Control Sockets

Notes

Benefits:

Multiplexing - Open more than one session through an already established secure channel.

Data exfiltration - Download through an already established secure connection.

Less logging - The master connection creates a special type of file (a socket file, not a log file) on the client that represents your already authenticated login to the SSH server. As long as the master process (the PID of the original session, i.e. its window) stays alive, you can open as many new sessions to that server as you want because you are already pre-authenticated.

Only the first connection, the one that created the control socket, has a corresponding established-connection and authentication log entry.

As long as each connection comes from the same source system, no further connections or authentication log entries will be generated on the remote system.

Control Sockets (config)

Two main ways to configure:

Command Line Method

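# Create the master connection and its control socket (optionally with -R or -L forwards)
ssh -M -S /tmp/s root@<ip> <-R or -L>
# Open another session through the existing socket
ssh -S /tmp/s user@<ip>
# Copy a file through the existing socket (<LocalPath> is a placeholder for the destination)
scp -o 'ControlPath=/tmp/s' user@<ip>:<Path> <LocalPath>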

Configuration File Method (~/.ssh/config)

Host *
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    ControlMaster auto
    ControlPersist 10m

Manipulate SSH Config for Master Control Socket

Making SSH Control Sockets Persistent

Configure the following settings in either or both of:

system-wide config: /etc/ssh/ssh_config

per-user config: ~/.ssh/config

The per-user config file takes precedence over the system-wide SSH client configuration file.

If you are using control sockets to specific systems, create entries for each host:

Host host.example.org
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    ControlMaster auto
    ControlPersist 10m

The socket is created in "~/.ssh/controlmasters/" and is named user@host:port

%r - remote user name

%h - remote host name

%p - remote port

ControlMaster accepts five different values:

no (default) - New sessions will not try to connect to an established master session, but additional sessions can still multiplex by connecting explicitly to an existing socket.

yes - Creates a new master session each time, unless overridden. The new master session will listen for connections.

ask - Creates a new master session each time, unless overridden, which listens for connections. If overridden, ssh-askpass(1) will ask the master session owner to approve or deny the request. If the request is denied, then the session being created falls back to being a regular, standalone session.

auto - Creates a master session automatically, but if a master session is already available, subsequent sessions are automatically multiplexed.

autoask - Automatically assumes that if a master session exists, subsequent sessions should be multiplexed, but asks first before adding a session.

Refused connections are logged to the master session.

ControlPersist specifies whether to keep the control socket active when idle, or for how long.

The options are 'yes', 'no' or a time interval.

If a 'time interval' is given, the default unit is seconds. Unit suffixes can extend the time to minutes, hours, days, weeks or a combination.

If 'yes' the master connection stays in the background indefinitely.

To make SSH use control sockets for all SSH connections, a wildcard can be specified with the Host option:

Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm_socket/%r@%h:%p

Create the socket directory, since ssh does not create it:

mkdir ~/.ssh/cm_socket
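A defender-side check for the settings covered on this page, as an added example that is not part of the original page: the script reads an ssh client config and reports, per Host block, whether multiplexing is enabled, whether ControlPersist is indefinite or longer than a threshold, and whether the socket sits in a shared directory such as /tmp. The function names, the sample config and the 3600-second threshold are assumptions made for the example; each Host block is judged on its own, and Match and Include are not followed.

```shell
#!/bin/sh
# Added example. Assumption: each Host block is judged alone; Match/Include ignored.
audit_ssh_mux() {   # usage: audit_ssh_mux FILE|- [MAX_PERSIST_SECONDS]
    awk -v max="${2:-3600}" '
    function secs(v,   t, n, u) {   # ssh interval: bare number = seconds; s/m/h/d/w combine
        v = tolower(v); t = 0
        while (match(v, /^[0-9]+[smhdw]?/)) {
            n = substr(v, 1, RLENGTH); v = substr(v, RLENGTH + 1)
            u = substr(n, length(n)); t += (n + 0) * ((u in mult) ? mult[u] : 1)
        }
        return (v == "") ? t : -1          # -1: not a valid interval
    }
    function report() {               # one Host block finished: print findings
        if (host == "" || path == "" || master !~ /^(yes|auto|ask|autoask)$/) return
        printf "%s: mux-enabled master=%s path=%s\n", host, master, path
        if (persist == "yes" || persist == "0") print host ": persist-indefinite"
        else if (secs(persist) > max) print host ": persist-long " secs(persist) "s"
        if (path ~ /^\/(var\/)?tmp\//) print host ": socket-in-shared-dir"
    }
    BEGIN { mult["s"]=1; mult["m"]=60; mult["h"]=3600; mult["d"]=86400; mult["w"]=604800 }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); if ($0 == "" || $0 ~ /^#/) next }
    {   # keywords are case-insensitive; "Keyword value" and "Keyword=value" both parse
        key = tolower($0); sub(/[ \t=].*/, "", key)
        val = $0; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
        if (key == "host") { report(); host = val; master = path = persist = "" }
        else if (key == "controlmaster" && master == "") master = tolower(val)
        else if (key == "controlpath" && path == "") path = val
        else if (key == "controlpersist" && persist == "") persist = tolower(val)
    }
    END { report() }
    ' "${1:--}"
}
sample_config() {   # constructed input built from the settings shown on this page
    cat <<'EOF'
Host host.example.org
    ControlPath ~/.ssh/controlmasters/%r@%h:%p
    ControlMaster auto
    ControlPersist 10m
Host jump.example.org
    ControlMaster auto
    ControlPath /tmp/s
    ControlPersist yes
Host batch.example.org
    ControlMaster=auto
    ControlPath ~/.ssh/cm_socket/%r@%h:%p
    ControlPersist 1h30m
Host plain.example.org
EOF
}
sample_config | audit_ssh_mux - 3600
```

Run it against a real file with `audit_ssh_mux ~/.ssh/config` or `audit_ssh_mux /etc/ssh/ssh_config`; a socket path that other accounts can reach matters because anyone able to open the socket gets sessions on the already authenticated connection.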