One of the most important aspects of penetration testing is efficient remote file transfers. To do this, we need to be familiar with the Secure Copy Protocol (SCP) and Secure Shell (SSH). This article’ll explore how we can use SCP and SSH with a master control socket to streamline remote file transfers.
What is a Master Control Socket?
A master control socket is a feature of SSH that allows multiple SSH sessions to share a single connection. Once the master control socket is established, subsequent SSH sessions can reuse the same connection rather than establishing a new connection each time.
The master control socket is established by running the SSH command with the -M option. For example:
$ ssh -M -S /tmp/ssh-control-socket user@remote-host
This command sets up a master control socket at /tmp/ssh-control-socket and connects to the remote host as the user user.
Using the master control socket with SCP and SSH can be beneficial for a red teamer in several ways:
- Reduced logging and detection: By establishing a single SSH connection through the master control socket, red teamers can reduce the number of connections made to the target system, which can minimize logging and detection of their activities. This can be particularly important when attempting to maintain a low profile and avoid detection by defenders or security personnel. By reducing the number of connections made, red teamers can decrease their chances of being detected or triggering security alerts, making it easier to maintain access and execute their objectives.
- Faster file transfers: When transferring large or multiple files, the master control socket can significantly speed up the transfer process by reusing the existing SSH connection.
- Reduced load on remote hosts: By reusing the existing SSH connection, the master control socket can reduce the load on remote hosts, which can be particularly important when transferring large or sensitive files.
- Improved security: Using the master control socket with SCP and SSH can enhance security by encrypting the transfer of sensitive files and reducing the exposure of login credentials.
- Improved efficiency: The master control socket can enhance the efficiency of remote file transfers by reducing the need to establish new SSH connections and allowing multiple transfers to occur simultaneously.
Overall, using a master control socket can help a red teamer be more efficient, effective, and secure in their file transfer operations. By leveraging this powerful feature of SSH, red teamers can streamline their workflow and make the most of their time and resources.
Diagram of Master Control Socket
In this diagram, the SSH client initiates a connection to the SSH server, and a control channel is established between them. The client and server then negotiate creating a data channel for either a shell or a file transfer (such as using scp).
The local shell and remote shell are each attached to their respective data channels, allowing users to interact with the remote system via a terminal emulator. Similarly, the local and remote files are each attached to their respective data channels, allowing the user to transfer files between the local and remote systems.
These data channels are tunneled through the control channel, which is implemented using a single SSH Control Socket. This allows the user to manage multiple sessions over a single SSH connection, improving performance and efficiency.
Process Overview
Setting up the Master Control Socket
The first step is to set up the master control socket. The master control socket is a Unix domain socket that shares an SSH connection between multiple SSH sessions. To set up the master control socket, we use the -M option with the SSH command. Here’s an example:
$ ssh -M -S /tmp/ssh-control-socket user@remote-host
This command sets up a master control socket at /tmp/ssh-control-socket and connects to the remote host as the user user. If the master control socket already exists, this command will connect to it.
Using the Master Control Socket with SCP
Once we have set up the master control socket, we can use it with SCP to transfer files between hosts. To use the master control socket with SCP, we use the -o option with the SCP command to specify the control socket file. Here’s an example:
$ scp -o ControlPath=/tmp/ssh-control-socket local-file user@remote-host:/remote/path
This command transfers the file local-file
to the remote host at /remote/path
using the master control socket at /tmp/ssh-control-socket
. The SCP command will
reuse the SSH connection established by the master control socket, which can
significantly speed up the transfer and reduce the load on the remote host.
We can also use the master control socket with SCP to copy files between two remote hosts. Here’s an example:
$ scp -o ControlPath=/tmp/ssh-control-socket user1@remote-host1:/path/to/file user2@remote-host2:/path/to/destination
This command copies the file /path/to/file from remote-host1 to remote-host2 using the master control socket at /tmp/ssh-control-socket. Again, the SCP command will reuse the SSH connection established by the master control socket, which can speed up the transfer and reduce the load on the remote hosts.
This process diagram includes the following numbered and labeled steps:
- The local user system establishes a TCP connection to
remote-host1
. - An SSH connection is initiated from the local user system to
remote-host1
. remote-host1
establishes a TCP connection toremote-host2
.- An SSH connection is established from
remote-host1
toremote-host2
. - The local user system establishes a TCP connection to
remote-host2
. - An SSH connection is initiated from the local user system to
remote-host2
. - The file transfer takes place using the SCP protocol over the established SSH connections.
- An SSH connection is closed between
remote-host1
andremote-host2
. - The TCP connection between
remote-host1
andremote-host2
is closed.
Closing the Master Control Socket
When we’re finished using the master control socket, we can close it by using the -O option with the SSH command. Here’s an example:
$ ssh -S /tmp/ssh-control-socket -O exit user@remote-host
This command closes the master control socket at /tmp/ssh-control-socket and disconnects from the remote host.
Real-World Examples
Let’s examine some real-world examples of how to use SCP and SSH with a master control socket.
Example 1: Transferring a Large File
We want to transfer a large file from our local machine to a remote server. Without using the master control socket, we would need to establish a new SSH connection whenever we want to transfer a file, which can be slow and put unnecessary load on the remote server.
To use the master control socket, we first need to set it up by running the following command:
$ ssh -M -S /tmp/ssh-control-socket user@remote-server
This command sets up the master control socket at /tmp/ssh-control-socket and connects to the remote server as the user user.
Next, we can transfer the file using SCP and the master control socket by running the following command:
$ scp -o ControlPath=/tmp/ssh-control-socket large-file user@remote-server:/path/to/destination
This command transfers the file large-file to the remote server at /path/to/destination using the master control socket at /tmp/ssh-control-socket.
