Russel Van Tuyl - HTTP/2 Magic with Merlin

are you taking the time to come listen to my talk have you any of you guys been to the wasp talk on this before because if you have you probably have already seen it and can you hear me now all right anyway as I was saying thanks that have if any of you have been out to my talk this will be the exact same talk so you can probably save yourself the time and and go watch something else a little more entertaining than this one but if you haven't glad think thanks for being here there's gonna walk through some protocol stuff with AC to be - real quick let me stretch my arm really far

feel like I need to straddle this mic alright so today we're going to talk about HTTP to as many of you guys heard of that protocol before if you raise your hand I couldn't see anyway so I'm just gonna assume you are raising your hand back there lots of hands went up lots and lots of hands we will talk a little bit about TLS and perfect forward secrecy the reason for that is because it's a primitive that you need to understand when we talk about some of the other capabilities that work with the protocol I'll talk to you about how you can maybe look to see if you're using any HTTP to enabled applications because you probably all right now if

you didn't know it and then I'll get into my favorite part and we'll talk about blue team defenses and kind of red team activities and then I'll wrap it up with the demonstration of a tool I wrote called Merlin I think some of you guys are dying to know what Merlin is so isolated yeah yeah also I got a I got some free stickers if you guys want a sticker for the logo from Merlin come see me afterwards I got plenty to hand out that was a the way I try to talk people to come to my talk was by offering free stuff everybody likes free stuff

all right you can't you can't actually read that still but anybody want to guess how old HTTP is as a communication protocol any of you guys like been around like when the internet was first invented plus yeah 20 plus all right the very first version of HTTP was version 0.9 current version is obviously 1.1 and 2.0 0.9 came out in 1991 where some of you even born in 1991 all right and then we came up with version 1.0 and 1.1 think with HTTP to know is that when it first came out it was designed to be like a stateless protocol to have communications back with each other if you were probably use an internet when

it kind of first came out or way back in the day the web pages weren't that big you'd request something you'd get something back HTTP wasn't designed for the things that we use it for today most of you are probably pretty familiar with thick web applications and it's like just using a desktop app but it's in your browser leveraging that protocol in the background so there's a lot going on there on that and so what happened was Google had decided that you know HTTP 1.1 is a little too slow for the needs so they needed a new protocol and so they decided to come up with HTTP 2 well let me back up a second on that Google

had a protocol before that called speedy anybody heard of that one from Google speedy you've heard of speedy alright so it pretty much happened as Google was developing a protocol called speedy and then someone from the IETF said hey we need to turn that into actual protocol and they've pretty much adopted speedy and turn that into HTTP HTTP version 2 one of the key things that they had to do with HTTP 2 is make sure that it maintained backwards compatibility if you notice when you use the HTTP 2 application the URL stays the same you know it's the protocol and address you're trying to access everything has to stay backwards compatible that it wouldn't have to develop new tools and

stuff to be able to use that protocol there are a lot of unique things about http/2 that makes it different than version 1.1 one of them is that the protocol is multiplexed means instead of on HTTP 1 it would just send one request and get one response and one request get one response for the multiplex they can send a bunch of requests at one time in one packet going off and another key feature of HTTP 2 is that it's bi-directional communications can go back and forth like a regular TCP connection original web worked on TCP but I didn't act like the TCP protocol didn't maintain a state or a session go back and forth which is why you have

cookies to kind of maintain that state information but with HTTP 2 you can kind of go you can go bi-directional go both ways and then any of you guys ever done any a packet analysis on maybe a web traffic to kind of look at in Wireshark anyone look at water sparking packets yeah and we need to open it up and you just be followed the the HTTP stream what do you see you just see the text you just see the text go so you can just breathe it in human readable text format HTTP 2 is a binary protocol it's not text it's not human readable you can't just like open a pack and look at it

without a protocol analyzer to go on top of it so that makes it more of a challenge it makes it great for traffic going back and forth because it compressed the data down and it gets rid of vulnerabilities that come with handling packets to figure out where the line terminations are and what the spacing character is and all that kind of stuff are so HTTP 2 is a binary protocol which makes it drastically different than HTTP 1.1 and then if you guys have looked at web traffic you'll notice there's usually a stack of headers that go on every web request with HTTP 2 they use another protocol called H pack and they do compression on

