🧙‍ Merlin v0.6.0 Beta Released
Aug 7 2018
By: Russel Van Tuyl
Beta version 0.6.0 of Merlin was released on July 29, 2018 and is packed with many changes. Take a look at the CHANGELOG for a complete list of them. The biggest new feature of this version is support for the QUIC protocol as a C2 channel, which is detailed in a separate blog post.
x.509 Certificates
Merlin is distributed with the data/x509/server.crt and data/x509/server.key certificate files. The idea is to make trying Merlin out for the first time simple and easy. However, because the bundled private key is publicly distributed, the certificates should be replaced with new files generated by the user and preferably issued by a trusted Certificate Authority. To make it very clear when the user is running the server with the certificates publicly distributed with Merlin, a message is printed to the console during startup. By default, Merlin will look in the data/x509 directory for x509 certificates. Alternatively, the -x509cert and -x509key command line flags can be used to provide the path to your own certificates.

Agent Status
The sessions command from the main menu and the info command from the agent menu will display the current status of the agent. Active indicates the agent is communicating on schedule according to its sleep time. Delayed means the agent has missed at least 1 check-in based on the known sleep time, but not more than the value of the maxretry setting plus 1. One is added to the maxretry setting to account for skew, which is determined randomly each time by the agent. The server does not have a way to account for the agent skew. Dead shows when the agent has missed check-ins for the value of the maxretry setting plus 1. It should be noted that the agent can still communicate with the server even if it is marked as Dead, and the status will then change back to Active.
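
The status thresholds described above, worked through as an added example in Go; it is not Merlin's own code. The Agent type, its methods, and the sample values (30-second sleep, maxretry of 7) are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Agent holds only the fields needed to derive a status (hypothetical type,
// not Merlin's own struct).
type Agent struct {
	LastCheckIn time.Time     // last time the server heard from the agent
	Sleep       time.Duration // the agent's known sleep time
	MaxRetry    int           // the agent's maxretry setting
}

// Status classifies the agent at time now using the thresholds in the post.
// Assumption: a check-in counts as missed once a full sleep interval has
// elapsed without contact.
func (a Agent) Status(now time.Time) string {
	elapsed := now.Sub(a.LastCheckIn)
	// maxretry+1 intervals: the extra one absorbs the agent's random skew,
	// which the server cannot see.
	deadAfter := a.Sleep * time.Duration(a.MaxRetry+1)
	switch {
	case elapsed < a.Sleep:
		return "Active"
	case elapsed < deadAfter:
		return "Delayed"
	default:
		return "Dead"
	}
}

// CheckIn records contact; a Dead agent becomes Active again.
func (a *Agent) CheckIn(now time.Time) { a.LastCheckIn = now }

func main() {
	start := time.Date(2018, 8, 7, 12, 0, 0, 0, time.UTC) // constructed sample time
	a := Agent{LastCheckIn: start, Sleep: 30 * time.Second, MaxRetry: 7}
	for _, s := range []int{10, 45, 239, 240, 600} {
		fmt.Printf("t+%3ds  %s\n", s, a.Status(start.Add(time.Duration(s)*time.Second)))
	}
	late := start.Add(10 * time.Minute)
	a.CheckIn(late) // a "Dead" agent can still check in
	fmt.Println("after late check-in:", a.Status(late.Add(5*time.Second)))
}
```

With these sample values the agent is reported Dead once 240 seconds (8 sleep intervals) pass without contact, and a later check-in returns it to Active.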

When an agent is marked as Dead, you might not want to continue seeing it when you print the sessions table or when you are using the built-in tab completion to select an agent. For this reason, the remove command was added to the main menu. It should be noted that even after an agent is removed, it could still check in and would be treated as an orphaned agent.
Jobs
The way Merlin Server handles job tasking has been changed. In prior releases, a job was only created and added to the channel at the point when the agent checked in. This functionality was re-worked so that jobs are created and added to the channel when they are created, independent of when an agent checks in. In prior releases you might have to wait 30 seconds before you see a message on the console for the job creation. Now a message will display right away.

Module Info Alias
Out of muscle memory I kept trying to issue the info command while in the module menu. This was not a valid command in prior releases. The info command was added as an alias for the still present show info command.

Wrap Up
Beta version 0.6.0 added a few minor features along with one big new capability, support for QUIC. There is still plenty of work to be done and I’ll continue to actively add features and fix any issues. I would enjoy hearing from you if you have questions, issues, or just want to talk about Merlin and its capabilities. You can leave a comment here, reach me on Twitter, create a GitHub issue, or join the Slack Channel.
Happy Hacking!