Red Team Operations Guide
This guide covers operational security (OPSEC) considerations for using Muti Metroo in authorized red team engagements, penetration testing, and security assessments.
This documentation is intended for authorized security professionals conducting legitimate penetration tests, red team exercises, or security research. Always ensure you have proper written authorization before deploying Muti Metroo in any environment. Use of Muti Metroo is subject to the Terms of Service.
Operational Overview
Muti Metroo is a covert mesh networking tool designed for red team operations. It creates encrypted tunnels across multiple nodes, enabling secure command and control (C2) infrastructure that resists detection and attribution.
What It Does
Deploy agents across compromised hosts to create a self-organizing mesh network. Traffic flows through multiple hops with end-to-end encryption - intermediate nodes relay traffic but cannot inspect it. Operate through the mesh via SOCKS5 proxy or direct shell/file transfer commands.
Use Cases
- Segmented Network Access - Reach isolated network segments by chaining through multiple compromised hosts. Deploy an exit agent in the target segment, connect through transit agents, and access internal resources as if you were local.
- Attribution Resistance - Route traffic through multiple hops across different networks and jurisdictions. Each hop only sees its neighbors, so compromise of a single agent does not expose the full path or the operator's location.
- Persistent Covert Channel - Maintain long-term access with agents installed as system services. Traffic blends with normal HTTPS (HTTP/2, WebSocket) or uses QUIC on standard ports. Configurable protocol identifiers can be disabled for stealth.
- Topology Compartmentalization - Encrypt mesh topology with management keys so compromised field agents cannot reveal the network structure. Only operator nodes holding the private key can view the full mesh.
- Cross-Platform C2 - Execute commands and transfer files across Linux, macOS, and Windows targets from a single interface. Full interactive shell support, including Windows PowerShell via ConPTY.
Core Capabilities
| Capability | Description |
|---|---|
| Multi-hop routing | Automatic path discovery, traffic routed through multiple nodes |
| E2E encryption | X25519 + ChaCha20-Poly1305 per-stream, transit nodes cannot decrypt |
| Remote shell | Interactive PTY (bash, PowerShell, cmd) and streaming command execution |
| File transfer | Upload/download files and directories with streaming and compression |
| Topology protection | Management key encryption hides mesh structure from compromised agents |
| Transport options | QUIC, HTTP/2, WebSocket - with HTTP proxy support for WebSocket |
| Cross-platform | Linux, macOS, Windows with full PTY support (ConPTY on Windows) |
| Persistence | System service installation (systemd, launchd, Windows Service) |
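The E2E encryption row above is the property that makes a transit node safe to lose: it relays a frame whose routing header it can read but whose payload it cannot open. The following is an added Go example written for this guide, not Muti Metroo's own code, showing that property end to end. It uses X25519 from the standard library's crypto/ecdh for the per-stream key agreement; AES-256-GCM stands in for ChaCha20-Poly1305 (which lives outside the standard library) so the example runs without extra modules, and the SHA-256 key derivation, the `Frame` layout, the `NewNode`/`Seal`/`Open` names and the sample payload are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Node is a mesh participant with a static X25519 identity key.
type Node struct{ priv *ecdh.PrivateKey }

func NewNode() *Node {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS random source does; fine for a demo
	}
	return &Node{priv: priv}
}

// streamAEAD derives a per-stream AEAD from the X25519 shared secret with peer.
// ASSUMPTION: the page names X25519 + ChaCha20-Poly1305 but shows no KDF; here
// SHA-256(label || shared || streamID) is the KDF and AES-256-GCM the AEAD.
func (n *Node) streamAEAD(peer *ecdh.PublicKey, streamID uint32) (cipher.AEAD, error) {
	shared, err := n.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("example-stream-key"))
	h.Write(shared)
	h.Write(binary.BigEndian.AppendUint32(nil, streamID))
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Frame is what a transit node handles: routing fields in the clear, payload sealed.
type Frame struct {
	StreamID uint32
	NextHop  string
	Nonce    []byte
	Sealed   []byte
}

// Seal encrypts payload so only the holder of exit's private key can read it.
// The stream ID is bound as associated data, so a relay cannot splice the sealed
// payload onto another stream without the exit node noticing.
func (n *Node) Seal(exit *ecdh.PublicKey, streamID uint32, nextHop string, payload []byte) (*Frame, error) {
	aead, err := n.streamAEAD(exit, streamID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ad := binary.BigEndian.AppendUint32(nil, streamID)
	return &Frame{StreamID: streamID, NextHop: nextHop, Nonce: nonce, Sealed: aead.Seal(nil, nonce, payload, ad)}, nil
}

// Open decrypts a frame with this node's private key and the sender's public key.
func (n *Node) Open(sender *ecdh.PublicKey, f *Frame) ([]byte, error) {
	aead, err := n.streamAEAD(sender, f.StreamID)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, f.Nonce, f.Sealed, binary.BigEndian.AppendUint32(nil, f.StreamID))
}

// RunDemo walks one sealed frame operator -> transit -> exit and returns what the exit recovers.
func RunDemo() (string, error) {
	op, transit, exit := NewNode(), NewNode(), NewNode()
	frame, err := op.Seal(exit.priv.PublicKey(), 7, "exit", []byte("id && hostname"))
	if err != nil {
		return "", err
	}
	fwd := *frame // the transit node only reads NextHop and forwards the frame unchanged
	// transit derives a different shared secret, so GCM authentication must fail.
	if _, err := transit.Open(op.priv.PublicKey(), &fwd); err == nil {
		return "", errors.New("transit node opened the payload: E2E property broken")
	}
	plain, err := exit.Open(op.priv.PublicKey(), &fwd)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	out, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("exit node received %q\n", out)
}
```

The transit node receives the complete frame, including the stream ID and next hop it needs for forwarding, yet its own key agreement with the operator yields a different secret, so its attempt to open the payload fails authentication rather than leaking plaintext. Binding the stream ID as associated data is the check a practitioner should look for in any per-stream design: without it a relay could replay a sealed payload on a different stream and the exit would accept it.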
Binary Characteristics
| Platform | Binary Size |
|---|---|
| Linux amd64 | ~4 MB |
| Linux arm64 | ~3.5 MB |
| macOS arm64 | ~13 MB |
| macOS amd64 | ~14 MB |
| Windows amd64 | ~4 MB |
| Windows arm64 | ~13 MB |
The binary is statically compiled with no runtime dependencies. Key characteristics:
- Standard Go executable (no shellcode or injection). Note that Go embeds build metadata (module path, toolchain version, dependency list) that `go version -m <binary>` prints, so the file remains identifiable as a Go build even after renaming
- No external DLL requirements on Windows
- Can be renamed to blend with the environment
- Pre-built binaries available at Download
Guide Contents
This red team operations guide is organized into the following sections:
- OPSEC Configuration - Protocol identifiers, HTTP endpoint hardening, environment variables
- Transport Selection - Choosing transports for different environments (QUIC, HTTP/2, WebSocket)
- C2 Capabilities - Remote command execution, file operations, multi-hop routing
- Management Keys - Topology protection with cryptographic compartmentalization
- Example Configurations - Ready-to-use configs for transit, C2, and ingress nodes
- Persistence - System service installation across platforms
- Detection Avoidance - Network and host indicator mitigation
- Operational Procedures - Cleanup, checklists, and legal considerations
For technical security details, see: