[LAB] Secure Copy

Objective:

2.1.e Use SCP for file transfer.

For this lab session I’ll be using:

GNS3
Ubuntu Desktop 19.04
Cisco 7200 series Router


Out of the box the 7200 series Router that I’m using doesn’t have any flash or disk space available, but you can add some. Under ‘Configuration’ > ‘Memories and disks’ there is an option to add PCMCIA disks.

Here they are on boot-up:

Router config:

R1(config)# ip domain-name layerunknown.com
R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# username admin privilege 15 secret cisco
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authorization exec default local
R1(config)# ip scp server enable

Host machines are getting IP addresses via DHCP from the Router. The Router’s address is 10.0.0.1.

Testing and verifying SSH.

You might be wondering why I’m specifying the cipher with -c. The router only offers CBC-mode ciphers, which recent OpenSSH clients no longer enable by default, so if I don’t I receive the following error:

Unable to negotiate with 10.0.0.1 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Let’s actually check the fingerprint. On the Router enter the following command:  show ip ssh

Copy from ssh-rsa to the end of the string and put it into a file. The key wraps across several lines in the router output, so remove any unnecessary white space and newlines, then save the file; I saved mine as test.pub.

Then execute the following command: ssh-keygen -lf test.pub

-f filename
Specifies the filename of the key file.

-l Show fingerprint of specified public key file. For RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint. If combined with -v, a visual ASCII art representation of the key is supplied with the fingerprint.

Comparing the output from that command to the RSA fingerprint we received when making the initial SSH connection we can see they match.
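The same comparison done in code, as an added example that is not part of the original lab: it takes the text of show ip ssh, joins the wrapped base64 lines the way the lab does by hand, and computes the fingerprints that ssh-keygen -lf prints (SHA256 by default, MD5 with -E md5) so the router’s key can be checked against the entry the Ubuntu client stored in ~/.ssh/known_hosts after the first connection. Standard library only. The show ip ssh text and known_hosts lines below are constructed for the example (loosely modelled on IOS output), and the 2048-bit modulus is a dummy number, not a real RSA key; the function names are this example’s, not OpenSSH’s or Cisco’s.

```python
"""Added example: check a Cisco router's 'show ip ssh' host key against the
key OpenSSH stored in ~/.ssh/known_hosts, via the same fingerprints
ssh-keygen -lf prints. Sample data below is CONSTRUCTED for the example."""
import base64
import hashlib
import re
import struct


def _string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _mpint(x: int) -> bytes:
    """SSH wire 'mpint': two's-complement, so a 0x00 is prepended when the
    top bit is set (otherwise the number would decode as negative)."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Blob that is base64-encoded in known_hosts: "ssh-rsa", mpint e, mpint n."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def sha256_fingerprint(blob: bytes) -> str:
    """Modern ssh/ssh-keygen format: base64(SHA-256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Older colon-separated form (ssh-keygen -lf -E md5)."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def rsa_modulus_bits(blob: bytes) -> int:
    """Key size that ssh-keygen -lf reports in its first column."""
    fields, off = [], 0
    for _ in range(3):  # "ssh-rsa", e, n
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % fields[0])
    return int.from_bytes(fields[2], "big").bit_length()


_B64_LINE = re.compile(r"[A-Za-z0-9+/=]+")


def extract_router_key(show_ip_ssh: str) -> str:
    """What the lab does by hand: take the text after 'ssh-rsa', join the wrapped
    continuation lines, drop whitespace. Only a line that STARTS with 'ssh-rsa'
    counts, so the 'IOS Keys in SECSH format(ssh-rsa, ...)' header is skipped."""
    lines = show_ip_ssh.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("ssh-rsa "):
            parts = [line.split(None, 1)[1].strip()]
            for nxt in lines[i + 1:]:
                nxt = nxt.strip()
                if not nxt or not _B64_LINE.fullmatch(nxt):
                    break  # blank line or the prompt: the key has ended
                parts.append(nxt)
            return "".join(parts)
    raise ValueError("no ssh-rsa host key found in 'show ip ssh' output")


def known_hosts_key(line: str) -> bytes:
    """Decode the blob from one known_hosts line: 'host keytype base64 [comment]'."""
    _host, keytype, b64 = line.split()[:3]
    if keytype != "ssh-rsa":
        raise ValueError("expected ssh-rsa, got " + keytype)
    return base64.b64decode(b64)


def host_key_matches(show_ip_ssh: str, known_hosts_line: str) -> bool:
    """True when router key and the client's stored key have the same fingerprint."""
    router = base64.b64decode(extract_router_key(show_ip_ssh))
    return sha256_fingerprint(router) == sha256_fingerprint(known_hosts_key(known_hosts_line))


# --- constructed sample data (dummy modulus, NOT a real key) -------------------
SAMPLE_BLOB = build_rsa_blob(65537, (1 << 2047) + 12345)
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_SHOW_IP_SSH = (
    "SSH Enabled - version 2.0\n"
    "Authentication timeout: 120 secs; Authentication retries: 3\n"
    "IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-1\n"
    "ssh-rsa " + "\n".join(SAMPLE_KEY_B64[i:i + 76]
                           for i in range(0, len(SAMPLE_KEY_B64), 76)) + "\n"
    "R1#\n"
)
SAMPLE_KNOWN_HOSTS = "10.0.0.1 ssh-rsa " + SAMPLE_KEY_B64
OTHER_KNOWN_HOSTS = "10.0.0.1 ssh-rsa " + base64.b64encode(
    build_rsa_blob(65537, (1 << 2047) + 99)).decode()

if __name__ == "__main__":
    print(rsa_modulus_bits(SAMPLE_BLOB), sha256_fingerprint(SAMPLE_BLOB))
    print("known_hosts matches router:", host_key_matches(SAMPLE_SHOW_IP_SSH, SAMPLE_KNOWN_HOSTS))
```

Run it on real data by pasting the router’s show ip ssh output and the matching line from ~/.ssh/known_hosts; a False result means the key the client trusted is not the key on the router and the connection should not be relied on until that is explained.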

We’ve verified we’re connecting to the right device and that SSH is working. Let’s test that the PCMCIA disks work.

copy running-config disk0:

dir disk0:

Now for SCP.

I’ll first copy the running-config we just saved to disk0 from the router to my local machine. The following commands are being executed from the Ubuntu host.

scp -c aes256-cbc admin@10.0.0.1:disk0:/running-config /home/admin/Desktop

This command is logging into the remote host at 10.0.0.1 with the username admin then copying the file ‘running-config’ from disk0 and placing it onto my Desktop.

Then I’ll test the other direction by uploading test.pub from my local machine to disk0 on the router.

scp -c aes256-cbc ~/Desktop/test.pub admin@10.0.0.1:disk0:/test.pub

See the results in the screenshot below:

Using the dir and more commands on the router we can verify this.

SCP lab complete.

Now that we’ve done that, here’s the bad news. Recently, multiple SCP vulnerabilities have been discovered. See here.

Obtaining Cisco software directly from a Server

Recently I’ve been updating Cisco ASA FirePOWER modules and I ran into a situation where I was attempting to do this tethered to my phone. Pushing GBs of files over my weak 4G signal wasn’t going to cut it. I’m vaguely familiar with Wget having used it on the odd occasion over the years and simply searched for “wget cisco”. This awesome blog post by Nick Bettison provided the solution I was looking for. I’m posting this here simply for posterity.

Old method:
Cisco -> My local machine -> Server -> ASA

New method:
Cisco -> Server -> ASA

Instead of downloading images to my local machine, then uploading them to a server and eventually to the ASAs, I skip the first step and have the server obtain the Cisco software directly. This is where Wget comes into play.

It’s a bit of a hacky solution but it works well. Go through the download process as you normally would; once you’ve initiated the download you can obtain the download link. Nick recommends using Firefox for this, as Chrome doesn’t seem to expose that information. On the Downloads page simply right click on whatever it is you’re downloading and select “copy download link”. At this point you can cancel the download and move over to your *nix box. (Unfortunately you can’t simply copy and paste a download link directly from Cisco, as you have to agree to Cisco’s terms and conditions before the download becomes available. Even then there’s no direct link; it just launches the download.) On your *nix box execute the following command:

wget -O name-of-file.pkg "https://link-you-have-just-copied.cisco.com"

  • The double quotes are important! The copied link is long and typically contains query-string characters (such as &) that the shell would otherwise interpret.

I also stumbled upon another solution using curl:

curl -JLO http://www.vim.org/scripts/download_script.php?src_id=9750

-O saves the file under its remote name, -J makes -O take that name from the Content-Disposition header rather than from the URL, and -L follows redirects if needed.
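Whichever tool fetches the image, the server now holds a multi-GB file that came over a link copied out of a browser, so the check worth doing before pushing it to the ASA is to compare it with the checksum Cisco shows on the download page. The following is an added example (not from the original post, and not Cisco’s or Wget’s code) of that check: it streams the file so the whole image is never held in memory, accepts the checksum as pasted (any case, trailing filename, surrounding whitespace), picks MD5, SHA-256 or SHA-512 from the length of the pasted digest, and compares in constant time. The file contents and checksums in demo() are constructed for the example; the function names are this example’s own.

```python
"""Added example: verify a downloaded image against the checksum shown on the
Cisco download page before copying it to the ASA. Demo data is CONSTRUCTED."""
import hashlib
import hmac
import os
import tempfile

_CHUNK = 1024 * 1024  # read 1 MiB at a time; images run to multiple GB


def file_digest(path: str, algorithm: str = "sha512") -> str:
    """Hex digest of a file, streamed so the whole image is not loaded into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_checksum(text: str) -> str:
    """Accept what gets pasted from the download page or a sha512sum-style line
    ('HASH  filename'): keep the first token, lower-case it."""
    tokens = text.strip().split()
    if not tokens:
        raise ValueError("empty checksum")
    return tokens[0].lower()


def verify_download(path: str, expected: str) -> bool:
    """True when the file's digest equals the pasted checksum. The algorithm is
    chosen from the digest length; prefer the SHA512 value when Cisco lists one,
    MD5 is only there for older listings."""
    expected = normalize_checksum(expected)
    algorithm = {32: "md5", 64: "sha256", 128: "sha512"}.get(len(expected))
    if algorithm is None:
        raise ValueError("not an MD5/SHA-256/SHA-512 hex digest: %r" % expected)
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def demo() -> dict:
    """Write a constructed 'image' spanning several chunks (not chunk-aligned),
    then check a good SHA512, a good MD5 and a tampered SHA512 against it."""
    data = os.urandom(3 * _CHUNK + 17)
    good = hashlib.sha512(data).hexdigest()
    tampered = good[:-1] + ("0" if good[-1] != "0" else "1")
    with tempfile.NamedTemporaryFile(delete=False, suffix=".pkg") as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return {
            "sha512_ok": verify_download(path, good.upper() + "  asa.pkg\n"),
            "md5_ok": verify_download(path, hashlib.md5(data).hexdigest()),
            "tampered": verify_download(path, tampered),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

On the server this is just verify_download("name-of-file.pkg", "<checksum pasted from the Cisco page>"); only a True result should be followed by the copy to the ASA.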

If anyone has a better suggestion please let me know.