SSH Multiplexing and Master Control Sockets: Advanced Techniques for Red Team Operations

One of the most important aspects of penetration testing is efficient remote file transfers. To do this, we need to be familiar with the Secure Copy Protocol (SCP) and Secure Shell (SSH). This article’ll explore how we can use SCP and SSH with a master control socket to streamline remote file transfers.

What is SSH Multiplexing and Master Control Sockets?

SSH multiplexing is a feature that allows multiple SSH sessions to share a single underlying TCP connection. This is implemented through a master control socket, which acts as a persistent connection that other SSH sessions can reuse.

Understanding SSH Beyond “Encrypted Telnet”

Many people think of SSH as simply “encrypted telnet,” but SSH is actually a sophisticated protocol suite that provides much more than just encrypted terminal access. SSH consists of several components:

• SSH Transport Layer: Handles the encrypted connection and key exchange
• SSH Authentication Layer: Manages user authentication (password, key-based, etc.)
• SSH Connection Layer: Provides multiple channels over a single connection

This layered architecture allows SSH to support various services beyond just shell access:

• SCP (Secure Copy Protocol): File transfer using SSH
• SFTP (SSH File Transfer Protocol): Interactive file transfer with SSH
• Port Forwarding: Tunneling other protocols through SSH
• Dynamic SOCKS Proxying: Creating SOCKS proxies for web browsing
• Reverse Tunnels: Establishing connections from remote to local
• X11 Forwarding: Forwarding graphical applications
• Agent Forwarding: Sharing SSH keys across connections

All of these services can benefit from master control sockets, allowing you to establish the initial connection once and then use it for multiple purposes without the overhead of re-authentication.

How SSH Multiplexing Works

When you establish a normal SSH connection, the process involves:

1. TCP handshake (3-way handshake)
2. SSH protocol negotiation and authentication
3. Session establishment

This process creates significant overhead, especially when making multiple connections to the same server. SSH multiplexing solves this by:

1. Master Connection: The first SSH connection establishes a master session with a control socket
2. Control Socket: A Unix domain socket file is created that represents the persistent connection
3. Multiplexed Sessions: Subsequent SSH sessions connect through the control socket, bypassing the connection establishment overhead

Master Control Socket Implementation

The master control socket is established by running the SSH command with the -M (master) option:

ssh -M -S ~/.ssh/control-target-server-22-pentester target-server

This command:

• -M: Enables master mode, creating a persistent connection
• -S: Specifies the path for the control socket file
• Creates a Unix domain socket at ~/.ssh/control-target-server-22-pentester

Once established, other SSH sessions can reuse this connection using the -S option:

ssh -S ~/.ssh/control-target-server-22-pentester target-server

[!NOTE] You only need to use -M once to establish the master control socket. Subsequent SSH or SCP commands can reuse the connection with just the -S option.

Using the master control socket with SCP and SSH can be beneficial for a red teamer in several ways:

1. Reduced logging and detection: By establishing a single SSH connection through the master control socket, red teamers can reduce the number of connections made to the target system, which can minimize logging and detection of their activities. This can be particularly important when attempting to maintain a low profile and avoid detection by defenders or security personnel. By reducing the number of connections made, red teamers can decrease their chances of being detected or triggering security alerts, making it easier to maintain access and execute their objectives.
2. Faster file transfers: When transferring large or multiple files, the master control socket can significantly speed up the transfer process by reusing the existing SSH connection.
3. Reduced load on remote hosts: By reusing the existing SSH connection, the master control socket can reduce the load on remote hosts, which can be particularly important when transferring large or sensitive files.
4. Improved security: Using the master control socket with SCP and SSH can enhance security by encrypting the transfer of sensitive files and reducing the exposure of login credentials.
5. Improved efficiency: The master control socket can enhance the efficiency of remote file transfers by reducing the need to establish new SSH connections and allowing multiple transfers to occur simultaneously.

Overall, using a master control socket can help a red teamer be more efficient, effective, and secure in their file transfer operations. By leveraging this powerful feature of SSH, red teamers can streamline their workflow and make the most of their time and resources.

