Listener Menu¶
Main¶
help¶
The help command is used to view available commands for the Listener menu. Tab completion can be used at any time to provide the user a list of commands that can be selected.
COMMAND | DESCRIPTION | OPTIONS
+-----------+--------------------------------+--------------------------------+
back | Return to the main menu |
configure | Interact with and configure a | configure <listener_name>
| named listener to modify it |
delete | Delete a named listener | delete <listener_name>
info | Display all information about | info <listener_name>
| a listener |
interact | Interact with an agent | interact <agent_id>
list | List all created listeners |
main | Return to the main menu |
sessions | List all agents session |
| information. Alias for MSF |
| users |
start | Start a named listener | start <listener_name>
stop | Stop a named listener | stop <listener_name>
use | Create a new listener by | use
| protocol type | [http,https,http2,http3,h2c]
! | Execute a command on the host | !<command> <args>
| operating system |
back¶
The back command is used to move one level back. In this case the command will return the user to the Main Menu.
Merlin[listeners]» back
Merlin»
configure¶
The configure command is used to operate, or configure, a previously created listener.
NOTE: Cycle through the available listeners using the tab key after the info command.
Merlin[listeners]» configure Default
Merlin[listeners][Default]»
delete¶
The delete command is used to delete a listener by its name. The user will be prompted for confirmation to prevent accidentally deleting a listener.
NOTE: Cycle through the available listeners using the tab key after the delete command.
Merlin[listeners]» delete Default
Are you sure you want to delete the Default listener? [yes/NO]:
yes
Merlin[listeners]»
[+] deleted listener Default:0db5969e-2fa5-4f6d-8ec8-e07eaf4bf2c2
Merlin[listeners]»
info¶
The info command is used to display information about a previously created Listener.
Note
Cycle through the available listeners using the tab key after the info command.
- Protocol: The communication protocol the listener will use
- Name: The operator defined name for the listener
- Port: The port that the listener will bind to
- PSK: The Pre-Shared Key (PSK) that the listener will use for initial communication with an agent
- URLS: The URLs that the listener will answer on for agent communications
- X509Cert: The file path to the SSL/TLS x509 public certificate the listener will use
- X509Key: The file path to the SSL/TLS x509 key file the listener will use
- Description: The operator defined description of the listener
- ID: A unique identifier for the instantiated listener
- Interface: The network interface that the listener will bind to. Use
0.0.0.0for ALL interfaces
Merlin[listeners]» info Default
+-------------+-----------------------------------------------------------------+
| NAME | VALUE |
+-------------+-----------------------------------------------------------------+
| Protocol | HTTPS |
+-------------+-----------------------------------------------------------------+
| Name | Default |
+-------------+-----------------------------------------------------------------+
| Port | 443 |
+-------------+-----------------------------------------------------------------+
| PSK | merlin |
+-------------+-----------------------------------------------------------------+
| URLS | / |
+-------------+-----------------------------------------------------------------+
| X509Cert | |
+-------------+-----------------------------------------------------------------+
| X509Key | |
+-------------+-----------------------------------------------------------------+
| Description | Default listener |
+-------------+-----------------------------------------------------------------+
| ID | aa020d5c-7c1a-4781-9d1d-e7c659d126f9 |
+-------------+-----------------------------------------------------------------+
| Interface | 127.0.0.1 |
+-------------+-----------------------------------------------------------------+
interact¶
The interact command takes one argument, the agent ID, and is used to switch agents and interact with a different, specified agent.
Note
Use the built-in tab completion to cycle through and select the agent to interact with.
Merlin[agent][c22c435f-f7c4-445b-bcd4-0d4e020645af]» interact d07edfda-e119-4be2-a20f-918ab701fa3c
Merlin[agent][d07edfda-e119-4be2-a20f-918ab701fa3c]»
list¶
The list command returns a list of all created listeners to include some configuration information and status.
