Mythic Documentation
Search…
Version 2.3
Common Questions and Answers
Installation
Get the code
Pull the code from the official GitHub repository:
1
$ git clone https://github.com/its-a-feature/Mythic
Copied!
This is made to work with docker and docker-compose, so they both need to be installed. If docker is not installed on your ubuntu machine, you can use the
./install_docker_ubuntu.sh script to install it for you.
If you're running on debian, use the ./install_docker_debian.sh instead.Mythic must be installed on Linux. While macOS supports Docker and Docker-Compose, macOS doesn't handle the shared host networking that Mythic relies on for C2 containers. You can still access the Browser interface from any OS, but the Mythic instance must be installed on Linux
Configure your installation
Mythic configuration is all done via
Mythic/.env, which means for your configuration you can either add/edit values there or add them to your environment.Mythic/.env doesn't exist by default. You can either let Mythic create it for you when you run
sudo ./mythic-cli start for the first time or you can create it ahead of time with just the variables you want to configure.If you need to run
mythic-cli as root for Docker and you set your environment variables as a user, be sure to run sudo -E ./mythic-cli so that your environment variables are carried over into your sudo call. The following are the default values that Mythic will generate on first execution of sudo ./mythic-cli mythic start unless overridden:1
ALLOWED_IP_BLOCKS="0.0.0.0/0"
2
COMPOSE_PROJECT_NAME="mythic"
3
DEFAULT_OPERATION_NAME="Operation Chimera"
4
DOCUMENTATION_BIND_LOCALHOST_ONLY="true"
5
DOCUMENTATION_HOST="mythic_documentation"
6
DOCUMENTATION_PORT="8090"
7
EXCLUDED_C2_PROFILES=
8
EXCLUDED_PAYLOAD_TYPES=
9
HASURA_BIND_LOCALHOST_ONLY="true"
10
HASURA_HOST="mythic_graphql"
11
HASURA_PORT="8080"
12
HASURA_SECRET= random password
13
JWT_SECRET= random password
14
MYTHIC_ADMIN_PASSWORD= random password
15
MYTHIC_ADMIN_USER="mythic_admin"
16
MYTHIC_DEBUG="false"
17
MYTHIC_ENVIRONMENT="production"
18
MYTHIC_REACT_BIND_LOCALHOST_ONLY="false"
19
MYTHIC_REACT_HOST="mythic_react"
20
MYTHIC_REACT_PORT="3000"
21
MYTHIC_SERVER_BIND_LOCALHOST_ONLY="true"
22
MYTHIC_SERVER_DYNAMIC_PORTS="7000-7010"
23
MYTHIC_SERVER_HOST="mythic_server"
24
MYTHIC_SERVER_PORT="17443"
25
NGINX_BIND_LOCALHOST_ONLY="false"
26
NGINX_HOST="mythic_nginx"
27
NGINX_PORT="7443"
28
NGINX_USE_SSL="true"
29
POSTGRES_BIND_LOCALHOST_ONLY="true"
30
POSTGRES_DB="mythic_db"
31
POSTGRES_HOST="mythic_postgres"
32
POSTGRES_PASSWORD= random password
33
POSTGRES_PORT="5432"
34
POSTGRES_USER="mythic_user"
35
RABBITMQ_BIND_LOCALHOST_ONLY="false"
36
RABBITMQ_HOST="mythic_rabbitmq"
37
RABBITMQ_PASSWORD= random password
38
RABBITMQ_PORT="5672"
39
RABBITMQ_USER="mythic_user"
40
RABBITMQ_VHOST="mythic_vhost"
41
REBUILD_ON_START="true"
42
REDIS_BIND_LOCALHOST_ONLY="true"
43
REDIS_HOST="mythic_redis"
44
REDIS_PORT="6380"
45
SERVER_HEADER="nginx 1.2"
46
SIEM_LOG_NAME=
47
WEB_KEEP_LOGS="false"
48
WEB_LOG_SIZE="1024000"
Copied!
A few important notes here:
MYTHIC_SERVER_PORTwill be the port opened on the server where you're running Mythic. TheNGINX_PORTis the one that's opened by Nginx and acts as a reverse proxy to all other services. TheNGINX_PORTis the one you'll connect to for your web user interface and should be the only port you need to expose externally (unless you prefer to SSH port forward your web UI port).- The
allowed_ip_blocksallow you to restrict access to theloginpage of Mythic. This should be set as a series of netblocks with NO host bits set - i.e.127.0.0.0/16,192.168.10.0/24,10.0.0.0/8 excluded_c2_profilesandexcluded_payload_typesallows you to exclude certain docker containers from starting. This is helpful if you know you're not going to use certain payload types or c2 profiles and want to cut down on time/space requirements. These are both just a comma-separated series of agent/c2 names like:apfell,atlasorhttp,dynamichttp.