the headers so it's usually the same data going back and forth on a on a web request usually the same header so that they're every time going back and forth and so H pack just compresses that down so it makes the traffic more efficient going back and forth and I think the biggest one is that http/2 has this thing called server push and a lot of that has to do with head-of-line blocking anybody use like Facebook out there anybody yeah I don't know I don't know what it is when you request that web page what happens is your your web browser says hey Facebook be me though give me the Facebook web page and then

it starts asking for all these other files like CSS files and pictures and JavaScript libraries and multimedia and all kinds of other stuff but each one of those are serial they happen in one request and then they get one response and they can ask for the next one and if they don't get all the requests the web page doesn't load so back in the early days if you had any frustrations looking at web pages you're just waiting for it to load it's probably in the background requesting all those contents that won't actually display and so it gets all the pieces in and so what that's called as head-of-line blocking there's one big thing that's blocking the rest of your

web application at download while it's like waiting to load so with HTTP 2 they have this thing called server push promise and basically the the web server says I know you're gonna need this so I'm just gonna go ahead and send it to you because they have that bi-directional TCP connection it doesn't have to wait for the client to request it the web server can just say I know you're gonna need this and send it off so that becomes super efficient when you're working with HTTP two the one thing you do need to know is that in order for that to work the web application has to be configured that way it doesn't just work out of the box

you have to write the web app to say I'm going to push that stuff down so that comes in handy later on

so earlier I mentioned that http/2 needs to maintain backwards compatibility and kind of one of the quickest ways to do that is if you're talking on an HTTP 1.1 connection and you need to upgrade your connection to a version 2 connection that the protocol is defined sorry the protocol is called in two different formats either h2 which you see up there in the upper left hand corner h2 stands for HTTP 2 and H 2 C stands for HTTP 2 over clear text another interesting thing when Google was developing speedy they pretty much said hey this protocol is gonna always be encrypted we're never not using an unencrypted communication channel like you know regular HTTP if

you guys are from the with that and you can just read everything in the clear as it goes across the wire Google is very adamant I like we're not we're not doing any unencrypted stuff everything's gonna stay encrypted but they lost the fight against the IETF board on actually standardizing the protocol the board was like well what if someone develops a package I can't handle encryption and they want to go back so they ultimately lost and there is actually a clear text version of HTTP - but I will say that your web browsers won't support it so Google was like fine if you're gonna you're gonna allow that protocol that's cool but we're not gonna

actually support it in our browser so your browser's won't actually supports HTTP - over clear text h2c communication channel but if you're using a 1.1 connection and you want to upgrade to a to do this happens on the back end you don't actually get to choose what you'll get is HTTP upgrade header and that will basically tell the web server that you need to upgrade your connection to a new one and when you do that what'll happen is you'll get back a 101 for switching protocols but here's kind of one of the neat things about the way the upgrade works what happens is the web server and the client establish a connection back and forth with each other and one of the

final steps after they finally got HTTP 2 going is as one final check to make sure that that both pieces can actually talk on HTTP 2 protocol they send what's called a connection string or sorry a connection preface or a magic string which you see right here and that magic string is the server basically sent of the client the letters PRI with a carriage return the aligned carriage return newline and the client responds back with the SM and that affirms that they can actually talk the HTTP protocol you know together that spells prizm I'd anybody remember like the NSA program like inspecting traffic called prism yeah so I think that's a PlayOn that I think someone was trying to basically

say we're gonna set this protocol up so it can't be affected by the prism program but I thought that was kind of an interesting fact it spells prism going on there

so here's just a screenshot like I was telling you before you can see the upgrade header and I have the h2 see and they are saying at what protocol I want to upgrade to again it could be h2 or h2c or there's actually another header called alt services header that you can use to upgrade to different protocols as well but this is basically how the web client tells us server that I wants to change to different one and again you can see down here it's switching protocols with the 101 status message and it's responding back with the prism message