Merlin[listeners]» list
+---------+-----------+------+----------+---------+------------------+
| NAME | INTERFACE | PORT | PROTOCOL | STATUS | DESCRIPTION |
+---------+-----------+------+----------+---------+------------------+
| Default | 127.0.0.1 | 443 | HTTPS | Running | Default listener |
| HTTP3 | 127.0.0.1 | 443 | HTTP3 | Running | Default listener |
| H2C | 127.0.0.1 | 80 | H2C | Running | Default listener |
+---------+-----------+------+----------+---------+------------------+
sessions¶
The sessions command is used to quickly list information about established agents from the main menu to include their status.
The sessions command is available from any menu in the CLI.
- AGENT GUID - A unique identifier for every running instance
- TRANSPORT - The protocol the agent is communicating over
- PLATFORM - The operating system and architecture the agent is running on
- HOST - The hostname where the agent is running
- USER - The username that hte agent is running as
- PROCESS - The Agent’s process name followed by its Process ID (PID) in parenthesis
- STATUS - The Agent’s communication status of either active, delayed, or dead
- LAST CHECKIN - The amount of time that has passed since the agent last checked in
- NOTE - A free-form text area for operators to record notes about a specific agent; tracked server-side only
Merlin» sessions
AGENT GUID | TRANSPORT | PLATFORM | HOST | USER | PROCESS | STATUS | LAST CHECKIN | NOTE
+--------------------------------------+-----------------+---------------+-----------------+---------------------+------------------------------------------+--------+--------------+-----------------+
d07edfda-e119-4be2-a20f-918ab701fa3c | HTTP/2 over TLS | linux/amd64 | ubuntu | rastley | main(200769) | Active | 0:00:08 ago | Demo Agent Here
start¶
The start command is used to start a previously created and stopped Listener by its name.
NOTE: Cycle through the available listeners using the tab key after the start command.
Merlin[listeners]» start Default
Merlin[listeners]»
[+] Restarted Default HTTPS listener on 127.0.0.1:443
[!] Insecure publicly distributed Merlin x.509 testing certificate in use for https server on 127.0.0.1:443
Additional details: https://github.com/Ne0nd0g/merlin/wiki/TLS-Certificates
Merlin[listeners]»
stop¶
The stop command is used to stop a previously created Listener by its name.
NOTE: Cycle through the available listeners using the tab key after the stop command.
Merlin[listeners]» stop Default
Merlin[listeners]»
[+] Default listener was stopped
Merlin[listeners]»
use¶
The use command is leveraged to create a new listener. The use command expects the listener type, by protocol, to follow. Press enter to select a template for the listener type. View the ?? section for additional information on creating a listener.
NOTE: Cycle through the available listener types using the tab key after the use command.
Merlin[listeners]» use http3
Merlin[listeners][http3]»
!¶
Any command that begins with a ! (a.k.a bang or exclamation point) will be executed on host itself where the Merlin server is running. This is useful when you want simple information, such as your interface address, without having to open a new terminal.
Merlin» !ip a show ens32
[i] Executing system command...
[+] 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:z3:ff:91 brd ff:ff:ff:ff:ff:ff
inet 192.168.211.221/24 brd 192.168.211.255 scope global dynamic noprefixroute ens32
valid_lft 1227sec preferred_lft 1227sec
inet6 fe80::a71d:1f6a:a0d1:7985/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Merlin»
Instantiated¶
This menu is accessed by issuing the the interact command followed by the name of previously created (instantiated) Listener. The help command is used to view available commands for the instantiated Listener menu. Tab completion can be used at any time to provide the user a list of commands that can be selected.
