Using PyFlash

PyFlash is a powerful scripting language that allows automation of common tasks in PyFlag. Many of the commands have tab completion, just like in the shell.

Getting Started

Run the PyFlag shell by invoking 'pyflash'.

You can get help at any time by typing 'help'. For more information on a specific command, type

help <command>

You will generally want to start by opening a case. Simply type

load <case name>

You can now ls and cd around like you would a regular file system. If you don't already have a case, you can use the

create_case <case name>

command to make one.

A common task is loading a PCAP file. First we need to set the case with set, which works like setting an environment variable in a shell: the values we set are passed along when we execute commands. Just loading a case as we did above is not enough. So below we first set the case and then load a PCAP:

set case=foobar
execute Load\ Data.Load\ IO\ Data\ Source iosource=ournewiosource subsys=Advanced filename=ourpcap.pcap offset=0

We now have an iosource called "ournewiosource" that represents the PCAP file.

Set this as the default iosource:

set iosource=ournewiosource

Set the VFS mount point. This is where the PCAP will appear in PyFlag, e.g. /pcapOne:

set mount_point=/pcapOne

Tell it to use the PCAP filesystem:

execute Load\ Data.Load\ Filesystem\ image fstype=PCAP\ Filesystem

Now we are done!

Scripting

Using flash interactively is handy, but often the best use of flash is in a script in order to automate a task that would normally take a lot of interaction over a long period. You can do this very simply:

./pyflash < commands.txt

where commands.txt just contains a list of all the commands you want to run.
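As an added example (not part of the PyFlag project's own scripts), the shell functions below generate such a commands.txt for several PCAP files in one case, using only the commands shown in Getting Started. The iosource naming scheme, one mount point per PCAP, the file names in the usage comment, and the assumption that a case accepts several mounted sources are all assumptions made for this example; spaces in values are backslash-escaped the same way the page writes "PCAP\ Filesystem".

```shell
#!/bin/sh
# Added example: build a PyFlash command file that loads several PCAPs
# into one case. Function names here are hypothetical helpers.

# Backslash-escape backslashes and spaces, matching the page's own
# "Load\ Data" and "PCAP\ Filesystem" style.
flash_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/ /\\ /g'
}

# Derive an iosource name from a file name: basename without ".pcap",
# with anything outside [A-Za-z0-9_] replaced by "_" (assumed scheme).
iosource_name() {
    base=$(basename "$1")
    printf '%s' "${base%.pcap}" | sed 's/[^A-Za-z0-9_]/_/g'
}

# gen_pyflash_commands <case> <pcap>...
# Prints the command list on stdout; returns 1 if arguments are missing.
gen_pyflash_commands() {
    case_name=$1
    [ -n "$case_name" ] && [ "$#" -gt 1 ] || return 1
    shift
    printf 'set case=%s\n' "$(flash_escape "$case_name")"
    for pcap in "$@"; do
        src=$(iosource_name "$pcap")
        # Register the capture file as an IO source.
        printf 'execute Load\\ Data.Load\\ IO\\ Data\\ Source iosource=%s subsys=Advanced filename=%s offset=0\n' \
            "$src" "$(flash_escape "$pcap")"
        # Make it the default source and give it its own mount point.
        printf 'set iosource=%s\n' "$src"
        printf 'set mount_point=/%s\n' "$src"
        printf 'execute Load\\ Data.Load\\ Filesystem\\ image fstype=PCAP\\ Filesystem\n'
    done
}

# Usage (constructed file names):
#   gen_pyflash_commands foobar "day 1.pcap" day2.pcap > commands.txt
#   ./pyflash < commands.txt
```

Review the generated commands.txt before feeding it to pyflash, since each PCAP gets its own iosource and mount point derived from its file name.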

Running Scanners

Here we will talk about running scanners

A Real World Example

See examples in http://www.pyflag.net/pyflag/examples/