TLS anybody know what version of the current version of TLS is 1.3 was actually just ratified about two or three weeks ago I was doing a presentation and someone called me out on it so that's why I know well I had to learn the hard way because someone asked me and I didn't know either so I thought I'd share that with you but one of the staples for HTTP to to work is it TLS 1.2 has to be a thing TLS 1.1 is not capable of doing HTTP 2 so if you have an old application that can't even support TLS 1.2 you can't use the protocol at all and TLS 1.2 has an extension called the application layer

protocol negotiation extension it's an extension of TLS and that's what's required to establish an HTTP 2 connection earlier I mentioned to you that if a clients currently talking to a web server and it wants to upgrade the connection then that do that but there are cases when you can actually negotiate HTTP 2 upfront without having to do that that client server talking to the web server and you do that through the TLS a OPN protocol and so what happens anybody know how it CLS handshake works yeah typically a client sends a client hello message saying hey I can talk to these cipher suites and these protocols and the server will respond back on it with what they're

gonna do this is a screenshot of a client sending a message to a server so you'll have the TCP handshake and then you'll have the TLS handshake and then once all that done then they'll start talking actually HTTP to at that point so those these things happen ahead before you've actually established a connection with the web server it's self talking on actual protocol do you notice down here this clients cable will talk in h2 which is HTTP to speedy 3.1 which I've mentioned to you you should probably still see that in some of your web browser traffic I believe Chrome's still supports speedy but again h2 is pretty much the latest version of speedy and then you can see at the bottom my

last service that I offer was HTTP 1.1

all right so I mentioned that a TLS is gonna be kind of a big big part of the game because that offers a encryption for the communication protocol and that's gonna come in handy later when I talk about Blue Team and Red Team stuff and it's kind of the premise of why this tool is very effective for me to come up with but one of the things that TLS are sorry that HTTP 2 uses is eff immoral diffie-hellman key exchange and elliptic curve diffie-hellman key exchange and what that means is that they have perfect forward secrecy you guys probably now have a web server and I probably have like RSA key exchange anybody for know if like that you know

you got that giant private key have any of you ever like tried to decrypt HTTP communication you needed a key to actually be crypt that stuff well with with Emerald key exchanges you actually there's no key to give anybody what happens is the client and the server negotiate well sorry they have a premaster secret and they use that premaster secret to makeup session keys and the session keys or what encrypts the traffic going back and forth if you're using the RSA key exchange method if someone has the key they can just go ahead and decrypt any any piece of traffic after the fact so I could capture all your packets now and then wait till two months from now what I'm

actually able to get that RSA certificate from you and I can just go ahead and decrypt it the RSA certificate is used to develop those session keys so you can go ahead and read anything perfect forward secrecy means that even if you manage to get one set of session keys that's only good for that session you have to continually compromise that stuff over and over again that's why it's called perfect for its secrecy the actual King data is never sent across the wire at any points on the web server I'm sorry that the protocol specification for HTTP two says that if you're not using one of these two cipher suites or key exchange messages in your

cipher suites that the web browser will actually just send you back an adequate security message basically refusing so all that to say htv-2 has to use perfect forward secrecy cipher suites if it written correctly it will not use insecure cipher suites that are not capable of perfect forward secrecy and let me give you a quick so the the spec for our sorry for HTV to has like a blacklist of ciphers basically all these cipher suites are blacklisted according to the protocol and show you that real quick

so what I'm what I'm showing you here is I'm just gonna scroll through like these are all the blacklisted ciphers according to the specification

all right so as you guys could see that was quite a bit of cipher suites going on there the main thing again the main takeaway is that the TLS 1.2 and HTTP version to use cipher suites that are good for perfect forward secrecy and that's again gonna play and say what I'm about to get to next

I forgot to mention up front that a lot of this worked on this protocol was stuff I had to do for a college class that I was taking and I actually published a paper on kind of some of this stuff a couple years ago so the work that I did initially is about two years old actual HTTP to protocol was actually ratified in 2015 and it's about the time I put the paper out that I had done the work on when I was doing the work I kind of checked all the browsers again Anna client hello message which comes from your browser it says I can talk all these cypress suites and so I went in a numerated that lists that

every browser could talk and then I subtracted out the ones that were blacklisted and this is what was left this is about again about a year or two old so it's probably changed on the cipher suites but this is what all the protocols that were left which is trimmed off the edge of the screen but that's okay if you notice they're all ephemeral diffie-hellman exchange or elliptic curve diffie-hellman exchange cipher suites that's all it's left for that

