search

Merlin

https://github.com/Ne0nd0g/merlin

hashtag
Installation

hashtag
Install GO

#Download GO package from: https://golang.org/dl/
#Decompress the packe using:
tar -C /usr/local -xzf go$VERSION.$OS-$ARCH.tar.gz

#Change /etc/profile
Add ":/usr/local/go/bin" to PATH
Add "export GOPATH=$HOME/go"
Add "export GOBIN=$GOPATH/bin"

source /etc/profile

hashtag
Install Merlin

go get https://github.com/Ne0nd0g/merlin/tree/dev #It is recommended to use the developer branch
cd $GOPATH/src/github.com/Ne0nd0g/merlin/

hashtag
Launch Merlin Server

hashtag
Merlin Agents

You can download precompiled agentsarrow-up-right

hashtag
Compile Agents

Go to the main folder $GOPATH/src/github.com/Ne0nd0g/merlin/

hashtag
Manual compile agents

hashtag
Modules

The bad news is that every module used by Merlin is downloaded from the source (github) and saved indisk before using it. Forge about usingwell known modules because Windows Defender will catch you!

SafetyKatz --> Modified Mimikatz. Dump LSASS to file and launch:sekurlsa::logonpasswords to that file SharpDump --> minidump for the process ID specified (LSASS by default) (Itsais that the extension of the final file is .gz but indeed it is.bin, but is agz file) SharpRoast -->Kerberoast (doesn't work) SeatBelt --> Local Security Tests in CS (does not work) https://github.com/GhostPack/Seatbelt/blob/master/Seatbelt/Program.csarrow-up-right Compiler-CSharp --> Compile using csc.exe /unsafe Sharp-Up -->Allchecks in C# in powerup (works) Inveigh --> PowerShellADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool (doesn't works, need to load: https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1\arrow-up-right) Invoke-InternalMonologue --> impersonates all available users and retrieves a challenge-response for each (NTLM hash for each user) (bad url) Invoke-PowerThIEf --> Steal forms from IExplorer or make it execute JS or inject a DLL in that process (doesnt work) (and the PS looks like doesnt work either) https://github.com/nettitude/Invoke-PowerThIEf/blob/master/Invoke-PowerThIEf.ps1arrow-up-right LaZagneForensic --> Get browser passwords (works but dont prints the output directory) dumpCredStore --> Win32 Credential Manager API (https://github.com/zetlen/clortho/blob/master/CredMan.ps1\arrow-up-right) https://www.digitalcitizen.life/credential-manager-where-windows-stores-passwords-other-login-detailsarrow-up-right Get-InjectedThread --> Detect classic injection in running processes (Classic Injection (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread)) (doesnt works) Get-OSTokenInformation --> Get Token Info of the running processes and threads (User, groups, privileges, owner… https://docs.microsoft.com/es-es/windows/desktop/api/winnt/ne-winnt-_token_information_class\arrow-up-right) Invoke-DCOM --> Execute a command (inother computer) via DCOM (http://www.enigma0x3.net.\arrow-up-right) (https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/\arrow-up-right) Invoke-DCOMPowerPointPivot --> Execute a command in othe PC abusing PowerPoint COM objects (ADDin) Invoke-ExcelMacroPivot --> Execute a command in othe PC abusing DCOM in Excel Find-ComputersWithRemoteAccessPolicies --> (not working) (https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo/\arrow-up-right) Grouper --> It dumps all the most interesting parts of group policy and then roots around in them for exploitable stuff. (deprecated) Take a look at Grouper2, looks really nice Invoke-WMILM --> WMI to move laterally Get-GPPPassword --> Look for groups.xml, scheduledtasks.xml, services.xmland datasources.xml and returns plaintext passwords (insidedomain) Invoke-Mimikatz --> Use mimikatz (default dump creds) PowerUp --> https://github.com/PowerShellMafia/PowerSploit/tree/master/Privescarrow-up-right Find-BadPrivilege --> Check the privileges of users in computers Find-PotentiallyCrackableAccounts --> retrieve information about user accounts associated with SPN (Kerberoasting) psgetsystem --> getsystem

Didn't check persistence modules

hashtag
Resume

I really like the feeling and the potential of the tool. I hope the tool will start downloading the modules from the server and integrates some kind of evasion when downloading scripts.

PreviousCrypto CTFs TricksNextEmpire

Last updated