
options.yaml

Purpose/Function

The options file is intended to provide the attack module options, targets, and any metadata required by the Hive.

You will receive an options.yaml after registering and creating your user in the Hive platform.

Sections

Global Variables

global_variables:

This option is used to define global variables referenced in the options file using ##VARNAME##. For example:

global_variables:
  targeturl: 'https://www.darksidesecurity.io'

This can be referenced using:

modules:
  whatweb-template:
    module: whatweb
    target: '##TARGETURL##'

Please note the case: the variable name is UPPERCASE where it is used (##TARGETURL##) and lowercase where it is defined under global_variables (targeturl).

Configuration

The configuration section tells Aphids whether to act in online or offline mode. Online mode utilizes the Hive platform, while offline mode writes the output to the working directory when using aphids-cli. These are properties of:

configuration:
  online: enabled
  scan_group: Default-UUIDHERE
  team: users
  network: public
  engagements:
    - Hive Engagement 1
  • online: enabled - [REQUIRED] - Your 2 options are enabled or disabled
  • network: public - [REQUIRED] - Used for specifying whether this is scanning the public net or a private network. Private networks should be named to prevent collisions. For example if you scan 10.10.10.21 on 2 different networks, in order to prevent collision between the 2 data points, the network should be specified. Standard nomenclature can be applied such as domain.local.
  • scan_group: Default-NameHere - [OPTIONAL] - This is for grouping the individual scan modules for tracking purposes in the Hive platform.
  • team: users - [OPTIONAL] - Used for specifying a team on a multiuser license.
  • engagements: List of engagements by name - this will link the scan to an engagement.
engagements:
    - My Test Engagement

Modules

The most important part of the options file. This defines the scan template name or arbitrary name, the scan module to be used, and the options to be applied for arguments and target. An example that can be used here is the whatweb scan:

modules:
  whatweb-some-template-name:
    module: 'whatweb'
    target: 'https://www.darksidesecurity.io'
    args:
      - '-a'
      - '3'

Above is a great example of where you could substitute ##TARGETURL## for the target value of https://www.darksidesecurity.io if it is defined in the global_variables section.

The required arguments here at the top level are:

  • An arbitrary name. Literally this can be anything; we prefer to use the toolname-templatename from the generator.
  • In the example we used whatweb-some-template-name

The children to the name are:

  • module: 'nmap' - [REQUIRED] - The module name is required and must match one of the supported modules. See Module List for more details.
  • target: 'sometarget' - [REQUIRED] - This varies per module, may be target_tld or target_url or just target and is entirely module dependent. See the full options file sample for each supported module.
  • args: ['-Pn', '-sV', '-A'] - [REQUIRED - Sometimes] - Some applications have required arguments such as -a 3 for whatweb and should not be modified. Arguments are considered supplementary and should only be added if the user is aware of how the arguments affect the operation of the tool.
  • parse_only: false - [OPTIONAL] - This is ONLY used when choosing to run in parse mode. For instance, you ran a scan in offline mode and want to later parse and push the results to the Hive platform.
  • filename: filename_to_be_parsed.someoutput - [OPTIONAL] - Only used in conjunction with parse_only: true and is used to provide the filename in the current working directory to be parsed.

Example Options

Please see the example options file that contains the majority of the currently supported tools when last published.

configuration:
  online: enabled
  network: public
modules:
  whatweb-default-03658566:
    module: whatweb
    args:
      - -a
      - "3"
    target: https://www.darksidesecurity.io
  nmap-default-381f0841:
    module: nmap
    args:
      - -A
      - -sV
      - -T4
      - -Pn
      - -p21,22,23,25,443,80,8080,8443,8000,9000,6000
    target: www.darksidesecurity.io
  zap2-default-8484a852:
    module: zap2
    args: []
    target_url: https://www.darksidesecurity.io
    quickscan: "true"
  nuclei-default-f6a19353:
    module: nuclei
    args: []
    target_url: https://www.darksidesecurity.io
  gobuster-dir-default-686dfd7d:
    module: gobuster
    args:
      - -k
    type: dir
    target: https://www.darksidesecurity.io
  amass-dns-default-21ddc389:
    module: amass
    args:
      - -passive
    tld: darksidesecurity.io
  nikto-web-default-148f479d:
    module: nikto
    args: []
    target: https://www.darksidesecurity.io
  wapiti-default-00682cda:
    module: wapiti
    args: []
    target: https://www.darksidesecurity.io

Note: For offline mode, change the configuration to:

 configuration:
   online: disabled

Ran it in offline mode (due to network restrictions or opsec?) and want to upload? No worries. Rerun in online mode and override the options: re-use your existing options file and add the following under each module:

  parse_only: true
  filename: relative/path/from/working/directory.json

An example:

  nmap-default-381f0841:
    module: nmap
    args:
      - -A
      - -sV
      - -T4
      - -Pn
      - -p21,22,23,25,443,80,8080,8443,8000,9000,6000
    target: www.darksidesecurity.io
    parse_only: true
    filename: aphids-nmap-output-0000000000.xml

For extra precaution you can always comment out the args and target properties. The module property is required.
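
A pre-flight check for the rules described on this page (##VARNAME## references, the required configuration and module keys, and the parse_only/filename pairing), as an added example that is not part of Aphids or the Hive. It assumes the file has already been loaded into a dict by a YAML loader and that ##NAME## resolves to the lowercase key in global_variables; rejecting a filename that is absolute or contains `..` is an extra check added here, and `lint_options` and `SAMPLE` are hypothetical names.

```python
import re
from pathlib import PurePosixPath
VAR_REF = re.compile(r"##([A-Za-z0-9_]+)##")
TARGET_KEYS = ("target", "target_url", "target_tld", "tld")  # key names seen on this page

def lint_options(opts):
    """Return a list of problems in a parsed options.yaml (dict from a YAML loader)."""
    problems = []
    variables = opts.get("global_variables") or {}
    def check_refs(value, where):
        # Assumption: ##NAME## resolves to the lowercase key in global_variables.
        for ref in VAR_REF.findall(str(value)):
            if ref.lower() not in variables:
                problems.append(f"{where}: undefined variable ##{ref}##")

    cfg = opts.get("configuration") or {}
    if cfg.get("online") not in ("enabled", "disabled"):
        problems.append("configuration.online: must be enabled or disabled")
    if not cfg.get("network"):
        problems.append("configuration.network: required")

    for name, mod in (opts.get("modules") or {}).items():
        if not mod.get("module"):
            problems.append(f"{name}: module is required")
        parse_only = mod.get("parse_only") is True
        targets = [mod[k] for k in TARGET_KEYS if k in mod]
        if not targets and not parse_only:
            problems.append(f"{name}: no target key set")
        for value in targets + list(mod.get("args") or []):
            check_refs(value, name)
        filename = mod.get("filename")
        if parse_only != bool(filename):
            problems.append(f"{name}: parse_only: true and filename go together")
        if filename:
            path = PurePosixPath(filename)
            if path.is_absolute() or ".." in path.parts:
                problems.append(f"{name}: filename leaves the working directory")
    return problems

# Constructed sample: the dict a YAML loader would return for a small options file.
SAMPLE = {
    "global_variables": {"targeturl": "https://www.darksidesecurity.io"},
    "configuration": {"online": "enabled", "network": "public"},
    "modules": {
        "whatweb-template": {"module": "whatweb", "target": "##TARGETURL##", "args": ["-a", "3"]},
        "nmap-upload": {"module": "nmap", "parse_only": True, "filename": "../nmap.xml"},
        "nikto-web": {"module": "nikto", "target": "##TARGETHOST##"},
    },
}
```

Running `lint_options(SAMPLE)` reports the `..` path on `nmap-upload` and the undefined `##TARGETHOST##` on `nikto-web`, and nothing for `whatweb-template`.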