Installation

Get the code

Pull the code from the official GitHub repository:

$ git clone https://github.com/its-a-feature/Mythic

This is made to work with Docker and docker-compose, so they both need to be installed. If Docker is not installed on your Ubuntu machine, you can use the ./install_docker_ubuntu.sh script to install it for you. If you're running on Debian, use ./install_docker_debian.sh instead.

Mythic must be installed on Linux. While macOS supports Docker and docker-compose, macOS doesn't handle the shared host networking that Mythic relies on. You can still access the browser interface from any OS, but the Mythic instance itself must be installed on Linux.

Configure your installation

/Mythic/mythic-docker/config.json contains all of the pieces for you to configure for accessing your operator web UI:

{
  "mythic_admin_user": "mythic_admin",
  "mythic_admin_password": "mythic_password",
  "default_operation_name": "Operation Chimera",
  "listen_port": 7443,
  "ssl_cert_path": "./app/ssl/mythic-cert.pem",
  "ssl_key_path": "./app/ssl/mythic-ssl.key",
  "allowed_ip_blocks": ["0.0.0.0/0"],
  "use_ssl": true,
  "server_header": "nginx 1.2",
  "web_log_size": 1024000,
  "web_keep_logs": true,
  "siem_log_name": "",
  "excluded_c2_profiles": [ ],
  "excluded_payload_types": [ ],
  "start_documentation_container": true,
  "documentation_container_port": 8080
}

A few important notes here. listen_port is the port opened on the server where you're running Mythic. allowed_ip_blocks lets you restrict which addresses can reach the login and register pages of Mythic. excluded_c2_profiles and excluded_payload_types allow you to exclude certain docker containers from starting. This is helpful if you know you're not going to use certain payload types or C2 profiles and want to cut down on time/space requirements.

The above configuration does NOT affect the port or SSL information related to your agents or callback information. It's strictly for your operator web UI.

The mythic_server connects to the database via a password specified in Mythic/.env. This password is passed into both the mythic_server and mythic_postgres services via environment variables via docker-compose. This value starts off as POSTGRES_PASSWORD=super_secret_mythic_user_password; however, on first start, Mythic replaces this value with a random 30 character value.

When the mythic_postgres database starts for the first time, it goes through an initialization step where it uses the password from Mythic/.env to create the mythic_user user. Once the database exists, the mythic_postgres container no longer uses that value; however, the password must remain in the Mythic/.env file so that the mythic_server container can connect to the database.
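The two settings above that most affect who can reach the operator UI are allowed_ip_blocks and the admin password, and the .env file tells you whether Mythic has been through its first start (the postgres password is still the initial one until then). The following is an added example, not part of Mythic itself: a small Python audit script that loads a config.json and a .env in the shape shown on this page, reports the settings a reviewer would flag before exposing the instance, and answers whether a given client address would be admitted by allowed_ip_blocks. The sample config and .env contents are constructed inline from the values quoted above.

```python
import ipaddress
import json

# Constructed sample config.json mirroring the keys documented on this page.
SAMPLE_CONFIG = """{
  "mythic_admin_user": "mythic_admin",
  "mythic_admin_password": "mythic_password",
  "default_operation_name": "Operation Chimera",
  "listen_port": 7443,
  "ssl_cert_path": "./app/ssl/mythic-cert.pem",
  "ssl_key_path": "./app/ssl/mythic-ssl.key",
  "allowed_ip_blocks": ["0.0.0.0/0"],
  "use_ssl": true,
  "server_header": "nginx 1.2",
  "web_log_size": 1024000,
  "web_keep_logs": true,
  "siem_log_name": "",
  "excluded_c2_profiles": [],
  "excluded_payload_types": [],
  "start_documentation_container": true,
  "documentation_container_port": 8080
}"""

# Constructed sample .env holding the initial value quoted on this page.
SAMPLE_ENV = "POSTGRES_PASSWORD=super_secret_mythic_user_password\n"

DEFAULT_ADMIN_PASSWORD = "mythic_password"
DEFAULT_POSTGRES_PASSWORD = "super_secret_mythic_user_password"


def audit_config(config_text: str, env_text: str) -> list:
    """Return a list of findings (strings) for a config.json + .env pair."""
    cfg = json.loads(config_text)
    findings = []

    if cfg.get("mythic_admin_password") == DEFAULT_ADMIN_PASSWORD:
        findings.append("admin password is the documented default")

    blocks = [ipaddress.ip_network(b, strict=False)
              for b in cfg.get("allowed_ip_blocks", [])]
    if any(b.prefixlen == 0 for b in blocks):
        findings.append("allowed_ip_blocks admits every address (0.0.0.0/0)")

    if not cfg.get("use_ssl", False):
        findings.append("use_ssl is false: operator UI traffic is unencrypted")

    if not cfg.get("siem_log_name"):
        findings.append("siem_log_name is empty: SIEM logging is disabled")

    # .env is KEY=VALUE per line; split on the first '=' only.
    env = dict(line.split("=", 1) for line in env_text.splitlines() if "=" in line)
    if env.get("POSTGRES_PASSWORD") == DEFAULT_POSTGRES_PASSWORD:
        findings.append(".env still holds the initial POSTGRES_PASSWORD "
                        "(Mythic has not completed a first start yet)")

    return findings


def ip_allowed(config_text: str, client_ip: str) -> bool:
    """Would this client IP be admitted to the login/register pages?"""
    cfg = json.loads(config_text)
    addr = ipaddress.ip_address(client_ip)
    # Membership across IP versions is simply False, so a v6 client is
    # rejected by a v4-only block list rather than raising.
    return any(addr in ipaddress.ip_network(b, strict=False)
               for b in cfg["allowed_ip_blocks"])


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, SAMPLE_ENV):
        print("finding:", finding)
    print("10.0.0.5 allowed:", ip_allowed(SAMPLE_CONFIG, "10.0.0.5"))
```

To run it against a real install, read /Mythic/mythic-docker/config.json and Mythic/.env into the two strings instead of the constructed samples; the checks themselves do not change.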

Logging

The web_log_size and web_keep_logs settings refer only to keeping web logs (i.e. web traffic hitting Mythic). If you want to enable SIEM-based logging, set siem_log_name to anything but an empty string. Mythic will create that file if it doesn't exist and log to it. The following things are logged currently:

file_upload (file staged on mythic as part of tasking with the intent to get sent to the agent)
file_manual_upload (file staged on mythic as part of a user manually hosting it)
file_screenshot (file is a screenshot from the agent)
file_download (file is downloaded from agent to mythic)
artifact_new (new artifact created - think IOC)
eventlog_new (new eventlog message)
eventlog_modified (eventlog was modified, like resolving an issue or changing their message)
payload_new (new payload created)
task_mitre_attack (a task was associated with a new mitre attack technique)
task_new (a new task was created)
task_completed (a task completed)
task_comment (somebody added/removed/edited a comment on a task)
credential_new (a new credential was added to the store)
credential_modified (a credential was modified)
response_new (a new response for the user to see)
keylog_new (a new keylog entry)
callback_new (new callback registered)

Mythic does SIEM-based logging as JSON data where each entry is as follows:

{"timestamp": "UTC Timestring", "mythic_object": "one of the values from above", "message": JSON of the actual message in question}
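Because each SIEM entry is one JSON object per line with a fixed outer shape, it is easy to consume with a few lines of code. The following is an added example, not part of Mythic: a Python reader that parses a siem_log_name file, tallies entries by mythic_object, flags object names outside the list above, and pulls out the categories a defender would usually route to a higher-priority queue (credential and file-download events here). The sample lines are constructed for illustration; only the outer keys follow the documented format, and the inner "message" contents are invented, not Mythic's real schema.

```python
import json
from collections import Counter

# Constructed sample SIEM lines. Outer keys follow the documented entry format;
# the inner "message" objects are made up for this example.
SAMPLE_SIEM_LOG = "\n".join([
    '{"timestamp": "2020-10-01T12:00:00Z", "mythic_object": "callback_new", "message": {"id": 1, "host": "WS01"}}',
    '{"timestamp": "2020-10-01T12:00:05Z", "mythic_object": "task_new", "message": {"id": 10, "command": "ls"}}',
    '{"timestamp": "2020-10-01T12:00:09Z", "mythic_object": "task_completed", "message": {"id": 10}}',
    '{"timestamp": "2020-10-01T12:01:00Z", "mythic_object": "credential_new", "message": {"id": 3, "account": "svc_backup"}}',
    'not json at all',
    '{"timestamp": "2020-10-01T12:02:00Z", "mythic_object": "file_download", "message": {"id": 7, "filename": "notes.txt"}}',
])

# The mythic_object values listed on this page.
KNOWN_OBJECTS = {
    "file_upload", "file_manual_upload", "file_screenshot", "file_download",
    "artifact_new", "eventlog_new", "eventlog_modified", "payload_new",
    "task_mitre_attack", "task_new", "task_completed", "task_comment",
    "credential_new", "credential_modified", "response_new", "keylog_new",
    "callback_new",
}


def parse_siem_log(text: str):
    """Return ([(timestamp, mythic_object, message), ...], malformed_count).

    Malformed lines are counted and skipped rather than aborting the read;
    a log file may be appended to while it is being tailed.
    """
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
            records.append((entry["timestamp"], entry["mythic_object"], entry["message"]))
        except (ValueError, KeyError, TypeError):
            bad += 1
    return records, bad


def summarize(text: str) -> dict:
    """Count entries per mythic_object and report names not documented above."""
    records, bad = parse_siem_log(text)
    counts = Counter(obj for _, obj, _ in records)
    return {
        "counts": dict(counts),
        "malformed": bad,
        "unknown_objects": sorted(set(counts) - KNOWN_OBJECTS),
    }


def select(text: str, objects) -> list:
    """Return the entries whose mythic_object is in the given set of names."""
    wanted = set(objects)
    records, _ = parse_siem_log(text)
    return [(ts, obj, msg) for ts, obj, msg in records if obj in wanted]


if __name__ == "__main__":
    print(summarize(SAMPLE_SIEM_LOG))
    for ts, obj, msg in select(SAMPLE_SIEM_LOG, ["credential_new", "file_download"]):
        print(ts, obj, msg)
```

Reading the real file is a matter of passing open(siem_log_name).read() (or tailing it line by line) in place of the constructed sample.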

To start Mythic, simply run sudo ./start_mythic.sh.

Start Mythic

If you came here right from the previous section, your Mythic instance should already be up and running. Check out the next section to confirm that's the case. If at any time you wish to stop Mythic, simply run sudo ./stop_mythic.sh, and if you want to start it again run sudo ./start_mythic.sh. If Mythic is currently running and you need to make a change, you can run sudo ./start_mythic.sh again without any issue; that script will automatically stop everything and then restart it.

Troubleshooting installation and connection

If something seems off, here's a few places to check:

  • Run sudo ./status_check.sh to give a status update on all of the docker containers. They should all be up and running. If one is exited or has only been up for less than 30 seconds, that container might be your issue.

    • Your output will be similar to the following. Notice how the mythic_server docker container shows a status of Exited? That looks like an issue.

Core mythic services:  mythic_server, mythic_postgres, mythic_rabbitmq
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
544a64a93894        mythic_rabbitmq     "/init.sh"               3 days ago          Up 3 days                               mythic_rabbitmq
ed9d07847839        mythic_postgres     "docker-entrypoint.s…"   3 days ago          Up 3 days                               mythic_postgres
a79cec76ee88        mythic_server       "./wait-for-postgres…"   4 weeks ago         Exited (1) 30 (seconds) ago                mythic_server

C2_Profile endpoints
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
d19a3424fc39        http                "/Mythic_service/c2_…"   3 days ago          Up 3 days                               http
bb8cca7066d7        dynamichttp         "/Mythic_service/c2_…"   3 days ago          Up 3 days                               dynamichttp
0ada364906dc        chrome-server       "/Mythic_service/c2_…"   3 days ago          Up 3 days                               chrome-server

Payload Type Endpoints
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
5d9c4f84eb7d        poseidon            "/Mythic_service/pay…"   3 days ago          Up 3 days                               poseidon
587bc657206f        serviceexe          "/Mythic_service/pay…"   3 days ago          Up 3 days                               serviceexe

  • To check the logs of any container, run sudo ./display_output.sh [container_name]. For example, to see the output of our stopped container, run sudo ./display_output.sh mythic_server. This will help track down if the last thing that happened was an error of some kind.

    • If you don't supply any container names, the script will iterate through all of the containers and dump their output to a file called display_output.txt that you can then grep or browse through.

  • If all of that looks ok, but something still seems off, it's time to check the browser.

    • If you're seeing "Session Expired, Please Refresh", "Socked errored, please refresh", or "Socket closed, please refresh", then there's an issue with your websocket connections.

    • First open up the developer tools for your browser and see if there are any errors that might indicate what's wrong. If there's no error though, check the network tab to see if there are any 404 errors.

    • If that's not the case, make sure you've selected a current operation (more on this in the Quick Usage section). Apfell uses websockets that pull information about your current operation to provide data. If you're not currently in an active operation (indicated at the top of your screen in big letters), then Apfell cannot provide you any data.
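The status_check.sh rule above ("exited, or up for less than 30 seconds") can be applied automatically, which is handy when several containers are involved or the check runs from a cron job. The following is an added example, not one of Mythic's scripts: a Python parser for the docker-ps-style tables that status_check.sh prints, which returns the containers matching that rule. The sample input reuses the rows shown above (including the Exited mythic_server row as printed) plus one constructed row for a "websocket" container that has only been up for 12 seconds.

```python
import re

# Rows start with a 12-hex-character container id; section titles and
# column headers do not.
ROW_RE = re.compile(r"^[0-9a-f]{12}\s")

# Sample status_check.sh output: the rows above, plus one constructed
# row (id 1a2b3c4d5e6f, "websocket") that has just restarted.
SAMPLE_STATUS = """Core mythic services:  mythic_server, mythic_postgres, mythic_rabbitmq
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
544a64a93894        mythic_rabbitmq     "/init.sh"               3 days ago          Up 3 days                               mythic_rabbitmq
ed9d07847839        mythic_postgres     "docker-entrypoint.s…"   3 days ago          Up 3 days                               mythic_postgres
a79cec76ee88        mythic_server       "./wait-for-postgres…"   4 weeks ago         Exited (1) 30 (seconds) ago                mythic_server

C2_Profile endpoints
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
d19a3424fc39        http                "/Mythic_service/c2_…"   3 days ago          Up 3 days                               http
1a2b3c4d5e6f        websocket           "/Mythic_service/c2_…"   2 minutes ago       Up 12 seconds                           websocket
"""


def parse_status_output(text: str) -> list:
    """Parse docker-ps-style rows into dicts.

    Columns are separated by two or more spaces. PORTS may be empty, so
    STATUS is taken by position from the left and NAMES from the right.
    """
    rows = []
    for line in text.splitlines():
        if not ROW_RE.match(line):
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 6:
            continue  # truncated or unexpected row; skip rather than guess
        rows.append({"id": fields[0], "image": fields[1],
                     "status": fields[4], "name": fields[-1]})
    return rows


def is_suspect(status: str) -> bool:
    """The page's rule: not running, or running for under 30 seconds."""
    if not status.startswith("Up"):
        return True  # Exited, Restarting, Created, ...
    if "Less than a second" in status:
        return True
    # Matches both "Up 12 seconds" and the "(seconds)" form printed above.
    m = re.search(r"(\d+)\s+\(?second", status)
    return m is not None and int(m.group(1)) < 30


def find_suspect_containers(text: str) -> list:
    """Return (name, status) for every container worth a closer look."""
    return [(r["name"], r["status"])
            for r in parse_status_output(text) if is_suspect(r["status"])]


if __name__ == "__main__":
    for name, status in find_suspect_containers(SAMPLE_STATUS):
        print(f"check {name}: {status}")
```

Piping the real output in (sudo ./status_check.sh | python3 this_script.py, with a sys.stdin.read() in place of SAMPLE_STATUS) gives the list of containers whose logs to pull with display_output.sh.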

Container Sizes

Mythic starts every service (web server, database, each payload type, each C2 profile, rabbitmq, documentation) in its own Docker container. As much as possible, these containers leverage common image bases to reduce size, but with so many components there's going to be a decent footprint. For reference, here's the Docker footprint for a fresh install of Mythic:

its-a-feature@ubuntu:$ sudo docker system df
TYPE                TOTAL               ACTIVE              SIZE                RECLAIMABLE
Images              15                  10                  8.274GB             6.266GB (75%)
Containers          12                  12                  2.992MB             0B (0%)
Local Volumes       1                   0                   166B                166B (100%)
Build Cache         0                   0                   0B                  0B
its-a-feature@ubuntu:$ sudo docker system df -v
Images space usage:

REPOSITORY                             TAG                 IMAGE ID            CREATED             SIZE                SHARED SIZE         UNIQUE SIZE         CONTAINERS
mythic_documentation                   latest              297df1e2f151        12 minutes ago      48.01MB             48MB                166B                1
poseidon                               latest              2ba62d144c91        12 minutes ago      3.508GB             3.482GB             26.85MB             1
leviathan                              latest              9ca4e9803436        14 minutes ago      1.021GB             922.7MB             98.47MB             1
dynamichttp                            latest              7a17ef432456        16 minutes ago      738.7MB             711.2MB             27.43MB             2
apfell_mythic                          latest              1c7d1ce07f67        16 minutes ago      939.2MB             702.7MB             236.5MB             1
apfell_rabbitmq                        latest              f47d738256c3        17 minutes ago      148.8MB             148.8MB             2.414kB             1
apfell_postgres                        latest              66c45a1c2200        17 minutes ago      250.7MB             250.7MB             20.88kB             1
itsafeaturemythic/xgolang_payload      0.0.5               5ae6a5e9c5e5        8 days ago          3.482GB             3.482GB             0B                  0
klakegg/hugo                           latest              1af18a30400a        3 weeks ago         48MB                48MB                0B                  0
itsafeaturemythic/python36_c2profile   0.0.2               bb950bf20d86        8 weeks ago         711.2MB             711.2MB             0B                  1
itsafeaturemythic/python36_payload     0.0.5               3507a2c336a7        2 months ago        922.7MB             922.7MB             0B                  1
itsafeaturemythic/csharp_payload       0.0.5               4345127d1907        2 months ago        1.619GB             0B                  1.619GB             2
postgres                               9.4                 ed5a45034282        6 months ago        250.7MB             250.7MB             0B                  0
python                                 3.6-jessie          890456b21ed5        13 months ago       702.7MB             702.7MB             0B                  0
rabbitmq                               3.7.6-management    500d74765467        2 years ago         148.8MB             148.8MB             0B                  0

Containers space usage:

CONTAINER ID        IMAGE                  COMMAND                  LOCAL VOLUMES       SIZE                CREATED             STATUS              NAMES
50b9b40d826d        mythic_documentation   "hugo server"            0                   0B                  12 minutes ago      Up 12 minutes       documentation
27c9c16a2920        servicewrapper         "/Mythic_service/pay…"   0                   0B                  12 minutes ago      Up 12 minutes       servicewrapper
4bffb5f83a08        poseidon               "/Mythic_service/pay…"   0                   0B                  12 minutes ago      Up 12 minutes       poseidon
d8841127ed15        leviathan              "/Mythic_service/pay…"   0                   478kB               14 minutes ago      Up 14 minutes       leviathan
f4f1d6a2c1fb        atlas                  "/Mythic_service/pay…"   0                   0B                  14 minutes ago      Up 14 minutes       atlas
e3363eec0c23        apfell                 "/Mythic_service/pay…"   0                   478kB               15 minutes ago      Up 15 minutes       apfell
a66f3c5acf31        websocket              "/Mythic_service/c2_…"   0                   505kB               16 minutes ago      Up 16 minutes       websocket
e340ed52df59        http                   "/Mythic_service/c2_…"   0                   533kB               16 minutes ago      Up 16 minutes       http
aa73e22acf9b        dynamichttp            "/Mythic_service/c2_…"   0                   505kB               16 minutes ago      Up 16 minutes       dynamichttp
6ce00c1e4811        apfell_mythic          "./wait-for-postgres…"   0                   493kB               16 minutes ago      Up 16 minutes       mythic_server
1c6416ebfeae        apfell_postgres        "docker-entrypoint.s…"   0                   63B                 16 minutes ago      Up 16 minutes       mythic_postgres
2c6f41370dd9        apfell_rabbitmq        "/init.sh"               0                   144B                16 minutes ago      Up 16 minutes       mythic_rabbitmq

Local Volumes space usage:

VOLUME NAME            LINKS               SIZE
documentation-docker   0                   166B

Build cache usage: 0B

CACHE ID            CACHE TYPE          SIZE                CREATED             LAST USED           USAGE               SHARED

If you want to save space, or if you know you're not going to be using a specific container, add that C2 profile or Payload Type name to the appropriate exclude list in the config.json described above. That tells Mythic not to build or start that container at all.
