Post Exploitation

Merlin – Cross-Platform Post-Exploitation HTTP/2 Command & Control Server

Merlin is a cross-platform post-exploitation framework that leverages HTTP/2 communications to evade inspection. HTTP/2 is a relatively new protocol that requests Perfect Forward Secrecy (PFS) encryption cipher suites are used. The use of these cipher suites makes it incredibly difficult to capture all of the keying material required to decrypt traffic for inspection. Additionally, many security technologies are not equipped with HTTP/2 protocol dissectors and are therefore not able to evaluate traffic even if keying material is provided. The magic of Merlin is found in its HTTP/2 protocol coupled with the use of the Go programming language and its easy to use cross-compiling capabilities.

Merlin is composed of two parts, the server and the agent. Due to the power of Go, both components can be compiled to run on any platform or can be run “like” a script. A server compiled to run on Linux, or any platform, can handle agents compiled for all other platforms.

Merlin Server

The Merlin Server component should be run in a location where all agents can reach it. The interface and port Merlin Server listens on can be configured using command line flags, but defaults to interface 0.0.0.0 and port 443. By default, the server utilizes the x.509 certificates shipped with the program using the hard coded relative path of `data/x509/server.crt` and `data/x509/server.key`. I strong recommend that you generate your own x.509 key pair to replace these. The x.509 certificates can also be specified with command line options.

 

Merlin Agent

The Merlin Agent can be cross-compiled to run on any platform. Agents can be compiled with a hard-coded string to connect to Merlin Server or the Merlin Server’s address can be specified on the command line with the `-url` flag (i.e. -url https://acme.com:443/). By default, Merlin Agent connects to https://127.0.0.1:443/. Interacting with the agents is done via the Merlin Server.

 

Getting Started

The quickest and easiest way to start using Merlin is download the pre-compiled binary files found in the Releases section. The files are compressed into 7z archives and are password protected to prevent Anti-Virus inspection when downloading. The password is merlin.

 

Install GO

In order to run Merlin from source, or to compile Merlin yourself, the Go programing language must be installed on the system. However, if you just want to run a pre-compiled version, you do not need to install Go.

Download and install GO: https://golang.org/doc/install

 

Merlin Server Usage

  -debug - Enable debug output
  -i string - The IP address of the interface to bind to (default "0.0.0.0")
  -p int - Merlin Server Port (default 443)
  -v  - Enable verbose output
  -x509cert string - The x509 certificate for the HTTPS listener (default "C:\\Merlin\\data\\x509\\server.crt")
  -x509key string - The x509 certificate key for the HTTPS listener (default "C:\\Merlin\\data\\x509\\server.key")

 

Merlin Server Commands

Merlin is equipped with a tab completion system that can be used to see what commands are available at any given time. Hit double tab to get a list of all available commands.

exit    Exit and close Merlin
help   Show Merlin help menu
quit    Exit and close Merlin
?      Show Merlin help menu

 

Agent Commands

These are the commands to control an agent from the server. Tab completion can be used to select an Agent’s identifier.

agent cmd <agent id> <command>       A command to run on a remote agent
agent control <agent id> <command>  Configure/Control a remote agent (not the host) [kill,sleep,padding,maxretry]
agent info <agent id>               Display all information for an agent
agent list                          List agents

Download Merlin

About the author

Mazen Elzanaty

Add Comment

Click here to post a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: