This post covers the release of Merlin v0.8.0 that includes several new features to increase Operations Security (OPSEC) and usability. One of the more notable features was the introduction of the augmented Password Authenticated Key Exchange (aPAKE) OPAQUE protocol. This protocol was discussed in detail in THIS post. Other key updates in this release include:

  • Go’s Gob network traffic encoding
  • JSON Web Tokens (JWT) for authorization
  • JSON Web Encryption (JWE) for payload formatting
  • HTTP/1.1 Support
  • Proxy support
  • Host header modification
  • Go Modules

GOB Encoding

In order support a more efficient message encoding for network traffic, Merlin has switched from using JSON to…

This post will introduce the implementation of the password authenticated key exchange OPAQUE protocol into Merlin to ultimately encrypt message traffic. If you’re not familiar with Merlin, you can read the introductory post here. In short, Merlin is a post-exploit Command and Control (C2) used during authorized penetration tests or red team assessments.

Merlin has relied on Transport Layer Security (TLS) and ephemeral cipher suites with Perfect Forward Secrecy (PFS) to keep the contents of message traffic between the agent and server encrypted. The actual HTTP body has always been a plain-text JSON message. This works OK for traffic moving…

Image for post
Image for post

It has been a while since the last blog post on Merlin, but that doesn’t mean there hasn’t been plenty going on with the application. This post will go through some of new features in this release and also go through some of the features from previous releases that haven’t be covered.

Jump to a specific section

Cross-Platform Native Commands

Community member Alex Flores (@audibleblink) has been hard at work adding in native command functionality. Merlin now…

Beta version 0.6.0 of Merlin has been released on July 29, 2018 and is packed with many changes. Take a look at the CHANGELOG for a complete list of them. The biggest new feature of this version is support for the QUIC protocol as a C2 channel and is detailed in a separate blog post.

x.509 Certificates

Merlin is distributed with the data/x509/server.crt and data/x509/server.key certificate files. The idea is to make trying Merlin out for the first time very simple and easy. However, the certificates should be replaced with new files generated by the user and preferable issued by a trusted…


Support for the Quick UDP Internet Connection (QUIC) protocol was added to Merlin in version 0.6.0 to provide an additional C2 channel to evade detection and can be downloaded from GitHub.


Support for the Quick UDP Internet Connection (QUIC) protocol has been added to Merlin as communication protocol. This continues my muse for Google and their developments such as the Go programming language and HTTP/2 (formerly known as SPDY). QUIC was started by Google and is implemented in the Chrome web browser. The protocol is currently being standardized by an IETF Working Group and is in its fourteenth Internet-Draft at…

tl;dr Merlin now ships with an Agent DLL to enable support for TTPs that leverage a DLL. The DLL has also been embedded in an Invoke-Merlin.ps1 for in-memory execution to stay off Disk.

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang .Go is powerful because you can write one program and cross-compile it to many other platforms. One of my original goals with Merlin was to create a DLL to facilitate in-memory loading. In fact, this is one of the reasons why it took so long for a public release because I wasn’t…

tl;dr Version 0.1.4 was released on March 2, 2018. It includes module support, a new menu system, and a JavaScript agent. Grab it from the Releases page.

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. I’ve been slowly working on the project over the past couple of months and have added a bunch of features. Community members like Dan Borges and @twigatech have made significant contributions as well. A quick highlight of the new features in this release include:

  • Time skew
  • Agent IP address information
  • Agent file upload and download functionality
  • Modules
  • JavaScript…

tl;dr Merlin added support for basic modules, written in JSON, in the v0.1.4 release.

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. One of the things that makes a tool valuable is the ability to extend its functionality. This is commonly done through modules. In fact, one of the first issues created for Merlin was requesting support for modules. I wanted to implement support for modules, but the task of doing so seemed rather big.

One problem I was faced with, is that I didn’t want to pack the Merlin Agent executable files…

tl;dr Merlin now has a JavaScript agent that can run in web browsers capable of HTTP/2.

The Merlin JavaScript Agent is only in the dev branch and can be found at

Introduction to Merlin JavaScript Agent

Web browsers can be found running on a multitude of devices such as laptops, cars, phones, point-of-sale systems, TVs, tablets, and gaming consoles. Developers leverage JavaScript to run code inside a browser to do things like listen to mouse events or asynchronously gather data from other applications. In general, most web browsers are also capable of communicating over HTTP/2. With all of these factors combined, it made sense to create a Merlin Agent written in JavaScript that can run in a browser.

I wrote…

tl;dr Evade network detection during a penetration test/red team exercise by using a protocol that existing tools aren’t equipped to understand or inspect. Merlin is post-exploitation tool that is easily cross-compiled to run on any platform to achieve command and control of a host.

Merlin is available on GitHub:


Skip background section…

HTTP/2 is a newly ratified protocol documented under RFC 7540 that aims to solve some of the problems with HTTP/1.x and provide functionality to support current web application operations. HTTP/2 communications are multiplexed, bi-direction connections that do not end after one request and response. Additionally, HTTP/2 is a binary protocol that makes it more compact, easy to parse, and not human readable without the use of an interpreting tool.

An HTTP/2 connection can be setup by upgrading a HTTP/1.x connection using the `Upgrade` header or during the negotiation of a TLS…

Russel Van Tuyl

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store