Never Ending Security

It starts all here

MeterSSH – Meterpreter over SSH

MeterSSH – Meterpreter over SSH

As penetration testers, it’s crucial to identify what types of attacks are detected and what’s not. After running into a recent penetration test with a next generation firewall, most analysis has shifted away from the endpoints and more towards network analysis. While there needs to be a mixture of both, MeterSSH demonstrates how easy it is to circumvent a lot of these signature based “next generation” product lines.


MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection. The way it works is by injecting shellcode into memory, then wrapping a port spawned (meterpeter in this case) by the shellcode over SSH back to the attackers machine. Then connecting with meterpreter’s listener to localhost will communicate through the SSH proxy, to the victim through the SSH tunnel. All communications are relayed through the SSH tunnel and not through the network.

MeterSSH is an easy way to inject native shellcode into memory and pipe anything over SSH to the attacker machine through an SSH tunnel and all self contained into one single Python file. Python can easily be converted to an executable using pyinstaller or py2exe.


  1. Meterpreter over SSH
  2. Ability to configure different IP’s, addresses, etc. without the need to ever change the shellcode.
  3. Monitor for the SSH connection and automatically spawn the shell


MeterSSH is easy – simply edit the file and add your SSH server IP, port, username, and password and run the script. It will spawn meterpreter through memory injection (in this case a windows/meterpreter/bind_tcp) and bind to port 8021. Paramiko (python SSH module) is used to tunnel meterpreter over 8021 and back to the attacker and all communications tucked within that SSH tunnel.

There are two files, and

  • – run this in order to listen for an SSH connection, it will poll for 8021 on localhost for an SSH tunnel then spawn Metasploit for you automatically to grab the shell.
  • – this is what you would deploy to the victim machine – note that most windows machines wont have Python installed, its recommended to compile Python with py2exe or pyinstaller.

There are two files, and

Fields you need to edit inside

user = "sshuser"
# password for SSH
password = "sshpw"
# this is where your SSH server is running
rhost = ""
# remote SSH port - this is the attackers SSH server
port = "22"
  • user – this is the user account for the attackers SSH server (do not use root, does not need root)
  • password – this is the password for the attackers SSH server
  • rhost – this is the attackers SSH server IP address
  • port – this is the attackers SSH server port

Note that you DO NOT need to change the Metasploit shellcode, the Metasploit shellcode is simply an unmodified windows/meterpreter/bind_tcp that binds to port 8021. If you want to change this, just switch the shellcode out and change port 8021 inside the script to bind to whatever port you want to. You do not need to do this however unless you want to customize/modify.

More information can be found at:

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s