Command Line Flags¶
The following command line flags can be used when executing Merlin agent:
Merlin Agent -debug Enable debug output -host string HTTP Host header -ja3 string JA3 signature string (not the MD5 hash). Overrides -proto flag -killdate string The date, as a Unix EPOCH timestamp, that the agent will quit running (default "0") -maxretry string The maximum amount of failed checkins before the agent will quit running (default "7") -padding string The maximum amount of data that will be randomly selected and appended to every message (default "4096") -proto string Protocol for the agent to connect with [https (HTTP/1.1), http (HTTP/1.1 Clear-Text), h2 (HTTP/2), h2c (HTTP/2 Clear-Text), http3 (QUIC or HTTP/3.0)] (default "h2") -proxy string Hardcoded proxy to use for http/1.1 traffic only that will override host configuration -psk string Pre-Shared Key used to encrypt initial communications (default "merlin") -skew string Amount of skew, or variance, between agent checkins (default "3000") -sleep string Time for agent to sleep (default "30s") -url string Full URL for agent to connect to (default "https://127.0.0.1:443") -useragent string The HTTP User-Agent header string that Agent will use while sending traffic (default "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36") -v Enable verbose output -version Print the agent version and exit
By default, the Merlin Agent will not write anything to STDOUT while it is running. The
-debug flag enables debug output and facilitates troubleshooting to identify the source of a problem.
-host flag is used to specify the HTTP Host: header when communicating with the server. This feature is predominately used for Domain Fronting.
JA3 is a method for fingerprinting TLS clients on the wire. Every TLS client has a unique signature depending on its configuration of the following TLS options:
-ja3 flag allows the agent to create a TLS client based on the provided JA3 hash signature. This is useful to evade detections based on a JA3 hash for a known tool (i.e. Merlin). This article documents a JA3 fingerprint for Merlin. Known JA3 signatures can be downloaded from https://ja3er.com/
NOTE: Make sure the input JA3 hash will enable communications with the Server. For example, if you leverage a JA3 hash that only supports SSLv2 and the server does not support that protocol, then they will not be able to communicate. The
-ja3 flag will override the the
-proto flag and will cause the agent to use the protocol provided in the JA3 hash.
-killdate flag is used to specify the date, as an Unix epoch timestamp, that the agent should quit running. EpochConverter is a good resource to generate or convert a timestamp. The default value is
0 which means the Agent does not have a killdate.
-maxretry flag is the maximum amount of failed checkins before the agent will quit running. The default value is 7.
-padding flag is maximum amount of data that will be randomly selected and appended to every message. The default value is 4096 bytes. The data padding is intended to increase the detection difficulty for idle checkin behavior when the message size was fixed everytime.
-proto flag specifies what protocol the Merlin Agent will use to communicate with the server
http protocol communicates using the clear-text HTTP/1.1 protocol. This can be useful when leveraging Domain Fronting on a CDN that does not allow both fronting and TLS encrypted traffic.
https protocol communicates using SSL/TLS encrypted HTTP/1.1 protocol.
h2c protocol communicates using the clear-text HTTP/2 protocol. This clear-text version is not used by web browsers like Chrome and may stand out during traffic analysis. However, it also has the potential to evade detections if allowed out of the network and no network defenses are able to parse the traffic.
h2 protocol communicates using the TLS encrypted HTTP/2 protocol. This will start the connection with prior knowledge and will not negotiate from HTTP/1.1 to HTTP/2. Some web proxies will not allow HTTP/2 communications. In this case you should use
https. Alternatively, the HTTP/2 protocol might bypass network defenses or detections.
http3 protocol communicates using HTTP/2 transported over QUIC known as HTTP/3. It is important to note that QUIC is a UDP protocol and may not be allowed of the network depending on egress filtering. QUIC uses TLS transport encryption.
-proxy flag is used to force HTTP/1.1 communications to go through a known proxy. At this time the Merlin Agent WILL NOT automatically detect if a host is configured to use a proxy. The HTTP/2 protocol does not support using a proxy. If a proxy is required to egress a network, use the
-psk flag is used to specify the Pre-Shared Key (PSK) that the Merlin Agent uses to initiate communication with the Merlin Server. The first message is encrypted with the PSK and subsequent messages establish a new session based encryption key using the OPAQUE protocol from this IETF draft. Additional information about OPAQUE can be found here: Merlin Goes OPAQUE for Key Exchange.
-skew flag is the amount of skew, or variance, between agent checkins. The default value is 3000
-sleep flag is used to specify how long the agent will sleep between checkin attempts. NOTE: You must include the unit of measurement after the number. For example,
30s is for thirty seconds and
1m is for one minute.
-url flag is used to specify the Uniformed Resource Locator (URL) that the agent will attempt to communicate with. Include the protocol (i.e.
https), the host (i.e.
127.0.0.1), the page (i.e
/news.php), and optionally port (i.e.
:443). This will result in
https://127.0.0.1:443/. NOTE: By default the Merlin agent will communicate on the loopback adapter.
-useragent flag is the HTTP User-Agent header string that the Agent will use while sending traffic. The default value is:
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36.
-v flag enables verbose output. By default a running Merlin Agent will not write any information to STDOUT. This can be used to see what the agent is doing along with what commands it is receiving.
-version flag will print the Agent version to the screen and then exit.