🧙 Merlin v0.1.4 Released — Menus & Modules
Mar 15 2018
By: Russel Van Tuyl
tl;dr
Version 0.1.4 was released on March 2, 2018. It includes module support, a new menu system, and a JavaScript agent. Grab it from the Releases page.
Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. I’ve been slowly working on the project over the past couple of months and have added a bunch of features. Community members like Dan Borges and @twigatech have made significant contributions as well. Highlights of the new features in this release include:
- Time skew
- Agent IP address information
- Agent file upload and download functionality
- Modules
- JavaScript Agent
- New menu system
- Command aliases
A more in-depth list of changes can be found in the README.
Menu System
I wanted to focus on the new menu system in this blog post. Version 0.1.3 of Merlin Server did not come with any menus. Every command that was to be executed was a long string of commands. I went with that method because it was easier to implement and allowed me to focus on establishing a solid base of functionality for the project. Here is an example used to execute a PowerShell command on an agent: agent cmd 209342db-ce7c-49e8-883f-0ee4da7d266d powershell "Get-NetAdapter|fl". While it is a very long string, Merlin has always come with tab completion to make using it a breeze.
As I worked to implement modules support, I quickly came to realize that having a single menu system was going to cause a lot of problems. Because of this, I implemented 3 new menus:
- Main
- Agent
- Module
Every menu type has built-in help support and tab completion. To access the help menu, type ? or help, and a list of available commands with descriptions will be presented to the user.

Another highlight is that you can now execute commands directly on the system running the Merlin Server. This comes in handy when you want to run ifconfig eth0 to find your IP address without having to open a new tab or window. If the entered command is not valid for the current menu, it will be executed on the host operating system.

One of the challenges I always face when switching between tools like Empire or Metasploit is trying to remember the right command. Because of this, I’ve implemented several alias commands to ease the use of Merlin Server. For instance, you can run sessions from the main menu for a list of all agents that have checked in. Additionally, interact was implemented to complement Empire users. As always, tab completion is available to fill out the commands or provide a list of agents to interact with.
A quick run-through of some of the new features, including the 3 new menu systems and executing a module, has been recorded in this presentation:
I’ve written Merlin as a way to learn Go and quench my hunger for programming. The tool is coming together bit by bit, commit by commit. Each release is used to build on the previous. I’ll continue to work on this, enriching its existing features and adding new ones. This release was a big milestone, adding support for modules and implementing a new menu system. Let me know your thoughts in the comments below.
-Happy Hacking