This post covers the release of Merlin v0.8.0 that includes several new features to increase Operations Security (OPSEC) and usability. One of the more notable features was the introduction of the augmented Password Authenticated Key Exchange (aPAKE) OPAQUE protocol. This protocol was discussed in detail in THIS post. …

This post will introduce the implementation of the password authenticated key exchange OPAQUE protocol into Merlin to ultimately encrypt message traffic. If you’re not familiar with Merlin, you can read the introductory post here. …

It has been a while since the last blog post on Merlin, but that doesn’t mean there hasn’t been plenty going on with the application. …

Beta version 0.6.0 of Merlin has been released on July 29, 2018 and is packed with many changes. Take a look at the CHANGELOG for a complete list of them. …

tl;dr Support for the Quick UDP Internet Connection (QUIC) protocol was added to Merlin in version 0.6.0 to provide an additional C2 channel to evade detection and can be downloaded from GitHub. Background Support for the Quick UDP Internet Connection (QUIC) protocol has been added to Merlin as communication protocol. This continues…

tl;dr Merlin now ships with an Agent DLL to enable support for TTPs that leverage a DLL. The DLL has also been embedded in an Invoke-Merlin.ps1 for in-memory execution to stay off Disk. Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang .Go is…

tl;dr Version 0.1.4 was released on March 2, 2018. It includes module support, a new menu system, and a JavaScript agent. Grab it from the Releases page. Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. I’ve been slowly working on the project over…

tl;dr Merlin added support for basic modules, written in JSON, in the v0.1.4 release. Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. One of the things that makes a tool valuable is the ability to extend its functionality. This is commonly done through…

tl;dr Merlin now has a JavaScript agent that can run in web browsers capable of HTTP/2. Merlin JavaScript Agent Recorded by Ne0nd0gasciinema.org The Merlin JavaScript Agent is only in the dev branch and can be found at https://github.com/Ne0nd0g/merlin/blob/dev/data/html/scripts/merlin.js Introduction to Merlin JavaScript Agent Web browsers can be found running on a multitude of devices such as laptops, cars, phones, point-of-sale systems, TVs, tablets, and gaming consoles. Developers leverage JavaScript to run code inside a browser to do…