# Merlin

<https://github.com/Ne0nd0g/merlin>


Merlin is a cross-platform post-exploitation Command & Control server and agent written in Go.

Highlighted features:

* Supported C2 Protocols: HTTP/1.1 clear-text, HTTP/1.1 over TLS, HTTP/2, HTTP/2 clear-text (h2c), HTTP/3 (HTTP/2 over QUIC)
* Server and Agent: Windows, Linux, macOS (Darwin), MIPS, ARM or anything Go can [natively build](https://golang.org/doc/install/source#environment)
  * [Windows DLL Agent](https://github.com/Ne0nd0g/merlin-agent-dll)
* Domain Fronting
* Execute .NET assemblies in-process with `invoke-assembly` or in a sacrificial process with `execute-assembly`
* Execute arbitrary Windows executables (PE) in a sacrificial process with `execute-pe`
* Various shellcode execution techniques: CreateThread, CreateRemoteThread, RtlCreateUserThread, QueueUserAPC
* [OPAQUE](https://tools.ietf.org/html/draft-krawczyk-cfrg-opaque-00) Asymmetric Password Authenticated Key Exchange (PAKE)
* Encrypted JWT for authentication
* Agent traffic is an encrypted JWE using PBES2 (RFC 2898) with HMAC SHA-512 as the PRF and AES Key Wrap (RFC 3394) using 256-bit keys for the encryption scheme. ([PBES2\_HS512\_A256KW](https://tools.ietf.org/html/rfc7518#section-4.8))
* Integrated [Donut](https://github.com/Binject/go-donut), [sRDI](https://github.com/monoxgas/sRDI), and [SharpGen](https://github.com/cobbr/SharpGen) support
* C2 traffic message [padding](https://merlin-c2.readthedocs.io/en/latest/server/menu/agents.html#padding) to combat beaconing detections based on a fixed message size
* Dynamically change the Agent's [JA3](https://merlin-c2.readthedocs.io/en/latest/server/menu/agents.html#ja3) hash
* [Mythic](https://github.com/Ne0nd0g/merlin#mythic) support
* [Documentation & Wiki](https://merlin-c2.readthedocs.io/en/latest/)
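
For analysts triaging a captured message body, the PBES2-HS512+A256KW scheme named in the feature list is recognizable from the JWE protected header alone, without any key material. The Go code below is an added example, not code from the Merlin project; it assumes the body is already available as a compact-serialization JWE string (how the agent frames it on the wire is not covered on this page), and the function names, the `enc` value and the sample token are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JWEHeader: protected-header fields used by PBES2 key wrapping (RFC 7518, section 4.8).
type JWEHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
	P2S string `json:"p2s"` // base64url salt input
	P2C int    `json:"p2c"` // PBKDF2 iteration count
}

// ParseCompactJWE decodes only the protected header of a compact JWE; nothing is decrypted.
func ParseCompactJWE(token string) (JWEHeader, error) {
	var h JWEHeader
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 5 {
		return h, fmt.Errorf("not a compact JWE: got %d parts, want 5", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return h, fmt.Errorf("protected header is not base64url: %w", err)
	}
	if err := json.Unmarshal(raw, &h); err != nil {
		return h, fmt.Errorf("protected header is not JSON: %w", err)
	}
	return h, nil
}

// IsPBES2HS512A256KW reports whether the header names the key-wrap scheme from the feature list.
func IsPBES2HS512A256KW(h JWEHeader) bool {
	return h.Alg == "PBES2-HS512+A256KW" && h.P2S != "" && h.P2C > 0
}

// ConstructedSample returns a constructed token: real header syntax, dummy non-cryptographic parts.
func ConstructedSample() string {
	hdr := `{"alg":"PBES2-HS512+A256KW","enc":"A256GCM","p2c":3000,"p2s":"c2FsdC1ieXRlcw"}`
	enc := base64.RawURLEncoding.EncodeToString
	return strings.Join([]string{enc([]byte(hdr)), enc([]byte("wrapped-key")),
		enc([]byte("iv")), enc([]byte("ciphertext")), enc([]byte("tag"))}, ".")
}

func main() {
	fmt.Println(ParseCompactJWE(ConstructedSample()))
}
```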

An introductory blog post can be found here: <https://medium.com/@Ne0nd0g/introducing-merlin-645da3c635a>

### [Quick Start](https://github.com/Ne0nd0g/merlin#quick-start)

1. Download the latest compiled version of Merlin Server from the [releases](https://github.com/Ne0nd0g/merlin/releases) section

   > The Server package contains a compiled Agent for all the major operating systems in the `data/bin` directory

2. Extract the files with 7zip using the `x` function. **The password is: `merlin`**
3. Start Merlin
4. Configure a [listener](https://merlin-c2.readthedocs.io/en/latest/server/menu/listeners.html)
5. Deploy an agent. See [Agent Execution Quick Start Guide](https://merlin-c2.readthedocs.io/en/latest/quickStart/agent.html) for examples
6. Pwn, Pivot, Profit

```
mkdir /opt/merlin;cd /opt/merlin
wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z
7z x merlinServer-Linux-x64.7z
sudo ./merlinServer-Linux-x64
```

### [Agents](https://github.com/Ne0nd0g/merlin#agents)

The [Merlin Agent](https://github.com/Ne0nd0g/merlin-agent) is kept in its own repository so that it can easily be retrieved and compiled:

```
go get github.com/Ne0nd0g/merlin-agent
```

The [Windows DLL Agent](https://github.com/Ne0nd0g/merlin-agent-dll) is also kept in a separate repository. See the [DLL Agent](https://merlin-c2.readthedocs.io/en/latest/agent/dll.html) documentation for building instructions.

### [Mythic](https://github.com/Ne0nd0g/merlin#mythic)

The Merlin server is a self-contained command-line program that requires no installation: you simply download it and run it. The command-line interface works well only when it is used by a single operator at a time. The Merlin agent can also be controlled through [Mythic](https://github.com/its-a-feature/Mythic), which features a web-based user interface that enables multiplayer support, along with a slew of other features inherent to the project.

Visit the [Merlin](https://github.com/MythicAgents/merlin) repository in the MythicAgents organization to get started.

### [Misc.](https://github.com/Ne0nd0g/merlin#misc)

* The latest development build of Merlin can be downloaded from [AppVeyor](https://ci.appveyor.com/project/Ne0nd0g/merlin-i9c58/build/artifacts)
* To compile Merlin from source, view the [Custom Build](https://merlin-c2.readthedocs.io/en/latest/agent/custom.html) page
* For a full list of available commands:
  * [Main Menu](https://merlin-c2.readthedocs.io/en/latest/server/menu/main.html)
  * [Listener Menu](https://merlin-c2.readthedocs.io/en/latest/server/menu/listeners.html)
  * [Agent Menu](https://merlin-c2.readthedocs.io/en/latest/server/menu/agents.html)
  * [Module Menu](https://merlin-c2.readthedocs.io/en/latest/server/menu/modules.html)
* View the [Frequently Asked Questions](https://merlin-c2.readthedocs.io/en/latest/quickStart/faq.html) page
* View the [Blog Posts](https://merlin-c2.readthedocs.io/en/latest/misc/blogs.html) page for additional information

### [Slack](https://github.com/Ne0nd0g/merlin#slack)

Join the `#merlin` channel in the [BloodHoundGang](https://bloodhoundgang.herokuapp.com/) Slack to ask questions, troubleshoot, or provide feedback.

### [JetBrains](https://github.com/Ne0nd0g/merlin#jetbrains)

Thanks to [JetBrains](https://www.jetbrains.com/?from=merlin) for kindly sponsoring Merlin by providing a GoLand IDE Open Source license.