Diagram of SSH Multiplexing

graph TD
    A[SSH Client] -->|Master Connection| B[SSH Server]
    A -->|Control Socket File| C[Unix Domain Socket]
    
    D[SSH Session 1] -->|Via Control Socket| C
    E[SSH Session 2] -->|Via Control Socket| C
    F[SCP Session] -->|Via Control Socket| C
    
    C -->|Multiplexed| B
    
    style A fill:#e1f5fe
    style B fill:#f3e5f5
    style C fill:#fff3e0
    style D fill:#e8f5e8
    style E fill:#e8f5e8
    style F fill:#e8f5e8

This diagram illustrates how SSH multiplexing works:

1. Master Connection: The initial SSH connection establishes a persistent TCP connection to the server
2. Control Socket: A Unix domain socket file is created locally that represents this persistent connection
3. Multiplexed Sessions: Multiple SSH sessions (shell, SCP, etc.) connect through the control socket
4. Shared Transport: All sessions share the same underlying TCP connection, eliminating connection overhead

The key benefit is that subsequent sessions bypass the connection establishment overhead, making them much faster to establish.

Process Overview

Setting up the Master Control Socket

The first step is to set up the master control socket. The master control socket is a Unix domain socket that shares an SSH connection between multiple SSH sessions. To set up the master control socket, we use the -M option with the SSH command. Here’s an example:

ssh -M -S /tmp/ssh-control-socket user@remote-host

This command sets up a master control socket at /tmp/ssh-control-socket and connects to the remote host as the user user. If the master control socket already exists, this command will connect to it.

Using the Master Control Socket with SCP

Once we have set up the master control socket, we can use it with SCP to transfer files between hosts. To use the master control socket with SCP, we use the -o ControlMaster= option with the SCP command to specify the control socket file. Here’s an example:

scp -o ControlMaster=auto -o ControlPath=~/.ssh/control-target-server-22-pentester local-file target-server:/remote/path

This command transfers the file local-file to the remote host at /remote/path using the master control socket at ~/.ssh/control-target-server-22-pentester. The SCP command will reuse the SSH connection established by the master control socket, which can significantly speed up the transfer and reduce the load on the remote host.

The master control socket works by keeping the initial SSH connection open and allowing additional SSH sessions (like SCP) to be multiplexed over that same connection. This eliminates the overhead of establishing new SSH connections for each file transfer.

We can also use the master control socket with SCP to copy files between two remote hosts. Here’s an example:

scp -o ControlMaster=auto -o ControlPath=~/.ssh/control-target-server-22-pentester user1@remote-host1:/path/to/file user2@remote-host2:/path/to/destination

This command copies the file /path/to/file from remote-host1 to remote-host2 using the master control socket at ~/.ssh/control-target-server-22-pentester. Again, the SCP command will reuse the SSH connection established by the master control socket, which can speed up the transfer and reduce the load on the remote hosts.

sequenceDiagram
    participant LU as Local User
    participant RH1 as remote-host1
    participant RH2 as remote-server2
    
    LU->>RH1: (1) SSH Connection with Master Socket
    LU->>RH1: (2) Execute SCP Command
    RH1->>RH2: (3) SSH Connection from RH1
    RH1->>RH2: (4) SCP File Transfer
    RH2-->>RH1: (5) Transfer Complete
    RH1-->>LU: (6) Command Output

This process diagram shows the correct flow when using a master control socket:

1. The local user establishes an SSH connection with master control socket to remote-host1.
2. The local user executes an SCP command through the master socket connection.
3. remote-host1 establishes its own SSH connection to remote-server2.
4. The file transfer occurs between the two remote servers.
5. remote-server2 confirms the transfer completion to remote-host1.
6. The command output is returned through the master socket connection.

Optional: Automating Master Socket Setup with SSH Config

For recurring use, you can configure OpenSSH to automatically manage a master control socket by adding this to your ~/.ssh/config:

Host target-server
    HostName 192.168.1.100
    User pentester
    ControlMaster auto
    ControlPath ~/.ssh/control-%h-%p-%r
    ControlPersist 10m
    ServerAliveInterval 60
    ServerAliveCountMax 3

Closing the Master Control Socket

When we’re finished using the master control socket, we can close it by using the -O option with the SSH command. Here’s an example:

ssh -S ~/.ssh/control-target-server-22-pentester -O exit target-server

This command closes the master control socket at ~/.ssh/control-target-server-22-pentester and disconnects from the remote host.

