Hacker News new | past | comments | ask | show | jobs | submit login
Merlin: A cross-platform command and control server and agent written in Go (github.com)
181 points by SEJeff 8 months ago | hide | past | web | favorite | 58 comments

This reminded me of Back Orifice:


aahh the nineties!

SATAN really drove home how automated our attacks would become. Diversity, defense in depth, compartmentalization. That reminds me, I need to setup my VPN to localhost, TRUST NO ONE!



Trust no one not even yourself.

We purposefully installed BO to act as a remote control system for machines inside the firewall.

we did this as well. It was super useful for legit purposes as well as a RAT

And netbus!

And Sub7

Heh, written in Delphi I think.

My earliest PC consulting was cleaning up sub7 infections caused by antivirus packages deleting the main executable.

Sub7 associated the .exe format in windows with it's main executable, so if you removed the "infection" you had a really interesting time loading up windows afterwards, explorer.exe and all the others were looking for sub7.exe to load themselves =)

I'm always puzzled by these "Blah blah blah, written in Go" posts. Can't you write the same thing in any other language? Most of the time, isn't "Blah blah blah" just a Go clone of some tool written in another language anyway? Is Go feature-challenged, or nigh unto impossible to use, thus rendering "Blah blah blah, written in Go" newsworthy?

I'm sure this sounds sarcastic and to be fair, it is. Still, I really don't understand the need to constantly tout the fact that it is, indeed, possible to write things using Go. As a community, Hacker News doesn't seem to do this, at least not to the same extent, with any other language. However, if a new developer cracks open a Go book, it seems we have to have a "Hello, World! written in Go" article to go along with it. Does anyone else find that weird?

I don't understand your beef with describing it as a Go project. Most of the common pentesting tools are in Python or Ruby.

I've been hoping Go would replace Ruby and Python as the language for security and pentesting tooling, so in that respect I'm happy to see this and hope for more.

Lightweight and portable come to mind when I see "written in Go". Those qualities are pretty appealing for the self-hosted crowd.

I guess that's a possibility; however, Go isn't the most lightweight and portable language out there. Rust and Erlang both seem like better options if those criteria are important.

I just find Go a more pleasant experience. The source code is easily readable and understandable. I don't run into weird wrong version or dependency problems ever. Go get, go build and i'm done. Or if i download the binary, just dump it in a bin folder and it works without even having Go on the system. I haven't written anything in Rust or Erlang yet, but I have run into trouble when building Rust packages from source. Maybe it was the package maintainer's bad every time, the system setup or I'm just dim, but I just need to get stuff done and not go down the rabbit hole. I also personally don't like the hassle with Python version environments.

Of course it won't beat Rust or C but it's good enough.

Portable and trivial to cross compile make go a perfect language for an agent, like a C2 agent and server. This type of app being written in go is a feature. Most red team tools are written in ruby/python/C#/.Net/Powershell.

On one hand, I'm dismayed at all the résumé-driven development and tedious code that should have been generated from a DSL. On the other, replacing C with Go pretty much anywhere is a step forward.

The language analysis does not show any % for Golang :D

Yeah, that part is frustrating. It picks up the PowerShell script in one of the sub directories and marks the whole project as such.

That happened to a Go repo of mine once as well (except it was a python script causing the misidentification). I fixed it by adding a gitattributes file to the repo. Here it is:


Why is the fix to tell Github that py files are Go? I would have expected the fix to be to tell it that go files are Go instead, no?

I would guess, the real fix is to improve linguist, the Ruby gem GitHub uses to determine the programming language. Everything else is a workaround.



Neat project.

On HN a lot of people are against TLS interception. How is a defender suppose to detect this traffic? TLS aside snort or yara rules can be implemented.

For personal devices of course TLS should not be interceptable. But I've personally gone 180 and support TLS decryption for enterprise networks.

For enterprise networks, you can still analyze the pattern of packets to match fingerprints of C2 traffic. There are solutions such as Cisco's Encrypted Traffic Analytics, that do just this: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Camp...

> How is a defender suppose to detect this traffic?

Probably by taking a decentralized approach, that's probably more secure, performant and better to maintain anyways. Also on the server side one could do TLS using Haproxy or nginx, this way it would even be possible to use existing tools - just on localhost though. Or, one can do TLS re-encryption with Haproxy/nginx (or Squid for the other direction), and do checking on the host at the same time.

Tools like JA3 https://github.com/salesforce/ja3 can fingerprint TLS traffic to provide one way to perform some type of evaluation. Defender can detect on a lot of other things like an applications behavior.

That can be trivially defeated by operating on top of Chrome's net stack though.

Most modern implants dont directly talk to a C2, they relay over other protocols like pastebin, twitter, or blog storage pictures, or databases to obscure traffic.

Interestingly there is another project called Merlin in the network security space, although it hasn't been updated in almost a year.


The best documentation available is the paper linked to on the above page, and the examples in the github repo below.


Nice to be a blackhat today so many tools

It would be interesting to read an ethical analysis of a tool like this.

Once you have the first 5 or 10 such tools, the consequences of the 11th are pretty minimal. And this is probably more like in the hundreds, not the 11th.

