This post will introduce the implementation of the password authenticated key exchange OPAQUE protocol into Merlin to ultimately encrypt message traffic. If you’re not familiar with Merlin, you can read the introductory post here. In short, Merlin is a post-exploit Command and Control (C2) used during authorized penetration tests or red team assessments.

Merlin has relied on Transport Layer Security (TLS) and ephemeral cipher suites with Perfect Forward Secrecy (PFS) to keep the contents of message traffic between the agent and server encrypted. The actual HTTP body has always been a plain-text JSON message. This works OK for traffic moving…

It has been a while since the last blog post on Merlin, but that doesn’t mean there hasn’t been plenty going on with the application. This post will go through some of new features in this release and also go through some of the features from previous releases that haven’t be covered.

Jump to a specific section

• Cross-Platform Native Commands
• Agent Kill Date
• Status Command & UTC Timestamp
• Compiling with Hard-coded URL
• Docker File
• Extended Modules
• Minidump
• Auto Generated X.509 Certificates
• Shellcode Execution
• Shellcode Reflective DLL Injection (sRDI)

Cross-Platform Native Commands

Community member Alex Flores (@audibleblink) has been hard at work adding in native command functionality. Merlin now…

Beta version 0.6.0 of Merlin has been released on July 29, 2018 and is packed with many changes. Take a look at the CHANGELOG for a complete list of them. The biggest new feature of this version is support for the QUIC protocol as a C2 channel and is detailed in a separate blog post.

x.509 Certificates

Merlin is distributed with the data/x509/server.crt and data/x509/server.key certificate files. The idea is to make trying Merlin out for the first time very simple and easy. However, the certificates should be replaced with new files generated by the user and preferable issued by a trusted…

tl;dr

Support for the Quick UDP Internet Connection (QUIC) protocol was added to Merlin in version 0.6.0 to provide an additional C2 channel to evade detection and can be downloaded from GitHub.

Background

Support for the Quick UDP Internet Connection (QUIC) protocol has been added to Merlin as communication protocol. This continues my muse for Google and their developments such as the Go programming language and HTTP/2 (formerly known as SPDY). QUIC was started by Google and is implemented in the Chrome web browser. The protocol is currently being standardized by an IETF Working Group and is in its fourteenth Internet-Draft at…

tl;dr Merlin now ships with an Agent DLL to enable support for TTPs that leverage a DLL. The DLL has also been embedded in an Invoke-Merlin.ps1 for in-memory execution to stay off Disk.

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang .Go is powerful because you can write one program and cross-compile it to many other platforms. One of my original goals with Merlin was to create a DLL to facilitate in-memory loading. In fact, this is one of the reasons why it took so long for a public release because I wasn’t…

tl;dr Version 0.1.4 was released on March 2, 2018. It includes module support, a new menu system, and a JavaScript agent. Grab it from the Releases page.

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. I’ve been slowly working on the project over the past couple of months and have added a bunch of features. Community members like Dan Borges and @twigatech have made significant contributions as well. A quick highlight of the new features in this release include:

• Time skew
• Agent IP address information
• Agent file upload and download functionality
• Modules
• JavaScript…

tl;dr Merlin added support for basic modules, written in JSON, in the v0.1.4 release.

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. One of the things that makes a tool valuable is the ability to extend its functionality. This is commonly done through modules. In fact, one of the first issues created for Merlin was requesting support for modules. I wanted to implement support for modules, but the task of doing so seemed rather big.

One problem I was faced with, is that I didn’t want to pack the Merlin Agent executable files…

tl;dr Merlin now has a JavaScript agent that can run in web browsers capable of HTTP/2.

The Merlin JavaScript Agent is only in the dev branch and can be found at https://github.com/Ne0nd0g/merlin/blob/dev/data/html/scripts/merlin.js

Introduction to Merlin JavaScript Agent

Web browsers can be found running on a multitude of devices such as laptops, cars, phones, point-of-sale systems, TVs, tablets, and gaming consoles. Developers leverage JavaScript to run code inside a browser to do things like listen to mouse events or asynchronously gather data from other applications. In general, most web browsers are also capable of communicating over HTTP/2. With all of these factors combined, it made sense to create a Merlin Agent written in JavaScript that can run in a browser.

I wrote…