Releases: Ne0nd0g/merlin-agent
v2.4.1
Changed
- Upgraded golang.org/x/crypto v0.21.0 => v0.22.0
- Upgraded golang.org/x/sys v0.18.0 => v0.19.0
- Upgraded golang.org/x/mod v0.16.0 => v0.17.0
- Upgraded golang.org/x/tools v0.19.0 => v0.20.0
- Upgraded golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81 => v0.0.0-20240416160154-fe59bbe5cc7f
- Upgraded github.com/google/pprof v0.0.0-20240320155624-b11c3daa6f07 => v0.0.0-20240422182052-72c8669ad3e7
- Upgraded github.com/onsi/ginkgo/v2 v2.17.0 => v2.17.1
- Upgraded github.com/klauspost/compress v1.17.7 => v1.17.8
- Upgraded github.com/refraction-networking/utls v1.6.3 => v1.6.4
- GoVulnCheck to use the latest version of Go
Security
- GO-2024-2687 - Upgraded `golang.org/x/net` to v0.24.0 to address CVE-2024-2687
Merlin documentation and Wiki can be found here
The compressed files have a password of `merlin`
v2.4.0
Added
- Mythic client handles multiple HTTP headers with the Mythic `http` C2 Profile
- Automatic Windows HTTP proxy authentication through the `winhttp` API
- Added the `-http-client` command line argument and `HTTPCLIENT` Makefile variable to specify which HTTP client to use
  - Use `go` for the default Go HTTP client
  - Use `winhttp` API for HTTP C2
- Use `go build` tags to control which C2 clients are compiled into the agent (see Build Tags)
  - When ANY build tag is included, the agent will ONLY include that feature and nothing else. For example, if ONLY the `http` tag is provided, the SMB, TCP, and UDP clients will not be included.
  - If one of the following build tags is used, then only the C2 profiles provided will be compiled in
    - `http` - Include all HTTP clients (including HTTP/1.1, HTTP/2, and HTTP/3)
    - `http1` - Include HTTP/1.1 client
    - `http2` - Include HTTP/2 client
    - `http3` - Include HTTP/3 client
    - `winhttp` - Include Windows `winhttp` API client
    - `mythic` - Include the Mythic client for the Mythic `http` C2 profile
    - `smb` - Include SMB client
    - `tcp` - Include TCP client
    - `udp` - Include UDP client
Fixed
- Resolved several SOCKS5 issues
  - Updated Mythic client to handle `post_response` actions with `ServerPostResponse` structure to include SOCKS information
  - Created a go routine and a channel just for sending SOCKS data in place of using the Jobs channel
- Issue 38 - Added `evasion_386.go` to facilitate x86 Windows builds
Changed
- Upgraded the following libraries to their latest version
  - upgraded golang.org/x/net v0.21.0 => v0.22.0
  - upgraded github.com/google/uuid v1.5.0 => v1.6.0
  - upgraded github.com/quic-go/quic-go v0.40.1 => v0.42.0
  - upgraded github.com/refraction-networking/utls v1.6.0 => v1.6.3
Security
- Upgraded go-jose/v3 to v3.0.3 to address CVE-2024-28180
v2.3.0
Added
- Support to decode Simplified Chinese (Code Page 936) encoding to UTF-8
- Support to decode Traditional Chinese (Code Page 950) encoding to UTF-8
- Support to decode Korean (Code Page 949) encoding to UTF-8
- Added `RSA` as a valid authentication method for Mythic EKE
- Added `mythic` encoder to transform messages in the format Mythic expects them in
Changed
- Refactored clients/mythic to correctly implement the Client interface from merlin-agent/v2 package
- Moved encryption out of the client and into the transforms
- Accepts authenticator, transforms, and secure TLS configuration items
- Upgraded:
  - `github.com/Ne0nd0g/merlin-message` to v1.3.0
  - `golang.org/x/net` to v0.19.0
  - `github.com/quic-go/quic-go` to v0.40.1
  - `github.com/refraction-networking/utls` to v1.6.0
- Removed `GOGARBLE` environment variable from Makefile
v2.2.0
Added
- New `os/windows/pkg/text` package to detect and handle non UTF-8 encoding
  - Only handles ShiftJIS at this moment
  - Will replace non UTF-8 characters with a � character
