MeterSSH – Meterpreter over SSH

December 3, 2017 haxf4rall2017 metasploit ssh login, metasploit ssh tunnel, meterpreter over ssh, meterpreter ssh, meterssh

MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection.

The way it works is by injecting shellcode into memory, then wrapping a port spawned (meterpreter in this case) by the shellcode over SSH back to the attacker’s machine. Then connecting with meterpreter’s listener to localhost will communicate through the SSH proxy, to the victim through the SSH tunnel. All communications are relayed through the SSH tunnel and not through the network.

Features:

Meterpreter over SSH
Ability to configure different IP’s, addresses, etc. without the need to ever change the shellcode.
Monitor for the SSH connection and automatically spawn the shell

Usage:

There are two files, monitor.py and meterssh.py.

monitor.py – run this in order to listen for an SSH connection, it will poll for 8021 on localhost for an SSH tunnel then spawn Metasploit for you automatically to grab the shell. meterssh.py – this is what you would deploy to the victim machine – note that most windows machines wont have Python installed, its recommended to compile Python with py2exe or pyinstaller.

Fields you need to edit inside meterssh.py

user = "sshuser"
# password for SSH
password = "sshpw"
# this is where your SSH server is running
rhost = "192.168.1.1"
# remote SSH port - this is the attackers SSH server
port = "22"

user – this is the user account for the attackers SSH server (do not use root, does not need root) password – this is the password for the attackers SSH server rhost – this is the attackers SSH server IP address port – this is the attackers SSH server port

You don’t need to change the Metasploit shellcode, the Metasploit shellcode is simply an unmodified windows/meterpreter/bind_tcp that binds to port 8021. If you want to change this, just switch the shellcode out and change port 8021 inside the script to bind to whatever port you want to. You do not need to do this however unless you want to customize/modify.