Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
gob encoding for network traffic
The compressed files have a password of merlin
View the blog post for additional details
Cross-Platform Native Commands
Agent Kill Date
Status Command & UTC Timestamp
Compiling with Hard-coded URL
Docker File
Extended Modules
Minidump
Auto Generated X.509 Certificates
Shellcode Execution
Shellcode Reflective DLL Injection (sRDI)
View the CHANGELOG for additional details
The compressed files have a password of merlin
This release adds the ability to execute shellcode through an Agent (Windows only). Check the Wiki for examples
data/bin directory
The compressed files have a password of merlin
The most significant part of this release is adding support for QUIC as C2 protocol.
-proto command line flag for both the agent and server with a value of h2 for HTTP/2 and hq for QUIC. The default is h2.
sessions and info commands will now tell you the status of the agent (Active, Delayed, or Dead).
remove command to clear a dead agent from the server.
-i command line flag.
The compressed files have a password of merlin.
Version numbers changed drastically to start following semantic versioning. Merlin now ships with the pre-compiled agent binary files with each Merlin Server download in the data/bin directory. You no longer need to download the agents separately. Support was added for a DLL version of the Merlin Agent. See the Agent Execution Quick Start Guide wiki page for examples. Added an Invoke-Merlin.ps1 script to reflectively load the merlin.dll into memory, but it is not considered stable. Added Merlin's official logo to main README. Significant updates to Wiki for better support.
The compressed files have a password of merlin.
Several features added by community members @ahhh and @twigatech to allow agent file upload and download along with checkin time skew. Basic support for modules has been added. The Merlin JavaScript agent is also included. A brand new and easier to use menu system. Check the CHANGELOG for additional information.
The compressed files have a password of merlin
This is the first public release of Merlin. Code is stable enough to be used and documentation is adequate enough to get started. An introductory blog post is available here: https://medium.com/@Ne0nd0g/introducing-merlin-645da3c635a
The compressed files have a password of merlin.
Updated agent to include a random padding of up to 4096 bytes per message to help prevent detection based off consistent message size. Added in a Makefile to make building the server and agent easier. Added in new libraries to help with displaying information in formatted tables. Added in tab completion for commands issued on the server.
This release marks a stable BETA version of Merlin. Both the server and the agent cross-compile to Windows, Linux, and MacOS. The 64-bit versions of the agent binaries for all 3 platforms can be found in data\bin. The 32-bit binaries are not provided, but could be compiled if you desire. Check the README in the data\bin directory. To run this release, download Merlin_v0.1Beta.zip and unzip the contents. Next, download the applicable binary for your platform (e.g. merlinserver_windows_x64.exe) and place it in the root of that unzipped folder. The binary can be run from the command line. Alternatively, Merlin can be run directly as a go script with go run cmd\merlinserver.go.