Ability to return multiple outputs per app
peterclemenko opened this issue · 4 comments
The ability to return different data as different pipes, which can then be used as input, would be useful for workflow automation. I.e., you can get an IP from an nmap scan and use that as RHost in MSF in the same workflow. I know you have the ability to do output as input; however, I'm referring to the ability to have multiple outputs based on the data involved.
This can be accomplished by using multiple transforms directly connected to the desired action.
For example, if you have an action named "foo" that returns the following JSON:
    {
      "a": 1,
      "b": 2
    }
You can connect foo directly to two transforms as:
    # In transform_1
    result = foo.result.get("a")
transform_1 result is 1
    # In transform_2
    result = foo.result.get("b")
transform_2 result is 2
Transforms use asteval to evaluate a limited subset of Python and are intended for things like pulling values out of larger objects, key remapping, list operations, etc.
The results of all the transform's immediate predecessors are provided as node_label.result (if Node Label has uppercase characters or spaces, it will be normalized to lowercase with underscores). You then assign the final desired value to result, which will be the value that the transform node returns.
We're hoping to add a more friendly UI for this at some point as well as bundle preset transforms with apps, but we haven't gotten around to it. I also realize this could result in an inordinate number of transforms if you wanted to pull out a lot of different keys, for example. I have a few ideas to handle that but they'll need to wait until we implement type checking for action outputs first.
Can you send multiple transforms like that to/from the same actions? I.e., if I have a single action that does an nmap scan, and the next action launches an exploit, can I tie them together with that method?
Yeah, let's just say the exploit action has three parameters for hosts, OSes, and open ports. You could extract each of those individually with a transform (one for list of hosts, one for list of OSes, etc.) after the nmap scan.
Then those three transforms can point to the exploit action, and the exploit action's parameters can reference the respective transforms using the "Action Output" parameter type.
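The three-transform fan-out described above, as an added example that is not part of the original thread or the project's own code. The "Nmap Scan" label, the shape of the scan JSON, the normalize_label rule and the use of exec in place of asteval are assumptions made for this illustration.

```python
from types import SimpleNamespace

# Constructed sample: JSON that a hypothetical "Nmap Scan" action might return.
SCAN_RESULT = {"hosts": [
    {"ip": "192.0.2.10", "os": "Linux",
     "ports": [{"port": 22, "state": "open"}, {"port": 80, "state": "open"}]},
    {"ip": "192.0.2.20", "os": "Windows",
     "ports": [{"port": 445, "state": "open"}, {"port": 3389, "state": "closed"}]},
    {"ip": "192.0.2.30", "ports": []},  # no OS detected, no open ports
]}

# One transform body per parameter of the downstream action; each assigns `result`.
TRANSFORMS = {
    "hosts": 'result = [h["ip"] for h in nmap_scan.result.get("hosts", [])]',
    "oses": 'result = [h.get("os") for h in nmap_scan.result.get("hosts", [])]',
    "ports": ('result = [p["port"] for h in nmap_scan.result.get("hosts", []) '
              'for p in h.get("ports", []) if p["state"] == "open"]'),
}


def normalize_label(label):
    """Assumed rule: lowercase the node label and replace spaces with underscores."""
    return label.strip().lower().replace(" ", "_")


def run_transform(body, predecessors):
    """Evaluate one transform body against {node label: action output}."""
    scope = {"__builtins__": {}}
    for label, output in predecessors.items():
        # Each immediate predecessor is exposed as <normalized_label>.result
        scope[normalize_label(label)] = SimpleNamespace(result=output)
    # Stand-in for asteval in this demo only; exec is not a sandbox and must
    # not be used on transform bodies that come from untrusted users.
    exec(body, scope)
    if "result" not in scope:
        raise ValueError("transform did not assign `result`")
    return scope["result"]


def build_action_parameters(scan_output):
    """Run every transform on the scan output, keyed by downstream parameter."""
    preds = {"Nmap Scan": scan_output}
    return {name: run_transform(body, preds) for name, body in TRANSFORMS.items()}


if __name__ == "__main__":
    for name, value in build_action_parameters(SCAN_RESULT).items():
        print(name, "=", value)
```
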
Thanks, this makes sense. I'd appreciate it if this were added to the documentation.