Real-World Examples

Let’s examine some real-world examples of how to use SCP and SSH with a master control socket.

Example 1: Transferring a Large File

We want to transfer a large file from our local machine to a remote server. Without using the master control socket, we would need to establish a new SSH connection whenever we want to transfer a file, which can be slow and put unnecessary load on the remote server.

To use the master control socket, we first need to set it up by running the following command:

ssh -M -S ~/.ssh/control-target-server-22-pentester target-server

This command sets up the master control socket at ~/.ssh/control-target-server-22-pentester and connects to the remote server as the specified user.

Next, we can transfer the file using SCP and the master control socket by running the following command:

scp -o ControlMaster=auto -o ControlPath=~/.ssh/control-target-server-22-pentester large-file target-server:/path/to/destination

This command transfers the file large-file to the remote server at /path/to/destination using the master control socket at ~/.ssh/control-target-server-22-pentester.

Because the master control socket is already established, the SCP command can reuse the existing SSH connection, significantly speeding up the transfer and reducing the load on the remote server.

Once we’re finished transferring files, we can close the master control socket by running the following command:

ssh -S ~/.ssh/control-target-server-22-pentester -O exit target-server

This command closes the master control socket at ~/.ssh/control-target-server-22-pentester and disconnects from the remote server.

Example 2: Transferring a File Between Two Remote Servers

We need to transfer a file from one remote server to another remote server. Without using the master control socket, we would need to download the file to our local machine and then upload it to the second remote server, which can be slow and inefficient.

To use the master control socket, we can establish a connection to the first server and then use that connection to transfer files to the second server:

# First, establish master socket to the first server
ssh -M -S ~/.ssh/control-remote-server1-22-pentester user1@remote-server1

# Then use the master socket to execute scp from the first server to the second
ssh -S ~/.ssh/control-remote-server1-22-pentester user1@remote-server1 "scp /path/to/file user2@remote-server2:/path/to/destination"

This approach works by:

1. Establishing a master control socket connection to remote-server1
2. Using that existing connection to execute an SCP command on remote-server1
3. The SCP command runs on remote-server1 and transfers the file directly to remote-server2

The master control socket keeps the SSH connection to remote-server1 open, allowing us to multiplex additional commands over the same connection without establishing new SSH sessions each time.

Example 3: Transferring a File Between Two Remote Servers via a Third Remote Server

Suppose we need to transfer a file from remote-server1 to remote-server2. However, remote-server2 is only accessible to remote-server1, and we can only SSH into remote-server1. In this case, we can use port forwarding to access remote-server2 and transfer the file using SCP.

To use port forwarding with SSH, we can run the following command on our local machine:

ssh -M -S ~/.ssh/control-remote-server1-22-pentester -L 2222:remote-server2:22 user@remote-server1

This command establishes the master control socket, sets up port forwarding from port 2222 on our local machine to port 22 on remote-server2 via remote-server1, and connects to remote-server1 as the user user.

Next, we can transfer the file using SCP and port forwarding by running the following command:

scp -P 2222 user@localhost:/path/to/file user@remote-server2:/path/to/destination

This command transfers the file /path/to/file from remote-server1 to remote-server2 using port forwarding on port 2222. Note that we don’t use the -o ControlMaster= option here because we’re connecting to localhost through the forwarded port.

Because the master control socket is already established, port forwarding is set up, and the SCP command can use the forwarded connection, the file transfer can be done quickly and easily.

Once we’re finished transferring files, we can close the master control socket by running the following command:

ssh -S ~/.ssh/control-remote-server1-22-pentester -O exit user@remote-server1

This command closes the master control socket at ~/.ssh/control-remote-server1-22-pentester and disconnects from remote-server1.

Process Diagram

sequenceDiagram
    participant LM as Local Machine
    participant RS1 as remote-server1
    participant RS2 as remote-server2
    
    LM->>RS1: (1) SSH Connection with Master Socket
    LM->>RS1: (2) Port Forward Setup (2222->RS2:22)
    LM->>LM: (3) SCP via localhost:2222
    LM->>RS1: (4) Forwarded Connection
    RS1->>RS2: (5) SSH Connection
    RS2-->>RS1: (6) File Transfer
    RS1-->>LM: (7) Forwarded Response

In this diagram, the first SSH command establishes an SSH connection with master control socket from the local machine to remote-server1 and sets up a local port forwarding rule to forward connections from port 2222 on the local machine to port 22 on remote-server2.