The above configuration does NOT affect the port or SSL information related to your agents or callback information. It's strictly for your operator web UI.
When the
mythic_server container starts for the first time, it goes through an initialization step where it uses the password and username from Mythic/.env to create the mythic_admin_user user. Once the database exists, the mythic_server container no longer uses that value.You'll notice that a lot of the containers have a
*_BIND_LOCALHOST_ONLY environment variable associated with them. To help prevent Mythic from opening up port unnecessarily, Mythic binds as many containers as possible to the mythic_default Docker network and binds exposed ports to 127.0.0.1. If you set the *_BINDLOCALHOSTONLY environment variable to false then Mythic will bind that port to 0.0.0.0 instead. The only container that isn't bound to localhost by default is nginx so that you can access that web user interface without having to do a port forward to reach it.mythic-cli
The
mythic-cli binary is used to start/stop/configure/install components of Mythic. You can see the help menu at any time with mythic-cli -h, mythic-cli --help or mythic-cli help.1
mythic-cli usage ( v 0.0.5 ):
2
*************************************************************
3
*** source code: https://github.com/MythicMeta/Mythic_CLI ***
4
*************************************************************
5
help
6
mythic {start|stop} [service name...]
7
start | restart
8
Stops and Starts all of Mythic - alias for 'mythic start'
9
stop
10
Stop all of Mythic - alias for 'mythic stop'
11
c2 {start|stop|add|remove|list} [c2profile ...]
12
The add/remove subcommands adjust the docker-compose file, not manipulate files on disk
13
to manipulate files on disk, use 'install' and 'uninstall' commands
14
payload {start|stop|add|remove|list} [payloadtype ...]
15
The add/remove subcommands adjust the docker-compose file, not manipulate files on disk
16
to manipulate files on disk, use 'install' and 'uninstall' commands
17
config
18
*no parameters will dump the entire config*
19
get [varname ...]
20
set <var name> <var value>
21
payload (dump out remote payload configuration variables)
22
c2 (dump out remote c2 configuration variables)
23
database reset
24
install
25
github <url> [branch name] [-f]
26
folder <path to folder> [-f]
27
-f forces the removal of the currently installed version and overwrites with the new, otherwise will prompt you
28
* this command will manipulate files on disk and update docker-compose
29
uninstall {name1 name2 name2 ...}
30
(this command removes the payload or c2 profile from disk and updates docker-compose)
31
status
32
logs <container name>
33
mythic_sync
34
install github [url] [branch name]
35
* if no url is provided, https://github.com/GhostManager/mythic_sync will be used
36
install folder <path to folder>
37
uninstall
38
version
Copied!
Installing Agents / C2 Profiles
By default, Mythic does not come with any Payload Types (agents) or C2 Profiles. This is for a variety of reasons, but one of the big ones being time/space requirements - all Payload Types and C2 Profiles have their own Docker containers, and as such, collectively they could eat up a lot of space on disk. Additionally, having them split out into separate repositories makes it much easier to keep them updated.
To install a Payload Type or C2 Profile, use the
mythic-cli binary with:1
sudo ./mythic-cli install github <url>
Copied!
If you have an agent already installed, but want to update it, you can do the same command again. If you supply a
-f at the end, then Mythic will automatically overwrite the current version that's installed, otherwise you'll be prompted for each piece.You won't be able to create any payloads within Mythic until you have at least one Agent and a matching C2 Profile installed
Logging
If you're wanting to enable SIEM-based logging, set the
siem_log_name to anything but an empty string. Mythic will create that file if it doesn't exist, and log to that file. The following things are logged currently:1
file_upload (file staged on mythic as part of tasking with the intent to get sent to the agent)
2
file_manual_upload (file staged on mythic as part of a user manually hosting it)
3
file_screenshot (file is a screenshot from the agent)
4
file_download (file is downloaded from agent to mythic)
5
artifact_new (new artifact created - think IOC)
6
eventlog_new (new eventlog message)
7
eventlog_modified (eventlog was modified, like resolving an issue or changing their message)
8
payload_new (new payload created)
9
task_mitre_attack (a task was associated with a new mitre attack technique)
10
task_new (a new task was created)
11
task_completed (a task completed)
12
task_comment (somebody added/removed/edited a comment on a task)
13
credential_new (a new credential was added to the store)
14
credential_modified (a credential was modified)
15
response_new (a new response for the user to see)
16
keylog_new (a new keylog entry)
17
callback_new (new callback registered)
Copied!
