Socat Magic: Intranet Penetration

Today we have a requirement like this:

  • We provide an HTTP service to another team. During joint debugging, their client can only initiate requests from the server;
  • We want to run the service on a local laptop for debugging, but there are NAT and firewalls between the server and the laptop, so the client on the server can only reach the server itself, not our laptop;
  • But our laptop can reach the server.

This is a typical requirement for intranet penetration. I found out today that socat can do such a thing.

As shown in the figure below, the server-side IP can be accessed, but the laptop's IP cannot.

[Figure: socat intranet penetration principle]

The idea is:

  • We start two socat processes, one on the local laptop and the other on the server side;
  • The socat on the server side does one thing: it listens on port 8075. Once a connection is established, it starts listening on port 5678, then copies everything received on port 8075 to port 5678, and everything received on port 5678 to port 8075;
  • The socat on the client side does one thing: it keeps trying to connect to the address . Once the connection is established, it establishes a connection with (or ), and then copies the content of to , and the content of to ;

The command run by the client is:

 socat -d -d -d -v tcp:,forever,intervall=1,fork,reuseaddr tcp:

The command run on the server side is:

 socat -d -d -d tcp-l:8075,reuseaddr,bind=,fork tcp-l:5678,bind=,reuseaddr,retry=10

In this way, the service running locally at is exposed through . When a user accesses , it is the same as accessing :

  1. The user establishes a TCP connection with , and sends the request to . At this time, it is actually the Socat process on the Server side that receives the HTTP request;
  2. Socat on the server side starts to listen ;
  3. Socat on the client side keeps trying to connect to (according to the above parameters, it tries once every 1s). At this point, because of step (2), the connection between Socat on the client side and is successfully established, so Socat on the client side also establishes a connection with ;
  4. Socat on the server side sends the HTTP request to Socat on the client side;
  5. Socat on the client side sends the HTTP request to ;
  6. When the HTTP server on the laptop sends the HTTP response, Socat on the client side sends the HTTP response to , and it is Socat on the server side that receives this response;
  7. Socat on the server side sends the HTTP response to the client;
  8. Client receives HTTP Response.
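
The data flow of steps 1-8, reduced to its socket operations and run entirely on loopback, as an added example (not code from the original post). Python stands in for the two socat processes; the function names, the ephemeral ports and the stub HTTP service are assumptions made for the demo, and unlike the setup above both listeners are opened up front instead of the tunnel port being opened after the first accept.

```python
import socket
import threading
HOST = "127.0.0.1"  # demo assumption: all three roles run on loopback

def pipe(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already gone

def splice(a, b):
    """Relay both directions between two connected sockets, then close both."""
    with a, b:
        back = threading.Thread(target=pipe, args=(b, a), daemon=True)
        back.start()
        pipe(a, b)
        back.join()

def server_side(public, tunnel):
    """Server-side relay: accept the user first, then the laptop's connection."""
    user, _ = public.accept()
    laptop, _ = tunnel.accept()
    splice(user, laptop)

def client_side(tunnel_port, local_port):
    """Laptop-side relay: dial out to the tunnel port, then to the local service."""
    out = socket.create_connection((HOST, tunnel_port))
    local = socket.create_connection((HOST, local_port))
    splice(out, local)

def local_service(listener):
    """Constructed stand-in for the HTTP service on the laptop (one request)."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(4096)
        conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello from laptop")

def demo():
    """Run the exchange on ephemeral ports; return the bytes the user receives."""
    public, tunnel, local = (socket.create_server((HOST, 0)) for _ in range(3))
    ports = [s.getsockname()[1] for s in (public, tunnel, local)]
    for fn, args in ((local_service, (local,)), (server_side, (public, tunnel)),
                     (client_side, (ports[1], ports[2]))):
        threading.Thread(target=fn, args=args, daemon=True).start()
    with socket.create_connection((HOST, ports[0]), timeout=5) as user:
        user.sendall(b"GET / HTTP/1.0\r\n\r\n")
        return b"".join(iter(lambda: user.recv(4096), b""))
```

Calling `demo()` returns the stub service's response as seen by the user. The relay pairs whichever peers connect to its two ports and performs no authentication, which is why the bind addresses in the server-side command matter.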
