Efficient Remote File Transfers: Using SCP and SSH with a Master Control Socket

As a penetration tester, one of the most important aspects of our work is efficient remote file transfers. In order to do this, we need to be familiar with the Secure Copy Protocol (SCP) and Secure Shell (SSH). In this article, we’ll explore how we can use SCP and SSH with a master control socket to streamline remote file transfers.

What is a Master Control Socket?

A master control socket is a feature of SSH that allows multiple SSH sessions to share a single SSH connection. This means that once the master control socket is established, subsequent SSH sessions can reuse the same connection, rather than establishing a new connection each time.

The master control socket is established by running the SSH command with the -M option. For example:

$ ssh -M -S /tmp/ssh-control-socket user@remote-host

This command sets up a master control socket at /tmp/ssh-control-socket and connects to the remote host as the user user.

Using the master control socket with SCP and SSH can be beneficial for a red teamer in several ways:

1. Reduced logging and detection: By establishing a single SSH connection through the master control socket, red teamers can reduce the number of connections made to the target system, which can reduce logging and detection of their activities. This can be particularly important when attempting to maintain a low profile and avoid detection by defenders or security personnel. By reducing the number of connections made, red teamers can decrease their chances of being detected or triggering security alerts, making it easier to maintain their access and execute their objectives.
2. Faster file transfers: When transferring large files or multiple files, the master control socket can significantly speed up the transfer process by reusing the existing SSH connection.
3. Reduced load on remote hosts: By reusing the existing SSH connection, the master control socket can reduce the load on remote hosts, which can be particularly important when transferring large or sensitive files.
4. Improved security: Using the master control socket with SCP and SSH can improve security by encrypting the transfer of sensitive files and reducing the exposure of login credentials.
5. Improved efficiency: The master control socket can improve the efficiency of remote file transfers by reducing the need to establish new SSH connections and allowing multiple transfers to occur simultaneously.

Overall, the use of a master control socket can help a red teamer be more efficient, effective, and secure in their file transfer operations. By leveraging this powerful feature of SSH, red teamers can streamline their workflow and make the most of their time and resources.

Diagram of Master Control Socket

In this diagram, the SSH client initiates a connection to the SSH server, and a control channel is established between them. The client and server then negotiate the creation of a data channel for either a shell or a file transfer (such as using scp).

The local shell and remote shell are each attached to their respective data channels, allowing the user to interact with the remote system via a terminal emulator. Similarly, the local file and remote file are each attached to their respective data channels, allowing the user to transfer files between the local and remote systems.

All of these data channels are tunneled through the control channel, which is implemented using a single SSH Control Socket. This allows the user to manage multiple sessions over a single SSH connection, improving performance and efficiency.

Process Overview

Setting up the Master Control Socket

The first step is to set up the master control socket. The master control socket is a Unix domain socket that is used to share an SSH connection between multiple SSH sessions. To set up the master control socket, we use the -M option with the SSH command. Here’s an example:

$ ssh -M -S /tmp/ssh-control-socket user@remote-host

This command sets up a master control socket at /tmp/ssh-control-socket and connects to the remote host as the user user. If the master control socket already exists, this command will connect to it.

Using the Master Control Socket with SCP

Once we have set up the master control socket, we can use it with SCP to transfer files between hosts. To use the master control socket with SCP, we use the -o option with the SCP command to specify the control socket file. Here’s an example:

$ scp -o ControlPath=/tmp/ssh-control-socket local-file user@remote-host:/remote/path

This command transfers the file local-file to the remote host at /remote/path using the master control socket at /tmp/ssh-control-socket. The SCP command will reuse the SSH connection established by the master control socket, which can significantly speed up the transfer and reduce the load on the remote host.

We can also use the master control socket with SCP to copy files between two remote hosts. Here’s an example:

$ scp -o ControlPath=/tmp/ssh-control-socket user1@remote-host1:/path/to/file user2@remote-host2:/path/to/destination

This command copies the file /path/to/file from remote-host1 to remote-host2 using the master control socket at /tmp/ssh-control-socket. Again, the SCP command will reuse the SSH connection established by the master control socket, which can speed up the transfer and reduce the load on the remote hosts.

This process diagram includes the following numbered and labeled steps:

1. The local user system establishes a TCP connection to remote-host1.
2. An SSH connection is initiated from the local user system to remote-host1.
3. remote-host1 establishes a TCP connection to remote-host2.
4. An SSH connection is established from remote-host1 to remote-host2.
5. The local user system establishes a TCP connection to remote-host2.
6. An SSH connection is initiated from the local user system to remote-host2.
7. The file transfer takes place using the SCP protocol over the established SSH connections.
8. An SSH connection is closed between remote-host1 and remote-host2.
9. The TCP connection between remote-host1 and remote-host2 is closed.

Closing the Master Control Socket

When we’re finished using the master control socket, we can close it by using the -O option with the SSH command. Here’s an example:

$ ssh -S /tmp/ssh-control-socket -O exit user@remote-host

This command closes the master control socket at /tmp/ssh-control-socket and disconnects from the remote host.

Real-World Examples

Let’s look at some real-world examples of how we can use SCP and SSH with a master control socket.

Example 1: Transferring a Large File

Suppose we want to transfer a large file from our local machine to a remote server. Without using the master control socket, we would need to establish a new SSH connection every time we want to transfer a file, which can be slow and put unnecessary load on the remote server.

To use the master control socket, we first need to set it up by running the following command:

$ ssh -M -S /tmp/ssh-control-socket user@remote-server

This command sets up the master control socket at /tmp/ssh-control-socket and connects to the remote server as the user user.

