Merlin The (C2) Wizard!

Let's take a moment and talk about Merlin and the awesomeness!

Alright, maybe not the Merlin from the 1963 Disney film The Sword in the Stone. No, the Merlin I'd like to speak about is the cross-platform post-exploitation HTTP/2 Command & Control (C2) server and agent written in golang. Merlin C2, written by Russel Van Tuyl (@Ne0nd0g), is an impressively easy C2 to configure and run, and it will help evade network detection during test/red team exercises.

What makes Merlin more successful than other C2s? Ne0nd0g realized a need for a C2 that will cause IDS/IPS devices to struggle. Merlin was designed with the newly ratified RFC7450, involving HTTP/2, in mind. According to the IETF, "HTTP/2 enables a more efficient use of network resources and a reduced perception of latency by introducing header field compression and allowing multiple concurrent exchanges on the same connection." Most of that technical jargon can be simplified as a way to solve some HTTP/1.x issues and provide functionality to support current web application operations.

Diving deeper into the HTTP/2 protocol, the communications are multiplexed, bi-directional connections that do not end after one request and response. Additionally, HTTP/2 is a binary protocol that seeks to be easier to parse. This means HTTP/2 is not human readable without the use of a translation tool. HTTP/2 uses Perfect Forward Secrecy (PFS) cipher suites and recommends that all non-PFS-enabled cipher suites be blocked. This last point is what makes the review of HTTP/2 difficult for IDS/IPS devices: the traffic cannot be decrypted using only the server-side private key. In order to decrypt HTTP/2 traffic, the client's session keying information is required.
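To make the binary framing above concrete for anyone inspecting such traffic, here is a small frame-header decoder. It is an added example, not code from Merlin or from the original post; it assumes the byte stream has already been decrypted, and `ParseFrames`, `Frame` and the `sample` bytes are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

var preface = []byte("PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n") // client connection preface
// Core frame type names, indexed by the type byte.
var frameTypes = []string{"DATA", "HEADERS", "PRIORITY", "RST_STREAM", "SETTINGS",
	"PUSH_PROMISE", "PING", "GOAWAY", "WINDOW_UPDATE", "CONTINUATION"}

// Frame holds the fields of one 9-byte HTTP/2 frame header.
type Frame struct {
	Type             string
	Flags            uint8
	Length, StreamID uint32
}

// ParseFrames walks an already-decrypted client byte stream frame by frame.
func ParseFrames(b []byte) ([]Frame, error) {
	if !bytes.HasPrefix(b, preface) {
		return nil, fmt.Errorf("missing HTTP/2 connection preface")
	}
	var out []Frame
	for b = b[len(preface):]; len(b) > 0; {
		if len(b) < 9 {
			return out, fmt.Errorf("truncated frame header")
		}
		length := uint32(b[0])<<16 | uint32(b[1])<<8 | uint32(b[2]) // 24-bit length
		name := fmt.Sprintf("UNKNOWN(0x%02x)", b[3])
		if int(b[3]) < len(frameTypes) {
			name = frameTypes[b[3]]
		}
		sid := binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff // drop reserved bit
		if uint32(len(b)-9) < length {
			return out, fmt.Errorf("truncated frame payload")
		}
		out = append(out, Frame{name, b[4], length, sid})
		b = b[9+length:]
	}
	return out, nil
}

// sample is a constructed capture (not real traffic): SETTINGS, HEADERS and DATA on stream 1.
var sample = append(append([]byte{}, preface...), 0, 0, 0, 4, 0, 0, 0, 0, 0,
	0, 0, 2, 1, 4, 0, 0, 0, 1, 0x83, 0x87, 0, 0, 3, 0, 1, 0, 0, 0, 1, 'a', 'b', 'c')
func main() { fmt.Println(ParseFrames(sample)) }
```

Even after decryption, the HEADERS payload (`0x83 0x87` here) is HPACK-compressed, so a further decoding step is needed before header names and values become readable.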

Ne0nd0g explains his reasoning for using the Go programming language to build the Merlin framework. To quote his introduction article, "This worked well because I also wanted to learn how to program in this language and I was hoping anti-virus solutions had a harder time working with it too."

The Merlin framework is built with two parts in mind, the typical server and agent you see commonly in C2 frameworks.  However, with the Go language both components can be cross-compiled to run on any platform.  This means that a server running on a Linux AWS instance can accept agents from Windows or Mac as well.  

Merlin's GitHub page has plenty of instructions on obtaining the code, configuring, and running the framework. I'd like to simply provide my experience on test driving Merlin.

The following commands will get the package set up and ready to run. If your preference is to pull the code and build from source, that is also an option.

As you can see from the screenshot below, merlinServer-linux-x64 is the script/program that will run the server side. Using --help will show the possible command line arguments that can be passed to Merlin.

For demonstration purposes, I have decided to use the host address.  Bonus points for the amazing ASCII banner shipped with Merlin.  

Further commands that can be used inside the Merlin server are shown in the screenshot below. This menu can be accessed by running help at the Merlin shell prompt.

Now it's time to deploy an agent on a remote machine.  For testing I will be using a fully patched Windows 7 x64 virtual machine on a segmented virtual network. Merlin full server releases come with the agents already precompiled for ease of use. Simply navigate to /data/bin/<os>/

For this demonstration, I simply used the precompiled executable binary.  Merlin comes with various methods that can be used on a remote machine.  

In the screenshot above, the MerlinAgent was executed using the --url https://192.168.0.165:443 arguments. Nearly instantaneously, the Merlin server catches the connection and creates a custom Universally Unique Identifier (UUID). To interact with a specific host, set the UUID of the targeted agent.

Using the agent list command, we can view the agents that have checked in and their latest status.

The interact command with the UUID will allow the server to communicate with the agent or show current information about the agent.

The screenshot below shows the available commands from within the agent interaction menu.  

The screenshot below shows how to utilize the modules that are built into Merlin. Be careful here though, just because your Merlin C2 is hidden, does not mean all of the following modules are.  Tread lightly.  

A quick out of the box check of the MerlinAgent against VirusTotal.  Solid results were had.

I am currently installing a trial version of Symantec's Endpoint Protection Manager to deploy SEP to a Windows 7 that's fully patched, to show that Merlin is able to avoid common antivirus. Hopefully, screenshots will follow in the coming days that demonstrate that claim.

This concludes my experience with Merlin the Wizard!  Until next time, keep casting spells!