mirror of
https://github.com/oXis/pwnwiki.github.io.git
synced 2025-10-29 16:56:59 +00:00
Adding socat content continued.
This commit is contained in:
parent
dad68a2c3b
commit
d3313ac9a0
@ -13,3 +13,9 @@ The examples below are mostly copied from the http://www.dest-unreach.org/socat/
|
||||
| `socat -d -d READLINE,history=$HOME/.http_history \`<br>`TCP4:www.domain.org:www,crnl` | this is similar to the previous example, but you can edit the current line in a bash like manner (READLINE) and use the history file .http_history; socat prints messages about progress (-d -d). The port is specified by service name (www), and correct network line termination characters (crnl) instead of NL are used. |
|
||||
| `socat TCP4-LISTEN:www TCP4:www.domain.org:www` | installs a simple TCP port forwarder. With TCP4-LISTEN it listens on local port "www" until a connection comes in, accepts it, then connects to the remote host (TCP4) and starts data transfer. It will not accept a econd connection. |
|
||||
| `socat -d -d -lmlocal2 TCP4-LISTEN:80,bind=myaddr1, \`<br>`su=nobody,fork,range=10.0.0.0/8,reuseaddr \`<br>`TCP4:www.domain.org:80,bind=myaddr2` | TCP port forwarder, each side bound to another local IP address (bind). This example handles an almost arbitrary number of parallel or consecutive connections by fork'ing a new process after each accept() . It provides a little security by su'ing to user nobody after forking; it only permits connections from the private 10 network (range); due to reuseaddr, it allows immediate restart after master process's termination, even if some child sockets are not completely shut down. With -lmlocal2, socat logs to stderr until successfully reaching the accept loop. Further logging is directed to syslog with facility local2. |
|
||||
| `socat TCP4-LISTEN:5555,fork,tcpwrap=script \`<br>`EXEC:/bin/myscript,chroot=/home/sandbox,su-d=sandbox,pty,stderr` | a simple server that accepts connections (TCP4-LISTEN) and fork's a new child process for each connection; every child acts as single relay. The client must match the rules for daemon process name "script" in /etc/hosts.allow and /etc/hosts.deny, otherwise it is refused access (see "man 5 hosts_access"). For EXEC'uting the program, the child process chroot's to /home/sandbox, su's to user sandbox, and then starts the program /home/sandbox/bin/myscript. Socat and myscript communicate via a pseudo tty (pty); myscript's stderr is redirected to stdout, so its error messages are transferred via socat to the connected client. |
|
||||
| `socat EXEC:"mail.sh target@domain.com",fdin=3,fdout=4 \`<br>`TCP4:mail.relay.org:25,crnl,bind=alias1.server.org,mss=512` | mail.sh is a shell script, distributed with socat, that implements a simple SMTP client. It is programmed to "speak" SMTP on its FDs 3 (in) and 4 (out). The fdin and fdout options tell socat to use these FDs for communication with the program. Because mail.sh inherits stdin and stdout while socat does not use them, the script can read a mail body from stdin. Socat makes alias1 your local source address (bind), cares for correct network line termination (crnl) and sends at most 512 data bytes per packet (mss). |
|
||||
| `socat -,raw,echo=0,escape=0x0f /dev/ttyS0,raw,echo=0,crnl` | opens an interactive connection via the serial line, e.g. for talking with a modem. raw and echo set the console's and ttyS0's terminal parameters to practicable values, crnl converts to correct newline characters. escape allows to terminate the socat process with character control-O. Consider using READLINE instead of the first address. |
|
||||
| `socat UNIX-LISTEN:/tmp/.X11-unix/X1,fork \`<br>`SOCKS4:host.victim.org:127.0.0.1:6000,socksuser=nobody,sourceport=20` | with UNIX-LISTEN, socat opens a listening UNIX domain socket /tmp/.X11-unix/X1. This path corresponds to local XWindow display :1 on your machine, so XWindow client connections to DISPLAY=:1 are accepted. Socat then speaks with the SOCKS4 server host.victim.org that might permit sourceport 20 based connections due to an FTP related weakness in its static IP filters. Socat pretends to be invoked by socksuser nobody, and requests to be connected to loopback port 6000 (only weak sockd configurations will allow this). So we get a connection to the victims XWindow server and, if it does not require MIT cookies or Kerberos authentication, we can start work. Please note that there can only be one connection at a time, because TCP can establish only one session with a given set of addresses and ports. |
|
||||
| `socat -u /tmp/readdata,seek-end=0,ignoreeof -` | this is an example for unidirectional data transfer (-u). Socat transfers data from file /tmp/readdata (implicit address GOPEN), starting at its current end (seek-end=0 lets socat start reading at current end of file; use seek=0 or no seek option to first read the existing data) in a "tail -f" like mode (ignoreeof). The "file" might also be a listening UNIX domain socket (do not use a seek option then). |
|
||||
| `(sleep 5; echo PASSWORD; sleep 5; echo ls; sleep 1)` | <br>`socat - EXEC:'ssh -l user server',pty,setsid,ctty` | EXEC'utes an ssh session to server. Uses a pty for communication between socat and ssh, makes it ssh's controlling tty (ctty), and makes this pty the owner of a new process group (setsid), so ssh accepts the password from socat. |
|
||||
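Review bot: the last row of the table is malformed: the subshell `(sleep 5; echo PASSWORD; sleep 5; echo ls; sleep 1)` lands in its own cell and the `socat - EXEC:'ssh -l user server',pty,setsid,ctty` command in a second one, with a stray `<br>` between them, so the row has three cells in a two-column table. The description ("so ssh accepts the password from socat") only holds if the subshell's output is piped into socat's `-` address, and a literal `|` inside a Markdown table cell is taken as a column separator, which is what broke the row; write the pipe as `\|` (or `&#124;`) so the whole pipeline stays in the command column. Two smaller points in the same hunk: "It will not accept a econd connection." in the `TCP4-LISTEN:www` row should read "a second connection", and the alternating `|` and `||||` lines between rows render as empty rows rather than spacing, so they can be dropped (the earlier part of the table in this file should then be made consistent with whatever you choose).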