Releases: Ne0nd0g/merlin
v2.1.3
Changed
- Upgraded golang.org/x/crypto v0.21.0 => v0.22.0
- Upgraded golang.org/x/sys v0.18.0 => v0.19.0
- Upgraded golang.org/x/sync v0.6.0 => v0.7.0
- Upgraded google.golang.org/grpc v1.62.1 => v1.63.2
- Upgraded golang.org/x/mod v0.16.0 => v0.17.0
- Upgraded golang.org/x/tools v0.19.0 => v0.20.0
- Upgraded golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81 => v0.0.0-20240416160154-fe59bbe5cc7f
- Upgraded github.com/google/pprof v0.0.0-20240320155624-b11c3daa6f07 => v0.0.0-20240422182052-72c8669ad3e7
- Upgraded github.com/onsi/ginkgo/v2 v2.17.0 => v2.17.1
Security
- CVE-2023-45288 - Upgraded
golang.org/x/net
to v0.24.0 to address CVE-2023-45288
The data/bin
directory contains compiled versions of the Merlin CLI and Merlin Agents
Merlin documentation and Wiki can be found here
The compressed files have a password of
merlin
v2.1.2
Fixed
- SOCKS listener was not properly handling data and connection status
- Increased SOCKS job in/out channel size from 100 to 1,000
- Fixed a bug where multiple SOCKS go routines were created instead of one
- Updated
readSOCKSClient()
function to close the connection on any connection read error - Updated
processMessage()
to drop SOCKS jobs when the connection was already closed - Added
NewInfoWithID()
factory for SOCKS jobs information structures that keep the same Job ID for the connection lifetime
Changed
- Upgraded the following libraries to their latest version
- upgraded github.com/google/uuid v1.5.0 => v1.6.0
- upgraded golang.org/x/net v0.21.0 => v0.22.0
- upgraded golang.org/x/sync v0.5.0 => v0.6.0
- upgraded google.golang.org/grpc v1.60.1 => v1.62.1
- upgraded github.com/quic-go/quic-go v0.40.1 => v0.42.0
Security
- Upgraded go-jose/v3 to v3.0.3 to address CVE-2024-28180
- Upgraded the protobuf library to v1.33.0 to address CVE-2024-24786
The data/bin
directory contains compiled versions of the Merlin CLI and Merlin Agents
Merlin documentation and Wiki can be found here
The compressed files have a password of
merlin
v2.1.1
Added
- Added Qodana baseline file
Changed
- Upgraded packages
github.com/Ne0nd0g/merlin-message
to v1.3.0github.com/quic-go/quic-go
to v0.40.1google.golang.org/grpc
to v1.60.0- Modified Dockerfile
- Upgraded
ne0nd0g/merlin-base
v1.5.0 in Dockerfile - Changed
ENTRYPOINT
to execute a compiled binary instead ofgo run
- Upgraded
- Removed
GOGARBLE
environment variable from Makefile
The data/bin
directory contains compiled versions of the Merlin CLI and Merlin Agents
Merlin documentation and Wiki can be found here
The compressed files have a password of
merlin
v2.1.0
v2.0.0
Added
- Peer-to-Peer Agent communications
- gRPC Server for Merlin CLI
- Default interface/port is
127.0.0.1:50051
and default password ismerlin
-addr
the address to listen for gRPC connections from the Merlin CLI-password
the password for CLI RPC clients to connect to the Merlin server-secure
require client TLS certificate verification-tlsCA
TLS Certificate Authority file path to verify client certificates-tlsCert
TLS certificate file path for the Merlin server-tlsKey
TLS private key file path for the Merlin server
- Default interface/port is
- Structured logging in JSON format to STDOUT using log/slog package
-debug
enable debug output-extra
enable extra debug output (e.g., HTTP requests/responses)-trace
enable trace output to see stepping through functions
- New SMB/UDP/TCP listeners
- Used to configure how the listener process Agent traffic
- Listeners DO NOT bind to interfaces/ports on the Merlin server, used for Agent configuration/generation ONLY
- Delegate message types and functions for processing them
