README

Merlin

Merlin is a cross-platform post-exploitation Command & Control server and agent written in Go.
Highlighted features:
- merlin-cli command line interface over gRPC to connect to the Merlin Server facilitating multi-user support
- Supported Agent C2 Protocols: http/1.1 clear-text, http/1.1 over TLS, HTTP/2, HTTP/2 clear-text (h2c), http/3 (http/2 over QUIC)
- Peer-to-peer (P2P) communication between Agents with bind or reverse for SMB, TCP, and UDP
- Configurable agent data encoding and encryption transforms: AES, Base64, gob, hex, JWE, RC4, and XOR
- JWE transform use PBES2_HS512_A256KW PBES2 (RFC 2898) with HMAC
SHA-512 as the PRF and AES Key Wrap (RFC 3394) using 256-bit keys for the encryption scheme
- Configurable agent authenticators:
- None: No authentication
- OPAQUE: Asymmetric Password Authenticated Key Exchange (PAKE)
- Encrypted JWT for message authentication
- Configurable Agent message data padding
to combat beaconing detections based on a fixed message size
- Execute .NET assemblies in-process with
invoke-assembly or in a sacrificial process with execute-assembly
- Execute arbitrary Windows executables (PE) in a sacrificial process with
execute-pe
- Various shellcode execution techniques: CreateThread, CreateRemoteThread, RtlCreateUserThread, QueueUserAPC
- Integrated Donut, sRDI,
and SharpGen support
- Dynamically change the Agent's JA3 hash
- Mythic support
- Documentation & Wiki
An introductory blog post can be found here: https://medium.com/@Ne0nd0g/introducing-merlin-645da3c635a
Supporting Repositories:
- Merlin Agent - Agent source code
- Merlin Agent DLL - Agent DLL source code
- Merlin CLI - Command line interface for Merlin
- Merlin Documentation - Documentation source code
- Merlin on Mythic - Merlin agent for Mythic Framework
- Merlin Docker - Base Docker image for for Merlin images
- Merlin Message - A Go library for Merlin messages exchanged between a Merlin Server and Agent
Quick Start
- Download the latest version of Merlin Server from the releases section
The Server package contains compiled versions of the CLI and Agent for all the major operating systems in the data/bin directory
- Extract the files with 7zip using the
x function The password is: merlin
- Start Merlin
- Start the CLI
- Configure a listener
- Deploy an agent. See Agent Execution Quick Start Guide for examples
- Pwn, Pivot, Profit
mkdir /opt/merlin;cd /opt/merlin
wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z
7z x merlinServer-Linux-x64.7z
sudo ./merlinServer-Linux-x64
./data/bin/merlinCLI-Linux-x64
Mythic
Merlin can be integrated and used as an agent with the Mythic a
collaborative, multi-platform, red teaming framework.
Visit the Merlin on Mythic repository in the MythicAgents organization
to get started.
Misc.
Slack
Join the #merlin channel in the BloodHoundGang Slack to ask questions,
troubleshoot, or provide feedback.
JetBrains
Thanks to JetBrains for kindly sponsoring Merlin by providing a Goland IDE
Open Source license

Extension points exported contracts — how you extend this code
Authenticator (Interface)
Authenticator is an interface used by various authentication methods [6 implementers]
pkg/authenticators/authenticators.go
Listener (Interface)
Listener is an interface that contains all the functions any Agent listener must implement [4 implementers]
pkg/listeners/listeners.go
Transformer (Interface)
(no doc) [11 implementers]
pkg/transformer/transformer.go
ServerInterface (Interface)
ServerInterface is used to provide a standard set of methods a server module must support to work with Merlin [1 implementers]
pkg/servers/servers.go
Repository (Interface)
Repository is an interface to store and retrieve data
pkg/delegate/repository.go
Repository (Interface)
Repository is an interface used to add, get, or update groups from a data source
pkg/group/repository.go
Repository (Interface)
Repository is an interface used to add, get, or update Agents from a data source
pkg/agents/repository.go
Repository (Interface)
(no doc)
pkg/client/repository.go
Core symbols most depended-on inside this repo
Error
called by 239
pkg/client/message/message.go
Log
called by 125
pkg/agents/repository.go
String
called by 53
pkg/transformer/transformer.go
addJob
called by 46
pkg/services/rpc/job.go
Add
called by 45
pkg/agents/repository.go
ID
called by 42
pkg/servers/servers.go
ID
called by 31
pkg/listeners/listeners.go
Name
called by 27
pkg/listeners/listeners.go
Shape
Method
1,057
Function
225
Struct
77
Interface
20
TypeAlias
3
Modules by API surface
pkg/rpc/rpc_grpc.pb.go428 symbols
pkg/rpc/rpc.pb.go240 symbols
pkg/services/rpc/agent.go44 symbols
pkg/agents/agents.go35 symbols
pkg/services/agent/agent.go32 symbols
pkg/services/rpc/rpc.go24 symbols
pkg/services/listeners/listeners.go22 symbols
pkg/agents/memory/memory.go22 symbols
pkg/servers/http/http.go21 symbols
pkg/listeners/udp/udp.go20 symbols
pkg/listeners/tcp/tcp.go20 symbols
pkg/listeners/smb/smb.go20 symbols
Dependencies from manifests, versioned
github.com/Binject/debugv0.0.0-2020122808205 · 1×
github.com/Binject/go-donutv0.0.0-2020121522420 · 1×
github.com/Ne0nd0g/merlin-messagev1.3.0 · 1×
github.com/cretz/gopaquev0.1.0 · 1×
github.com/go-jose/go-jose/v3v3.0.4 · 1×
github.com/go-task/slim-sprig/v3v3.0.0 · 1×
github.com/google/pprofv0.0.0-2025040315510 · 1×
github.com/onsi/ginkgo/v2v2.23.4 · 1×
github.com/quic-go/qpackv0.5.1 · 1×
github.com/quic-go/quic-gov0.50.1 · 1×
go.dedis.ch/fixbufv1.0.3 · 1×