so any of you happen to know if you use HTTP two right now or not like anybody can kind of tell or not know so one of the ways you can if you're using Chrome you are using HTTP 2 by the way you just probably don't know it when you talk to Google servers on the background they're a big proponent of it obviously but you can get a little plugin for your browser the last one that I use had like a little lightning bolt and the thing so that way it just lights up when you're actually using the HTTP 2 protocol so that you know another thing you can do is look at the web developer console and

it will just say what protocol is being used so that's another good way to do it

all right so I was just telling you about how we're using this perfect board secrecy and that it's hard to break the encryption to read the stuff especially if you don't have the keying material and that's kind of the big difference between this this protocol the HTTP 2 protocol is that again it uses perfect forward secrecy cipher suites and not RSA key exchange methods methods where you can just decrypt packets at the fact actually doing packet inspection on HTTP 2 protocol is really challenging so what my research had found that typically what laughs to do now or any type of intercepting proxy that's gonna inspect the traffic for TLS they're pretty much provided with the RSA key so that way

they can decrypt on the flying and keep going and that will not work with this there is no key to give anybody the key material for the session keys never leaves the client or the server stays there so you're like how would I actually inspect packet traffic on 4 HTTP 2 it's actually pretty challenging but one thing you can do is if you use an application that has the NSS library is used to compile the application and they offer an easy way to do that most notably that's Firefox Firefox is compiled with the NSS library and so what you end up having to do is you set an environment variable and your Windows or Linux that basically says write all

the session keys to a file and all those session keys become what you need to actually be keep the traffic that works great if you control the endpoint if you control the workstation and you're using Firefox and you set the global environment variable then you can have what you need to decrypt the traffic but chances are you own a web server but you don't own the client so you can't control both sides of the communication which makes it hard also for a network traffic you're not gonna be able to look at that kind of stuff so Wireshark is capable of actually looking at HTTP 2 so I encourage you if you get the chance to

go mess around and look at that by default if you do it on 4 4 4 3 yr starts gonna think that it's HTTP 1.1 so you gonna have to go in and tell it you know actually want version 2 then you're gonna have to also tell it where all the session keys are so they can go back through and find the key I mean the session keys aren't like just one password or one key like it's it'll be a giant line list of for every time it establishes a new connection we'll have a session keep her connection going through so it'll be quite a lengthy file you can go there and do that it's neat that Wireshark

actually knows how to do the protocol but my initial work had shown that many other tools aren't actually capable of looking at the protocol whatsoever so when it comes across their device that don't know what it is if you probably mention it at the beginning of the talk two protocols binary it uses compression and it uses perfect forward secrecy so chances are even if you were using a web proxy and you are trying to do some type of inspection when you see the protocol you won't know what the hell do with it anyways because your tooling doesn't understand it I have seen that tools now we're starting to actually come up with protocol analyzers so that way they can

actually do a little bit of work of it but I don't know any practical use cases where that's coming in handy so again that helps defeat proxies reverse proxies anybody in here work for a company that uses a TLS inspecting proxy on the way out yeah I pay - let's talk with you after what I actually don't have much experience with it but I'm trying to find out like what companies do when I do that first I know there's the problem of a lot of companies don't want to do TLS inspection at all because then I have to deal with the whole privacy concerns and all that kind of stuff so some of them just stay away

from it completely but what I'm interested in know is does your proxy feel open or closed my general assumption is that it fails open meaning if you can't inspect it or you don't know what to do with it you just continue let the traffic go through anyways have you had to talk to someone who says it fails closed and then let me try it on a network to see what actually happens so it's a little immature in that sense the tool that I wrote because I don't know what's actually gonna happen but I would say by and large part of my experience most people are inspecting traffic at all ever to begin with but even those that do I would say

probably fail open and then obviously the same thing for a laugh it's gonna do the same type of thing trying to inspect the traffic going back and forth snort three actually has the HTTP to protocol analyzer in it I was trying to talk with one of the snort guys to figure out how well it worked my general understanding is that it just looks at clear text protocol and it doesn't do any TLS decryption to actually look at the stuff my question to the snort team was going to be well how do you actually do the TLS inspection if you don't have the session keys I'm interested to see how people do that so those are some of the challenges of