Mythic does SIEM-based logging as JSON data where each entry is as follows:
{"timestamp": "UTC Timestring", "mythic_object": "one of the values from above", "message": JSON of the actual message in question}To start Mythic, simply run
sudo ./mythic-cli mythic start.Start Mythic
If you came here right from the previous section, your Mythic instance should already be up and running. Check out the next section to confirm that's the case. If at any time you wish to stop Mythic, simply run
sudo ./mythic-cli stop and if you want to start it again run sudo ./mythic-cli start. If Mythic is currently running and you need to make a change, you can run sudo ./mythic-cli restart again without any issue, that command will automatically stop things and then restart them.The default username is
mythic_admin, but that user's password is randomly generated when Mythic is started for the first time. You can find this random value in the Mythic/.env file. Once Mythic has started at least once, this value is no longer needed, so you can edit or remove this entry from the Mythic/.env file.Mythic starts with NO C2 Profiles or Agents pre-installed. Due to size issues and the growing number of agents, this isn't feasible. Instead. use the
./mythic-cli install github <url> [branch] [-f] command to install an agent from a GitHub (or GitLab) repository.Troubleshooting installation and connection
If something seems off, here's a few places to check:
- Run
sudo ./mythic-cli statusto give a status update on all of the docker containers. They should all be up and running. If one is exited or has only been up for less than 30 seconds, that container might be your issue. The status command gives a lot of information about what services are running, on which ports, and if they're externally accessible or not.- Your output will be similar to the following. Notice how the
mythic_serverdocker container shows a status ofExited? That looks like an issue
1
CONTAINER NAME MYTHIC SERVICE WEB ADDRESS BOUND LOCALLY
2
mythic_nginx Nginx (Mythic Web UI) https://127.0.0.1:7443 false
3
mythic_server Mythic Backend Server http://127.0.0.1:17443 true
4
mythic_graphql Hasura GraphQL Console http://127.0.0.1:8080 true
5
mythic_documentation Internal Documentation http://127.0.0.1:8090 true
6
​
7
CONTAINER NAME ADDITIONAL SERVICES IP PORT BOUND LOCALLY
8
mythic_postgres Postgres Database 127.0.0.1 5432 true
9
mythic_redis Redis Database 127.0.0.1 6379 true
10
mythic_react React Server 192.168.53.129 3000 true
11
mythic_rabbitmq RabbitMQ 127.0.0.1 5672 true
12
​
13
Mythic Main Services:
14
NAME STATE STATUS PORTS
15
mythic_server running Up 15 hours 17443/tcp -> 127.0.0.1:17443, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7007, 7008, 7009, 7010
16
mythic_graphql running Up 15 hours 8080/tcp -> 127.0.0.1:8080
17
mythic_redis running Up 15 hours 6379/tcp -> 127.0.0.1:6379
18
mythic_rabbitmq running Up 15 hours 5672/tcp -> 127.0.0.1:5672
19
mythic_nginx running Up 15 hours 7443
20
mythic_documentation running Up 15 hours 8090/tcp -> 127.0.0.1:8090
21
mythic_postgres running Up 15 hours 5432/tcp -> 127.0.0.1:5432
22
​
23
Payload Type Services:
24
NAME STATE STATUS PORTS
25
apfell running Up 20 Seconds
26
poseidon running Up 15 hours
27
atlas running Up 15 hours
28
​
29
C2 Profile Services:
30
NAME STATE STATUS PORTS
31
http running Up 15 hours
32
​
33
[*] RabbitMQ is currently listening on localhost. If you have a remote PayloadType or C2Profile, they will be unable to connect
34
Use 'sudo ./mythic-cli config set rabbitmq_bind_localhost_only false' and restart mythic ('sudo ./mythic-cli mythic start') to change this
35
[*] If you are using a remote PayloadType or C2Profile, they will need certain environment variables to properly connect to Mythic.
36
Use 'sudo ./mythic-cli payload config' or 'sudo ./mythic-cli c2 config' for easy-to-use configs for these services.
37
​
Copied!
