This post covers the release of Merlin v0.8.0 that includes several new features to increase Operations Security (OPSEC) and usability. One of the more notable features was the introduction of the augmented Password Authenticated Key Exchange (aPAKE) OPAQUE protocol. This protocol was discussed in detail in THIS post. Other key updates in this release include:

  • Go’s Gob network traffic encoding
  • JSON Web Tokens (JWT) for authorization
  • JSON Web Encryption (JWE) for payload formatting
  • HTTP/1.1 Support
  • Proxy support
  • Host header modification
  • Go Modules

GOB Encoding

In order support a more efficient message encoding for network traffic, Merlin has switched from using JSON to Gob encoding. The Go language offers the gob message encoding as an efficient way to encode network traffic. This works well when both the client and server are written in Go but not when one of the components isn’t. All Merlin messages are now gob encoded into a byte array that is later sent across the network. Because of this, the HTTP traffic is now using the application/octet-stream content-type header. …


This post will introduce the implementation of the password authenticated key exchange OPAQUE protocol into Merlin to ultimately encrypt message traffic. If you’re not familiar with Merlin, you can read the introductory post here. In short, Merlin is a post-exploit Command and Control (C2) used during authorized penetration tests or red team assessments.

Merlin has relied on Transport Layer Security (TLS) and ephemeral cipher suites with Perfect Forward Secrecy (PFS) to keep the contents of message traffic between the agent and server encrypted. The actual HTTP body has always been a plain-text JSON message. This works OK for traffic moving across the internet but has obstacles when an internal network proxy is introduced. Normally Merlin traffic inspection is not possible with proxies that perform inline SSL/TLS inspection by decrypting traffic with a key. This is due to the use of ephemeral cipher suites that require a session key only known to the client and the server. However, some organizations leverage a SSL/TLS proxy that terminates a TLS connection so that the message contents can be inspected. …


Image for post
Image for post

It has been a while since the last blog post on Merlin, but that doesn’t mean there hasn’t been plenty going on with the application. This post will go through some of new features in this release and also go through some of the features from previous releases that haven’t be covered.

Jump to a specific section

Cross-Platform Native Commands

Community member Alex Flores (@audibleblink) has been hard at work adding in native command functionality. Merlin now contains a cross-platform go implementation of the ls, pwd, and cd commands. The advantage is that the commands all execute natively within the Merlin agent and do not require you to leverage an Operating System shell to execute them. This should cut down on command line logging. For instance, ls is an actual binary program located at /bin/ls on a Linux host. In the past you would need to execute the /bin/ls binary like:
Merlin[agent][2de3c393–38ea-40d7–9a8d-2eb885d564cc]» shell ls…

Russel Van Tuyl

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store