Using Merlin agents to evade detection


While penetration testing and red teaming are crucial for checking a system's security and validating potential entry points into the infrastructure, establishing an initial foothold on the target can be a real challenge: host IDS agents, host firewalls and antivirus can block the implant itself, and security appliances inspecting internal network traffic can spot its command-and-control channel.

This article introduces Merlin and its agents and shows how ethical professionals can use them to evade antivirus (AV) signature detection and to avoid detection on the network by security appliances such as network IDS/IPSes and firewalls, as well as by endpoint detection and response (EDR) solutions.

What is Merlin?

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control (C&C) server written in Go. It follows a client-server architecture and uses the HTTP/2 protocol for all communication between the server and the agents running on the compromised hosts.

Figure 1 below shows how Merlin could be employed during a security assessment.

Figure 1: High-level diagram of Merlin cross-platform post-exploitation over HTTP/2 protocol, bypassing network detection mechanisms and AV signature detection.

Merlin is composed of two parts: the server and the agents. Because Go cross-compiles with nothing more than the GOOS and GOARCH settings, both components can be built for any supported platform (Windows, macOS and Linux), and a server compiled for Linux can handle agents compiled for every other platform, e.g., Windows. This makes Merlin a genuinely multi-platform tool that can be used in penetration-testing scenarios to take advantage of HTTP/2 in order to get past security appliances and even AV detection.

Bypassing security appliances using the HTTP/2 protocol

By using the HTTP/2 protocol during Merlin connections, we achieve a better use of network resources and a reduced perception of latency by introducing header field compression and allowing multiple concurrent exchanges on the same (Read more...)
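As an added illustration of the server/agent split described under "What is Merlin?" and of the HTTP/2 channel discussed in this section, the Go program below stands up a loopback TLS server that plays the C&C role and a client that plays the agent, runs one check-in with HTTP/2 enabled and one without, and reports which protocol each side actually spoke. This is example code written for this page, not Merlin's own; the beacon and task JSON shapes, the `/checkin` path and the `X-Negotiated-Protocol` header are assumptions made for the example and are not Merlin's wire format.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Beacon is this example's own check-in message; its fields are an
// assumption for illustration and not Merlin's real wire format.
type Beacon struct {
	AgentID  string `json:"agent_id"`
	Platform string `json:"platform"`
}

// Task is the reply the example server hands back to the agent
// (again this example's own shape, not Merlin's).
type Task struct {
	ID      string `json:"id"`
	Command string `json:"command"`
}

// CheckinResult records what each side of one exchange observed.
type CheckinResult struct {
	ClientProto string // protocol the agent's HTTP client actually spoke
	ServerALPN  string // ALPN value the server saw during the TLS handshake
	Task        Task   // task the agent received
}

// newC2Server starts a loopback TLS server. With enableHTTP2 the listener
// advertises "h2" via ALPN, so a capable client negotiates HTTP/2; without
// it the server only offers "http/1.1".
func newC2Server(enableHTTP2 bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/checkin", func(w http.ResponseWriter, r *http.Request) {
		var b Beacon
		if err := json.NewDecoder(r.Body).Decode(&b); err != nil {
			http.Error(w, "bad beacon", http.StatusBadRequest)
			return
		}
		// NegotiatedProtocol is the ALPN result. The same value is sent in
		// the clear during the TLS handshake, so a passive network sensor
		// sees "h2" even though everything after the handshake is encrypted.
		w.Header().Set("X-Negotiated-Protocol", r.TLS.NegotiatedProtocol)
		_ = json.NewEncoder(w).Encode(Task{ID: "t1", Command: "whoami"})
	})
	srv := httptest.NewUnstartedServer(mux)
	srv.EnableHTTP2 = enableHTTP2
	srv.StartTLS()
	return srv
}

// checkin plays the agent: it posts a beacon and decodes the returned task.
// srv.Client() trusts the test certificate and, when the server enabled
// HTTP/2, is configured to attempt HTTP/2 itself.
func checkin(srv *httptest.Server, b Beacon) (CheckinResult, error) {
	body, err := json.Marshal(b)
	if err != nil {
		return CheckinResult{}, err
	}
	resp, err := srv.Client().Post(srv.URL+"/checkin", "application/json", bytes.NewReader(body))
	if err != nil {
		return CheckinResult{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return CheckinResult{}, fmt.Errorf("server returned %s", resp.Status)
	}
	var t Task
	if err := json.NewDecoder(resp.Body).Decode(&t); err != nil {
		return CheckinResult{}, err
	}
	return CheckinResult{
		ClientProto: resp.Proto,
		ServerALPN:  resp.Header.Get("X-Negotiated-Protocol"),
		Task:        t,
	}, nil
}

// RunExchange brings up a server with or without HTTP/2, performs one
// agent check-in against it, and returns what both sides saw.
func RunExchange(enableHTTP2 bool) (CheckinResult, error) {
	srv := newC2Server(enableHTTP2)
	defer srv.Close()
	return checkin(srv, Beacon{AgentID: "demo-agent", Platform: "linux/amd64"})
}

func main() {
	for _, h2 := range []bool{true, false} {
		res, err := RunExchange(h2)
		if err != nil {
			fmt.Println("exchange failed:", err)
			continue
		}
		fmt.Printf("EnableHTTP2=%-5v client spoke %-8s server ALPN=%q task=%s\n",
			h2, res.ClientProto, res.ServerALPN, res.Task.Command)
	}
}
```

Run it with `go run`. The server's `EnableHTTP2` switch is what changes the ALPN offer from `http/1.1` to `h2`; the client needs nothing beyond the standard `net/http` package, which is why a Go agent gets HTTP/2 for free. The practitioner's caveat sits in the handler comment: HTTP/2's binary framing and header compression are hidden from an appliance that does not terminate TLS, but the ALPN value (`h2`) and the SNI name are sent in the clear in the handshake, so "invisible to the IDS" really means "an opaque TLS session with a visible h2 ALPN", which a sensor can still log, count and baseline.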

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Pedro Tavares.