Key Concepts¶
Understanding these core concepts will help you use Hive effectively.
Platform Concepts¶
Assets¶
Assets are the building blocks of your attack surface. They represent any discoverable component of your digital infrastructure.
Asset Types¶
| Asset Type | Description | Examples |
|---|---|---|
| URL | Web addresses | https://example.com/login |
| Site | Web applications | example.com |
| Host | Server or device | web-server-01.example.com |
| Port | Network service endpoint | 443/tcp on 192.168.1.1 |
| IP Address | Network identifier | 192.168.1.1, 2001:db8::1 |
| DNS Record | Domain name mapping | A, AAAA, CNAME, MX records |
| Application | Software/service | Apache 2.4.41, OpenSSH 8.2 |
| Metadata | Additional information | Headers, certificates, banners |
Asset Relationships¶
Assets are connected through relationships:
graph LR
DNS[DNS Record] --> IP[IP Address]
IP --> Host[Host]
Host --> Port[Port]
Port --> App[Application]
App --> URL[URL]
URL --> Site[Site]
Organizations¶
Organizations represent entities you're testing - typically clients or business units.
Use Cases: - Separate client data - Organize internal vs. external testing - Manage multiple business units
Example:
Organization: Acme Corporation
├── Campaign: Q1 2024 Security Assessment
│ ├── Engagement: External Web Application Test
│ └── Engagement: Internal Network Assessment
└── Campaign: Continuous Monitoring
└── Engagement: Monthly Vulnerability Scans
Campaigns¶
Campaigns are high-level security initiatives or projects within an organization.
Characteristics: - Time-bound (start and end dates) - Contain multiple engagements - Track overall objectives - Generate consolidated reports
Example Campaigns: - Annual Penetration Test - Quarterly Security Assessment - Compliance Audit (SOC 2, PCI-DSS) - Red Team Exercise
Engagements¶
Engagements are specific security testing activities within a campaign.
Types: - Penetration Test: Time-boxed security assessment - Red Team: Adversary simulation - Vulnerability Assessment: Automated scanning - Bug Bounty: Ongoing testing program - Compliance Audit: Regulatory requirement testing
Engagement Scope: - Defines what's in scope for testing - Sets rules of engagement - Establishes testing boundaries - Documents authorization
Attack Platform Concepts¶
Modules¶
Modules are individual security testing tools integrated into Hive.
Categories: - Network Scanning: Nmap, Masscan - Web Testing: Nikto, Wapiti, ZAP - Subdomain Enumeration: Amass, Sublist3r - Vulnerability Scanning: Nuclei, Nessus - Exploitation: Metasploit, SQLMap - Information Gathering: WhatWeb, Shodan
Module Properties: - Name: Tool identifier - Version: Tool version - Arguments: Configurable parameters - Output Format: JSON, XML, text - Dependencies: Required tools or libraries
Options¶
Options are configurable parameters for modules.
Option Types: - String: Text input (e.g., target URL) - Integer: Numeric input (e.g., port number) - Boolean: True/false flag (e.g., enable verbose mode) - List: Multiple values (e.g., port list) - File: File path input
Example:
module: nmap
options:
- name: target
type: string
value: "192.168.1.0/24"
- name: ports
type: string
value: "1-1000"
- name: scan_type
type: string
value: "syn"
Runbooks¶
Runbooks are pre-configured sequences of modules designed for specific testing scenarios.
Characteristics: - Ordered module execution - Pre-configured options - Reusable across engagements - Shareable with team
Common Runbooks: - Web Application Scan: Subdomain enum → Port scan → Web testing - Network Discovery: Host discovery → Port scan → Service enumeration - SSL/TLS Analysis: Certificate check → Configuration test → Vulnerability scan
Runbook Structure:
runbook:
name: "Web Application Security Scan"
description: "Comprehensive web app testing"
modules:
- module: amass
order: 1
- module: nmap
order: 2
- module: nikto
order: 3
- module: wapiti
order: 4
Attack Trees¶
Attack Trees are complex, multi-stage attack scenarios with conditional logic.
Features: - Branching Logic: Different paths based on results - Conditional Execution: Run modules based on findings - Parallel Execution: Run multiple modules simultaneously - Scope Management: Automatic scope filtering
Use Cases: - Red team operations - Advanced penetration testing - Automated exploitation chains - Adaptive testing scenarios
Example:
Attack Tree: Web Application Compromise
├── Stage 1: Reconnaissance
│ ├── Subdomain Enumeration
│ └── Port Scanning
├── Stage 2: Vulnerability Discovery
│ ├── If web server found → Web scanning
│ └── If database port found → Database testing
└── Stage 3: Exploitation
└── If vulnerabilities found → Exploitation modules
Scan Executions¶
Scan Executions represent running or completed security tests.
States: - Pending: Queued for execution - Running: Currently executing - Completed: Finished successfully - Failed: Encountered errors - Cancelled: Manually stopped
Execution Properties: - ID: Unique identifier - Status: Current state - Progress: Percentage complete - Start Time: When execution began - End Time: When execution completed - Results: Discovered assets and findings
Intelligence Concepts¶
Vulnerabilities¶
Vulnerabilities are security weaknesses discovered during testing.
Severity Levels: - Critical: Immediate exploitation risk (CVSS 9.0-10.0) - High: Significant security risk (CVSS 7.0-8.9) - Medium: Moderate security risk (CVSS 4.0-6.9) - Low: Minor security risk (CVSS 0.1-3.9) - Informational: No direct security risk (CVSS 0.0)
Vulnerability Properties: - CVE ID: Common Vulnerabilities and Exposures identifier - CVSS Score: Numerical risk rating - CWE ID: Common Weakness Enumeration - Description: What the vulnerability is - Impact: Potential consequences - Remediation: How to fix it - References: Additional information
Findings¶
Findings are security issues or observations discovered during testing.