Merlin[listeners]» configure Default
Merlin[listeners][Default]» help
COMMAND | DESCRIPTION | OPTIONS
+---------+--------------------------------+------------------------+
back | Return to the listeners menu |
delete | Delete this listener | delete <listener_name>
info | Display all configurable |
| information the current |
| listener |
interact| Interact with an agent | interact <agent_id>
main | Return to the main menu |
restart | Restart this listener |
sessions| List all agents session |
| information. Alias for MSF |
| users |
set | Set a configurable option | set <option_name>
show | Display all configurable |
| information about a listener |
start | Start this listener |
status | Get the server's current |
| status |
stop | Stop the listener |
* | Anything else will be execute |
| on the host operating system |
Listener Help Menu
back¶
The back command is used to move one level back. In this case the command will return the user to the root Listener menu.
Merlin[listeners][Default]» back
Merlin[listeners]»
delete¶
The delete command is used to delete the Listener you are currently interacting with, indicated in the square brackets in the Merlin prompt. The user will be prompted for confirmation to prevent accidentally deleting a listener.
Merlin[listeners][Default]» delete
Are you sure you want to delete the Default listener? [yes/NO]:
yes
Merlin[listeners]»
info¶
The info command is used to display information about the Listener you are currently interacting with, indicated in the square brackets in the Merlin prompt.
Merlin[listeners][Default]» info
+-------------+--------------------------------------+
| NAME | VALUE |
+-------------+--------------------------------------+
| Name | Default |
+-------------+--------------------------------------+
| ID | 2e3025e8-6e8e-4fe1-b69c-5d248e34068c |
+-------------+--------------------------------------+
| Interface | 127.0.0.1 |
+-------------+--------------------------------------+
| Port | 443 |
+-------------+--------------------------------------+
| Protocol | HTTPS |
+-------------+--------------------------------------+
| PSK | merlin |
+-------------+--------------------------------------+
| URLS | / |
+-------------+--------------------------------------+
| X509Cert | |
+-------------+--------------------------------------+
| X509Key | |
+-------------+--------------------------------------+
| Description | Default listener |
+-------------+--------------------------------------+
| Status | Running |
+-------------+--------------------------------------+
Merlin[listeners][Default]»
restart¶
The restart command stops the current listener and then immediately starts it. This is useful to apply configuration changes made with the set command.
Merlin[listeners][Default]» restart
[-] Certificate was not found at:
Creating in-memory x.509 certificate used for this session only
Merlin[listeners][Default]»
[+] Default listener was successfully restarted
Merlin[listeners][Default]»
set¶
The set command is used to set the value of a configurable option for the Listener you are currently interacting with. Use the show command to see a list of configurable options.
NOTE: Cycle through the available configurable options for the current Listener using the tab key after the set command.
Merlin[listeners][Default]» set Name AcmeHTTPS
Merlin[listeners][Default]»
[+] set Name to: AcmeHTTPS
Merlin[listeners][Default]» set Description Main listener for Acme hacks
Merlin[listeners][Default]»
[+] set Description to: Main listener for Acme hacks
Merlin[listeners][Default]»
Merlin[listeners][Default]» info
+-------------+--------------------------------------+
| NAME | VALUE |
+-------------+--------------------------------------+
| Port | 443 |
+-------------+--------------------------------------+
| URLS | / |
+-------------+--------------------------------------+
| X509Key | |
+-------------+--------------------------------------+
| Description | Main listener for Acme hacks |
+-------------+--------------------------------------+
| Name | AcmeHTTPS |
+-------------+--------------------------------------+
| ID | 2e3025e8-6e8e-4fe1-b69c-5d248e34068c |
+-------------+--------------------------------------+
| Interface | 127.0.0.1 |
+-------------+--------------------------------------+
| Protocol | HTTPS |
+-------------+--------------------------------------+
| PSK | merlin |
+-------------+--------------------------------------+
| X509Cert | |
+-------------+--------------------------------------+
| Status | Running |
+-------------+--------------------------------------+
Merlin[listeners][Default]»
show¶
The show command is used to show a table of all configurable options.
