Releases: Ne0nd0g/merlin

v2.1.3

23 Apr 05:22
90ef16b

Changed

  • Upgraded golang.org/x/crypto v0.21.0 => v0.22.0
  • Upgraded golang.org/x/sys v0.18.0 => v0.19.0
  • Upgraded golang.org/x/sync v0.6.0 => v0.7.0
  • Upgraded google.golang.org/grpc v1.62.1 => v1.63.2
  • Upgraded golang.org/x/mod v0.16.0 => v0.17.0
  • Upgraded golang.org/x/tools v0.19.0 => v0.20.0
  • Upgraded golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81 => v0.0.0-20240416160154-fe59bbe5cc7f
  • Upgraded github.com/google/pprof v0.0.0-20240320155624-b11c3daa6f07 => v0.0.0-20240422182052-72c8669ad3e7
  • Upgraded github.com/onsi/ginkgo/v2 v2.17.0 => v2.17.1

Security


The data/bin directory contains compiled versions of the Merlin CLI and Merlin Agents

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v2.1.2

26 Mar 11:54
a8d69e9

Fixed

  • SOCKS listener was not properly handling data and connection status
    • Increased SOCKS job in/out channel size from 100 to 1,000
    • Fixed a bug where multiple SOCKS go routines were created instead of one
    • Updated readSOCKSClient() function to close the connection on any connection read error
    • Updated processMessage() to drop SOCKS jobs when the connection was already closed
    • Added NewInfoWithID() factory for SOCKS jobs information structures that keep the same Job ID for the connection lifetime

Changed

  • Upgraded the following libraries to their latest version
    • upgraded github.com/google/uuid v1.5.0 => v1.6.0
    • upgraded golang.org/x/net v0.21.0 => v0.22.0
    • upgraded golang.org/x/sync v0.5.0 => v0.6.0
    • upgraded google.golang.org/grpc v1.60.1 => v1.62.1
    • upgraded github.com/quic-go/quic-go v0.40.1 => v0.42.0

Security



v2.1.1

04 Jan 15:31
b279c6a

Added

  • Added Qodana baseline file

Changed

  • Upgraded packages
    • github.com/Ne0nd0g/merlin-message to v1.3.0
    • github.com/quic-go/quic-go to v0.40.1
    • google.golang.org/grpc to v1.60.0
  • Modified Dockerfile
    • Upgraded ne0nd0g/merlin-base v1.5.0 in Dockerfile
    • Changed ENTRYPOINT to execute a compiled binary instead of go run
  • Removed GOGARBLE environment variable from Makefile


v2.1.0

15 Dec 13:58
caaea3b

Fixed

  • Issue 148 - Validate & encode gRPC messages to UTF-8


v2.0.0

05 Nov 22:45
e80c47a

Added

  • Peer-to-Peer Agent communications
  • gRPC Server for Merlin CLI
    • Default interface/port is 127.0.0.1:50051 and default password is merlin
    • -addr the address to listen for gRPC connections from the Merlin CLI
    • -password the password for CLI RPC clients to connect to the Merlin server
    • -secure require client TLS certificate verification
    • -tlsCA TLS Certificate Authority file path to verify client certificates
    • -tlsCert TLS certificate file path for the Merlin server
    • -tlsKey TLS private key file path for the Merlin server
  • Structured logging in JSON format to STDOUT using log/slog package
    • -debug enable debug output
    • -extra enable extra debug output (e.g., HTTP requests/responses)
    • -trace enable trace output to see stepping through functions
  • New SMB/UDP/TCP listeners
    • Used to configure how the listener processes Agent traffic
    • Listeners DO NOT bind to interfaces/ports on the Merlin server, used for Agent configuration/generation ONLY
  • Delegate message types and functions for processing them
  • Configurable listener authentication methods for Agent communications: OPAQUE & none
  • Configurable listener transforms for Agent communications: aes, base64-byte, base64-string, hex-byte, hex-string, gob-base, gob-string, jwe, rc4, and xor
    • The last transform in the list MUST be gob-base
  • GitHub Actions for building and testing the Merlin Agent

Changed

  • Refactored some areas to align with DDD and SOLID to alleviate circular dependencies when implementing peer-to-peer comms
    • Implemented base "entity" structures and "aggregates"
    • Implemented the "Repository" pattern for Agents, Delegates, Groups, Listeners, Servers
    • Implemented the "Services" pattern for interacting with Agents, Listeners, & Base messages
  • Configurable JWT key value for HTTP listeners
  • Upgraded quic-go to v0.40.0
  • The Minimum supported Go version is now 1.21
  • Listeners are now handled by a UUID and no longer by a name as a string
  • Moved the build string out of main.go and into pkg/merlin.go
  • Removed PWNBoard from main.go
  • Moved wiki documentation from docs to a new repository at https://github.com/Ne0nd0g/merlin-documentation
  • Replaced github.com/satori/go.uuid with github.com/google/uuid
  • Replaced github.com/square/go-jose with github.com/go-jose/go-jose
  • Replaced github.com/Ne0nd0g/merlin/pkg/messages with github.com/Ne0nd0g/merlin-message
    • Removes the need to depend on or import the Merlin Server package

Removed

  • Removed the interactive CLI menu to Merlin CLI
    • Uses gRPC to communicate with the Merlin server


v1.5.1

09 Mar 13:52
ffb9feb

Added

Security

  • PR 137 - Bump golang.org/x/text from 0.3.7 to 0.3.8 by dependabot
  • PR 138 - Bump golang.org/x/net from 0.0.0-20220708220712-1185a9018129 to 0.7.0 by dependabot
  • PR 139 - Bump golang.org/x/crypto from 0.0.0-20200709230013-948cd5f35899 to 0.1.0 by dependabot
  • PR 140 - Bump golang.org/x/net from 0.1.0 to 0.7.0 by dependabot


v1.5.0

22 Jul 12:16
2d7754d

Added

  • Added new SOCKS5 functionality
    • Use socks start 9050 from the agent menu to start a SOCKS5 listener on port 9050 on the Merlin server

Changed


v1.4.1

13 Apr 01:11

Fixed


v1.4.0

02 Apr 14:34

Added

  • Added new memory command w/ associated API & documentation to read/write virtual memory for Windows agents
    • The read command will just read the specified number of bytes and return the results
    • The write command will just write the specified bytes without reading them first
    • The patch command will find a specified function, read the existing bytes, and then overwrite it with the provided bytes


v1.3.1

02 Apr 14:29

Added

  • Added Garble builds to the Makefile
    • windows-garble, linux-garble, & darwin-garble
    • THE AGENT MUST BE GARBLED WITH THE EXACT SAME SEED
    • Specify the seed at build with make linux-garble SEED=<your seed value>

Fixed

  • Instructing an agent to exit removes it from the server and CLI
