Merlin
Merlin is a cross-platform post-exploitation Command & Control server and agent written in Go.
Highlighted features:
- Supported C2 Protocols: http/1.1 clear-text, http/1.1 over TLS, HTTP/2, HTTP/2 clear-text (h2c), http/3 (http/2 over QUIC)
- Server and Agent: Windows, Linux, macOS (Darwin), MIPS, ARM or anything Go can natively build
- Domain Fronting
- Execute .NET assemblies in-process with
invoke-assemblyor in a sacrificial process withexecute-assembly - Execute arbitrary Windows executables (PE) in a sacrificial process with
execute-pe - Various shellcode execution techniques: CreateThread, CreateRemoteThread, RtlCreateUserThread, QueueUserAPC
- OPAQUE Asymmetric Password Authenticated Key Exchange (PAKE)
- Encrypted JWT for authentication
- Agent traffic is an encrypted JWE using PBES2 (RFC 2898) with HMAC SHA-512 as the PRF and AES Key Wrap (RFC 3394) using 256-bit keys for the encryption scheme. (PBES2_HS512_A256KW)
- Integrated Donut, sRDI, and SharpGen support
- C2 traffic message padding to combat beaconing detections based on a fixed message size
- Dynamically change the Agent's JA3 hash
- Mythic support
- Documentation & Wiki
An introductory blog post can be found here: https://medium.com/@Ne0nd0g/introducing-merlin-645da3c635a
Quick Start
-
Download the latest compiled version of Merlin Server from the releases section
The Server package contains a compiled Agent for all the major operating systems in the
data/bindirectory -
Extract the files with 7zip using the
xfunction The password is:merlin -
Start Merlin
-
Configure a listener
-
Deploy an agent. See Agent Execution Quick Start Guide for examples
-
Pwn, Pivot, Profit
mkdir /opt/merlin;cd /opt/merlin wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z 7z x merlinServer-Linux-x64.7z sudo ./merlinServer-Linux-x64
Agents
The Merlin Agent is kept in its own repository so that it can easily be retrieved and compiled:
go get github.com/Ne0nd0g/merlin-agent
The Windows DLL Agent is also kept in a separate repository. See the DLL Agent documentation for building instructions.
Mythic
The Merlin server is a self-contained command line program that requires no installation. You just simply download it and run it. The command-line interface only works great if it will be used by a single operator at a time. The Merlin agent can be controlled through Mythic, which features a web-based user interface that enables multiplayer support, and a slew of other features inherent to the project.
Visit the Merlin repository in the MythicAgents organizaiton to get started.
Misc.
- The latest development build of Merlin can be downloaded from AppVeyor
- To compile Merlin from source, view the Custom Build page
- For a full list of available commands:
- View the Frequently Asked Questions page
- View the Blog Posts page for additional information
Slack
Join the #merlin channel in the BloodHoundGang Slack to ask questions,
troubleshoot, or provide feedback.
JetBrains
Thanks to JetBrains for kindly sponsoring Merlin by providing a Goland IDE Open Source license
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