- To check the logs of any container, run
sudo ./mythic-cli logs [container_name]. For example, to see the output of our stopped container, runsudo ./mythic-cli logs mythic_server. This will help track down if the last thing that happened was an error of some kind. - If all of that looks ok, but something still seems off, it's time to check the browser.
- If you're seeing "Session Expired, Please Refresh", "Socket errored, please refresh", or "Socket closed, please refresh", then there's an issue with your websocket connections.
- First open up the developer tools for your browser and see if there are any errors that might indicate what's wrong. If there's no error though, check the network tab to see if there are any 404 errors.
- If that's not the case, make sure you've selected a current operation (more on this in the Quick Usage section). Mythic uses websockets that pull information about your current operation to provide data. If you're not currently in an active operation (indicated at the top of your screen in big letters), then Mythic cannot provide you any data.
Container Sizes
Mythic starts every service (web server, database, each payload type, each C2 profile, rabbitmq, documentation) in its own Docker container. As much as possible, these containers leverage common image bases to reduce size, but due to the nature of so many components, there's going to be a decent footprint. For consideration, here's the Docker footprint for a fresh install of Mythic:
1
[email protected]:$ sudo docker system df
2
TYPE TOTAL ACTIVE SIZE RECLAIMABLE
3
Images 32 32 14.8GB 6.726GB (45%)
4
Containers 115 11 77.25MB 75.87MB (98%)
5
Local Volumes 13 2 498B 254B (51%)
6
Build Cache 0 0 0B 0B
7
[email protected]:$ sudo docker system df -v
8
Images space usage:
9
​
10
REPOSITORY TAG IMAGE ID CREATED SIZE SHARED SIZE UNIQUE SIZE CONTAINERS
11
poseidon latest cdff4b42515d 15 hours ago 3.596GB 3.01GB 585.7MB 1
12
apfell latest 819f500ce428 15 hours ago 907.2MB 883.6MB 23.66MB 1
13
atlas latest f9572f0dcc1b 5 days ago 1.756GB 1.755GB 340.7kB 1
14
<none> <none> 1d40ecbbfc93 5 days ago 1.86GB 1.755GB 105MB 0
15
nginx 1.21.4-alpine b46db85084b8 2 weeks ago 23.2MB 0B 23.2MB 1
16
<none> <none> c0f1b5c143b6 4 weeks ago 906.7MB 883.6MB 23.1MB 0
17
itsafeaturemythic/csharp_payload 0.0.15 9c5714ea8fb7 2 months ago 1.755GB 1.755GB 0B 0
18
<none> <none> b21ae223893a 2 months ago 3.874GB 3.01GB 863.9MB 0
19
<none> <none> 42aab0c8184c 2 months ago 896.2MB 883.3MB 12.92MB 0
20
<none> <none> 15156ebb5053 2 months ago 895MB 883.3MB 11.71MB 0
21
mythic_redis latest 591750eea2dc 3 months ago 32.31MB 5.595MB 26.71MB 1
22
mythic_postgres latest fa532a7c8577 3 months ago 159.5MB 0B 159.5MB 1
23
mythic_documentation latest 22da9cd2b72a 3 months ago 52.09MB 0B 52.09MB 1
24
mythic_rabbitmq latest 4168ba9e4515 3 months ago 133.3MB 133.2MB 51.65kB 1
25
<none> <none> 6af270349f2b 3 months ago 52.91MB 5.595MB 47.31MB 0
26
<none> <none> 79749b04f4ba 3 months ago 51.61MB 42.66MB 8.951MB 0
27
<none> <none> ac67ed6876f8 3 months ago 42.66MB 42.66MB 37B 0
28
<none> <none> 903fd92735ca 3 months ago 42.66MB 42.66MB 45B 0
29
<none> <none> 33bb9b5d0d90 3 months ago 133.2MB 133.2MB 0B 0
30
tcp latest b86f777d70df 4 months ago 961MB 883.3MB 77.72MB 1
31
