Merlin: A cross-platform command and control server and agent written in Go

 3 years ago
source link: https://www.tuicool.com/articles/hit/VvAv2qJ

Merlin (BETA)


Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.

An introductory blog post can be found here: https://medium.com/@Ne0nd0g/introducing-merlin-645da3c635a


Quick Start

  1. Download the latest version of Merlin Server from the releases section
  2. Extract the files with 7zip using the x function. The password is: merlin
  3. Start Merlin
  4. Deploy an agent. See Agent Execution Quick Start Guide for examples
  5. Pwn, Pivot, Profit

mkdir /opt/merlin;cd /opt/merlin
wget https://github.com/Ne0nd0g/merlin/releases/download/v0.1.4/merlinServer-Linux-x64-v0.1.4.7z
7z x merlinServer-Linux-x64-v0.1.4.7z
sudo ./merlinServer-Linux-x64


Merlin Server Command Line Flags

./merlinServer-Linux-x64 -h

        Enable debug output
  -i string
        The IP address of the interface to bind to (default "")
  -p int
        Merlin Server Port (default 443)
  -v    Enable verbose output
  -x509cert string
        The x509 certificate for the HTTPS listener (default "C:\\Merlin\\data\\x509\\server.crt")
  -x509key string
        The x509 certificate key for the HTTPS listener (default "C:\\Merlin\\data\\x509\\server.key")

Merlin Agent Command Line Flags

./merlinAgent-Linux-x64 -h

        Enable debug output
  -sleep duration
        Time for agent to sleep (default 10s)
  -skew int
        Variable time skew for agent to sleep
  -url string
        Full URL for agent to connect to (default "")
  -v    Enable verbose output

TLS Certificates

WARNING: You should generate your own TLS certificates and replace the default certificates that ship with Merlin

For ease of use, Merlin is distributed with a default TLS X.509 certificate and its private key, so a user can start using Merlin right away. However, this key is widely distributed and is considered public knowledge. You should generate your own certificates and replace the default certificates that ship with Merlin. The default location for the certificates is the data/x509 directory. The openssl command can be used on a Linux system to generate a key pair.
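
One way to carry out that replacement, as an added example that is not code from the Merlin project: it generates a self-signed key pair with openssl, then checks that the certificate matches the key and that the certificate on disk actually changed. The file names server.key and server.crt are taken from the flag defaults shown above; RSA-2048, the 365-day lifetime and the CN value are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not Merlin project code): generate a fresh self-signed key pair
# and confirm it really replaced whatever was in the directory before.
# Assumed: file names server.key / server.crt (from the -x509key / -x509cert
# defaults above); RSA-2048, 365 days and the CN are illustrative choices.

# Print the SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if server.crt carries the public half of server.key.
keypair_matches() {
    crt_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/server.key" -pubout) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# new_keypair DIR [CN]: write DIR/server.key and DIR/server.crt.
new_keypair() {
    dir=$1
    cn=${2:-localhost}
    old_fp=""
    mkdir -p "$dir" || return 1
    # Remember the certificate being replaced (for example the shipped default).
    if [ -f "$dir/server.crt" ]; then
        old_fp=$(cert_fingerprint "$dir/server.crt") || return 1
    fi
    # umask 077 so a newly created private key is never group/world readable.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -subj "/CN=$cn" \
          -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    ) || return 1
    chmod 600 "$dir/server.key" || return 1   # covers an overwritten, older file
    keypair_matches "$dir" || return 1
    # Fail if the certificate on disk is still the old one.
    [ "$(cert_fingerprint "$dir/server.crt")" != "$old_fp" ]
}

# Usage: new_keypair data/x509
```

Recording the fingerprint returned by cert_fingerprint gives a value to compare against later, so a directory that has silently reverted to the shipped certificate is easy to spot.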
