Merlin v2.0 releases: cross-platform post-exploitation HTTP/2 Command & Control server and agent
Merlin
Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
An introductory blog post can be found here.
Evade network detection during a penetration test/red team exercise by using a protocol that existing tools aren’t equipped to understand or inspect. Merlin is a post-exploitation tool that is easily cross-compiled to run on any platform to achieve command and control of a host.
HTTP/2 is a newly ratified protocol documented under RFC 7540 that aims to solve some of the problems with HTTP/1.x and provide functionality to support current web application operations. HTTP/2 communications are multiplexed, bi-directional connections that do not end after one request and response. Additionally, HTTP/2 is a binary protocol, which makes it more compact and easier to parse, but not human readable without the use of an interpreting tool.
An HTTP/2 connection can be set up by upgrading an HTTP/1.x connection using the `Upgrade` header or during the negotiation of a TLS encrypted channel. Application-Layer Protocol Negotiation (ALPN) is a TLS 1.2 extension that is required to set up an HTTP/2 connection, identified by the `h2` protocol string. TLS versions lower than 1.2 are not equipped to negotiate an HTTP/2 connection. Oddly enough, the client performs one final check to ensure that the server can speak HTTP/2 by sending a connection preface whose letters spell out PRISM. This reminds me of the NSA PRISM program.
Encryption
The HTTP/2 RFC also requires the use of Perfect Forward Secrecy (PFS) cipher suites and recommends that all non-PFS-enabled cipher suites be blacklisted. The RFC reads: “An HTTP/2 implementation MAY treat the negotiation of any of the following cipher suites with TLS 1.2 as a connection error of type INADEQUATE_SECURITY”. The list of adequate cipher suites consists of Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) and Diffie-Hellman Ephemeral (DHE) key exchange methods that benefit from PFS. When PFS cipher suites are used, captured traffic cannot be decrypted using only the server’s private key. To decrypt the traffic, the client’s session keying information is required. If you don’t control the client or you’re not using a client built on the NSS library (e.g., Firefox or cURL), this information can be hard to obtain.
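The ALPN negotiation and the PFS requirement described above, together with the client-side key log that decryption depends on, as an added Go example that is not part of Merlin or this post: a server constrained to RFC 7540's TLS 1.2 ECDHE rule and ALPN `h2` handshakes over an in-memory pipe with a client that writes NSS-format session keys. The self-signed certificate, the TLS 1.2 cap and the `Handshake` helper are assumptions for the lab, not project code.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
)

// Handshake runs a server constrained as RFC 7540 requires (TLS 1.2 or newer, ECDHE
// suites only, ALPN "h2") against a client that writes its session keys in the NSS key
// log format. It returns the ALPN result, the cipher suite name and the key log text.
func Handshake() (proto, cipher, keyLog string, err error) {
	// Throwaway self-signed ECDSA certificate for the lab server (constructed here).
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", "", err
	}
	srv := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // lab-only cap so the TLS 1.2 suite rule is exercised; TLS 1.3 is always PFS
		NextProtos:   []string{"h2"},  // advertise HTTP/2 via ALPN
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
	}
	var keys bytes.Buffer
	cli := &tls.Config{
		InsecureSkipVerify: true, // lab certificate only; never skip verification against real peers
		NextProtos:         []string{"h2"},
		KeyLogWriter:       &keys, // same format as SSLKEYLOGFILE written by NSS clients such as Firefox or cURL
	}
	sp, cp := net.Pipe()
	go tls.Server(sp, srv).Handshake() // server side; a failure here surfaces as a client handshake error
	conn := tls.Client(cp, cli)
	if err = conn.Handshake(); err != nil {
		return "", "", "", err
	}
	st := conn.ConnectionState()
	return st.NegotiatedProtocol, tls.CipherSuiteName(st.CipherSuite), keys.String(), nil
}
```

The returned key log lines are exactly what an analyst feeds to a packet dissector to decrypt a capture of the session; the server's private key alone cannot do it.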
Evasion
HTTP/2 communications are expected to take place over TLS encrypted channels using PFS-enabled cipher suites. Therefore, inspecting HTTP/2 traffic proves difficult. Another obstacle is that currently available WAF/IDS/IPS solutions are incapable of understanding the HTTP/2 protocol even if they were able to decrypt traffic for inspection. This combination of encryption and the lack of protocol support in inspecting tools provides a great opportunity to evade inspection. A possible solution is to terminate HTTP/2 connections and downgrade them to HTTP/1.1, but that would remove all of the efficiencies gained by using HTTP/2. Additional options include downgrading the encryption to a non-PFS-enabled cipher suite or using a terminating proxy.
You can find additional information on HTTP/2 in a paper I wrote titled Practical Approach to Detecting and Preventing Web Application Attacks over HTTP/2.
Changelog v2.0
Added
- Peer-to-Peer Agent communications
- gRPC Server for Merlin CLI
  - Default interface/port is `127.0.0.1:50051` and default password is `merlin`
  - `-addr` the address to listen for gRPC connections from the Merlin CLI
  - `-password` the password for CLI RPC clients to connect to the Merlin server
  - `-secure` require client TLS certificate verification
  - `-tlsCA` TLS Certificate Authority file path to verify client certificates
  - `-tlsCert` TLS certificate file path for the Merlin server
  - `-tlsKey` TLS private key file path for the Merlin server
- Structured logging in JSON format to STDOUT using the log/slog package
  - `-debug` enable debug output
  - `-extra` enable extra debug output (e.g., HTTP requests/responses)
  - `-trace` enable trace output to see stepping through functions
- New SMB/UDP/TCP listeners
  - Used to configure how the listener processes Agent traffic
  - Listeners DO NOT bind to interfaces/ports on the Merlin server; they are used for Agent configuration/generation ONLY
- Delegate message types and functions for processing them
- Configurable listener authentication methods for Agent communications: OPAQUE & none
- Configurable listener transforms for Agent communications: aes, base64-byte, base64-string, hex-byte, hex-string, gob-base, gob-string, jwe, rc4, and xor
  - The last transform in the list MUST be `gob-base`
- GitHub Actions for building and testing the Merlin Agent
Changed
- Refactored some areas to align with DDD and SOLID to alleviate circular dependencies when implementing peer-to-peer comms
  - Implemented base “entity” structures and “aggregates”
  - Implemented the “Repository” pattern for Agents, Delegates, Groups, Listeners, Servers
  - Implemented the “Services” pattern for interacting with Agents, Listeners, & Base messages
- Configurable JWT key value for HTTP listeners
- Upgraded quic-go to v0.40.0
- The minimum supported Go version is now 1.21
- Listeners are now handled by a UUID and no longer by a name as a string
- Moved the `build` string out of `main.go` and into `pkg/merlin.go`
- Removed PWNBoard from `main.go`
- Removed wiki documentation from `docs`; it now lives in a new repository at https://github.com/Ne0nd0g/merlin-documentation
- Replaced `github.com/satori/go.uuid` with `github.com/google/uuid`
- Replaced `github.com/square/go-jose` with `github.com/go-jose/go-jose`
- Replaced `github.com/Ne0nd0g/merlin/pkg/messages` with `github.com/Ne0nd0g/merlin-message`
  - Removes the need to depend on or import the Merlin Server package
Removed
- Removed the interactive CLI menu in favor of Merlin CLI
  - Uses gRPC to communicate with the Merlin server
Getting Started
The quickest and easiest way to start using Merlin is to download the pre-compiled binary files found in the Releases section. The files are compressed into 7z archives and are password protected to prevent Anti-Virus inspection when downloading. The password is merlin.
USAGE
Copyright (C) 2017 Ne0nd0g
Source: https://github.com/Ne0nd0g