🧙‍ Merlin Adds Module Support 🔌

Russel Van Tuyl
Mar 13, 2018

tl;dr Merlin added support for basic modules, written in JSON, in the v0.1.4 release.

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. One of the things that makes a tool valuable is the ability to extend its functionality. This is commonly done through modules. In fact, one of the first issues created for Merlin was requesting support for modules. I wanted to implement support for modules, but the task of doing so seemed rather big.

One problem I faced was that I didn’t want to pack the Merlin Agent executable files with all of the modules that existed. This meant I needed to send arbitrary things to the agent and it needed to be able to execute them. My first inclination was to write modules in Go. I soon realized that this would require the agent to have a Go interpreter in order for it to receive uncompiled Go code, compile it, and then execute it. This was less than ideal. I decided that it would be better to simply send the agent a list of commands that it could in turn understand and execute natively. This is very basic functionality, but it lays the foundation for future work.

Additionally, I wanted the capability for a user to dynamically add modules that didn’t require compiling any code or restarting Merlin Server to identify and use the modules. I settled on implementing module definitions in JavaScript Object Notation (JSON). This is a text-based format that provides plenty of structure, is well known, and complements the rest of Merlin’s HTTP/2 functionality. Merlin ships with a template that can be used when creating a module. The format and structure are likely to change as development continues and unaccounted-for situations arise. The README file located in data/modules documents a description and example for all of the fields, along with a description of how to use variables in a module and how to configure module options.

Modules are stored in the data/modules folder in a structure that starts with operating system (e.g. windows), then architecture (e.g. x64), followed by language (e.g. powershell), and then type (e.g. credentials). The important thing to know is that at any point in time you can drop a .json file in the data/modules directory and it will automatically be picked up by Merlin Server and ready for use. You do not need to restart Merlin Server to start using the module. If you have some tradecraft you want to keep between you and your team, you can simply distribute the .json files and paste them into the directory. As with most things in Merlin, using modules is equipped with tab completion to make finding a module easier and reduce the amount you need to type.
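Because any .json file placed under data/modules is loaded without a restart, it is worth listing what is in the tree before the server uses it. The following is an added example, not code from Merlin: it inventories a modules tree by the layout described above and flags files that sit outside it or do not parse as JSON. The names `Entry`, `Scan` and `Sample` are hypothetical, the sample files are constructed, and the exact depth of four directories is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

type Entry struct{ Path, OS, Arch, Language, Type, Problem string } // example's own type, not Merlin's

// Scan lists every .json file under fsys; Problem is empty when the file fits the layout and parses.
func Scan(fsys fs.FS) ([]Entry, error) {
	var out []Entry
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || path.Ext(p) != ".json" {
			return err
		}
		e := Entry{Path: p, Problem: "outside os/arch/language/type layout"}
		if parts := strings.Split(p, "/"); len(parts) == 5 { // assumed depth: os/arch/language/type/file.json
			e.OS, e.Arch, e.Language, e.Type, e.Problem = parts[0], parts[1], parts[2], parts[3], ""
		}
		if data, rerr := fs.ReadFile(fsys, p); rerr != nil || !json.Valid(data) {
			e.Problem = "unreadable or not valid JSON"
		}
		out = append(out, e)
		return nil
	})
	return out, err
}

// Sample is a constructed in-memory tree; pass os.DirFS("data/modules") to scan a real one.
var Sample = fstest.MapFS{
	"windows/x64/powershell/credentials/sample.json": {Data: []byte(`{"note": "constructed"}`)},
	"windows/x64/powershell/credentials/broken.json": {Data: []byte(`{"note": `)},
	"loose.json": {Data: []byte(`{}`)},
}

func main() {
	entries, err := Scan(Sample)
	if err != nil {
		panic(err)
	}
	for _, e := range entries {
		fmt.Printf("%-48s type=%-12s %s\n", e.Path, e.Type, e.Problem)
	}
}
```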

Here is an example of a module that leverages work done by Matt Nelson for lateral movement using DCOM, in a script written by Stephan Borosh, Invoke-DCOM.ps1.

Merlin’s Invoke-DCOM Module

Adding support for modules greatly increases the value of Merlin and increases the number of things its users can do with it. If there is something you would like to see a module for, please take the time and submit a pull request for your work on creating a module. Community member Dan Borges has even recently submitted a module to troll users with! Let me know your thoughts in the comments below.

-Happy Hacking
