Skip to main content
This section details how to build custom build a Merlin Agent using the Make file.
Merlin is distributed with pre-compiled agent binaries for all major platforms in the data/bin directory.

Basic

The provided Make file can be used to build a new agent from source. It is recommended that you first use go get github.com/Ne0nd0g/merlin-agent to pull a copy of the Merlin source code to the host. Move into the Merlin root directory where the Make file is located.
  • Windows agent: make windows
  • Linux agent: make linux
  • macOS agent: make darwin
  • MIPS agent: make mips
  • ARM agent: make arm

Advanced

Use the provided Make file to build a Merlin Agent with hard coded values. This removes the need for an operator to use commandline arguments and allows the Agent to simply be executed. The table below shows configurable compile options View the Listeners page for additional information on specific listener configurable options.
OptionDescriptionNotes
ADDRThe interface and port for peer-to-peer agents to bind or connect toOverrides the -addr flag
AUTHThe method of Agent authentication to the serverOverrides the -auth flag
HEADERSComma Separated list of HTTP headers to send with every HTTP request.Overrides the -headers flag
HOSTHTTP Host headerOverrides the -host commandline flag
HTTPCLIENTThe type of HTTP client (or driver) to use (e.g., go or winhttp)Overrides the -http-client commandline flag
JA3JA3 signature string (not the MD5 hash)Overrides the -ja3 commandline flag
KILLDATEThe date, as a Unix EPOCH timestamp, that the agent will quit runningOverrides the -killdate commandline flag
LISTENERThe UUID of the listener that the peer-to-peer agent is configured to communicate with.Overrides the -listener flag
RETRYThe maximum amount of failed checkins before the agent will quit runningOverrides the -maxretry commandline flag
PADThe maximum amount of data that will be randomly selected and appended to every messageOverrides the -padding commandline flag
PARROTConfigure the HTTP client’s TLS configuration to match the provided browser stringOverrides the -parrot commandline flag
PROTOProtocol for the agent to connect with [https (HTTP/1.1), http (HTTP/1.1 Clear-Text), h2 (HTTP/2), h2c (HTTP/2 Clear-Text), http3 (QUIC or HTTP/3.0)] (default ‘h2’)Overrides the -proto commandline flag
PROXYHardcoded proxy to use for http/1.1 traffic only that will override host configurationOverrides the -proxy commandline flag
PSKPre-Shared Key used to encrypt initial communications (default “merlin”)Overrides the -psk commandline flag
SECURERequire TLS certificate validation for HTTP communicationsOverrides the -secure commandline flag
SKEWAmount of skew, or variance, between agent checkinsOverrides the -skew commandline flag
SLEEPThe amount of time the Agent will sleep between checkins Must use golang time notation (e.g., 10s for ten seconds)Overrides the -sleep command line flag
TAGSComma separated list of Go build tags for compiling the agentOverrides Go’s -tags commandline flag
TRANSFORMSOrdered CSV of transforms to construct a message withOverrides the -transforms commandline flag
URLFull URL for agent to connect to (default “https://127.0.0.1:443”)Overrides the -url commandline flag
USERAGENTThe HTTP User-Agent header string that Agent will use while sending trafficOverrides the -useragent commandline flag
An example of creating a new Linux HTTP agent that is using domain fronting through https://merlin.com/c2endpoint.php using a PSK of SecurePassword1: make linux URL=https://merlin.com:443/c2endpoint.php HOST=myendpoint.azureedge.net PROTO=https PSK=SecurePassword1

Build Tags

By default, the Merlin Agent is built with all available features and components compiled in. Build tags can be used to control what features are compiled into the agent to reduce the size of the binary or to restrict the agent’s capabilities. When any build tag is included, the agent will ONLY include that feature and nothing else. For example, if ONLY the http tag is provided, the SMB, TCP, and UDP clients will not be included. The following build tags are available:
TagDescriptionNotes
httpInclude ALL HTTP clients
http1Include Go’s built-in HTTP/1.1 clientUsed with the -proto flag’s http & https options
http2Include the HTTP/2 clientUsed with the -proto flag’s http2 & h2c options
http3Include the HTTP/3 UDP clientUsed with the -proto flag’s http3 option
mythicInclude the Mythic C2 clientUsed with the Mythic C2 Framework’s http profile
smbInclude the SMB clientUsed with the -proto flag’s smb-bind & smb-reverse options
tcpInclude the TCP clientUsed with the -proto flag’s tcp-bind & tcp-reverse options
udpInclude the UDP clientUsed with the -proto flag’s udp-bind & udp-reverse options

Windows Agent

The Windows Merlin Agent executable is compiled as a GUI application instead of console application. The Merlin Agent does not have a GUI component. The reason this is used is so that the Merlin Agent window disappears after it is executed. This behavior is intentional so that the user will not see the application window. This is done with the LDFLAGS when building the agent using the -H=windowsgui option as shown here This causes problems when a user WANTS to see the Merlin Agent verbose or debug output. To view Merlin verbose/debug output, use the Makefile windows-debug target (e.g., make windows-debug)

Cross-Compiling

The Merlin agent and server can be cross-compiled to any operating system or architecture. A list of golang supported operating systems and architectures can be found here: https://golang.org/doc/install/source#environment
$GOOS$GOARCH
androidarm
darwin386
darwinamd64
darwinarm
darwinarm64
dragonflyamd64
freebsd386
freebsdamd64
freebsdarm
linux386
linuxamd64
linuxarm
linuxarm64
linuxppc64
linuxppc64le
linuxmips
linuxmipsle
linuxmips64
linuxmips64le
netbsd386
netbsdamd64
netbsdarm
openbsd386
openbsdamd64
openbsdarm
plan9386
plan9amd64
solarisamd64
windows386
windowsamd64