- Configurable listener authentication methods for Agent communications: OPAQUE & none
- Configurable listener transforms for Agent communications: aes, base64-byte, base64-string, hex-byte, hex-string, gob-base, gob-string, jwe, rc4, and xor
- The last transform in the list MUST be
gob-base
- The last transform in the list MUST be
- GitHub Actions for building and testing the Merlin Agent
Changed
- Refactored some areas to align with DDD and SOLID to alleviate circular dependencies implementing peer-to-peer comms
- Implemented base "entity" structures and "aggregates"
- Implemented the "Repository" pattern for Agents, Delegates, Groups, Listeners, Servers
- Implemented the "Services" patter for interacting with Agents, Listeners, & Base messages
- Configurable JWT key value for HTTP listeners
- Upgraded quic-go to v0.40.0
- The Minimum supported Go version is now 1.21
- Listeners are now handled by a UUID and no longer by a name as a string
- Moved the
build
string out ofmain.go
and intopkg/merlin.go
- Removed PWNBoard from
main.go
- Removed wiki documentation from
docs
to a new repository at https://github.com/Ne0nd0g/merlin-documentation - Replaced
github.com/satori/go.uuid
withgithub.com/google/uuid
- Replaced
github.com/square/go-jose
withgithub.com/go-jose/go-jose
- Replaced
github.com/Ne0nd0g/merlin/pkg/messages
withgithub.com/Ne0nd0g/merlin-message
- Removes the need to depend on or import the Merlin Server package
Removed
- Removed the interactive CLI menu to Merlin CLI
- Uses gRPC to communicate with the Merlin server
The data/bin
directory contains compiled versions of the Merlin CLI and Merlin Agents
Merlin documentation and Wiki can be found here
The compressed files have a password of
merlin
v1.5.1
Added
- Documentation for proxying Agent DLL provided by @HuskyHacks in PR 136
Security
- PR 137 - Bump golang.org/x/text from 0.3.7 to 0.3.8 by dependabot
- PR 138 - Bump golang.org/x/net from 0.0.0-20220708220712-1185a9018129 to 0.7.0 by dependabot
- PR 139 - Bump golang.org/x/crypto from 0.0.0-20200709230013-948cd5f35899 to 0.1.0 by dependabot
- PR 140 - Bump golang.org/x/net from 0.1.0 to 0.7.0 by dependabot
Merlin documentation and Wiki can be found here
The compressed files have a password of
merlin
v1.5.0
Added
- Added new SOCKS5 functionality
- Use
socks start 9050
from the agent menu to start a SOCKS5 listener on port 9050 on the Merlin server
- Use
Changed
- Go v1.18 is now the minimum supported version
- Upgraded quic-go to v0.28.0
- Upgraded Go JOSE to v2.6.0
- Reduced the default PBES2 count for payload JWE encryption from 500,000 to 3,000
Merlin documentation and Wiki can be found here
The compressed files have a password of
merlin
v1.4.1
v1.4.0
Added
- Added new
memory
command w/ associated API & documentation to read/write virtual memory for Windows agents- The
read
command will just read the specified number of bytes and return the results - The
write
command will just write the specified bytes without reading them first - The
patch
command will find a specified function, read the existing bytes, and then overwrite it with the provided bytes
- The
Merlin documentation and Wiki can be found here
The compressed files have a password of
merlin
v1.3.1
Added
- Added Garble builds to the Make file
windows-garble
,linux-garble
, &darwin-garble
- THE AGENT MUST BE GARBLED WITH THE EXACT SAME SEED
- Specify the seed at build with
make linux-garble SEED=<your seed valuee>
Fixed
- Instructing an agent to exit removes it from the server and CLI
Merlin documentation and Wiki can be found here
The compressed files have a password of
merlin