Mythic Documentation
Search…
Version 2.2
Common Questions and Answers
Updating
Installation
Get the code
Pull the code from the official GitHub repository:
1
$ git clone https://github.com/its-a-feature/Mythic
Copied!
This is made to work with docker and docker-compose, so they both need to be installed. If docker is not installed on your ubuntu machine, you can use the
./install_docker_ubuntu.sh script to install it for you.
If you're running on debian, use the ./install_docker_debian.sh instead.Mythic must be installed on Linux. While macOS supports Docker and Docker-Compose, macOS doesn't handle the shared host networking that Mythic relies on. You can still access the Browser interface from any OS, but the Mythic instance must be installed on Linux
Configure your installation
Mythic configuration is all done via
Mythic/.env, which means for your configuration you can either add/edit values there or add them to your environment. Mythic/.env doesn't exist by default. You can either let Mythic create it for you when you run
sudo ./mythic-cli mythic start for the first time or you can create it ahead of time with just the variables you want to configureIf you need to run
mythic-cli as root for Docker and you set your environment variables as a user, be sure to run sudo -E ./mythic-cli so that your environment variables are carried over into your sudo call. The following are the default values that Mythic will generate on first execution of sudo ./mythic-cli mythic start unless overridden:1
ALLOWED_IP_BLOCKS = 0.0.0.0/0
2
COMPOSE_PROJECT_NAME = mythic
3
DEFAULT_OPERATION_NAME = Operation Chimera
4
DOCUMENTATION_HOST = 127.0.0.1
5
DOCUMENTATION_PORT = 8090
6
EXCLUDED_C2_PROFILES =
7
EXCLUDED_PAYLOAD_TYPES =
8
HASURA_HOST = 127.0.0.1
9
HASURA_PORT = 8080
10
HASURA_SECRET = (random 30 char password)
11
JWT_SECRET = (random 30 char password)
12
MYTHIC_ADMIN_PASSWORD = mythic_password
13
MYTHIC_ADMIN_USER = mythic_admin
14
MYTHIC_DEBUG = false
15
MYTHIC_SERVER_HOST = 127.0.0.1
16
MYTHIC_SERVER_PORT = 17443
17
NGINX_PORT = 7443
18
POSTGRES_DB = mythic_db
19
POSTGRES_HOST = 127.0.0.1
20
POSTGRES_PASSWORD = (random 30 char password)
21
POSTGRES_PORT = 5432
22
POSTGRES_USER = mythic_user
23
RABBITMQ_HOST = 127.0.0.1
24
RABBITMQ_PASSWORD = (random 30 char password)
25
RABBITMQ_PORT = 5672
26
RABBITMQ_USER = mythic_user
27
RABBITMQ_VHOST = mythic_vhost
28
REDIS_PORT = 6379
29
SERVER_HEADER = nginx 1.2
30
SIEM_LOG_NAME =
31
WEB_KEEP_LOGS = false
32
WEB_LOG_SIZE = 1024000
Copied!
A few important notes here:
MYTHIC_SERVER_PORTwill be the port opened on the server where you're running Mythic. TheNGINX_PORTis the one that's opened by Nginx and acts as a reverse proxy to all other services. TheNGINX_PORTis the one you'll connect to for your web user interface and should be the only port you need to expose externally (unless you prefer to SSH port forward your web UI port).- The
allowed_ip_blocksallow you to restrict access to theloginpage of Mythic. This should be set as a series of netblocks with NO host bits set - i.e.127.0.0.0/16,192.168.10.0/24,10.0.0.0/8 excluded_c2_profilesandexcluded_payload_typesallows you to exclude certain docker containers from starting. This is helpful if you know you're not going to use certain payload types or c2 profiles and want to cut down on time/space requirements. These are both just a comma-separated series of agent/c2 names like:apfell,atlasorhttp,dynamichttp.
The above configuration does NOT affect the port or SSL information related to your agents or callback information. It's strictly for your operator web UI.