Merlin[listeners][Default]» show
+-------------+--------------------------------------+
| NAME | VALUE |
+-------------+--------------------------------------+
| PSK | merlin |
+-------------+--------------------------------------+
| Name | AcmeHTTPS |
+-------------+--------------------------------------+
| X509Cert | |
+-------------+--------------------------------------+
| X509Key | |
+-------------+--------------------------------------+
| Description | Main listener for Acme hacks |
+-------------+--------------------------------------+
| ID | 2e3025e8-6e8e-4fe1-b69c-5d248e34068c |
+-------------+--------------------------------------+
| Interface | 127.0.0.1 |
+-------------+--------------------------------------+
| Port | 443 |
+-------------+--------------------------------------+
| Protocol | HTTPS |
+-------------+--------------------------------------+
| URLS | / |
+-------------+--------------------------------------+
| Status | Running |
+-------------+--------------------------------------+
Merlin[listeners][Default]»
start¶
The start command is used to start the current Listener you are interacting with, indicated in the square brackets in the Merlin prompt.
Merlin[listeners][Default]» start
[-] Certificate was not found at:
Creating in-memory x.509 certificate used for this session only
Merlin[listeners][Default]»
[+] Restarted Default HTTPS listener on 127.0.0.1:443
Merlin[listeners][Default]»
status¶
The status command is used to quickly determine if the Listener’s server you are currently interacting with is running or stopped.
Merlin[listeners][Default]» status
Merlin[listeners][Default]»
Running
Merlin[listeners][Default]»
stop¶
The stop command is used to stop the current Listener you are interacting with, indicated in the square brackets in the Merlin prompt.
Merlin[listeners][Default]» stop
Merlin[listeners][Default]»
[+] Default listener was stopped
Merlin[listeners][Default]»
!¶
Any command that begins with a ! (a.k.a bang or exclamation point) will be executed on host itself where the Merlin server is running. This is useful when you want simple information, such as your interface address, without having to open a new terminal.
Merlin» !ip a show ens32
[i] Executing system command...
[+] 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:z3:ff:91 brd ff:ff:ff:ff:ff:ff
inet 192.168.211.221/24 brd 192.168.211.255 scope global dynamic noprefixroute ens32
valid_lft 1227sec preferred_lft 1227sec
inet6 fe80::a71d:1f6a:a0d1:7985/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Merlin»
Template¶
The Listener Template menu is accessed by issuing the use command followed by a valid listener type from the Listener Main menu. The help command is used to view available commands for the Listener menu. Tab completion can be used at any time to provide the user a list of commands that can be selected.
Merlin[listeners]» use https
Merlin[listeners][https]» help
COMMAND | DESCRIPTION | OPTIONS
+---------+--------------------------------+-------------------+
back | Return to the listeners menu |
execute | Create and start the listener |
| (alias) |
info | Display all configurable |
| information about a listener |
interact| Interact with an agent | interact <agent_id>
main | Return to the main menu |
run | Create and start the listener |
| (alias) |
sessions| List all agents session |
| information. Alias for MSF |
| users |
set | Set a configurable option | set <option_name>
show | Display all configurable |
| information about a listener |
start | Create and start the listener |
* | Anything else will be execute |
| on the host operating system |
Listener Setup Help Menu
back¶
The back command is used to move one level back. In this case the command will return the user to the root Listener menu.
Merlin[listeners][https]» back
Merlin[listeners]»
execute¶
The execute command is used to create and start the Listener from the configured template options. This is an alias for the start command.
Merlin[listeners]» use https
Merlin[listeners][https]» execute
[!] Insecure publicly distributed Merlin x.509 testing certificate in use for https server on 127.0.0.1:443
Additional details: https://github.com/Ne0nd0g/merlin/wiki/TLS-Certificates
[+] Default listener was created with an ID of: f6826564-000a-4edf-94b2-b79ee7d892a5
[+] Started HTTPS listener on 127.0.0.1:443
Merlin[listeners][Default]»
info¶
The info command is used to display the Listener template configurable options and their current value.
