We finally found a post-exploitation tool that is cross-platform, meaning it runs on Windows, macOS and Linux. Merlin is written in the Go programming language by Ne0nd0g.
Merlin Post Exploitation Tool
Merlin is a cross-platform post-exploitation framework that leverages HTTP/2 communications to evade inspection. HTTP/2 is a relatively new protocol that requires Perfect Forward Secrecy (PFS) cipher suites be used. The use of these cipher suites makes it incredibly difficult to capture all of the keying material required to decrypt traffic for inspection. Additionally, many security technologies are not equipped with HTTP/2 protocol dissectors and are therefore not able to evaluate the traffic even if keying material is provided. The magic of Merlin is found in its HTTP/2 protocol coupled with the use of the Go programming language and its easy-to-use cross-compiling capabilities.
Merlin is composed of two parts, the server and the agent. Due to the power of Go, both components can be compiled to run on any platform or can be run “like” a script. A server compiled to run on Linux, or any other platform, can handle agents compiled for all other platforms. It is recommended to download the pre-compiled binaries found under the “Releases” tab on GitHub.
The Merlin Server component should be run in a location where all agents can reach it. The interface and port Merlin Server listens on can be configured using command line flags, but default to interface 0.0.0.0 and port 443. By default, the server uses the x.509 certificates shipped with the program, found via the hard-coded relative paths `data/x509/server.crt` and `data/x509/server.key`. I strongly recommend that you generate your own x.509 key pair to replace these. The x.509 certificates can also be specified with command line options. Detailed information on how to interact with a server can be found on the Merlin Wiki.
Here is an image of starting the Merlin Server and subsequently having three new agents check in:
Merlin Server is enabled with tab completion. This is useful when you don’t know what command to type next. Just hit the tab key and all available options will show.
All agents are given a Universally Unique Identifier (UUID). In order to execute commands on a specific agent, the user must type in this identifier. Before you get too excited about typing in a really long unique identifier, just know that tab completion works here too. This means you only have to type enough unique characters and then hit tab to auto complete the rest of the agent identifier.
The Merlin Agent can be cross-compiled to run on any platform. The images above show agents checking in from Windows, Linux, and macOS (Darwin). Agents can be compiled with a hard-coded string to connect to Merlin Server, or the Merlin Server’s address can be specified on the command line with the `-url` flag (e.g. `-url https://acme.com:443/`). By default, Merlin Agent connects to https://127.0.0.1:443/. Interacting with the agents is done via the Merlin Server. Detailed information on how to interact with an agent can be found on the GitHub Wiki page.
You can execute any binary file that is within the target system’s PATH variable. This means that on a Windows agent, commands can be run with cmd.exe or powershell.exe, and are not limited to one or the other. Here is an example of executing a PowerShell command on a Windows host:
You can execute Python commands on a Linux host as well:
Here is a peek at the /etc/passwd file on a Mac:
Agents have a number of other settings, such as sleep time, max retries, kill, and padding, that can be adjusted from the server. The padding setting is used in an attempt to evade detection by ensuring messages are not all the same size: a random value between 0 and the Message Padding Max is selected and appended to the end of every message. If for some reason the server is not available, the agent will continue trying to check in until the Agent Max Retries value is reached, and then it will exit. If the agent was communicating with the server and the server suddenly becomes unavailable, the agent is considered orphaned. Orphaned agents will be re-initialized once the server is available again, provided they haven’t exceeded the Agent Max Retries value.
- Download the latest compiled version of Merlin Server from the releases section
- Extract the files with 7zip using the x function. The password is:
- Start Merlin
- Deploy an agent. See Agent Execution Quick Start Guide for examples
- Pwn, Pivot, Profit
- The latest development build of Merlin can be downloaded from AppVeyor
- To compile Merlin from source, view the Building or Running from Source wiki page
- For a full list of available commands view the Main Menu, Agent Menu, and Module Menu wiki pages
- View the FAQ wiki page for Frequently Asked Questions
- View the Blog Posts page for additional information
#merlin channel in the BloodHoundGang Slack to chat about Merlin.