When the
mythic_server container starts for the first time, it goes through an initialization step where it uses the password and username from Mythic/.env to create the mythic_admin_user user. Once the database exists, the mythic_server container no longer uses that value.mythic-cli
The
mythic-cli binary is used to start/stop/configure/install components of Mythic. You can see the help menu at any time with mythic-cli -h, mythic-cli --help or mythic-cli help. 1
mythic-cli usage ( v 0.0.5 ):
2
*************************************************************
3
*** source code: https://github.com/MythicMeta/Mythic_CLI ***
4
*************************************************************
5
help
6
mythic {start|stop} [service name...]
7
c2 {start|stop|add|remove|list} [c2profile ...]
8
The add/remove subcommands adjust the docker-compose file, not manipulate files on disk
9
to manipulate files on disk, use 'install' and 'uninstall' commands
10
payload {start|stop|add|remove|list} [payloadtype ...]
11
The add/remove subcommands adjust the docker-compose file, not manipulate files on disk
12
to manipulate files on disk, use 'install' and 'uninstall' commands
13
config
14
*no parameters will dump the entire config*
15
get [varname ...]
16
set <var name> <var value>
17
database reset
18
install
19
github <url> [branch name] [-f]
20
folder <path to folder> [-f]
21
-f forces the removal of the currently installed version and overwrites with the new, otherwise will prompt you
22
* this command will manipulate files on disk and update docker-compose
23
uninstall {name}
24
(this command removes the payload or c2 profile from disk and updates docker-compose)
25
status
26
logs <container name>
27
version
Copied!
Installing Agents / C2 Profiles
By default, Mythic does not come with any Payload Types (agents) or C2 Profiles. This is for a variety of reasons, but one of the big ones being time/space requirements - all Payload Types and C2 Profiles have their own Docker containers, and as such, collectively they could eat up a lot of space on disk. Additionally, having them split out into separate repositories makes it much easier to keep them updated.
To install a Payload Type or C2 Profile, use the
mythic-cli binary with:1
sudo ./mythic-cli install github <url>
Copied!
If you have an agent already installed, but want to update it, you can do the same command again. If you supply a
-f at the end, then Mythic will automatically overwrite the current version that's installed, otherwise you'll be prompted for each piece.You won't be able to create any payloads within Mythic until you have at least one Agent and a matching C2 Profile installed
Agent / C2 Container Version out of Sync
If you've installed an agent or c2 profile and Mythic is complaining about the version being out of bounds, this is typically a really easy fix. This means that the Mythic server version and the agent/c2 profile versions are out of sync. Mythic will give you a warning and say something like:
Agent version 5 is not supported. Agent version must be between 7 and 9. You can look here to see which Docker images or PyPi packages you should be using for your version of Mythic.Logging
The
web_log_size and web_keep_logs refers only to keeping web logs (i.e. web traffic hitting Mythic). If you're wanting to enable SIEM-based logging, set the siem_log_name to anything but an empty string. Mythic will create that file if it doesn't exist, and log to that file. The following things are logged currently:1
file_upload (file staged on mythic as part of tasking with the intent to get sent to the agent)
2
file_manual_upload (file staged on mythic as part of a user manually hosting it)
3
file_screenshot (file is a screenshot from the agent)
4
file_download (file is downloaded from agent to mythic)
5
artifact_new (new artifact created - think IOC)
6
eventlog_new (new eventlog message)
7
eventlog_modified (eventlog was modified, like resolving an issue or changing their message)
8
payload_new (new payload created)
9
task_mitre_attack (a task was associated with a new mitre attack technique)
10
task_new (a new task was created)
11
task_completed (a task completed)
12
task_comment (somebody added/removed/edited a comment on a task)
13
credential_new (a new credential was added to the store)
14
credential_modified (a credential was modified)
15
response_new (a new response for the user to see)
16
keylog_new (a new keylog entry)
17
callback_new (new callback registered)
Copied!
