Merlin – Cross Platform Post Exploitation Tool With HTTP/2 Communications Command and Control Tool

Merlin Cross Platform Post Exploitation Tool With HTTP2 Communications Command and Control Server Agent merlin server

Finally we found one Post Exploitation Tool, this tool is cross platform it mean this tool work with windows, MacOS and Linux. Merlin is written with Go Programming Language and coded by Ne0nd0g.

Merlin Post Exploitation Tool

Merlin is a cross-platform post-exploitation framework that leverages HTTP/2 communications to evade inspection. HTTP/2 is a relatively new protocol that requests Perfect Forward Secrecy (PFS) encryption cipher suites are used. The use of these cipher suites makes it incredibly difficult to capture all of the keying material required to decrypt traffic for inspection. Additionally, many security technologies are not equipped with HTTP/2 protocol dissectors and are therefore not able to evaluate traffic even if keying material is provided. The magic of Merlin is found in its HTTP/2 protocol coupled with the use of the Go programming language and its easy to use cross-compiling capabilities.

Merlin is composed of two parts, the server and the agent. Due to the power of Go, both components can be compiled to run on any platform or can be run “like” a script. A server compiled to run on Linux, or any platform, can handle agents compiled for all other platforms. It recommended to download the pre-compiled binaries found under the “Releases” tab on GitHub.

Merlin Server

The Merlin Server component should be run in a location where all agents can reach it. The interface and port Merlin Server listens on can be configured using command line flags, but defaults to interface 0.0.0.0 and port 443. By default, the server utilizes the x.509 certificates shipped with the program using the hard coded relative path of `data/x509/server.crt` and `data/x509/server.key`. I strong recommend that you generate your own x.509 key pair to replace these. The x.509 certificates can also be specified with command line options. Detailed information on how to interact with a server can be found on the Merlin Wiki.

Here is an image of starting the Merlin Server and subsequently having three new agents check in :

Merlin Cross Platform Post Exploitation Tool With HTTP2 Communications Command and Control Server Agent merlin agent list
Merlin Agent Check in And List Of Agent

Merlin Server is enabled with tab completion. This is useful when you don’t know what command to type next. Just hit the tab key and all available options will show.

Merlin Cross Platform Post Exploitation Tool With HTTP2 Communications Command and Control Server Agent merlin server main menu
Merlin Server Menu Tab

All agents are given a Universally Unique Identifier (UUID). In order to execute commands on a specific agent, the user must type in this identifier. Before you get too excited about typing in a really long unique identifier, just know that tab completion works here too. This means you only have to type enough unique characters and then hit tab to auto complete the rest of the agent identifier.

Merlin Cross Platform Post Exploitation Tool With HTTP2 Communications Command and Control Server Agent merlin agent info command
Merlin Server Agent Info Command
Merlin Cross Platform Post Exploitation Tool With HTTP2 Communications Command and Control Server Agent merlin agent information
Merlin Agent Information

Merlin Agent

The Merlin Agent can be cross-compiled to run on any platform. The images above show agents checking in for Windows, Linux, and MacOS (Darwin). Agents can be compiled with a hard-coded string to connect to Merlin Server or the Merlin Server’s address can be specified on the command line with the `-url` flag (i.e. -url https://acme.com:443/). By default, Merlin Agent connects to https://127.0.0.1:443/. Interacting with the agents is done via the Merlin Server. Detailed information on how to interact with an agent can be found on the GitHub Wiki page.

You can execute any binary file that is with the target system’s PATH variable. This means that on a Windows agent, command can be run with cmd.exe or powershell.exe, and are not limited to one or the other. Here is an example of executing a PowerShell command on a Windows host:

Merlin Cross Platform Post Exploitation Tool With HTTP2 Communications Command and Control Server Agent merlin agent windows powersehell command
Merlin Agent Windows PowerShell Command

You can execute Python commands on a Linux host as well :

Merlin Cross Platform Post Exploitation Tool With HTTP2 Communications Command and Control Server Agent merlin agent linux python command
Merlin Agent Linux Python Command

Here is a peek at the /etc/passwd file on a Mac :

Merlin Cross Platform Post Exploitation Tool With HTTP2 Communications Command and Control Server Agent merlin agent macos command
Merlin Agent MacOS Command

Agents have a number of other configurations such as sleep time, max retries, kill, and padding that can be adjusted from the server. The padding setting is used in an attempt to evade detection by ensuring message traffic is not same size. A random value is selected between 0 and the value of the Message Padding Max is selected and appended to the end of every message. If for some reason the server is not available, the agent will continue to try and check in until the Agent Max Retries value is reached and then it will exit. If the agent was communicating with the server and then it suddenly becomes unavailable, agents will be considered orphaned. The orphaned agents will be re-initialized once the server is available again provided they haven’t exceeded the Agent Max Retries value :

Merlin Cross Platform Post Exploitation Tool With HTTP2 Communications Command and Control Server Agent merlin agent list linux and macos
Merlin Orphaned Agents Re-Initializing

Quick Start

  1. Download the latest compiled version of Merlin Server from the releases section
  2. Extract the files with 7zip using the x function. The password is: merlin
  3. Start Merlin
  4. Deploy an agent. See Agent Execution Quick Start Guide for examples
  5. Pwn, Pivot, Profit

mkdir /opt/merlin;cd /opt/merlin

wget https://github.com/Ne0nd0g/merlin/releases/download/v0.1.4/merlinServer-Linux-x64-v0.1.4.7z

7z x merlinServer-Linux-x64-v0.1.4.7z

sudo ./merlinServer-Linux-x64


Misc.

Slack

Join the #merlin channel in the BloodHoundGang Slack to chat about Merlin.


Merlin Cross Platform Post Exploitation Tool With HTTP2 Communications Command and Control Server Agent
Previous Post

No more post

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

one × 3 =