
Merlin: A cross-platform command and control server and agent written in Go - SEJeff
https://github.com/Ne0nd0g/merlin
======
moray
This reminded me of Back Orifice:

[https://www.cultdeadcow.com/tools/bo.html](https://www.cultdeadcow.com/tools/bo.html)

aahh the nineties!

~~~
sitkack
SATAN really drove home how automated our attacks would become. Diversity,
defense in depth, compartmentalization. That reminds me, I need to setup my
VPN to localhost, TRUST NO ONE!

[https://en.wikipedia.org/wiki/Security_Administrator_Tool_fo...](https://en.wikipedia.org/wiki/Security_Administrator_Tool_for_Analyzing_Networks)

~~~
Gibbon1
/dev/null

Trust no one not even yourself.

------
innocentoldguy
I'm always puzzled by these "Blah blah blah, written in Go" posts. Can't you
write the same thing in any other language? Most of the time, isn't "Blah blah
blah" just a Go clone of some tool written in another language anyway? Is Go
feature-challenged, or nigh unto impossible to use, thus rendering "Blah blah
blah, written in Go" newsworthy?

I'm sure this sounds sarcastic and to be fair, it is. Still, I really don't
understand the need to constantly tout the fact that it is, indeed, possible
to write things using Go. As a community, Hacker News doesn't seem to do this,
at least not to the same extent, with any other language. However, if a new
developer cracks open a Go book, it seems we have to have a "Hello, World!
written in Go" article to go along with it. Does anyone else find that weird?

~~~
GrumpyCoder
Lightweight and portable come to mind when I see "written in Go". Those
qualities are pretty appealing for the self-hosted crowd.

~~~
innocentoldguy
I guess that's a possibility; however, Go isn't the most lightweight and
portable language out there. Rust and Erlang both seem like better options if
those criteria are important.

~~~
wieghant
I just find Go a more pleasant experience. The source code is easily readable
and understandable. I don't run into weird wrong version or dependency
problems ever. Go get, go build and i'm done. Or if i download the binary,
just dump it in a bin folder and it works without even having Go on the
system. I haven't written anything in Rust or Erlang yet, but I have run into
trouble when building Rust packages from source. Maybe it was the package
maintainer's bad every time, the system setup or I'm just dim, but I just need
to get stuff done and not go down the rabbit hole. I also personally don't
like the hassle with Python version environments.

------
PhantomBKB
The language analysis does not show any % for Golang :D

~~~
Ne0nd0g
Yeah, that part is frustrating. It picks up the PowerShell script in one of
the sub directories and marks the whole project as such.

~~~
w8rbt
That happened to a Go repo of mine once as well (except it was a python script
causing the misidentification). I fixed it by adding a gitattributes file to
the repo. Here it is:

[https://github.com/w8rbt/netscan/blob/master/.gitattributes](https://github.com/w8rbt/netscan/blob/master/.gitattributes)

~~~
StavrosK
Why is the fix to tell Github that py files are Go? I would have expected the
fix to be to tell it that go files are Go instead, no?

~~~
rmetzler
I would guess, the real fix is to improve linguist, the Ruby gem GitHub uses
to determine the programming language. Everything else is a workaround.

[https://github.com/github/linguist](https://github.com/github/linguist)

------
badrabbit
Neat project.

On HN a lot of people are against TLS interception. How is a defender suppose
to detect this traffic? TLS aside snort or yara rules can be implemented.

For personal devices of course TLS should not be interceptable. But I've
personally gone 180 and support TLS decryption for enterprise networks.

~~~
Ne0nd0g
Tools like JA3
[https://github.com/salesforce/ja3](https://github.com/salesforce/ja3) can
fingerprint TLS traffic to provide one way to perform some type of evaluation.
Defender can detect on a lot of other things like an applications behavior.

~~~
xfs
That can be trivially defeated by operating on top of Chrome's net stack
though.

------
equalunique
Interestingly there is another project called Merlin in the network security
space, although it hasn't been updated in almost a year.

[http://www.frenetic-lang.org/merlin/](http://www.frenetic-lang.org/merlin/)

The best documentation available is the paper linked to on the above page, and
the examples in the github repo below.

[https://github.com/merlin-lang/merlin](https://github.com/merlin-lang/merlin)

------
qaq
Nice to be a blackhat today so many tools

~~~
alexchamberlain
It would be interesting to read an ethical analysis of a tool like this.

~~~
jerf
Once you have the first 5 or 10 such tools, the consequences of the 11th are
pretty minimal. And this is probably more like in the hundreds, not the 11th.

Plus, they're sort of inevitable anyhow. The technical difference between
ansible/puppet/etc. and blackhat C&C servers isn't that great. Definitely non-
zero, but not _that_ huge.

~~~
qaq
well the evasion part is pretty huge diff.

~~~
jerf
If you're referring to what is mentioned in this post:
[https://medium.com/@Ne0nd0g/introducing-
merlin-645da3c635a](https://medium.com/@Ne0nd0g/introducing-
merlin-645da3c635a) , I'm not sure "We use HTTP2 and TLS" is that significant
of a difference. If there was some elaborate system in place for evasion,
sure, but this is just "using a new, but standard, protocol before everybody
else understands it yet". Heck, just the fact it's using TLS is about 90% of
the evasion; HTTP2 is just icing on the cake.

A more significant difference I was thinking of is that ansible et al are more
focused on getting the system into a certain state, whereas a C&C server is
likely to be oriented around executing commands and keeping certain tasks
running. However, since the way you get a system into a certain state is by
executing commands, well, the technical differences aren't that significant.
Most of that difference would be in organization of the "UI" layer, rather
than under the hood.

~~~
SEJeff
My take is that HTTP/2 is more significant than you might expect, primarily
because it is a full duplex protocol (unlike the typical request / response of
HTTP/1). This makes it like a more efficient websocket, so the C2 bits can
move faster than a polling based approach. That said, this makes it easier to
detect.

------
equalunique
I wonder about the possibility of porting to other architectures & operating
systems supported by Go, like BSDs, Solaris/Illumos, AIX, Plan9, even WASM...