Mythic does SIEM-based logging as JSON data where each entry is as follows:
{"timestamp": "UTC Timestring", "mythic_object": "one of the values from above", "message": JSON of the actual message in question}To start Mythic, simply run
sudo ./mythic-cli mythic start.Start Mythic
If you came here right from the previous section, your Mythic instance should already be up and running. Check out the next section to confirm that's the case. If at any time you wish to stop Mythic, simply run
sudo ./mythic-cli mythic stop and if you want to start it again run sudo ./mythic-cli mythic start. If Mythic is currently running and you need to make a change, you can run sudo ./mythic-cli mythic start again without any issue, that command will automatically stop things and then restart them.The default username is
mythic_admin, but that user's password is randomly generated when Mythic is started for the first time. You can find this random value in the Mythic/.env file. Once Mythic has started at least once, this value is no longer needed, so you can edit or remove this entry from the Mythic/.env file. Mythic starts with NO C2 Profiles or Agents pre-installed. Due to size issues and the growing number of agents, this isn't feasible. Instead. use the
./mythic-cli install github <url> [branch] [-f] command to install an agent from a GitHub (or GitLab) repository. Troubleshooting installation and connection
If something seems off, here's a few places to check:
- Run
sudo ./mythic-cli statusto give a status update on all of the docker containers. They should all be up and running. If one is exited or has only been up for less than 30 seconds, that container might be your issue.- Your output will be similar to the following. Notice how the
mythic_serverdocker container shows a status ofExited? That looks like an issue
1
Core mythic services: mythic_server, mythic_postgres, mythic_rabbitmq
2
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3
544a64a93894 mythic_rabbitmq "/init.sh" 3 days ago Up 3 days mythic_rabbitmq
4
ed9d07847839 mythic_postgres "docker-entrypoint.s…" 3 days ago Up 3 days mythic_postgres
5
a79cec76ee88 mythic_server "./wait-for-postgres…" 4 weeks ago Exited (1) 30 (seconds) ago mythic_server
6
​
7
C2_Profile endpoints
8
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9
d19a3424fc39 http "/Mythic_service/c2_…" 3 days ago Up 3 days http
10
bb8cca7066d7 dynamichttp "/Mythic_service/c2_…" 3 days ago Up 3 days dynamichttp
11
0ada364906dc chrome-server "/Mythic_service/c2_…" 3 days ago Up 3 days chrome-server
12
​
13
Payload Type Endpoints
14
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
15
5d9c4f84eb7d poseidon "/Mythic_service/pay…" 3 days ago Up 3 days poseidon
16
587bc657206f serviceexe "/Mythic_service/pay…" 3 days ago Up 3 days serviceexe
Copied!
- To check the logs of any container, run
sudo ./mythic-cli logs [container_name]. For example, to see the output of our stopped container, runsudo ./mythic-cli logs mythic_server. This will help track down if the last thing that happened was an error of some kind. - If all of that looks ok, but something still seems off, it's time to check the browser.
- If you're seeing "Session Expired, Please Refresh", "Socket errored, please refresh", or "Socket closed, please refresh", then there's an issue with your websocket connections.
- First open up the developer tools for your browser and see if there are any errors that might indicate what's wrong. If there's no error though, check the network tab to see if there are any 404 errors.
- If that's not the case, make sure you've selected a current operation (more on this in the Quick Usage section). Mythic uses websockets that pull information about your current operation to provide data. If you're not currently in an active operation (indicated at the top of your screen in big letters), then Mythic cannot provide you any data.