packet inspection altogether

all right so I just kind of like you know painted a bad scenario why I'm saying you got this protocol in your network because you do right now and I'm like how are you ever gonna what are you gonna do with it from a security perspective how what kind of controls can you have there are a couple options one of them is you could do a protocol downgrade you can actually set up like a reverse proxy and down look down grade a connection from HTTP to 21.1 however by doing that you're really just ruining all the efficiencies that HTTP two gave you to begin with remember I told you that HB 2 is bi-directional stays open

connection your base is gonna say ma'am let's go back to the old way of making things really slow and do that so it is possible depending on kind of your environment that you're trying to protect but that is an option to do that you could do encryption downgrade a couple of different ways if you actually control the server if you've heard me mention earlier the RFC says that you should blacklist that list of Cypress Suites but if you actually write write the code for the software for the server you can actually just tell it I don't care use it anyways you control the application at that point so you could stand up a proxy and intermarry a proxy

intermediary proxy that allows you to use a weaker protocol even though the RFC says it's not a good idea so that way you can have that the traffic and still stay encrypted you can set up some type of like little encryption corridor type thing we're likely use a reverse proxy in between two endpoints it uses a weaker encryption that you can't inspect and then put it back up going out is an option you can also just downgrade the protocol so you can maybe you can have an HTTP to enable a proxy and then when it comes in on encrypted you can just relay it back to the server again using a reverse proxy over the clear text

version of the protocol again your support for that's gonna be a little challenging clients don't support it but if it's just between a proxy and a web server you might be able to make that happen and so during my research I was I was looking at like what I did was I did a sequel injection attack over the broken web app from OWASP I did a sequel injection on HTTP 2 and it worked and nothing was able to detect it cuz it kind of went across that protocol nothing could look at it so what I ended up doing is I used mod security anybody for notice that one on security uses the wasp core rulesets one of things you can

use I've been talking to you like it's harden and inspect the package you don't have the tools you need to decrypt the protocol you don't have the encryption keying material actually inspect it anyways well there is one saving grace if you use a wasp core rule set on an HTTP 2 webserver it actually inspects the traffic at layer 7 so it doesn't matter what level the cripton comes in at it comes it comes up the stack and as it comes up the stack and goes off to the actual web server the encryption is actually removed by that time so mod security doesn't care if you use an HTTP 3 4 10 doesn't care what version using

by the time it sees it it's just processing a request that can actually tell what's going on at that point so that's one of my better recommendations if you're if you're fighting off that protocol you're looking at it or don't enable the protocol at all but and so I turn around I did the sequel injection attack again with just the web server that could only talk h2 and wasp or rules that was able to catch it on that protocol because again it happens higher up the stack and then maybe you can't inspect traffic at all maybe that's just something you guys are not gonna do which again I've seen a lot of companies say they don't want to inspect

traffic to begin with you can use another technique called TLS fingerprinting that connection that happens between the web server and a client you can fingerprint that because it'll offer unique set of cypress suites not only that the stock receipts will come in a certain order depending on the tool that it comes from the applications that it'll advertise like HTTP to HTTPS PD and all kind of stuff so you can use that to generate a hash and you can use that for fingerprinting fingerprinting traffic going across your network there's a tool called ja3 I believe it's from Salesforce ax that's the tool does exactly that it does TLS fingerprinting it says it can detect malicious traffic

just without ever having to inspect the traffic's whatsoever so that's another Avenue to look at as well

all right so all that was kind of like the the precursor to what I actually do again I do penetration testing and I was looking for other avenues to help me out on on tests and I've just told you about a protocol that's new that a lot of tools aren't capable of understanding and even if they were capable understanding it they're not able to encrypt it to decrypt it and I thought to myself that's perfect that's exactly what I need at doing a pen test so that way I can do my job without getting caught and so what that really helps out with is for evasion again if I'm trying to go through now we're gonna have to

worry about our proxy looking at my traffic going back and forth even if there was nothing would be able to actually be cryptid to begin with so that makes it nice and then it makes a good actual command and control traffic channel as well going back across the internet and you can use that for exfiltration again if you're trying to exfil large amounts of data if you're in a company that that's like trying to protect against that you might actually doing TLS inspection stuff you can actually see if anyone's ex billing data but this this protocol would make a good candidate for that to get around that

