Monday, October 6, 2008

Some useful socat commands

To link serial port ttyS0 to another serial port:

socat /dev/ttyS0,raw,echo=0,crnl /dev/ttyS1,raw,echo=0,crnl

To get time from time server:

socat TCP:time.nist.gov:13 -

To forward local http port to remote http port:

socat TCP-LISTEN:80,fork TCP:www.domain.org:80

To forward terminal to the serial port COM1:

socat READLINE,history=$HOME/.cmd_history /dev/ttyS0,raw,echo=0,crnl

Simple file-transfer:

On the server-side: socat TCP-LISTEN:port filename
To send file fro the server: socat TCP:hostname:port filename

socat - TCP4:www.domain.org:80

Transfers data between STDIO (-) and a TCP4 connection to port 80 of host www.domain.org. This example results in an interactive connection similar to telnet or netcat. The stdin terminal parameters are not changed, so you may close the relay with ^D or abort it with ^C.

socat -d -d READLINE,history=$HOME/.http_history \
TCP4:www.domain.org:www,crnl

This is similar to the previous example, but you can edit the current line in a bash like manner (READLINE) and use the history file .http_history; socat prints messages about progress (-d -d). The port is specified by service name (www), and correct network line termination characters (crnl) instead of NL are used.

socat TCP4-LISTEN:www TCP4:www.domain.org:www

Installs a simple TCP port forwarder. With TCP4-LISTEN it listens on local port "www" until a connection comes in, accepts it, then connects to the remote host (TCP4) and starts data transfer. It will not accept a second connection.


socat -d -d -lmlocal2 \
TCP4-LISTEN:80,bind=myaddr1,su=nobody,fork,range=10.0.0.0/8,reuseaddr \
TCP4:www.domain.org:80,bind=myaddr2

TCP port forwarder, each side bound to another local IP address (bind). This example handles an almost arbitrary number of parallel or consecutive connections by forking a new process after each accept(). It provides a little security by sudoing to user nobody after forking; it only permits connections from the private 10 network (range); due to reuseaddr, it allows immediate restart after master processes termination, even if some child sockets are not completely shut down. With -lmlocal2, socat logs to stderr until successfully reaching the accept loop. Further logging is directed to syslog with facility local2.


socat TCP4-LISTEN:5555,fork,tcpwrap=script \
EXEC:/bin/myscript,chroot=/home/sandbox,su-d=sandbox,pty,stderr

A simple server that accepts connections (TCP4-LISTEN) and forks a new child process for each connection; every child acts as single relay. The client must match the rules for daemon process name "script" in /etc/hosts.allow and /etc/hosts.deny, otherwise it is refused access (see "man 5 hosts_access"). For EXECuting the program, the child process chroots to /home/sandbox, sus to user sandbox, and then starts the program /home/sandbox/bin/myscript. Socat and myscript communicate via a pseudo tty (pty); myscripts stderr is redirected to stdout, so its error messages are transferred via socat to the connected client.

socat EXEC:"mail.sh target@domain.com",fdin=3,fdout=4 \
TCP4:mail.relay.org:25,crnl,bind=alias1.server.org,mss=512

mail.sh is a shell script, distributed with socat, that implements a simple SMTP client. It is programmed to "speak" SMTP on its FDs 3 (in) and 4 (out). The fdin and fdout options tell socat to use these FDs for communication with the program. Because mail.sh inherits stdin and stdout while socat does not use them, the script can read a mail body from stdin. Socat makes alias1 your local source address (bind), cares for correct network line termination (crnl) and sends at most 512 data bytes per packet (mss).


socat - /dev/ttyS0,raw,echo=0,crnl

Opens an interactive connection via the serial line, e.g. for talking with a modem. raw and echo set ttyS0's terminal parameters to practicable values, crnl converts to correct newline characters. Consider using READLINE instead of `-'.


socat UNIX-LISTEN:/tmp/.X11-unix/X1,fork \
SOCKS4:host.victim.org:127.0.0.1:6000,socksuser=nobody,sourceport=20

With UNIX-LISTEN, socat opens a listening UNIX domain socket /tmp/.X11-unix/X1. This path corresponds to local XWindow display :1 on your machine, so XWindow client connections to DISPLAY=:1 are accepted. Socat then speaks with the SOCKS4 server host.victim.org that might permit sourceport 20 based connections due to an FTP related weakness in its static IP filters. Socat pretends to be invoked by socksuser nobody, and requests to be connected to loopback port 6000 (only weak sockd configurations will allow this). So we get a connection to the victims XWindow server and, if it does not require MIT cookies or Kerberos authentication, we can start work. Please note that there can only be one connection at a time, because TCP can establish only one session with a given set of addresses and ports.


socat -u /tmp/readdata,seek-end=0,ignoreeof -


This is an example for unidirectional data transfer (-u). Socat transfers data from file /tmp/readdata (implicit address GOPEN), starting at its current end (seek-end=0 lets socat start reading at current end of file; use seek=0 or no seek option to first read the existing data) in a "tail -f" like mode (ignoreeof). The "file" might also be a listening UNIX domain socket (do not use a seek option then).