Container Sizes
Mythic starts every service (web server, database, each payload type, each C2 profile, rabbitmq, documentation) in its own Docker container. As much as possible, these containers leverage common image bases to reduce size, but due to the nature of so many components, there's going to be a decent footprint. For consideration, here's the Docker footprint for a fresh install of Mythic:
1
[email protected]:$ sudo docker system df
2
TYPE TOTAL ACTIVE SIZE RECLAIMABLE
3
Images 15 10 8.274GB 6.266GB (75%)
4
Containers 12 12 2.992MB 0B (0%)
5
Local Volumes 1 0 166B 166B (100%)
6
Build Cache 0 0 0B 0B
7
[email protected]:$ sudo docker system df -v
8
Images space usage:
9
​
10
REPOSITORY TAG IMAGE ID CREATED SIZE SHARED SIZE UNIQUE SIZE CONTAINERS
11
mythic_documentation latest 297df1e2f151 12 minutes ago 48.01MB 48MB 166B 1
12
poseidon latest 2ba62d144c91 12 minutes ago 3.508GB 3.482GB 26.85MB 1
13
leviathan latest 9ca4e9803436 14 minutes ago 1.021GB 922.7MB 98.47MB 1
14
dynamichttp latest 7a17ef432456 16 minutes ago 738.7MB 711.2MB 27.43MB 2
15
apfell_mythic latest 1c7d1ce07f67 16 minutes ago 939.2MB 702.7MB 236.5MB 1
16
apfell_rabbitmq latest f47d738256c3 17 minutes ago 148.8MB 148.8MB 2.414kB 1
17
apfell_postgres latest 66c45a1c2200 17 minutes ago 250.7MB 250.7MB 20.88kB 1
18
itsafeaturemythic/xgolang_payload 0.0.5 5ae6a5e9c5e5 8 days ago 3.482GB 3.482GB 0B 0
19
klakegg/hugo latest 1af18a30400a 3 weeks ago 48MB 48MB 0B 0
20
itsafeaturemythic/python36_c2profile 0.0.2 bb950bf20d86 8 weeks ago 711.2MB 711.2MB 0B 1
21
itsafeaturemythic/python36_payload 0.0.5 3507a2c336a7 2 months ago 922.7MB 922.7MB 0B 1
22
itsafeaturemythic/csharp_payload 0.0.5 4345127d1907 2 months ago 1.619GB 0B 1.619GB 2
23
postgres 9.4 ed5a45034282 6 months ago 250.7MB 250.7MB 0B 0
24
python 3.6-jessie 890456b21ed5 13 months ago 702.7MB 702.7MB 0B 0
25
rabbitmq 3.7.6-management 500d74765467 2 years ago 148.8MB 148.8MB 0B 0
26
​
27
Containers space usage:
28
​
29
CONTAINER ID IMAGE COMMAND LOCAL VOLUMES SIZE CREATED STATUS NAMES
30
50b9b40d826d mythic_documentation "hugo server" 0 0B 12 minutes ago Up 12 minutes documentation
31
27c9c16a2920 servicewrapper "/Mythic_service/pay…" 0 0B 12 minutes ago Up 12 minutes servicewrapper
32
4bffb5f83a08 poseidon "/Mythic_service/pay…" 0 0B 12 minutes ago Up 12 minutes poseidon
33
d8841127ed15 leviathan "/Mythic_service/pay…" 0 478kB 14 minutes ago Up 14 minutes leviathan
34
f4f1d6a2c1fb atlas "/Mythic_service/pay…" 0 0B 14 minutes ago Up 14 minutes atlas
35
e3363eec0c23 apfell "/Mythic_service/pay…" 0 478kB 15 minutes ago Up 15 minutes apfell
36
a66f3c5acf31 websocket "/Mythic_service/c2_…" 0 505kB 16 minutes ago Up 16 minutes websocket
37
e340ed52df59 http "/Mythic_service/c2_…" 0 533kB 16 minutes ago Up 16 minutes http
38
aa73e22acf9b dynamichttp "/Mythic_service/c2_…" 0 505kB 16 minutes ago Up 16 minutes dynamichttp
39
6ce00c1e4811 apfell_mythic "./wait-for-postgres…" 0 493kB 16 minutes ago Up 16 minutes mythic_server
40
1c6416ebfeae apfell_postgres "docker-entrypoint.s…" 0 63B 16 minutes ago Up 16 minutes mythic_postgres
41
2c6f41370dd9 apfell_rabbitmq "/init.sh" 0 144B 16 minutes ago Up 16 minutes mythic_rabbitmq
42
​
43
Local Volumes space usage:
44
​
45
VOLUME NAME LINKS SIZE
46
documentation-docker 0 166B
47
​
48
Build cache usage: 0B
49
​
50
CACHE ID CACHE TYPE SIZE CREATED LAST USED USAGE SHARED
Copied!
If you want to save space or if you know you're not going to be using a specific container, add that C2 profile or Payload Type name to the appropriate
exclude list in the config.json specified above. That indicates to Mythic to not even build or start that container.Last modified 3mo ago