Skip to Main Content
November 14, 2014

MeterSSH - Meterpreter over SSH

Written by David Kennedy
Penetration Testing Security Testing & Analysis
As penetration testers, it's crucial to identify what types of attacks are detected and what's not. After running into a recent penetration test with a next generation firewall, most analysis has shifted away from the endpoints and more towards network analysis. While there needs to be a mixture of both, MeterSSH demonstrates how easy it is to circumvent a lot of these signature based "next generation" product lines. MeterSSH is an easy way to inject native shellcode into memory and pipe anything over SSH to the attacker machine through an SSH tunnel and all self contained into one single Python file. Python can easily be converted to an executable using pyinstaller or py2exe. MeterSSH is easy - simply edit the file and add your SSH server IP, port, username, and password and run the script. It will spawn meterpreter through memory injection (in this case a windows/meterpreter/bind_tcp) and bind to port 8021. Paramiko (python SSH module) is used to tunnel meterpreter over 8021 and back to the attacker and all communications tucked within that SSH tunnel. Here we launch our initial meterssh payload:
Next we launch which monitors or the SSH connection and automatically launches Metasploit for you. Once it detects the SSH connection and shell, it kicks off Metasploit for you:
Next, Metasploit is launched and notice that we are tunneling through localhost to the victim machine.
There are two files, and - run this in order to listen for an SSH connection, it will poll for 8021 on localhost for an SSH tunnel then spawn Metasploit for you automatically to grab the shell. - this is what you would deploy to the victim machine - note that most windows machines wont have Python installed, its recommended to compile Python with py2exe or pyinstaller. Fields you need to edit inside user = "sshuser" # password for SSH password = "sshpw" # this is where your SSH server is running rhost = "" # remote SSH port - this is the attackers SSH server port = "22" user - this is the user account for the attackers SSH server (do not use root, does not need root) password - this is the password for the attackers SSH server rhost - this is the attackers SSH server IP address port - this is the attackers SSH server port Note that you DO NOT need to change the Metasploit shellcode, the Metasploit shellcode is simply an unmodified windows/meterpreter/bind_tcp that binds to port 8021. If you want to change this, just switch the shellcode out and change port 8021 inside the script to bind to whatever port you want to. You do not need to do this however unless you want to customize/modify. You can download meterssh from our github page: Download MeterSSH from Github