Merlin[listeners]» use https
Merlin[listeners][https]» info
+-------------+------------------+
| NAME | VALUE |
+-------------+------------------+
| PSK | merlin |
+-------------+------------------+
| Interface | 127.0.0.1 |
+-------------+------------------+
| Port | 443 |
+-------------+------------------+
| URLS | / |
+-------------+------------------+
| X509Cert | |
+-------------+------------------+
| X509Key | |
+-------------+------------------+
| Name | Default |
+-------------+------------------+
| Description | Default listener |
+-------------+------------------+
| Protocol | https |
+-------------+------------------+
Merlin[listeners][https]»
run¶
The run command is used to create and start the Listener from the configured template options. This is an alias for the start command.
Merlin[listeners]» use https
Merlin[listeners][https]» run
[!] Insecure publicly distributed Merlin x.509 testing certificate in use for https server on 127.0.0.1:443
Additional details: https://github.com/Ne0nd0g/merlin/wiki/TLS-Certificates
[+] Default listener was created with an ID of: 632db67c-7045-462f-bf09-aea90272aed5
Merlin[listeners][Default]»
[+] Started HTTPS listener on 127.0.0.1:443
Merlin[listeners][Default]»
set¶
The set command is used to set the value of a configurable option for the Listener you are currently interacting with. Use the show command to see a list of configurable options.
NOTE: Cycle through the available configurable options for the current Listener using the tab key after the set command.
Merlin[listeners]» use https
Merlin[listeners][https]» set Name Merlin Demo Listener
[+] set Name to: Merlin Demo Listener
Merlin[listeners][https]»
show¶
The show command is used to display the Listener template configurable options and their current value.
Merlin[listeners][https]» show
+-------------+-----------------------------------------------------------------+
| NAME | VALUE |
+-------------+-----------------------------------------------------------------+
| URLS | / |
+-------------+-----------------------------------------------------------------+
| X509Cert | /home/joe/go/src/github.com/Ne0nd0g/merlin/data/x509/server.crt |
+-------------+-----------------------------------------------------------------+
| Protocol | https |
+-------------+-----------------------------------------------------------------+
| Interface | 127.0.0.1 |
+-------------+-----------------------------------------------------------------+
| Port | 443 |
+-------------+-----------------------------------------------------------------+
| PSK | merlin |
+-------------+-----------------------------------------------------------------+
| X509Key | /home/joe/go/src/github.com/Ne0nd0g/merlin/data/x509/server.key |
+-------------+-----------------------------------------------------------------+
| Name | Merlin Demo Listener |
+-------------+-----------------------------------------------------------------+
| Description | Default listener |
+-------------+-----------------------------------------------------------------+
Merlin[listeners][https]»
start¶
The start command is used to create and start the Listener from the configured template options.
Merlin[listeners]» use https
Merlin[listeners][https]» start
[+] Default listener was created with an ID of: 20b337ba-01d4-44eb-9ebd-cdebf156967e
[+] Started HTTPS listener on 127.0.0.1:443
[!] Insecure publicly distributed Merlin x.509 testing certificate in use for https server on 127.0.0.1:443
Additional details: https://github.com/Ne0nd0g/merlin/wiki/TLS-Certificates
Merlin[listeners][Default]»
!¶
Any command that begins with a ! (a.k.a bang or exclamation point) will be executed on host itself where the Merlin server is running. This is useful when you want simple information, such as your interface address, without having to open a new terminal.
Merlin» !ip a show ens32
[i] Executing system command...
[+] 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:z3:ff:91 brd ff:ff:ff:ff:ff:ff
inet 192.168.211.221/24 brd 192.168.211.255 scope global dynamic noprefixroute ens32
valid_lft 1227sec preferred_lft 1227sec
inet6 fe80::a71d:1f6a:a0d1:7985/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Merlin»