Finding Types: - Vulnerability: Exploitable weakness - Misconfiguration: Insecure settings - Information Disclosure: Leaked sensitive data - Best Practice Violation: Security guideline violation - Observation: Notable but not necessarily vulnerable
Finding Components: - Title: Brief description - Description: Detailed explanation - Evidence: Proof of finding (requests, responses, screenshots) - Affected Assets: Which assets are impacted - Risk Rating: Severity assessment - Remediation: Fix recommendations
Reports¶
Reports are formatted documents summarizing security testing results.
Report Types: - Executive Summary: High-level overview for management - Technical Report: Detailed findings for technical teams - Compliance Report: Regulatory requirement documentation - Trend Report: Changes over time
Report Sections: - Executive Summary: Key findings and recommendations - Methodology: Testing approach - Scope: What was tested - Findings: Detailed vulnerability descriptions - Risk Analysis: Overall security posture - Remediation: Prioritized fix recommendations - Appendices: Technical details, evidence
APHIDS CLI Concepts¶
Online Mode¶
Online Mode connects APHIDS CLI to the Hive platform for orchestration and data synchronization.
Features: - Retrieve runbooks and attack trees from Hive - Sync results to Hive in real-time - Associate scans with engagements - Centralized configuration management
Usage:
aphids-cli \
--api-key YOUR_API_KEY \
--api-url https://api.hive.darksidesecurity.io \
--runbook RUNBOOK_ID \
--target-url https://example.com \
--engagement ENGAGEMENT_ID
Offline Mode¶
Offline Mode runs APHIDS CLI without Hive platform connectivity.
Features: - Local configuration files - No internet required (after container pull) - Standalone operation - Manual result management
Usage:
Configuration Files¶
options.yaml¶
Defines what to scan and how:
version: "1.0"
scan:
name: "My Scan"
description: "Description"
modules:
- name: "nmap"
enabled: true
args:
target: "192.168.1.0/24"
ports: "1-1000"
config.yaml¶
Defines Hive platform connection:
hive:
api_url: "https://api.hive.darksidesecurity.io"
ws_url: "wss://api.hive.darksidesecurity.io"
api_key: "YOUR_API_KEY"
engagement:
id: "ENGAGEMENT_ID"
Docker Container¶
APHIDS Core is the Docker container that executes security testing modules.
Benefits: - Isolation: Scans run in isolated environment - Consistency: Same tools and versions every time - Portability: Run anywhere Docker runs - Security: Contained execution limits risk - Updates: Easy to update with new container versions
Container Contents: - Security testing tools (Nmap, Nikto, etc.) - Python runtime and dependencies - APHIDS Core execution engine - Output parsers and formatters
Workflow Concepts¶
Scope¶
Scope defines what's authorized for testing.
Scope Types: - In Scope: Authorized targets - Out of Scope: Prohibited targets - Conditional: Requires approval
Scope Formats:
- IP addresses: 192.168.1.1
- IP ranges: 192.168.1.0/24
- Domains: example.com
- Wildcards: *.example.com
- URLs: https://example.com/*
Authorization¶
Authorization is explicit permission to conduct security testing.
Required Documentation: - Signed authorization letter - Scope definition - Rules of engagement - Emergency contacts - Testing windows
Legal Requirement
Never conduct security testing without explicit written authorization. Unauthorized testing is illegal and unethical.
Rules of Engagement (RoE)¶
Rules of Engagement define how testing should be conducted.
Common Rules: - Testing hours (e.g., business hours only) - Prohibited actions (e.g., no DoS attacks) - Communication protocols - Escalation procedures - Data handling requirements
Best Practices¶
Asset Management¶
- Regular Discovery: Run scans regularly to discover new assets
- Relationship Mapping: Understand how assets connect
- Tagging: Use tags to organize assets
- Lifecycle Tracking: Monitor asset changes over time
Testing Strategy¶
- Start Broad: Begin with reconnaissance
- Focus Deep: Dive deep into interesting findings
- Document Everything: Record all findings and evidence
- Validate Results: Confirm findings before reporting
- Prioritize Remediation: Focus on high-impact issues
Security¶
- Least Privilege: Use minimum required permissions
- Secure Storage: Encrypt sensitive data
- Access Control: Limit who can access what
- Audit Logging: Track all actions
- Regular Updates: Keep tools and platform updated
Collaboration¶
- Share Knowledge: Document findings for team
- Standardize Processes: Use consistent methodologies
- Communicate Clearly: Keep stakeholders informed
- Review Together: Peer review findings
- Learn Continuously: Share lessons learned
Glossary¶
| Term | Definition |
|---|---|
| ASM | Attack Surface Management |
| CVSS | Common Vulnerability Scoring System |
| CVE | Common Vulnerabilities and Exposures |
| CWE | Common Weakness Enumeration |
| OSINT | Open Source Intelligence |
| RoE | Rules of Engagement |
| TTPs | Tactics, Techniques, and Procedures |
| IoC | Indicator of Compromise |
| SIEM | Security Information and Event Management |
Next Steps¶
Now that you understand the key concepts:
- Quick Start Guide - Put concepts into practice
- Architecture Overview - Understand system design
- Hive Platform Guide - Explore platform features
- APHIDS CLI Guide - Master the command-line tool
Ready to start testing?