all right so finally we're here I was gonna introduce you guys to Merlin it is a tool that I wrote to kind of take advantage of all these things Merlin is a tool that I wrote in golang anybody heard of that programming language before yeah if I haven't told you enough about Google yet it is another Google programming language you know using Google's protocol using Google's tools using Google's programming language and whatnot and so look the way I describe Merlin Merlin is a post exploitation command and control tool post exploitation means the tool doesn't handle the exploit part you got to handle that part on your own how you get access to the computer how you run

commands is all up to you this tool does not do any any exploit stuff it just does post exploitation activities the reason I have cited it goes go is because it is cross-platform anybody you guys use like PowerShell Empire problem is is it's only works in PowerShell that's the problem if you compromise anything that's not a Windows box your shells not gonna work and you can use meterpreter as well on other systems that are windows and it does have actually pretty good support but with go I can write one code base and I can just cross compile it to anything I don't have to change the code at all I can I compile it for for Darwin which is

your Mac I can compile it for Linux that compile it for Windows I can compile it for MIPS so anybody know like IOT devices or arm which are cell phones you can cross compile to Android just all on the same code base I thought that was pretty attractive reason to use the protocol I was looking through the protocol list that the language supports there's another protocol called or not protocol there's another operating system called dragonfly anybody heard of that one well it's a it's an operating system and you can cross compile this tool to run on dragonfly if you ever happen to run across it Solaris anybody finish hilarious you can you can cross cross compile it to run Solaris actually

did it for a little test you can it'll run on anything raspberry PI's typically run on ARM processors cross compile this to work on that so it just works on anything which is why I really like the language one of the other things I like about go is you can run it like a script if you guys have worked with a scripting language like Python anybody I found Ruby just regular bash scripting all that you know the beauty and those is that when you when you edit something and you want to run it right now you don't have to like run it through a Dane compiler first and deal with any errors they can stuff like that you can just

actually run it so go has a feature where you can actually run the program like a script and the reason why I use air quotes around like is because what's really happening is when you type go run and the name of thing you want to run it's secretly compiling it in the background creating a binary and then it's executing it for you but it still gives you the perception that you're actually running it like a script so that makes it really handy if you're trying to do some like live development you don't have to like to recompile anything merlin comes with precompiled binaries if you guys have used git anybody here used git before like it

repos and go uses something like git they use they use a command called go get and it goes to the repository it pulls it down if you're not familiar with that and you try and pull down the Merlin source doing that you're gonna run into a bunch of problems and it has to do with the way that go references the libraries I have had quite a few people put in issue tickets because when they when I pull down the source and I trying to work with it they did it wrong there is a very unique way you have to deal with go I left comments on the github page if in case you wanted to do that but the short

and skinny of what I'm trying to say is just download the precompiled binaries it'll save you a lot of time you have to do it the hassle of all that other kind of stuff if you actually get into development you want to mess with it let me know and we could work through that but for the average people I would say just download the precompiled binaries that I provide on the releases tab from Merlin do I sign him down I could [Music] yeah the one thing that I do which I don't actually give the information how so that would be useful is Merlin has a version number and a build number and what the build number is is a hash of

the last pull request that has been compiled against and that's hard coded into the actual compiled binary so you could technically go backwards and check the hash from the last pull request to see what code you're running if you wanted to but I don't actually like don't we can actually find that string as by running Merlin you can't like I don't put it in a file so you can read it afterwards or anything and then kind of why not PowerShell like again PowerShell was like getting a lot of attention and I initially actually wanted to write the tool in PowerShell but the problem is is that PowerShell at the time did not support a way for you

to configure TLS 1.2 if you remember me telling you it has to use TLS 1.2 that's the only version of TLS that has support for the al PN protocol today PowerShell does have support for a LPN our sorry does have support for TLS point 1.2 but last I checked it did not have support for the LPN protocol so I don't know if there currently is a way I haven't checked on in like a year but that's why I didn't end up using PowerShell because it just isn't capable of setting the protocol up the way I need to actually do the communication back and forth

so this is a screenshot of the server here in a minute I got actually like a live demo what's up Zack are you

so here's the screenshot of the server I'll walk you through some of the components of the server I was talking to somebody else who does like tool development and I was asking them like kind of what are the keys to success on developing a tool if you want white adoption you have to make it easy for people to use and so that was kind of one of the underlying things I really had to make sure that put a lot of effort into and the way I did that is by using tab-completion like if you're in the middle of typing out a command you just hit tab it will fill out the rest of the command for you if you were on a

