daily tasks. So this time let’s talk about socat. Socat is the tool of choice if you are creating your own proxies or networking pipes.
What is socat?
Socat is a multi-purpose relay tool, which means it is a more comprehensive tool than netcat. Netcat’s design allows it to be a simple TCP and UDP client or server, while socat is more of a feature-rich proxy and multi-directional data transfer tool that supports multiple options and methods of invocation. You can run any network server that prints the output of a particular command once someone connects to the socket.
Socat is not just a proxy or a communication toolkit, and it is a full-fledged networking tool chest with a wide variety of crypto and networking primitives built into it. It seems to be more about networking than crypto, but I’ve added an example below that you can use to run OpenSSL secure communications with socat.
Basic examples
A simple HTTP connect line.
$ socat - TCP:127.0.0.1:80
The connect line above will connect you to your local Nginx server running on your Linux machine, and you can run simple HTTP verbs like GET or HEAD and so on. This is similar to the netcat command (see the previous netcat blog).
$ nc -v 127.0.0.1 80
Socat is also very clever when it comes to detecting data, keeping connections open, or detecting the close of a socket.
For instance, this command prints the date, think of it as a simple datetime protocol at port 137.
$ socat - system:/bin/date
Or even
$ socat - exec:/usr/games/fortune
Creating an encrypted communication channel between two socat instances
For more serious purposes, such as creating an encrypted channel with two socat instances, we would also want to use OpenSSL. So first, let’s create a certificate that is self-signed for your FQDN. Here is the cert generation process first:
$ openssl genrsa -out server.key 2048
$ openssl req -new -key server.key -x509 -days 365 -out server.crt
For this walkthrough, we will name it localhost. Then do this:
$ cat server.key server.cert > server.pem
$ chmod 0600 server.pem server.key
Now we are ready to run a secure SSL/TLS encrypted communication channel between two socat instances. One acts as an SSL server and one as the client, which the server prints out a command output. The client connects, reads the output on an encrypted channel, and then returns. This process is just one example of what we can achieve. You can also ask the client to read from standard input or echo what the client sends to store the client data on a file.
On a tmux split terminal type this:
$ socat ssl-l:2443,reuseaddr,fork,cert=server.pem,cafile=server.crt,verify=1 exec:'/bin/date’
On the other terminal please invoke the client:
$ socat - ssl:localhost:2443,cert=server.pem,cafile=server.crt
I get this as output.
Tue Jun 30 13:17:23 IST 2020
Now to echo:
$ socat echo -
You can type something which will get returned.
3-way Communication and Further
This article explained how to use socat either as a client, server, or both.
Socat is feature-rich. I showed you examples about so you can get started. You can also set up a 3-way communication using it, so try it out!
Here are some additional phrases you might be interested in:
- INIT
- CONNECT
- TRASNFER
- CLOSE
So, how do security analysts use the tool? For security analysts, they enjoy using it as debugging and logging. It’s some of their preferred network tools as socat takes the Linux command line wonder across the network. How would you like to use it?
Did you enjoy this content? Follow our LinkedIn page!