Fixed
- Issue 33 - Added handling for ShiftJIS encoding
v2.1.0
Changed
- Allow the TLS X509 certificate validation setting to be passed through to JA3 and Parrot clients
- JA3 & Parrot HTTP transports use agent's `-secure` command line argument to determine if TLS X.509 certificate validation should be performed
- Upgraded the following modules
  - golang.org/x/sys v0.13.0 => v0.14.0
  - golang.org/x/net v0.17.0 => v0.18.0
  - github.com/go-jose/go-jose/v3 v3.0.0 => v3.0.1
  - github.com/fatih/color v1.15.0 => v1.16.0
Fixed
- Issue 26 - uTLS package uses HTTP proxy if provided or from environment variables
- Implemented a custom dialer to connect to the proxy first and then the destination
- uTLS package correctly sets the TLS version from the provided JA3 string
v2.0.0
Added
- Peer-to-Peer Agent communication methods: smb-bind, smb-reverse, tcp-bind, tcp-reverse, udp-bind, udp-reverse
  - An associated Listener UUID must be provided with `-listener` command line argument or `LISTENER` Make file variable
  - An associated network interface and port must be provided with the `-addr` command line argument or `ADDR` Make file variable
  - `Delegate` message type and associated handling
- Configurable Agent authentication methods: OPAQUE & none
  - Added `auth` variable to main.go
  - Added `AUTH` variable to Make file (e.g., `make windows AUTH=OPAQUE`)
  - Added `-auth` command line argument
- Configurable Agent transforms: gob-base, gob-string, base64-byte, base64-string, hex-byte, hex-string, aes, jwe, rc4, and xor
  - Added `transforms` variable to main.go
  - Added `TRANSFORMS` variable to Make file (e.g., `make windows TRANSFORMS=aes,gob-base`)
  - Added `-transforms` command line argument
- `link` command for the Agent to initiate a peer-to-peer connection with a listening bind agent
  - Example: `link tcp 192.168.1.72:4444`
- `listener` command for the Agent to start a listener to receive a connection from a reverse peer-to-peer connection
  - `list` to return a list of instantiated listeners on the Agent (e.g., `listener list`)
  - `start` to start a listener based on the passed in type and interface
    - Example: `listener start tcp 0.0.0.0:4444`
  - `stop` to stop an already created listener
    - Example: `listener stop tcp [::]:4444`
- `unlink` command to disconnect a child peer-to-peer agent from its parent
  - Example: `unlink childAgentID`
- GitHub Actions for building and testing the Merlin Agent
- Implemented "services" and "repositories"
- Services are: agent, client, job, message, and p2p
- Configurable TLS x.509 certificate validation
  - Default is `false`, TLS certificates are not validated
  - Added `-secure` command line argument to require TLS X.509 certificate validation
  - Added `SECURE` variable to Make file (e.g., `make windows SECURE=true`)
Changed
- Moved from `Initial` to `Authenticated` for Agent struct
- Removed tests
- Upgraded quic-go to v0.40.0
- The Minimum supported Go version is now 1.20
- HTTP URL rotation strategy is now random instead of round-robin
- Replaced `github.com/satori/go.uuid` with `github.com/google/uuid`
- Replaced `github.com/square/go-jose` with `github.com/go-jose/go-jose`
- Replaced `github.com/Ne0nd0g/merlin/pkg/messages` with `github.com/Ne0nd0g/merlin-message`
  - Removes the need to depend on or import the Merlin Server package
v1.6.5
Changed
- Replaced manual Windows DLL and procedure loads for Golang's Windows package and moved remaining to `os/windows/api` directory
- Replaced `PAGE_EXECUTE_READWRITE` with `PAGE_READWRITE` for shellcode memory allocation
- Replaced `PAGE_EXECUTE` with `PAGE_EXECUTE_READ` after shellcode memory allocation
Fixed
- Issue 28 - Use Golang's Windows package for API calls where possible