blank prompt and you don't know what to do if you double tap it'll bring up a list of all the commands that you have that are available to you at that time to be able to use so I really make sure I put a good effort in there on that tab completion the server uses sorry that every agent that checks in uses a version for UUID string which are pretty long and I serve you guys are familiar with that or not I've had people say that they don't really like having to type out that giant UUID string you can see that it's probably hard to see but you can see that blue colored a bunch of

zeros that's how long a UUID string is that's just an empty one but that's how long it is and people are like I don't want to type all those characters out give me a way to alias the command one of my co-workers is actually helping out with the way to alias the commands but my retort to that is there's tab completion built in so if you know the first letter of the agent you want to work with like a and you push tab and there's no other agent of the a it'll just spill off the rest of the thing for you so I would argue that it's just as few keystrokes as renaming the agent to

begin with if you're gonna use tab completion for call an agent another thing I made sure to do is that everything had a good help menu so any point time you can type help and it'll give you a table of commands that you available to you along with options that you can set for that command again my goal there was that you had everything you need to be able to use a tool I don't know if any of you guys ever like been using a tool like you're trying to get out of it but you can't figure out the damn command to get out yeah like that's the worst I was using I was using

someone else's command and control channel and I was like trying to get the agent to die and I just couldn't find a command there's no help exit wasn't working and quit wasn't working like I did anyone just want to kill the program because I didn't want the agent to just keep running on that compromise computer the whole time I tried to fight that by putting in a good help menu on here command alias was another good thing I tried to put some time into any guys like Big Time users of a tool like this not a muscle memory like when you get on the tool like you just type like sessions like that I just

do that person out a minute out of muscle memory like I'm on any command and control tool and all his sessions and I'm like sorry that's the wrong command so for this tool I tried to put alias to like commands that you would run in interpreter or that you would run in Empire being one of the you know the two famous or more popular command control tools trying to ease that so like if you typed sessions and Merlin will actually pull it up for you that wasn't the way that I originally intended for you to be able to get a list but I put the aliases in there Merlin has module support the module supports honestly not that great but

it's better than nothing it's pretty much described in a JSON file you can look at the modules the key thing with the module support is that while Merlin is running you can actually drop in a JSON file and will dynamically show up in the list while you're doing it some some companies have their own tradecraft that I don't want to share with other people and this is great for that because you can just distribute the JSON files to your team and they can just put them in the directory and it'll just show up and use now one of the key things is that you don't have to exit Merlin to be able to use the modules

like you can drop it in there while Merlin's running and you can use it while it's running without having to exit out or recompile or anything like that so that's really handy and then another thing when I'm working on a pen test and I'm done sometimes on my King I just I was having fun but I wasn't actually keeping track of what I was doing so I made sure to put a lot of effort in to have some verbose logging both the server and the agent have pretty verbose log files though you can go back after the pen test is done you can read through the file and see kind of what commands you executed with

timestamps and what the results were and all that kind of stuff so you can back-trace your stuff if you need to and the last one is system commands like if you're in the Merlin prompt and you want to on and I'll do IP config for some reason if you just type ipconfig and push enter it'll execute on the system the logic is if it's not a command that Merlin knows it'll just turn around execute it on the actual system you're running it from I found that to be useful stuff we have to exit out of the tool or switch tabs or anything like that you can just run it there right now there's no collision I haven't

had any like the command in Merlin that doesn't go back and forth

and so that was the server component of the Asian component again I told you every agent has a unique identifier it's kind of long on it when you're running the agent that precompiled binaries are set to communicate back to the server on the loopback adapter that's the hard hard coded address that works great for me for testing it's probably not gonna work great for you on a pen test cuz your servers probably somewhere else not on a loopback adapter so there's just a - URL flag you can specify at runtime any any other server that you want it to run on no shell restrictions I find this to be powerful some people don't like it

typically you guys all for me with like cmd.exe or powershell exe or bash or zs8 those are all shells when merlin runs it actually it doesn't run in cmd.exe it doesn't run in PowerShell use you can specify the shell that you want it to run in what happens is when you execute a command it checks the path variable if the command you want to run is in the path and it will execute that so it gives you more flexibility if you don't want all your commands running in a cmd.exe you can just just by a powershell and i'll work that way so offer some flexibility that way one way i'm trying to work on evading traffic or

