Greetings, fellow pen testers and red teamers! Today, I’m excited to delve into an exceptional tool that you’re going to love: the Mythic Post-Exploitation Framework. Mythic is an open-source framework designed to give you an edge in your penetration testing and red team engagements. It’s powerful, flexible, and packed with features that make it easier than ever to achieve your objectives in the target environment.

In this comprehensive article, I’ll introduce you to the inner workings of Mythic, its architecture, and its components. I’ll also walk you through some practical examples of how to use Mythic effectively in real-world scenarios. So, let’s get started!

Overview of Mythic

Mythic is a post-exploitation framework that aims to simplify and enhance the way red teamers and pen testers perform their tasks. It provides an extensible platform with numerous modules, agents, and C2 profiles that facilitate a wide range of attacks, lateral movement, and data exfiltration. One of the key strengths of Mythic is its modular architecture, which allows for easy customization and integration with other tools.

Developed by the illustrious Cody Thomas (@itsa_feature), Mythic has quickly become a go-to resource for security professionals around the globe. Its open-source nature allows for rapid development and adoption of new features, making it an ever-evolving asset in the cyber warfare arsenal.

Setting up Mythic

To get started with Mythic, you’ll need to clone the repository from GitHub:

git clone https://github.com/MythicAgents/Mythic.git

Once you’ve cloned the repository, navigate to the Mythic directory and run the following command to start the setup process:

./install.sh

The setup script will install the necessary dependencies, configure the environment, and prompt you to create an admin user account for the Mythic web interface. Once the installation is complete, you can start Mythic by running:

sudo ./mythic-cli mythic:start

You should now be able to access the Mythic web interface by navigating to https://localhost in your browser. Remember to use HTTPS, as Mythic enforces secure connections.

Understanding Mythic’s Architecture

Mythic’s architecture consists of four main components: agents, payloads, C2 profiles, and the Mythic server. Let’s take a closer look at each of these components.

Agents

Agents are the heart and soul of Mythic’s post-exploitation capabilities. They are the programs running on the target systems, which communicate with the Mythic server to receive commands and send back results. Mythic supports multiple agents, written in various languages such as Python, JavaScript, and Golang. This flexibility allows you to choose the most suitable agent for your target environment and objectives.

Some of the popular agents included with Mythic are:

  • Apollo: A powerful agent built on .NET Core, designed for Windows environments.
  • Poseidon: A Python3-based agent, great for Linux and macOS systems.
  • Sliver: A Golang agent known for its versatility and stealth.

Payloads

Payloads are the delivery mechanisms for deploying agents onto target systems. Mythic offers a variety of payload types to help you find the perfect fit for your engagement. Each payload is specifically designed to work with a particular agent and can be customized to suit your needs. Some common payload types include:

  • Executable files (.exe, .dll, .dylib)
  • Scripting files (Python, JavaScript, PowerShell)
  • Office macros
  • Web shells

Mythic also provides a simple interface to create and manage payloads, allowing you to easily configure options such as encryption, stagers, and execution techniques.

C2 Profiles

Command and Control (C2) profiles dictate how agents communicate with the Mythic server. By customizing your C2 profiles, you can make your agents more resilient to detection and better adapt to various network environments. Mythic offers several built-in C2 profiles, such as HTTP, DNS, and WebSocket. Additionally, you can create your own custom C2 profiles to tailor your agents’ communication patterns.

Mythic Server

The Mythic server acts as the central hub for managing your agents, payloads, and C2 profiles. It provides a web-based interface that allows you to interact with your agents, create and deploy payloads, and configure C2 profiles. The server also handles encryption, decryption, and routing of messages between agents and the operator.

Creating and Managing Agents

To create a new agent, navigate to the “Agents” tab in the Mythic web interface. Click on the “Create” button to open the agent creation wizard. You’ll be prompted to choose an agent type, a C2 profile, and any additional options specific to the chosen agent.

For example, let’s create a new Poseidon agent with an HTTP C2 profile:

  1. In the agent creation wizard, select “Poseidon” as the agent type.
  2. Choose “HTTP” as the C2 profile.
  3. Configure any additional options, such as “User Agent” and “Sleep Interval.”
  4. Click “Create” to generate the agent.

Once your agent is created, you can manage it from the “Agents” tab. You’ll see a list of active agents, their current status, and the last time they checked in with the server. You can also interact with individual agents by clicking on their respective entries. This will open a new window where you can issue commands, view command history, and access agent-specific features.

Crafting and Deploying Payloads

Creating a payload in Mythic is a straightforward process. Navigate to the “Payloads” tab and click the “Create” button. This will open the payload creation wizard, where you can choose the agent type, payload type, and configure payload-specific options.

Let’s create a payload for our Poseidon agent:

  1. In the payload creation wizard, select “Poseidon” as the agent type.
  2. Choose your desired payload type (e.g., Python script).
  3. Select the C2 profile you want to use (e.g., HTTP).
  4. Configure any additional payload options, such as encryption, stagers, or execution techniques.
  5. Click “Create” to generate the payload.

Once your payload is created, you can download it and deploy it to the target system using your preferred method. This could include phishing emails, USB drops, or exploiting known vulnerabilities.

Designing Custom C2 Profiles

Mythic allows you to create custom C2 profiles to further tailor your agents’ communication patterns. To create a new C2 profile, navigate to the “C2 Profiles” tab and click the “Create” button. You’ll need to provide a name for your C2 profile and configure its settings.

For example, let’s create a custom HTTP C2 profile with a unique User Agent and a specific URL path for communications:

  1. In the C2 profile creation wizard, provide a name for your profile (e.g., “Custom_HTTP”).
  2. Choose “HTTP” as the base C2 profile.
  3. Configure the settings specific to the HTTP profile, such as:
    • “User Agent”: Set a custom User Agent string to masquerade as a legitimate browser or application.
    • “URL Path”: Specify a unique URL path for agent-server communications to avoid detection.
    • “HTTP Method”: Choose the HTTP method (GET, POST, PUT, DELETE) for sending and receiving data.
    • “Jitter”: Set the jitter value to randomize the interval between check-ins, making the agent’s network behavior less predictable.
  4. Click “Create” to generate the custom C2 profile.

You can now use this custom C2 profile when creating new agents and payloads.
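Seen from the blue team, the “Sleep Interval” and “Jitter” settings above still leave a measurable trace: jitter spreads the check-in gaps out, but they stay clustered around the configured sleep time, so repeated requests from one client to one URL path with one User Agent have a small spread relative to their mean. The following Python is an added example, not part of the original post and not Mythic code; it parses constructed proxy log lines (the log format, hostnames, addresses and the 0.3 coefficient-of-variation threshold are assumptions) and flags the series whose timing looks like a jittered beacon while leaving ordinary browsing alone.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real traffic): 10.0.0.5 checks in every ~60 s with
# +/-20 % jitter; 10.0.0.7 is ordinary, irregular browsing of the same host.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 POST example.test/api/v1/data "Mozilla/5.0 (Windows NT 10.0)"
2024-05-01T10:00:10 10.0.0.7 GET example.test/index.html "Mozilla/5.0 (X11; Linux x86_64)"
2024-05-01T10:00:13 10.0.0.7 GET example.test/index.html "Mozilla/5.0 (X11; Linux x86_64)"
2024-05-01T10:01:05 10.0.0.5 POST example.test/api/v1/data "Mozilla/5.0 (Windows NT 10.0)"
2024-05-01T10:01:57 10.0.0.5 POST example.test/api/v1/data "Mozilla/5.0 (Windows NT 10.0)"
2024-05-01T10:03:07 10.0.0.5 POST example.test/api/v1/data "Mozilla/5.0 (Windows NT 10.0)"
2024-05-01T10:04:05 10.0.0.5 POST example.test/api/v1/data "Mozilla/5.0 (Windows NT 10.0)"
2024-05-01T10:05:00 10.0.0.5 POST example.test/api/v1/data "Mozilla/5.0 (Windows NT 10.0)"
2024-05-01T10:06:53 10.0.0.7 GET example.test/index.html "Mozilla/5.0 (X11; Linux x86_64)"
2024-05-01T10:07:05 10.0.0.7 GET example.test/index.html "Mozilla/5.0 (X11; Linux x86_64)"
"""
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) ([^/\s]+)(/\S*) "([^"]*)"$')


def expected_interval_bounds(sleep_seconds, jitter_percent):
    """Gap range a sleep/jitter setting yields, e.g. 60 s and 20 % -> (48.0, 72.0)."""
    return (sleep_seconds * (100 - jitter_percent) / 100,
            sleep_seconds * (100 + jitter_percent) / 100)


def find_beacons(log_text, min_hits=4, max_cv=0.3):
    """Flag (client, URL, User-Agent) series whose request gaps are too regular."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        ts, src, _method, host, path, ua = m.groups()
        series[(src, host + path, ua)].append(datetime.fromisoformat(ts))
    findings = []
    for (src, url, ua), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Jitter widens the gaps but keeps them clustered around the sleep time: small stdev/mean.
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "url": url, "user_agent": ua, "hits": len(times),
                             "mean_interval": mean, "cv": cv})
    return sorted(findings, key=lambda f: f["cv"])
```

On the constructed log, only the 10.0.0.5 series is reported, with a mean gap of 60 s that sits inside the 48 to 72 s window a 60 s sleep with 20 % jitter produces.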

The Art of Post-Exploitation with Mythic

Once you have your agents deployed and communicating with the Mythic server, it’s time to unleash the full power of post-exploitation. Mythic offers a wide range of modules and commands to help you achieve your objectives in the target environment. Some of the post-exploitation capabilities include:

  • Privilege escalation
  • Lateral movement
  • Data exfiltration
  • Command execution
  • Keylogging
  • Persistence

Mythic’s modular design allows you to easily add new modules and expand its capabilities. You can also leverage third-party modules or create your own to meet the unique requirements of your engagements.

Real-World Examples

Now that you have a solid understanding of Mythic’s architecture and features, let’s walk through a few real-world examples of how you can use Mythic effectively in your engagements.

Gaining Initial Access with Office Macros

For this example, let’s assume you have successfully phished a target and tricked them into opening a malicious Office document containing a macro payload. The macro payload executes and downloads a Poseidon agent, which then establishes a connection with the Mythic server.

Privilege Escalation and Lateral Movement

With the Poseidon agent running on the target system, you can now use Mythic to search for privilege escalation opportunities. You can use built-in modules to check for common misconfigurations, unpatched vulnerabilities, or weak credentials. Once you’ve gained elevated privileges, you can use the agent to perform lateral movement across the network, compromise additional systems, and expand your foothold.

Data Exfiltration and Persistence

Once you’ve achieved your objectives on the target systems, you can use Mythic to exfiltrate any valuable data. You can choose from various exfiltration techniques, such as over the C2 channel, DNS, or even steganography. Additionally, you can set up persistence mechanisms to maintain access to the target environment, should your agents be discovered and removed.

Conclusion

Mythic is an exceptional tool that offers a wealth of post-exploitation capabilities to red teamers and pen testers. Its modular architecture, customizability, and ease of use make it an indispensable asset in today’s ever-evolving cyber landscape. With Mythic in your arsenal, you’ll be well-equipped to tackle even the most challenging engagements and effectively demonstrate the risks your clients face.

So, go forth and unleash the power of Mythic in your next engagement. Happy hacking!