Plus, they're sort of inevitable anyhow. The technical difference between ansible/puppet/etc. and blackhat C&C servers isn't that great. Definitely non-zero, but not that huge.

well the evasion part is pretty huge diff.

If you're referring to what is mentioned in this post: https://medium.com/@Ne0nd0g/introducing-merlin-645da3c635a , I'm not sure "We use HTTP2 and TLS" is that significant of a difference. If there was some elaborate system in place for evasion, sure, but this is just "using a new, but standard, protocol before everybody else understands it yet". Heck, just the fact it's using TLS is about 90% of the evasion; HTTP2 is just icing on the cake.

A more significant difference I was thinking of is that ansible et al are more focused on getting the system into a certain state, whereas a C&C server is likely to be oriented around executing commands and keeping certain tasks running. However, since the way you get a system into a certain state is by executing commands, well, the technical differences aren't that significant. Most of that difference would be in organization of the "UI" layer, rather than under the hood.

My take is that HTTP/2 is more significant than you might expect, primarily because it is a full duplex protocol (unlike the typical request / response of HTTP/1). This makes it like a more efficient websocket, so the C2 bits can move faster than a polling based approach. That said, this makes it easier to detect.

They are looking at adding domain fronting :)

One point of view is it's a mafiosi tactic. Create the problem. Sell the security solution. Or, at best, it is irresponsible to enable attackers.

Another is that by disclosing security problems and the tools to test and research them, we enable defenders and we fix what might be kept confidential and exploited by attackers. The theory that sunlight is the best disinfectant.

It's not a magic and if detection tools don't support http/2, then it's their fault and quite frankly anybody could come up with this tool.

The "enabled" attackers surely are nothing when they couldn't have come up with anything better themselves.

It just made the discussion of such tools public.

As noted in the blog post linked from the readme, their red team is using it for internal testing.

Thats the funny thing sometimes people ignore alerts on tools that red teams normally use because they think it's their red team

If people are ignoring alerts because it might be the red team then surely when the red team breaks in... those people all look like idiots who can't keep their systems secure?

If this is happening, then either the red team needs to be disbanded as nobody cares enough to warrant their existence... or the engineers ignoring the alerts need to be educated on the value of a red team.

Very true I was not referring to SOC not reacting it's more things getting misinterpreted when things get escalated to higher ups if org is huge and structure is complex sometimes things get complicated. E.g. a company undergoing an external pen test and some real incident in the same time window using tools that a pen tester would use (e.g metasploit)

This is just another one, so there isn't anything really new to discuss ethically.

And so many systems still writen in C....

I know it's trendy to hate on C but most security bugs are not memory access related errors. Most are logic errors which any language is susceptible to.

Tell that to Google, which presented a report at Linux Kernel Summit 2018, where 68% from Linux kernel CVEs are caused by C's memory corruption features, and has been pushing for the Kernel Self Preservation Project on Linux.

The videos are freely available.

As for hating C's lack of safety features, it goes back to the earlier 80's from Algol/Pascal/Modula-2/Ada side.

So no, it isn't something new, just now the always on Internet and IoT adoption are making it relatively easier to prove our point.

I think KSP is Kernel Self Protection and Kees Cook has been pushing it since he was the kernel security guy @ Canonical many years ago:


Yeah I get it wrong all the time, thanks for the correction.

I only became aware of his work since Google.

All good! He was at Canonical for awhile actually, but did a lot on proactive security and I’ve followed him since. The “SE” in my username is a hat tip to SELinux, as I’ve always been a fan of the Flask Security Architecture.


In practice, the key to avoiding logic errors tends to be well-considered interface design.

Not all languages are necessarily equally susceptible to logic errors, though, and C is rather middling in that regard.

We can't stop it, but we can put it in a sandtrap and serialize its access to the outside world.

In what concerns UNIX clones, Oracle did it with Solaris and SPARC ADI, which doesn't have a bright future anyway.

It remains to be seen what ARM and Google will actually do with the new memory extensions.

It remains to be seen what will happen with Fuchsia.

Microsoft is pushing for a mix of .NET Native, modern C++ and Rust.

Apple is still pushing for Swift, although very incrementally.

The big question is how UNIX clones will actually tackle C's unsafety at large, if ever.

I don’t think the widespread availability of tools like this makes it any easier. This project doesn’t seem to be too active.

How availability of tools does not make it easier?

I’m not sure but I’m guessing his point is that black hats would more likely write their own software and script kiddies would rather not use abandoned software?

In any case, there wasn’t any shortage of tools even in the 90s. Nor places to research them either. Plus systems were less security conscious then too so the barrier for entry was a little lower.

Source: my own misspent youth.

This is not abandoned software there was an active discussion on adding domain fronting just a few weeks back.

I make most of my commits to the Dev branch and I am selective about pushing things to the Master branch. Check the releases page for a good indication of activity. I will also be pushing out an update in the next couple of days that adds the ability to execute shellcode using 4 different methods (Windows only).

I wonder about the possibility of porting to other architectures & operating systems supported by Go, like BSDs, Solaris/Illumos, AIX, Plan9, even WASM...

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact