UPDATE: Merlin v0.8.0

Type pentestit
Reporter Black
Modified 2019-08-28T17:58:53


PenTestIT RSS Feed

A week ago an update - Merlin v0.8.0 was released. There was a brief mention about Merlin in my post titled - List of Open Source C2 Post-Exploitation Frameworks. This new version includes several new features to increase Operations Security (OPSEC) and usability. One of the more notable features was the introduction of the augmented Password Authenticated Key Exchange (aPAKE) OPAQUE protocol.

Merlin v0.8.0

What's new with Merlin?

> Merlin is a post-exploit Command & Control (C2) tool, also known as a Remote Access Tool (RAT), that communicates using the HTTP/2 protocol. Another advantage of Merlin is that is cross-platform. Both the Merlin Server and Agent can easily be compiled to run on a multitude of operating systems to include windows, linux, darwin, solaris, freebsd, ARM, MIPS, or android.

Changes made to Merlin:

Key release features of this update include support for Golang Gob network traffic encoding, JSON Web Tokens (JWT) for authorization, JSON Web Encryption (JWE) for payload formatting, HTTP/1.1 Support, Proxy support and Host header modification. Wow! That's a lot of good features in this release. Officially, these are the changes:


  • Network requests and responses are now encrypted in to a JWE
  • Password Based Authenticated Key Exchange (PAKE) using OPAQUE technique
  • Server and agent have new pre-shared key (psk) command line flag
  • All network requests now contain an encrypted JWT in an Authorization header that are only valid for the agent's lifetime
  • RSA keys are exchanged between server and agent, but not currently used
  • Added PSK= to Make file so the binaries can be hard coded with the PSK
  • Added Merlin server identification tool dubbed PRISM
  • Added gcflags & asmflags trimpaths to remove some of the file path strings in output agent binary files
  • Added http/1.1 support
  • Added support for user defined HTTP proxy with agent -proxy command line flag; Only works with HTTP/1.1
  • Added PROXY= to Make file so the binaries can be hard coded with the proxy
  • Added PRISM application to detect a Merlin server
  • Added in CLI option to set HTTP Host header for domain fronting
  • Pull 72 - Added a Linux module that will hide the Merlin process from tools that walk the /proc filesystem by @ForensicITGuy
  • Pull 73 - Added 5 Linux evasion and persistence modules by @ForensicITGuy
  • Pull 76 - Prompt user to confirm exit or quit by Daniel Roberson


  • Pull 74 - Fixed issued that would crash the agent if the skew was set to 0 by @alexbires
  • Issue 54 - Prompt to exit server when user types "quit" or "exit"


  • Replaced JSON encoding with Go's gob encoding format
  • Server does not receive agent information/configuration until after password authentication/payload encryption
  • Base messages now contain a token; used to send an agent an encrypted JWT
  • agent.New() requires the url, psk, and proxy settings
  • agent.New() can return an error
  • agent.Run() does not take a url anymore, it is part of the Agent structure
  • agent.Run() can return an error
  • Server & Agent log file directory permissions changed to 0750
  • Server & Agent log file permissions changed to 0640


  • Removed http server's check to only allow HTTP/2 traffic so that HTTP/1.1 traffic can be supported
  • Removed Vendor folder updated project to use Go Modules in go.mod

Download Merlin v0.8.0:

You can checkout the Merlin 0.8.0.BETA C2 framework source code or the compiled binaries from it's project page here.

The post UPDATE: Merlin v0.8.0 appeared first on PenTestIT.