(sleep 5; echo PASSWORD; sleep 5; echo ls; sleep 1) |
socat - EXEC:'ssh -l user server',pty,setsid,ctty

EXECutes an ssh session to server. Uses a pty for communication between socat and ssh, makes it ssh's controlling tty (ctty), and makes this pty the owner of a new process group (setsid), so ssh accepts the password from socat.


socat -u TCP4-LISTEN:3334,reuseaddr,fork \
OPEN:/tmp/in.log,creat,append


Implements a simple network based message collector. For each client connecting to port 3334, a new child process is generated (option fork). All data sent by the clients are appended to the file /tmp/in.log. If the file does not exist, socat creats it. Option reuseaddr allows immediate restart of the server process.


socat READLINE,noecho='[Pp]assword:' EXEC:'ftp ftp.server.com',pty,setsid,ctty


Wraps a command line history (READLINE) around the EXECuted ftp client utility. This allows editing and reuse of FTP commands for relatively comfortable browsing through the ftp directory hierarchy. The password is echoed! pty is required to have ftp issue a prompt. Nevertheless, there may occur some confusion with the password and FTP prompts.


socat PTY,link=$HOME/dev/vmodem0,raw,echo=0,waitslave exec:'


Generates a pseudo terminal device (PTY) on the client that can be reached under the symbolic link $HOME/dev/vmodem0. An application that expects a serial line or modem can be configured to use $HOME/dev/vmodem0; its traffic will be directed to a modemserver via ssh where another socat instance links it with /dev/ttyS0.


socat TCP4-LISTEN:2022,reuseaddr,fork \
PROXY:proxy:www.domain.org:22,proxyport=3128,proxyauth=user:pass

starts a forwarder that accepts connections on port 2022, and directs them through the proxy daemon listening on port 3128 (proxyport) on host proxy, using the CONNECT method, where they are authenticated as "user" with "pass" (proxyauth). The proxy should establish connections to host www.domain.org on port 22 then.


echo |socat -u - file:/tmp/bigfile,create,largefile,seek=100000000000


creates a 100GB sparse file; this requires a file system type that supports this (ext2, ext3, reiserfs, jfs; not minix, vfat). The operation of writing 1 byte might take long (reiserfs: some minutes; ext2: "no" time), and the resulting file can consume some disk space with just its inodes (reiserfs: 2MB; ext2:16KB).


socat tcp-l:7777,reuseaddr,fork system:filan -i 0 -s >&2,nofork

listens for incoming TCP connections on port 7777. For each accepted connection, invokes a shell. This shell has its stdin and stdout directly connected to the TCP socket (nofork). The shell starts filan and lets it print the socket addresses to stderr (your terminal window).

echo -e

functions as primitive binary editor: it writes the 4 bytes 000 014 000 000 to the executable /usr/bin/squid at offset 0x00074420 (this is a real world patch to make the squid executable from Cygwin run under Windows, actual per May 2004).


socat - tcp:www.blackhat.org:31337,readbytes=1000

connect to an unknown service and prevent being flooded.

12 comments:

  1. Great post, but I have a question. Say I issue this command:

    socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:10.0.0.1:80,
    socksport=9050

    When I try to use those ports for another host, lets say:

    socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:11.1.1.1:80,
    socksport=9050

    I get an error saying the ports are in use (presumably from my first command).

    So is there a way to reset, or unset the ports that are being used?

    ReplyDelete
  2. Most likely your computer has a service running that uses the port 8080. Try netstat to see what application is using it.

    ReplyDelete
  3. It's very helpful.

    If I have a socket file, do you know how I can find out which process uses it, which port is used, and how I can listen to it?

    Thanks.

    ReplyDelete
  4. Interesting stuff, I must say. Thank you!

    ReplyDelete
  5. This post is just a copy from the official documentation of Socat.... nothing new, no investigative work

    ReplyDelete
  6. Hi! How do i use socat to forward the serial data that is suppose to send out from serial port to the ethernet port instead?

    ReplyDelete
    Replies
    1. Example: to forward serial data on device ttyUSB2 to telnet port 8081

      socat /dev/ttyUSB2 tcp4-listen:8081

      Delete
    2. To prevent the socat to terminate when we terminate the telnet session (or whatever client app), pass parameter "fork" to tell the socat to fork a child per connection.

      e.g:

      socat /dev/ttyUSB0 tcp-listen:8081,fork

      Delete
  7. Hi. What about forwarding from a telnet connection with login ? I want to forward telnet data to a virtual serial port but only after having provided user/pass... something like netcat, echo, then socat ?

    ReplyDelete
    Replies
    1. See one of examples above that use param "READLINE" and "EXEC:"

      Delete
    2. Sorry I did'nt explain very well. In my case the login is yet present on a remote device (a cisco router, in which the aux port is connected to an UPS serial port). When I telnet to the router it asks for a login and then passes flux to the serial port. If I try to do socat to bind tcp connection to a local pty, it fails (of course). Probably there's no way to login within socat. I will try to remove login from the router. Thanks anyway I will bookmark this page for the next socat need.

      Delete