sorry evading detection a lot of tools would do detection based off beaconing so they'll look at a beacon size for c2 traffic going back and forth and one of those quick ways to detect beaconing is that it's a consistent every 30 seconds on that dot it's a message a message a message and then typically the size of the message is relatively the same every time and so one way i try and combat that is i have a time skew so it'll kind of it'll the time will waver so it's not consistent which is moderately useful but my my bigger win is that i had a message to every side so like you can set it on the fly you can set it while

the agents running but by default every time you send a command back and forth that has your regular command payload and then it has a pad of somewhere between 2048 bytes of data going back in and it randomly selects that every time so that way it's not consistent I do that to try and defeat I detected beaconing I don't know how well it works but again the size is configurable so you can you can bump it up to 4096 you can go as far as you want on the size on that and that goes both ways from the server to the client from the client server and so that the agent comes in the precompiled binary that you can run

on Windows Mac whatever you want to run on but I also thought to myself do you guys know what you currently have on you right now that can actually talk to h2 protocol your phone your phone can talk if you got a web browser web browsers can talk HTTP to as is so I wrote a quick JavaScript agent that can talk h2 as well the thing that does suck about it is you're stuck in the context of what JavaScript can execute so you're not gonna be executing system commands unless you have some exploit you're gonna run but you are stuck in the Dom or running that and then last but not least is I have a dll object that it

compiles to a really cool thing about go is that I have like 15 lines of code that's all I need to generate that deal well which comes in handy if you're gonna run like a run dll across the network I've also taken that dll and embedded it into a PowerShell script so that we can do in memory execution of merlin by taking that dll and basic support coding and stuffing it into one giant powershell script so that comes in handy as well invoke merlin powershell script is most the works done by the powersploit developers I just took an SH of the merlin dll in there to execute it but that's on the dev branch for the git

repos well this level here's a screenshot on my iPhone I basically ran Merlin on my iPhone because again my iPhone currently has a web browser and it capable talkin h2 there's there's blog post if you want to see more on that

here's a quick demo of kind of the server running let me see if I get a bigger real quick

the I kind of put my comments on there so you can read it so I don't really need to talk what's going on but here I'm checking in some some agents real quick

there's a list of the agents so you can see Linux Windows Mac I've agent running on all those [Music]

there's a tap completion for the agents you just hit tab and go to the one you want

I'll let that keep running again there's burr Bo's commands on there so you can kind of see what I'm talking about on there but that's pretty much the end of the the talk I do have another example of the JavaScript agent which you can pull all of these from my blog on medium I'll pull that slide up here when this is done if you want to know more there's actually a pretty good write-ups I tried to make sure there's a really good wiki page that way you're not left confused on how to use it to begin with try to make it very verbose on how you can use any of those things so I guess

I'll just turn it over so if you guys have any questions while this slide place through if you if not you can catch up with me on word yes sir

nice nice a gentleman was saying that in chrome you can go to a console and enable an h2 proxy so you can see the data frames going back and forth so I'd be pretty handy as well again it's probably like the same thing I was talking about though a lot of time has gotten to Chrome all the decryptions already happen so it's just looking at packets at that point in time that are meant for the browser to obviously understand so the decryptions already happened

yeah as far as like companies that not in the context of security yes I've seen a ton of it like Alka my advertises h2 I use digitalocean I'd recently got an email from them about a month ago talking about how they have support for h2 and we're just talking general server support yes I've seen a ton of adoption for h2 the Google's been using that for a while as far as security tools I have seen an uptick and that is well I did a quick check about a month ago and like Imperva WAP is using h2 but they use on one of the techniques I talked about cameras when it was there either downgrade in the traffic to 1.1 or

they're downgrading the encryption when it comes back in one thing I didn't cover too much is if you if you control the proxy and you set a TLS termination point then that point that encryption is obviously done because you set a termination point see that's always an option as well if you're gonna terminate the TLS connection established a second one on top of that that does give you an opportunity

so I I actually wrote Merlin and only offers up to cipher suites right now I'm gonna go back and make that configure but only offers up to I'd haven't heard about the work on the elliptic curve but uh but I will say this no I'm not worried because most of times I'm gonna pen test nobody even knows I'm there so I'm good to go any other questions all right well thanks your time and come see me if you want to stick or appreciate

you