The scp command connects to localhost:2222, which is forwarded through the SSH tunnel to remote-server2, allowing the file transfer to occur through the established tunnel.

Example 4: Using a SOCKS Proxy

We need to browse the web securely while on an untrusted network. We can use the -D option of SSH with a master control socket to create a SOCKS proxy that encrypts our web traffic and sends it through the SSH tunnel to a remote server.

To create the SOCKS proxy, we can run the following command:

ssh -M -S ~/.ssh/control-remote-server-22-pentester -D 1080 user@remote-server

This command establishes the master control socket, sets up a SOCKS proxy on port 1080, and connects to the remote server as the user user.

Next, we must configure our web browser to use the SOCKS proxy. In Firefox, we can do this by going to Preferences > General > Network Settings and selecting “Manual proxy configuration.” We then enter localhost for the SOCKS host and 1080 for the port.

Once the proxy is set up, all web traffic from our browser will be encrypted and sent through the SSH tunnel to the remote server, making it more secure and private.

Because the master control socket is already established, we can reuse the existing SSH connection, saving time and reducing the load on the remote server.

Once we’re finished browsing the web, we can close the master control socket by running the following command:

ssh -S ~/.ssh/control-remote-server-22-pentester -O exit user@remote-server

This command closes the master control socket at ~/.ssh/control-remote-server-22-pentester and disconnects from the remote server.

Using the -D option of SSH with a master control socket can be helpful for red teamers who need to browse the web securely while on an untrusted network. By establishing a SOCKS proxy through the SSH tunnel, we can encrypt our web traffic and keep it private, even on public or unsecured networks. This technique can be valuable for red teamers who need to maintain operational security and avoid detection while conducting their activities.

Security Considerations and Best Practices

When using master control sockets in red teaming operations, consider these security implications:

Socket File Permissions

Always ensure proper permissions on control socket files:

# Set restrictive permissions on control socket directory
chmod 700 ~/.ssh
chmod 600 ~/.ssh/control-*

# Clean up old socket files
find ~/.ssh -name "control-*" -mtime +1 -delete

Connection Persistence

The ControlPersist option in SSH config can keep connections alive, but this may increase detection risk:

# In ~/.ssh/config
Host target-server
    ControlPersist 5m  # Keep connection alive for 5 minutes after last use
    ControlMaster auto
    ControlPath ~/.ssh/control-%h-%p-%r

Error Handling

Implement proper error handling for connection failures:

#!/bin/bash
set -euo pipefail

# Function to check if master socket exists and is working
check_master_socket() {
    local socket_path="$1"
    if [[ -S "$socket_path" ]]; then
        ssh -S "$socket_path" -O check localhost >/dev/null 2>&1
        return $?
    fi
    return 1
}

# Establish master socket with error handling
establish_master_socket() {
    local socket_path="$1"
    local target="$2"
    
    if ! check_master_socket "$socket_path"; then
        echo "Establishing master socket to $target..."
        ssh -M -S "$socket_path" -f -N "$target"
        sleep 1
        
        if ! check_master_socket "$socket_path"; then
            echo "Failed to establish master socket"
            exit 1
        fi
    fi
}

# Usage example
establish_master_socket ~/.ssh/control-target-server-22-pentester target-server
scp -o ControlMaster=auto -o ControlPath=~/.ssh/control-target-server-22-pentester file.txt target-server:/tmp/

Detection Avoidance

• Use different socket paths for different targets to avoid pattern detection
• Implement connection timeouts to prevent long-lived connections
• Monitor for failed connection attempts that might indicate detection

Conclusion

In conclusion, using SCP and SSH with a master control socket can be a powerful technique for red teamers and penetration testers looking to streamline their file transfer operations and maintain high security. By establishing a master control socket, we can reuse SSH connections between multiple sessions, speeding up file transfers and reducing the load on remote servers. Additionally, by leveraging port forwarding and SOCKS proxies with the master control socket, we can establish secure connections between hosts, transfer files, and browse the web quickly and easily, even when access restrictions are in place. With this knowledge, red teamers can work more efficiently, effectively, and securely, helping them achieve their objectives while minimizing their risk of detection or compromise.