Because the master control socket is already established, the SCP command can reuse the existing SSH connection, significantly speeding up the transfer and reducing the load on the remote server.
Once we’re finished transferring files, we can close the master control socket by running the following command:
$ ssh -S /tmp/ssh-control-socket -O exit user@remote-server
This command closes the master control socket at /tmp/ssh-control-socket and disconnects from the remote server.
Example 2: Transferring a File Between Two Remote Servers
We need to transfer a file from one remote server to another remote server. Without using the master control socket, we would need to download the file to our local machine and then upload it to the second remote server, which can be slow and inefficient.
To use the master control socket, we can run the following command:
$ ssh -M -S /tmp/ssh-control-socket user1@remote-server1 "cat /path/to/file" | ssh -S /tmp/ssh-control-socket user2@remote-server2 "cat >/path/to/destination"
This command transfers the file /path/to/file
from remote-server1 to
remote-server2
using the master control socket at /tmp/ssh-control-socket.
The first part of the command establishes the master control socket and uses SSH
to execute the cat command on remote-server1
to read the contents of the file
/path/to/file
.
The output of the cat
command is piped to the second part of the command, which
uses SSH and the master control socket to execute the cat command on
remote-server2
and write the contents to the file /path/to/destination
.
Because the master control socket is already established, the command can reuse the existing SSH connection, significantly speeding up the transfer and reducing the load on the remote servers.
Example 3: Transferring a File Between Two Remote Servers via a Third Remote Server
Suppose we need to transfer a file from remote-server1
to remote-server2
.
However, remote-server2
is only accessible to remote-server1
, and we can only
SSH into remote-server1
. In this case, we can use port forwarding to access
remote-server2
and transfer the file using SCP.
To use port forwarding with SSH, we can run the following command on our local machine:
$ ssh -M -S /tmp/ssh-control-socket -L 2222:remote-server2:22 user@remote-server1
This command establishes the master control socket, sets up port forwarding from port 2222 on our local machine to port 22 on remote-server2 via remote-server1, and connects to remote-server1 as the user user.
Next, we can transfer the file using SCP and port forwarding by running the following command:
$ scp -o ControlPath=/tmp/ssh-control-socket -P 2222 user@localhost:/path/to/file user@remote-server2:/path/to/destination
This command transfers the file /path/to/file from remote-server1 to remote-server2 using the master control socket at /tmp/ssh-control-socket, port forwarding on port 2222, and the SCP command.
Because the master control socket is already established, port forwarding is set up, and the SCP command can reuse the existing SSH connection, the file transfer can be done quickly and easily.
Once we’re finished transferring files, we can close the master control socket by running the following command:
$ ssh -S /tmp/ssh-control-socket -O exit user@remote-server1
This command closes the master control socket at /tmp/ssh-control-socket and disconnects from remote-server1.
Process Diagram
In this diagram, the first SSH command establishes an SSH connection from the
local machine to remote-server1 and sets up a local port forwarding rule to
forward connections from port 2222 on the local machine to port 22
on
remote-server2.
The scp command uses the SSH Control Socket created by the SSH command to establish a connection to the local machine on port 2222 (using the -P option to specify the port) and copies the file located at /path/to/file
to
remote-server2
at the location /path/to/destination
.
Multiple TCP connections are established during the process, as indicated by the numbered arrows in the diagram. The SSH connections are also numbered and labeled for clarity.
Example 4: Using a SOCKS Proxy
We need to browse the web securely while on an untrusted network. We can use the -D option of SSH with a master control socket to create a SOCKS proxy that encrypts our web traffic and sends it through the SSH tunnel to a remote server.
To create the SOCKS proxy, we can run the following command:
$ ssh -M -S /tmp/ssh-control-socket -D 1080 user@remote-server
This command establishes the master control socket, sets up a SOCKS proxy on
port 1080, and connects to the remote server as the user user
.
Next, we must configure our web browser to use the SOCKS proxy. In Firefox, we can do this by going to Preferences > General > Network Settings and selecting “Manual proxy configuration.” We then enter localhost for the SOCKS host and 1080 for the port.
Once the proxy is set up, all web traffic from our browser will be encrypted and sent through the SSH tunnel to the remote server, making it more secure and private.
Because the master control socket is already established, we can reuse the existing SSH connection, saving time and reducing the load on the remote server.
Once we’re finished browsing the web, we can close the master control socket by running the following command:
$ ssh -S /tmp/ssh-control-socket -O exit user@remote-server
This command closes the master control socket at /tmp/ssh-control-socket and disconnects from the remote server.
Using the -D option of SSH with a master control socket can be helpful for red teamers who need to browse the web securely while on an untrusted network. By establishing a SOCKS proxy through the SSH tunnel, we can encrypt our web traffic and keep it private, even on public or unsecured networks. This technique can be precious for red teamers who need to maintain operational security and avoid detection while conducting their activities.
Conclusion
In conclusion, using SCP and SSH with a master control socket can be a powerful technique for red teamers and penetration testers looking to streamline their file transfer operations and maintain high security. By establishing a master control socket, we can reuse SSH connections between multiple sessions, speeding up file transfers and reducing the load on remote servers. Additionally, by leveraging port forwarding and SOCKS proxies with the master control socket, we can establish secure connections between hosts, transfer files, and browse the web quickly and easily, even when access restrictions are in place. With this knowledge, red teamers can work more efficiently, effectively, and securely, helping them achieve their objectives while minimizing their risk of detection or compromise.