<none> <none> 01354badf9e3 4 months ago 942.9MB 883.3MB 59.63MB 0
32
mythic_graphql latest 0d81f467f1f3 4 months ago 424.4MB 0B 424.4MB 1
33
<none> <none> 7494ffd16bba 4 months ago 112.1MB 0B 112.1MB 0
34
<none> <none> efc50622e6f4 5 months ago 895MB 883.3MB 11.7MB 0
35
itsafeaturemythic/xgolang_payload 0.0.11 034e97930122 5 months ago 3.584GB 0B 3.584GB 0
36
<none> <none> ff958fe8d254 5 months ago 883.3MB 883.3MB 220B 0
37
itsafeaturemythic/python38_payload 0.0.5 1f1f9958d570 5 months ago 895MB 883.3MB 11.7MB 0
38
<none> <none> e9ef6bc79ef5 5 months ago 1.732GB 0B 1.732GB 0
39
<none> <none> 56a1d05bdbb9 6 months ago 895MB 895MB 11.58kB 0
40
itsafeaturemythic/python38_payload 0.0.4 b1cd2e331850 6 months ago 895MB 895MB 0B 0
41
mythic_server latest 43e62f4de2ba 7 months ago 995.6MB 883.3MB 112.3MB 1
42
python 3.8.5-alpine3.12 0f03316d4a27 15 months ago 42.66MB 42.66MB 0B 0
43
​
44
Containers space usage:
45
​
46
CONTAINER ID IMAGE COMMAND LOCAL VOLUMES SIZE CREATED STATUS NAMES
47
169c508098f1 apfell "/Mythic/mythic/payl…" 0 0B 3 hours ago Up 3 hours mythic_apfell_1
48
6dbaa8bc973e mythic_server "/bin/bash /Mythic/s…" 0 101kB 15 hours ago Up 15 hours mythic_server
49
1460793cf421 mythic_graphql "docker-entrypoint.s…" 0 801kB 15 hours ago Up 15 hours mythic_graphql
50
709046591b17 mythic_redis "docker-entrypoint.s…" 1 0B 15 hours ago Up 15 hours mythic_redis
51
0d339efc65fa mythic_rabbitmq "docker-entrypoint.s…" 0 768B 15 hours ago Up 15 hours mythic_rabbitmq
52
3b9547a85efa poseidon "/Mythic/mythic/payl…" 0 0B 15 hours ago Up 15 hours mythic_poseidon_1
53
2ad1e781c0df atlas "/Mythic/mythic/payl…" 0 0B 15 hours ago Up 15 hours mythic_atlas_1
54
55e465a87b50 b86f777d70df "/Mythic/mythic/c2_s…" 0 473kB 15 hours ago Up 15 hours mythic_http_1
55
53b26b7ef246 b46db85084b8 "/docker-entrypoint.…" 0 2B 15 hours ago Up 15 hours mythic_nginx
56
ff0c9f8b5175 mythic_documentation "hugo server -p 8090" 0 0B 15 hours ago Up 15 hours mythic_documentation
57
fbe7cd466887 mythic_postgres "docker-entrypoint.s…" 0 63B 15 hours ago Up 15 hours mythic_postgres
58
​
59
Local Volumes space usage:
60
​
61
VOLUME NAME LINKS SIZE
62
fd69883c79fe52f5108558f84b8989943b47406ac96de68c555ac7cbebb1a66b 0 0B
63
57f0091f43fe689767fb6aba2ff22ea3299067c931142e4e7b818dcfd4e6e3b9 1 244B
64
0cd941f7e6b4b25ab1e13f1d575f2f1caaacb4664eaa9d6c404ad2347554a7fb 0 0B
65
cfaacc90b7b34bdce1ed35481cab48540e6f58fd948b4bc59c5a18ecd87e00c9 0 0B
66
473660a24b907ce4194806b0584c236964d2b0fe0e8690057d470eaee8fcbe97 0 0B
67
780ee9b1d726ac35d5ef0d2ff19f155d0e2bff437f522d6fbe984499a27c6202 0 0B
68
9c870d0f01bcbc303eb6fbf4a5a1e1bdd2c70854c02c737bb0542c5f56c0c040 0 0B
69
9de90d6f8308c2cc9c19043373b4f9f45d000b7ecea8b3682df224e8f9a79ada 0 0B
70
d0776a4a8e535a9d35f444413be020d51f0cdfd473c773c5127b5d31d95bdb61 0 0B
71
documentation-docker 0 166B
72
1bdf5e715217e03b9e10e33b7c7e55e1ddb8898c9da53da5fc42b72c77e05ea3 0 0B
73
1c181b8dbadf04787e4e3faeab9b7a863d3c78a462068e9165ce4da258c31564 0 0B
74
mythic 0 88B
75
​
76
Build cache usage: 0B
Copied!
If you want to save space or if you know you're not going to be using a specific container, add that C2 profile or Payload Type name to the appropriate
exclude list in the config.json specified above. That indicates to Mythic to not even build or start that container.Last modified 5mo ago