A sophisticated attack technique: Tunnelling Meterpreter traffic via SSH to evade detection!
Introduction: The Cat-and-Mouse Game of Cybersecurity
In the ever-evolving landscape of cybersecurity, penetration testers and red team operators constantly seek new ways to test organizational defenses. One of the biggest challenges? Modern antivirus (AV) and Endpoint Detection and Response (EDR) products have become incredibly sophisticated at detecting malicious network traffic – often catching threats before they even reach their target.
But what if we could use legitimate Windows features to hide our testing activities? The Trovent Security team has discovered an elegant solution: tunneling Meterpreter traffic through SSH connections using tools that come pre-installed on modern Windows systems.
Understanding the Challenge: Why Traditional Approaches Fail
The Problem with Standard Meterpreter Connections
Meterpreter is a powerful penetration testing tool that provides remote access to compromised systems. However, its traffic patterns are well-known to security products. Even when using encryption like mTLS, connections can be flagged if:
- The certificate isn’t from a trusted authority
- The organization performs full traffic interception
- Traffic patterns match known malicious signatures
Enter “Living Off the Land”
The concept of “living off the land” involves using legitimate system tools and features to accomplish objectives – making detection significantly harder. Our research revealed that OpenSSH (both server and client) ships with the latest Windows 10 and Windows 11 builds. This led to an intriguing question:
What if we tunnel all Meterpreter traffic through a legitimate SSH connection?
The Technical Implementation: Building the SSH Tunnel
Step 1: Configuring the Meterpreter Handler
The first challenge involves setting up Meterpreter to work with local connections. Since our handler needs to listen on localhost (due to the SSH tunnel), we must configure two critical parameters:
ReverseListenerBindAddress
ReverseListenerBindPort
These parameters ensure the handler can properly send the second-stage payload back to the target through our tunnel.
[Image: Configuring the Meterpreter handler with advanced options for SSH tunnel compatibility]
The Metasploit framework provides detailed documentation about these parameters, explaining how LHOST must always remain the IP/host that is routable from the target, while ReverseListenerBindAddress tells the handler which interface to bind to:
[Image: Metasploit’s advanced configuration parameter set]
Step 2: Establishing the SSH Tunnel
On the target Windows system, we create an SSH tunnel using the built-in OpenSSH client. This involves:
1. Generating an SSH key pair
2. Adding the public key to the attacker’s authorized_keys
3. Establishing local port forwarding
[Image: Setting up SSH local port forwarding from Windows to redirect traffic through the tunnel]
Step 3: Payload Delivery and Execution
First, we need to generate our payload using msfvenom on the attacker’s Kali system:
[Image: Creating a Meterpreter payload configured for localhost connection through our SSH tunnel with msfvenom]
The generated payload file (local443met.txt) is then transferred to the Windows target machine.
For this proof of concept, we used our custom tool tRWXi (available on GitHub) to handle payload injection. The tool:
- Enumerates RWX (Read, Write, Execute) memory regions
- Identifies suitable injection targets
- Writes the payload to memory
- Executes the shellcode
The execution process happens in several precise steps:
[Image: tRWXi tool discovering writable and executable memory regions in running processes]
[Image: Target process identified with suitable RWX memory region for injection]
[Image: Payload successfully injected into the target memory space]
[Image: Verification that the payload bytes were correctly written to memory]
[Image: Successful shellcode execution launching the Meterpreter connection]
The Results: Successful Bypass of Windows Defender
The most significant finding? Windows Defender completely ignored our attack. By routing the Meterpreter connection through localhost via the SSH tunnel, we avoided triggering security alerts. The connection appeared legitimate because:
- SSH is a standard, trusted protocol
- The initial connection is to localhost, not an external server
- Traffic encryption happens at the SSH layer, masking payload signatures
[Image: Active Meterpreter session established through SSH tunnel – Windows Defender shows no alerts]
Key Advantages of This Approach
1. Smaller, More Efficient Payloads
Using fully encrypted SSH tunnels allows for more concise payloads like reverse_tcp instead of bulkier options like reverse_https.
2. Flexible Injection Options
Stagers are much smaller than full unstaged payloads, providing more potential injection points in RWX memory regions or running applications.
3. Legitimate Traffic Patterns
SSH traffic is common in enterprise environments, making this approach blend in with normal network activity.
4. Built-in Tools
No need to upload suspicious binaries—everything needed already exists on modern Windows systems.
Implications for Security Teams
This technique demonstrates several important security considerations:
1. Trust Boundaries Matter: Security products often trust localhost connections, creating potential blind spots.
2. Living Off the Land is Powerful: Attackers using built-in tools are much harder to detect than those using custom malware.
3. Defense in Depth is Critical: Organizations need multiple layers of security, as bypassing one control (like network monitoring) shouldn’t compromise the entire system.
4. Monitor SSH Usage: Unusual SSH connections, especially with port forwarding, warrant investigation.
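As an added example from the defender's side (not code from the Trovent post or the tRWXi project), the following Python rule flags launches of the built-in OpenSSH client that set up port forwarding, and singles out local forwards whose far end is the SSH server's own loopback, which is the shape of the tunnel described above. The host names, users and command lines are constructed sample data modelled on Sysmon Event ID 1 / Security 4688 fields.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample records, shaped like Sysmon Event ID 1 / Security 4688 fields.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": r'"C:\Windows\System32\OpenSSH\ssh.exe" -N -L 443:127.0.0.1:443 ops@203.0.113.10'},
    {"host": "WS02", "user": "CORP\\bob", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": r'"C:\Windows\System32\OpenSSH\ssh.exe" git@github.com'},
    {"host": "WS03", "user": "CORP\\carol", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": r"ssh.exe -D 1080 -fN jump.corp.example"},
]
FORWARD_FLAGS = {"L": "local", "R": "remote", "D": "dynamic"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def tokenize(cmdline):
    # Split on whitespace but keep a quoted image path (which may contain spaces) whole.
    return re.findall(r'"[^"]*"|\S+', cmdline)

def parse_forwards(cmdline):
    # (kind, spec) pairs for -L/-R/-D; handles '-L spec', '-Lspec' and bundled '-NL spec'.
    tokens, forwards, i = tokenize(cmdline), [], 1   # token 0 is the ssh image itself
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if not tok.startswith("-") or tok.startswith("--"):
            continue
        for pos, ch in enumerate(tok[1:], start=1):
            if ch in FORWARD_FLAGS:
                spec = tok[pos + 1:]
                if not spec and i < len(tokens):
                    spec, i = tokens[i], i + 1
                forwards.append((FORWARD_FLAGS[ch], spec))
                break                     # the rest of the token was the spec
    return forwards

def assess_event(ev):
    # Returns a finding dict for an ssh.exe launch that sets up port forwarding, else None.
    if PureWindowsPath(ev["image"]).name.lower() != "ssh.exe":
        return None
    forwards = parse_forwards(ev["cmdline"])
    if not forwards:
        return None
    reasons = [f"{kind} forward {spec}" for kind, spec in forwards]
    for kind, spec in forwards:
        # -L spec is [bind:]port:host:hostport; a loopback host means the tunnel ends on the SSH server itself.
        parts = spec.split(":")
        if kind == "local" and len(parts) >= 3 and parts[-2].strip("[]").lower() in LOOPBACK:
            reasons.append("forward terminates on the SSH server's loopback")
    if any(re.fullmatch(r"-[A-Za-z]*N[A-Za-z]*", t) for t in tokenize(ev["cmdline"])):
        reasons.append("-N: no remote command, tunnel-only session")
    return {"host": ev["host"], "user": ev["user"], "reasons": reasons}
```

Feeding real process-creation telemetry through assess_event gives one finding per forwarding ssh.exe launch; the plain `git@github.com` invocation produces none, so routine developer use is not flagged.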
Conclusion: The Evolution of Security Testing
This proof of concept illustrates how creative use of legitimate system features can bypass modern security controls. For penetration testers and red teams, it provides a stealthy method for establishing command and control channels. For defenders, it highlights the importance of comprehensive security monitoring that goes beyond simple signature-based detection.
As security products continue to evolve, so too must the techniques used to test them. By understanding and documenting these methods, we help organizations better prepare for real-world attacks that use similar tactics.
The full source code for tRWXi and additional technical details are available on our GitHub repository, empowering security professionals to test their own environments and develop appropriate countermeasures.

Sergey Makarov has been part of the Trovent team since 2020. As a Senior Security Specialist and Penetration Tester, he ensures secure IT environments for our customers. As a certified Red Team Operator/Lead, he knows exactly how cyberattacks work and how companies can protect themselves against them. Sergey is also an enthusiastic software developer. The tools he has developed – including YAETWi, tRWXi, tWATa, and tKMD – are available as open source projects on GitHub.