Next, we can transfer the file using SCP and the master control socket by running the following command:

$ scp -o ControlPath=/tmp/ssh-control-socket large-file user@remote-server:/path/to/destination

This command transfers the file large-file to the remote server at /path/to/destination using the master control socket at /tmp/ssh-control-socket.

Because the master control socket is already established, the SCP command can reuse the existing SSH connection, which can significantly speed up the transfer and reduce the load on the remote server.

Once we’re finished transferring files, we can close the master control socket by running the following command:

$ ssh -S /tmp/ssh-control-socket -O exit user@remote-server

This command closes the master control socket at /tmp/ssh-control-socket and disconnects from the remote server.

Example 2: Transferring a File Between Two Remote Servers

Suppose we need to transfer a file from one remote server to another remote server. Without using the master control socket, we would need to download the file to our local machine and then upload it to the second remote server, which can be slow and inefficient.

To use the master control socket, we can run the following command:

$ ssh -M -S /tmp/ssh-control-socket user1@remote-server1 "cat /path/to/file" | ssh -S /tmp/ssh-control-socket user2@remote-server2 "cat >/path/to/destination"

This command transfers the file /path/to/file from remote-server1 to remote-server2 using the master control socket at /tmp/ssh-control-socket.

The first part of the command establishes the master control socket and uses SSH to execute the cat command on remote-server1 to read the contents of the file /path/to/file.

The output of the cat command is piped to the second part of the command, which uses SSH and the master control socket to execute the cat command on remote-server2 and write the contents to the file /path/to/destination.

Because the master control socket is already established, the command can reuse the existing SSH connection, which can significantly speed up the transfer and reduce the load on the remote servers.

Example 3: Transferring a File Between Two Remote Servers via a Third Remote Server

Suppose we need to transfer a file from remote-server1 to remote-server2. However, remote-server2 is only accessible to remote-server1, and we can only SSH into remote-server1. In this case, we can use port forwarding to access remote-server2 and transfer the file using SCP.

To use port forwarding with SSH, we can run the following command on our local machine:

$ ssh -M -S /tmp/ssh-control-socket -L 2222:remote-server2:22 user@remote-server1

This command establishes the master control socket, sets up port forwarding from port 2222 on our local machine to port 22 on remote-server2 via remote-server1, and connects to remote-server1 as the user user.

Next, we can transfer the file using SCP and port forwarding by running the following command:

$ scp -o ControlPath=/tmp/ssh-control-socket -P 2222 user@localhost:/path/to/file user@remote-server2:/path/to/destination

This command transfers the file /path/to/file from remote-server1 to remote-server2 using the master control socket at /tmp/ssh-control-socket, port forwarding on port 2222, and the SCP command.

Because the master control socket is already established, port forwarding is set up, and the SCP command can reuse the existing SSH connection, the file transfer can be done quickly and easily.

Once we’re finished transferring files, we can close the master control socket by running the following command:

$ ssh -S /tmp/ssh-control-socket -O exit user@remote-server1

This command closes the master control socket at /tmp/ssh-control-socket and disconnects from remote-server1.

Process Diagram

In this diagram, the first ssh command establishes an SSH connection from the local machine to remote-server1 and sets up a local port forwarding rule to forward connections from port 2222 on the local machine to port 22 on remote-server2.

The scp command uses the SSH Control Socket created by the ssh command to establish a connection to the local machine on port 2222 (using the -P option to specify the port), and copies the file located at /path/to/file to remote-server2 at the location /path/to/destination.

During the process, multiple TCP connections are established, as indicated by the numbered arrows in the diagram. The SSH connections are also numbered and labeled for clarity.

Example 4: Using a SOCKS Proxy

Suppose we need to browse the web securely while on an untrusted network. We can use the -D option of SSH with a master control socket to create a SOCKS proxy that encrypts our web traffic and sends it through the SSH tunnel to a remote server.

To create the SOCKS proxy, we can run the following command:

$ ssh -M -S /tmp/ssh-control-socket -D 1080 user@remote-server

This command establishes the master control socket, sets up a SOCKS proxy on port 1080, and connects to the remote server as the user user.

Next, we need to configure our web browser to use the SOCKS proxy. In Firefox, we can do this by going to Preferences > General > Network Settings and selecting “Manual proxy configuration”. We then enter localhost for the SOCKS host and 1080 for the port.

Once the proxy is set up, all web traffic from our browser will be encrypted and sent through the SSH tunnel to the remote server, making it more secure and private.

Because the master control socket is already established, we can reuse the existing SSH connection, which can save time and reduce the load on the remote server.

Once we’re finished browsing the web, we can close the master control socket by running the following command:

$ ssh -S /tmp/ssh-control-socket -O exit user@remote-server

This command closes the master control socket at /tmp/ssh-control-socket and disconnects from the remote server.

Using the -D option of SSH with a master control socket can be a useful technique for red teamers who need to browse the web securely while on an untrusted network. By establishing a SOCKS proxy through the SSH tunnel, we can encrypt our web traffic and keep it private, even on public or unsecured networks. This technique can be particularly valuable for red teamers who need to maintain operational security and avoid detection while conducting their activities.

Conclusion

In conclusion, using SCP and SSH with a master control socket can be a powerful technique for red teamers and penetration testers looking to streamline their file transfer operations and maintain a high level of security. By establishing a master control socket, we can reuse SSH connections between multiple sessions, which can speed up file transfers and reduce the load on remote servers. Additionally, by leveraging port forwarding and SOCKS proxies with the master control socket, we can establish secure connections between hosts and transfer files and browse the web quickly and easily, even when there are access restrictions in place. With this knowledge, red teamers can work more efficiently, effectively, and securely, helping them achieve their objectives while minimizing their risk of detection or compromise.