Name | Version | License | Author | URL |
---|---|---|---|---|
Pillow | 10.0.1 | Historical Permission Notice and Disclaimer (HPND) | Jeffrey A. Clark (Alex) | https://python-pillow.org |
SQLAlchemy | 2.0.22 | MIT License | Mike Bayer | https://www.sqlalchemy.org |
aardwolf | 0.2.8 | UNKNOWN | Tamas Jos | https://github.com/skelsec/aardwolf |
aesedb | 0.1.4 | UNKNOWN | Tamas Jos | https://github.com/skelsec/aesedb |
aiohttp | 3.8.6 | Apache Software License | UNKNOWN | https://github.com/aio-libs/aiohttp |
aiosignal | 1.3.1 | Apache Software License | UNKNOWN | https://github.com/aio-libs/aiosignal |
aiosmb | 0.4.8 | MIT License | Tamas Jos | https://github.com/skelsec/aiosmb |
aiosqlite | 0.19.0 | MIT License | Amethyst Reese amy@n7.gg | UNKNOWN |
aiowinreg | 0.0.10 | MIT License | Tamas Jos | https://github.com/skelsec/aiowinreg |
amurex | 0.0.1 | UNKNOWN | Tamas Jos | https://github.com/skelsec/amurex |
arc4 | 0.4.0 | MIT License | Ryosuke Ito | https://github.com/manicmaniac/arc4 |
asn1crypto | 1.5.1 | MIT License | wbond | https://github.com/wbond/asn1crypto |
asn1tools | 0.166.0 | MIT License | Erik Moqvist | https://github.com/eerimoq/asn1tools |
asyauth | 0.0.16 | MIT License | Tamas Jos | https://github.com/skelsec/asyauth |
async-timeout | 4.0.3 | Apache Software License | Andrew Svetlov andrew.svetlov@gmail.com | https://github.com/aio-libs/async-timeout |
asysocks | 0.2.9 | MIT License | Tamas Jos | https://github.com/skelsec/asysocks |
attrs | 23.1.0 | MIT License | Hynek Schlawack hs@ox.cx | https://www.attrs.org/en/stable/changelog.html |
bitstruct | 8.17.0 | MIT License | Erik Moqvist, Ilya Petukhov | https://github.com/eerimoq/bitstruct |
cffi | 1.16.0 | MIT License | Armin Rigo, Maciej Fijalkowski | http://cffi.readthedocs.org |
charset-normalizer | 3.3.0 | MIT License | Ahmed TAHRI | https://github.com/Ousret/charset_normalizer |
colorama | 0.4.6 | BSD License | Jonathan Hartley tartley@tartley.com | https://github.com/tartley/colorama |
cryptography | 41.0.4 | Apache Software License; BSD License | The Python Cryptographic Authority and individual contributors cryptography-dev@python.org | https://github.com/pyca/cryptography |
frozenlist | 1.4.0 | Apache Software License | UNKNOWN | https://github.com/aio-libs/frozenlist |
greenlet | 3.0.0 | MIT License | Alexey Borzenkov | https://greenlet.readthedocs.io/ |
h11 | 0.14.0 | MIT License | Nathaniel J. Smith | https://github.com/python-hyper/h11 |
idna | 3.4 | BSD License | Kim Davies kim@cynosure.com.au | https://github.com/kjd/idna |
igraph | 0.11.2 | GNU General Public License (GPL) | Tamas Nepusz | https://igraph.org/python |
jackdaw | 0.4.1 | UNKNOWN | Tamas Jos | https://github.com/skelsec/jackdaw |
mdutils | 1.6.0 | MIT License | Didac Coll | https://github.com/didix21/mdutils |
minidump | 0.0.21 | MIT License | Tamas Jos | https://github.com/skelsec/minidump |
minikerberos | 0.4.2 | MIT License | Tamas Jos | https://github.com/skelsec/minikerberos |
msldap | 0.5.7 | MIT License | Tamas Jos | https://github.com/skelsec/msldap |
multidict | 6.0.4 | Apache Software License | Andrew Svetlov | https://github.com/aio-libs/multidict |
networkx | 3.1 | BSD License | Aric Hagberg | https://networkx.org/ |
numpy | 1.26.0 | BSD License | Travis E. Oliphant et al. | https://numpy.org |
octopwn | 0.0.4 | UNKNOWN | Tamas Jos | https://github.com/skelsec/octopwn |
opencv-python | 4.8.1.78 | Apache Software License | UNKNOWN | https://github.com/opencv/opencv-python |
oscrypto | 1.3.0 | MIT License | wbond | https://github.com/wbond/oscrypto |
prompt-toolkit | 3.0.39 | BSD License | Jonathan Slenders | https://github.com/prompt-toolkit/python-prompt-toolkit |
protobuf | 4.24.4 | 3-Clause BSD License | protobuf@googlegroups.com | https://developers.google.com/protocol-buffers/ |
pycparser | 2.21 | BSD License | Eli Bendersky | https://github.com/eliben/pycparser |
pycryptodomex | 3.19.0 | Apache Software License; BSD License; Public Domain | Helder Eijs | https://www.pycryptodome.org |
pyndiff | 1.0.2 | License is Apache License Version 2.0 | Brennon Thomas | https://github.com/rackerlabs/pyndiff |
pyparsing | 3.1.1 | MIT License | Paul McGuire ptmcg.gm+pyparsing@gmail.com | https://github.com/pyparsing/pyparsing/ |
pyperclip | 1.8.2 | BSD License | Al Sweigart | https://github.com/asweigart/pyperclip |
pypykatz | 0.6.9 | MIT License | Tamas Jos | https://github.com/skelsec/pypykatz |
pysnaffler | 0.0.1 | MIT License | Tamas Jos | https://github.com/skelsec/pysnaffler |
python-igraph | 0.11.2 | GNU General Public License (GPL) | Tamas Nepusz | https://igraph.org/python |
six | 1.16.0 | MIT License | Benjamin Peterson | https://github.com/benjaminp/six |
tabulate | 0.9.0 | MIT License | Sergey Astanin s.astanin@gmail.com | https://github.com/astanin/python-tabulate |
texttable | 1.7.0 | MIT License | Gerome Fournier | https://github.com/foutaise/texttable/ |
toml | 0.10.2 | MIT License | William Pearson | https://github.com/uiri/toml |
tqdm | 4.66.1 | MIT License; Mozilla Public License 2.0 (MPL 2.0) | UNKNOWN | https://tqdm.github.io |
typing_extensions | 4.8.0 | Python Software Foundation License | "Guido van Rossum, Jukka Lehtosalo, Łukasz Langa, Michael Lee" levkivskyi@gmail.com | https://github.com/python/typing_extensions |
unicrypto | 0.0.10 | UNKNOWN | Tamas Jos | https://github.com/skelsec/unicrypto |
unidns | 0.0.1 | MIT License | Tamas Jos | https://github.com/skelsec/unidns |
websockets | 11.0.3 | BSD License | Aymeric Augustin aymeric.augustin@m4x.org | https://github.com/aaugustin/websockets |
winacl | 0.1.7 | MIT License | Tamas Jos | https://github.com/skelsec/winacl |
wsnet | 0.0.13 | MIT License | Tamas Jos | https://github.com/skelsec/wsnet |
xmljson | 0.2.1 | MIT License | S Anand | https://github.com/sanand0/xmljson |
yarl | 1.9.2 | Apache Software License | Andrew Svetlov | https://github.com/aio-libs/yarl/ |
Welcome to OctoPwn's security documentation! We prioritize safeguarding your interactions and data and are dedicated to maintaining a transparent and robust security posture.
At OctoPwn, we employ HTTPS to secure data in transit, relying on SSL policies meticulously managed by Google Cloud Platform (GCP). Our data is stored in a public Google bucket, granting read access to everyone given that our framework is open.
When it comes to unofficial hosting, please be aware that security assurance lies solely with the users. We cannot extend our security guarantees to platforms beyond our management.
Our plugin system features a credential protection mechanism, an additional protective layer over the SSL/TLS, designed to enhance backend security. This layer ensures stability and protection for our backend systems, and for the sake of maintaining its efficacy, further details are proprietary.
In offline variants, users are tasked with managing private keys/certificates issued by our backend system. Unfortunately, we cannot assure security in these scenarios.
At OctoPwn, data rendering employs a dual-layered approach to prevent Cross-Site Scripting (XSS):
- Terminal Data: Using xterm.js, all input data is rendered in an HTML5 canvas to mitigate XSS vulnerabilities.
- Datatables: Data rendered in datatables is purified cell-by-cell using the DOMPurify package to ensure a sanitized output.
Our licensing system facilitates user authentication and access control, exclusive to plugins. Here, three distinct user authentication endpoints are employed:
- Registration: Managed by Fusionauth.
- Certificate-based authentication: Users automatically receive an RSA 2048-bit certificate and private key, with the certificate signed by OctoPwn and verified via our `/verify` endpoint.
- Username and password authentication: The licensing system releases the user's certificates and private keys encrypted by a transient AES256 key after user authentication.
The details regarding cryptographic practices and data flow in these authentication modes are elaborately designed to maintain secure user interactions.
Our team is in the process of developing a structured incident response plan, which will be aimed at efficiently managing and mitigating any security incidents, ensuring transparent communication with affected parties, and implementing corrective actions.
OctoPwn manages only the session file, stored securely in the browser's local storage. Future versions are projected to introduce encryption for these files to enhance security further. Users are advised to securely manage and delete session data when operating on third-party machines.
Updates and patches are delivered via our CDN, which users will automatically download upon refreshing the OctoPwn page, maintaining the same security guarantees as all other backend-served files.
Our backend systems are overseen by logging and monitoring mechanisms provided by Google Cloud, ensuring performance and security metrics are consistently scrutinized.
We strive to deliver as much information as possible regarding the security of our systems. While our commitment is towards maintaining transparency and safeguarding user interactions and data, please note that certain backend system details remain undisclosed to protect our intellectual property.
Our security posture is under perpetual refinement. We continuously monitor, review, and enhance our security policies and practices to ensure alignment with emerging threats and technological advancements.
We are exploring external security audits and certifications and are in the phase of aligning our practices with recognized cybersecurity frameworks to further affirm our commitment to robust cybersecurity practices.
Our practices are tailored to protect your data and uphold privacy, aligning with applicable data protection regulations. Details on our adherence to these regulatory environments will be shared in our upcoming data protection documentation.
Thank you for engaging with our security documentation. Your trust and security are paramount to us at OctoPwn, and we remain dedicated to safeguarding your digital interactions and data. For further inquiries, please contact us.
Plugins are categorized as clients, scanners, servers and utils.
Clients act as fully functional protocol clients that allow both normal and security-related operations; some also interface with the File Browser Window to provide a better interface for file/object operations.
Scanners
- SMB Scanner: Performs SMB login and tries to guess whether the account is an administrator on the targets.
- SMB Network Interfaces enumerator: Enumerates all network interfaces and their assigned IP addresses over SMB.
- RDP screenshot enumeration: Performs RDP login and tries to take a screenshot on target hosts.
- SMB protocol scanner: TODO
- SMB Network Interfaces enumerator: This is a very basic port scanner, and should only be used when better options (nmap/masscan/unicornscan etc.) are not available.
- Kerberos user enumeration: TODO
This section only lists the plugin-related scan parameters. For the common parameters please check the
- LDAP enumeration
- SMB enumeration
- Kerberos attacks
This scanner plugin is akin to Bloodhound's ingestor, but doesn't produce the same output.
Jackdaw performs LDAP enumeration including fetching User/Machine/OU/Group/... objects from the LDAP server including basic attributes and their Security Descriptor. On SMB it performs session enumeration and share enumeration.
All results are stored in a SQLite database.
OctoPwn comes with various scanner plugins; these can be operated with the same unified interface both via the UI and via the command line.
The actual parameters depend on the plugin type, but the most common parameters are `credential`, `targets` and `proxy`. Some scanner plugins do not need a credential, in which case you will not see that parameter listed during setup.
The `credential` parameter takes an integer corresponding to the `credentialId` parameter from the credentials displayed in the Credentials Window.
Any credential you wish to use for scanning MUST first be stored in the Credentials Window.
The `targets` parameter controls which hosts the scan job will be executed against. This parameter is quite special as it can take different kinds of input values.
Using stored targets
If you wish to specify a target which is stored in the Targets Window, you can do so by entering the `targetId` of the corresponding target. If successful, the `targetId` will be resolved to the corresponding target's IP or hostname. There is one shortcut, the control word `all`, which adds all targets stored in the Targets Window to the list of targets in the scanner options table.
Using IP addresses
If you wish to scan one IP address or a range of IP addresses, you can enter it directly into the target field; there is no need to create separate targets in the Targets Window. For IP ranges, this parameter accepts CIDR notation.
Using target list files
If you wish to scan a list of targets from a text file, you can simply enter the target file's name, but be careful: the file must be located in the work directory of OctoPwn, which is by default the `/volatile` mount point.
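The four input forms of the `targets` parameter described above, resolved by an added example parser (not OctoPwn's own code): `TARGETS_WINDOW`, the helper names and the host-count limit are assumptions made for this example; the work directory and the file-name rule follow the text.

```python
"""Resolve a scanner ``targets`` value as the page describes it.

Added example, not OctoPwn's own code.  A value may be an integer targetId,
the control word ``all``, a single IP address, a CIDR range, or the name of a
text file in the work directory (``/volatile`` by default).  The Targets
Window is modelled as a constructed dict; ``TARGETS_WINDOW``, ``MAX_HOSTS``
and the helper names are assumptions made for this example.
"""
import ipaddress
import os
from typing import Dict, Iterable, List

# Constructed stand-in for the Targets Window: targetId -> IP or hostname.
TARGETS_WINDOW: Dict[int, str] = {
    0: "10.0.0.5",
    1: "dc01.corp.example",
    2: "10.0.0.17",
}

MAX_HOSTS = 65536  # refuse to expand anything larger than a /16 by mistake


def expand_ip_or_cidr(value: str) -> List[str]:
    """Return host addresses for one IP or a CIDR range; [] if value is not an IP."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return []
    if net.num_addresses > MAX_HOSTS:
        raise ValueError(f"{value}: {net.num_addresses} addresses exceeds the {MAX_HOSTS} limit")
    if net.num_addresses == 1:  # a plain address, not a range
        return [str(net.network_address)]
    return [str(h) for h in net.hosts()]  # network and broadcast addresses are skipped


def resolve_target_lines(lines: Iterable[str]) -> List[str]:
    """Resolve the lines of a target list file: IPs/CIDRs are expanded, other entries kept as hostnames."""
    hosts: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hosts.extend(expand_ip_or_cidr(line) or [line])
    return hosts


def resolve_targets(value: str, window: Dict[int, str] = TARGETS_WINDOW,
                    workdir: str = "/volatile") -> List[str]:
    """Turn the raw ``targets`` parameter into the list of hosts the scan job would run against."""
    value = value.strip()
    if value.lower() == "all":  # shortcut: every stored target
        return [window[tid] for tid in sorted(window)]
    if value.isdigit():  # a targetId from the Targets Window
        tid = int(value)
        if tid not in window:
            raise KeyError(f"targetId {tid} is not stored in the Targets Window")
        return [window[tid]]
    hosts = expand_ip_or_cidr(value)
    if hosts:
        return hosts
    # Only the file name is honoured, so the lookup can never leave the work directory.
    path = os.path.join(workdir, os.path.basename(value))
    if os.path.isfile(path):
        with open(path, encoding="utf-8") as fh:
            return resolve_target_lines(fh)
    raise ValueError(f"{value!r} is not a targetId, 'all', an IP/CIDR, or a file in {workdir}")


if __name__ == "__main__":
    for spec in ("all", "1", "192.168.1.0/30"):
        print(spec, "->", resolve_targets(spec))
```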
The `proxy` parameter takes an integer corresponding to the `proxyId` parameter from the proxies displayed in the Proxy Window.
Any proxy you wish to use for scanning MUST first be stored in the Proxy Window.
IMPORTANT: If you are using the WebAssembly-based OctoPwn version (e.g. from the browser) there must always be either one proxy with the id of `0` set, OR a proxy chain created from the Proxy Window, but all of the chains must start with the proxyId of `0`!
After loading any scanner plugin you will see a Parameter Table that lets you control all aspects of the scan job. You can modify the parameters by left-clicking on the value field and editing the current value, then either hit the enter button or click on the small `save` button below the parameter value editor. Once all parameters are set up you will see a `SCAN` button which will start the scan job. Hitting the `STOP` button will terminate the scan job.
In case you are a fan of terminals, OctoPwn has you covered! All aspects of the scan job can be controlled from the terminal, in a fashion which closely resembles a certain well-known tool starting with `meta`.
To list the scan parameters, you can use the `options` command. All available parameters will be printed out in a neat table. To set a given scan parameter, you can use the `set` command. To start the scan job you can use the `scan` command.
- SMB Share enumerator: Enumerates shares, folders and files on the remote targets.
- SMB OS enumerator: TODO
- SMB Share enumerator and secrets extractor: TODO
- SMB Registry dumping: TODO
- SMB Printnightmare scanner: TODO
- RDP login enumeration: Tries to log in to the RDP service and reports whether it failed or succeeded.
- RDP capabilities flag enumeration: TODO
- SMB Network Interfaces enumerator: Enumerates all network interfaces and their assigned IP addresses over SMB.
TBD
This plugin performs DPAPI related functions.
In order to decrypt a file/blob/data of any kind you must obtain a masterkey.
A masterkey can be obtained either from the LSASS process, or by decrypting a masterkey file. LSASS is straightforward: successfully dumping it will give you all the plaintext masterkeys with the appropriate GUID.
But if you can't use LSASS, you have to obtain the masterkey file and decrypt it with an appropriate key. (too many keys, I know...)
Masterkey files can be located in `%APPDATA%\Microsoft\Protect\%SID%` for each user or `%SYSTEMDIR%\Microsoft\Protect` for the SYSTEM user. But how to decrypt them?
A masterkey file can contain multiple different keys; a masterkey is one of them. The masterkey is stored encrypted in the masterkey file, and is encrypted with a key that can be either a key stored in the registry (LSA secrets) or not. In case the LSA DPAPI keys are not valid, you will need to use the NT hash of the user's password or the user's plaintext password itself. BUT! Deriving the key from the password and the SID will yield 3 different keys, and so far no one could tell which key is the correct one to be used.
Solution for decrypting a masterkey in the masterkey file: harvest as many key candidates as possible and try to decrypt the masterkey with each. Much to our luck, verifying the signature data after decryption can tell us if the decryption was successful, so we can tell if the masterkey decrypted correctly or not.
But you may ask: I see a lot of different masterkey files, how can I tell which one is used for my <credential file/vault files/blob>? The answer: a masterkey file stores the GUID of the keys it stores (e.g. the masterkey), and so does your <secret> data structure for the appropriate key. Therefore it's easy to tell which file to decrypt for a given <secret>.
BUT WAIT! THERE IS MORE!
DPAPI is also used to decrypt stored secrets in Windows Vault and Credential files.
Credential files:
1. A standalone file; inside it there is a DPAPI_BLOB.
2. The DPAPI_BLOB can be decrypted with the corresponding masterkey.
3. After decryption you'll find a CREDENTIAL_BLOB structure.
4. The CREDENTIAL_BLOB structure has the plaintext secrets, but it's not possible to tell in which field they are stored. You'll need to check them by hand :)
Vault files (VCRD and VPOL):
The VCRD file holds the secrets encrypted. The decryption key is stored in the VPOL file, but also encrypted. The VPOL file's decryption key is a masterkey. The masterkey is stored in a masterkey file...
1. Need to find the masterkey to decrypt the VPOL file.
2. The VPOL file will give two keys after successful decryption.
3. There is no way to tell (atm) which key will be the correct one to decrypt the VCRD file.
4. The VCRD file has a lot of stored secrets, called attributes. Each attribute is encrypted with one of the keys from the VPOL file.
5. For each attribute: for each key: decrypt the attribute.
6. Check manually if one of them succeeded, because there are no integrity checks, so there is no way to tell programmatically which key worked.
Path to decrypt stuff:
Sub-sections are options of how to get the keys
1. pre_masterkey:
   a, from user password and SID
   b, from user NT hash and SID
   c, from live registry SYSTEM cached DPAPI key or SAM cache NT hash and SID
   d, from offline registry hives
2. masterkey:
   a, from masterkeyfile + pre_masterkey
   b, from live LSASS dump
   c, from offline LSASS dump
3. credential file:
   a, masterkey + credential_file
4. VPOL file:
   a, masterkey + VPOL file
5. VCRED file:
   a, VPOL file + VCRED file
6. DPAPI_BLOB:
   a, masterkey
All `pre-key` and `masterkey` data will be automatically cached in the session to help you in the secrets extraction phase.
To perform any meaningful decryption, first you will need to generate `pre-keys`, except if you have already decrypted masterkey secrets in the form of an LSASS dump, or you are a wizard Harry and from some unknown source you managed to get the keys (pls let me know how).
You can get `pre-keys` by using either the user SID and password or the NT hash. Chances are that you have some `pre-key` material already stored in the Credentials Window; in this case just smash the `loadcreds` button. In case you have some creds that are not stored, use the commands in the `PREKEY` command group.
Now that you have `pre-keys` you can grab a `Masterkey file` and try to decrypt the `masterkey` using the `masterkeys` or `masterkey` command. The former will automatically search all masterkey files and try to decrypt them with all the `pre-keys` cached from before. In case you have successfully decrypted a masterkey, the key will be cached.
If you have masterkeys cached, then you can try to decrypt some actual secrets with the other command groups. Those commands do not need any masterkey specification because the blobs they are decrypting already contain the masterkey's ID, which will be looked up in the hidden cache.
As usual, all functionalities will be discussed in command groups which logically group commands of similar nature.
LOADCREDS
- `loadcreds`: Loads all usable credentials from the Credentials Window.
- `minidump`: Parses an LSASS minidump file to extract masterkeys.
- `masterkeys`: Searches the given path for masterkey files (filenames in GUID format) and tries to decrypt them all with previously loaded `pre-keys`.
PREKEY
- `clearprekeys`: Clears the `pre-key` cache.
- `prekey_nt`: Generates pre-keys from the user's SID and NT hash.
- `prekey_password`: Generates pre-keys from the user's SID and plaintext password.
- `prekey_registry`: Fetches pre-keys from registry hives.
MASTERKEY
- `clearmasterkeys`: Clears the `masterkey` cache.
- `masterkey`: Tries to decrypt a masterkey file using all cached `pre-keys`.
BLOB
- `blob`: Decrypts a DPAPI blob (in hex please) using the existing masterkey cache.
- `describe`: Shows metadata of the DPAPI blob data without performing decryption.
BROWSER
- `chrome`: Decrypts credentials stored by Google Chrome using the existing masterkey cache.
WIFI
- `wifi`: Decrypts Windows stored WiFi passwords using the existing masterkey cache.
VPOL/VCRED/CREDENTIAL
- `vpol`: Decrypts .vpol files using the existing masterkey cache.
- `vcred`: Decrypts .vcred files using the existing masterkey cache.
- `credential`: Decrypts .cred files using the existing masterkey cache.
CLOUDAP
- `cloudapkd`: Decrypts the CloudAP PRT secret using the existing masterkey cache.
SECURESTRING
- `securestring`: Decrypts a PowerShell SecureString blob using the existing masterkey cache.
This plugin parses Masscan XML files and is capable of adding the hosts to the Targets Window.
As usual, all functionalities will be discussed in command groups which logically group commands of similar nature.
GENERIC
- `load`: Loads a Masscan XML file.
- `addtargets`: Populates the Targets Window with all hosts from the Masscan file which have at least one open port.
Jackdaw domain graphing and password cracking exercise tool
The SQLite database file contains all information which is needed to create one or multiple relationship graphs of domain objects. To achieve this, the first step is to use the `dbload` or `bhimport` commands. This graph cache file will then be interpreted by a graph library which can be `networkx` or `igraph`. By default we ship OctoPwn with `networkx` for licensing reasons, but `igraph` is much more performant. After the graph has been created in memory it is ready to be used by the
The JackDaw tool has two components: scanner and util. This documentation discusses the util part.
The JackDaw tool supports the following activities:
- Domain graphing - similar to BloodHound
- Performing password cracking exercises
Jackdaw relies on a SQLite database file which is produced by the scanner part of the tool.
DATABASE
- `dbload`: Loads the SQLite database file and generates a temporary graph cache file.
- `bhimport`: Converts a Bloodhound ingestor file (.zip) into a Jackdaw database.
- `adids`: Lists available Active Directory IDs from the database.
- `graphids`: Lists available graph IDs from the database.
- `currentad`: Shows the currently active AD ID.
GRAPH
- `graphload`
- `graphsetowned`
- `graphclearowned`
- `grapthsethvt`
- `graphclearhvt`
PATH
- `pathdcsync`
- `pathkerberoastda`
- `pathasrepda`
- `pathhvtda`
- `pathownedda`
- `pathfromowned`
- `pathgettaggednodes`
- `pathownedhvt`
- `pathkerberoastany`
- `pathtoda`
- `path`
AD
- `currentad`
- `changead`
- `trusts`
- `kerberoast`
- `shares`
- `dns`
dcsyncaiosmb dcsyncimpacket potfile pwuncracked pwcracked pwsharing pwstats pwreport
This category contains helpful tools which are not scanners or network clients.
Most utils are either file parsers which extract secrets from certain file formats, or helpers that let you quickly generate some exotic hashes etc.
This plugin is a markdown editor.
GENERIC
- `load`: Loads a markdown file's contents to the cache and displays it in the editor.
- `getcontent`: Used by the editor, do not touch.
- `updatetext`: Used by the editor, do not touch.
This plugin implements the file parsing and secrets extraction part of pypykatz.
As usual, all functionalities will be discussed in command groups which logically group commands of similar nature.
LSASS
- `lsass`: Parses an LSASS minidump file to extract secrets.
- `registry`: Parses registry hive files and extracts the secrets. At least the SYSTEM hive file must be provided.
NTDS
- `ntds`: Parses an NTDS.dit file extracted from a domain controller. You must also supply the SYSTEM registry hive, as it contains the decryption keys for the secrets to be extracted. The outfile specifies the location of the results file which will hold the extracted secrets. The NTDS.dit file and the SYSTEM hive must first be 'uploaded' to the `/volatile` mount point of the browser.
DECRYPTORS
- `gppassword`: Decrypts encrypted passwords found in Group Policy Preferences xml/ini files.
- `ofscan`: Decrypts passwords found in TrendMicro's OfficeScan ofcscan.ini files.
HASHING
- `lm`: Generates the LM hash of a given plaintext password.
- `nt`: Generates the NT hash of a given plaintext password.
- `msdcc`: Generates the old Domain Cached Credentials hash of a given password.
- `msdcc2`: Generates the new (current) Domain Cached Credentials hash of a given username and password.
- `kerberos`: Generates the Kerberos keys for a given password. Be careful: the AES key is generated using the username and domain as a salt, and this salt might not always be static.
- `hashes`: Generates all the hashes mentioned above in one go.
This plugin implements a basic SQLite browser.
As usual, all functionalities will be discussed in command groups which logically group commands of similar nature.
SQL
- `load`: Loads a SQLite file.
- `tables`: Lists all tables.
- `columns`: Lists all columns for a given table.
- `query`: Executes an SQL query on the database.
- `readtable`: TODO
This plugin parses NMAP XML files and supports some basic processing on the results, as well as being capable of adding the hosts to the Targets Window.
As usual, all functionalities will be discussed in command groups which logically group commands of similar nature.
GENERIC
- `load`: Loads an NMAP XML file.
- `hosts`: Lists all host entries from the Nmap XML file.
- `ips`: Lists all IP addresses from the Nmap XML file.
- `ports`: Lists all ip:port tuples from the Nmap XML file.
- `services`: Generates a table of all services with IP:port tuples.
- `addtargets`: Adds all hosts from the NMAP file with at least one open port to the Targets Window.
Chat
TBD
Simple DNS query plugin. Only TCP is supported currently!
https://github.com/skelsec/unidns
You can create a DNS session and use it as a default resolver for all future targets added to the Targets Window.
Sends a single DNS query to the server and prints the result to the console.
This section describes the features and functionalities of the RDP client plugin.
If you enable recording please remember that the resulting file will be stored in your browser's memory.
Copy-paste of text data works, but depending on the browser and hosting location of the framework you might be prompted to allow clipboard access to OctoPwn's webpage.
- RDP operations
CONNECTION
- `login`: You can set the resolution up front, as screen resizing is not implemented yet. The `record` option allows you to record the entire RDP session to an mp4 file.
- `logout`
CLIPBOARD OPERATIONS
- `paste`: Sets the remote clipboard to a given text.
- `pastefile`: Sets the remote clipboard to a local text file's content.
RUBBERDUCKY
- `duckyexec`: Performs a single rubberducky command on the remote host's virtual keyboard.
- `duckyfile`: Performs a sequence of rubberducky commands on the remote host's virtual keyboard.
SCREEN
- `screenshot`: Takes a screenshot.
This section describes the features and functionalities of the LDAP client plugin.
- LDAP browser
- LDAP operations
LDAP browser: After successfully logging in to the target server, the SMB file browser will automatically list the host in the File Browser Window. The file browser supports basic file operations as you'd expect from a file browser, like downloading and uploading files, removing and creating directories.
As usual, all functionalities will be discussed in command groups which logically group commands of similar nature.
CONNECTION
- `login`
- `logout`
INFO
- `ldapinfo`: This command prints out the LDAP root query results.
- `adinfo`: This command prints out basic information about the current AD forest.
- `whoami`: Performs a whoami LDAP query and prints out the domain, username and group membership information of the current user.
ROAST
- `spns`: Lists all user objects which have `servicePrincipalName` set.
- `asrep`: Lists all user objects which have the UAC_PASSW_NOTREQ flag set.
ENUMERATION
- `computeraddr`: Lists all machine accounts' DNS names.
- `targetenum`: Fetches all machine account hostnames and adds them to the Targets Window. In case a `default resolver` is set up with an active `DNS session`, all domain names will be resolved as well before storing them in the Targets Window.
- `userenum`
- `dump`: Fetches detailed user and machine account information and stores it in two separate .tsv files.
- `tree`: Prints out a tree from the given DN, with a given depth.
QUERY
- `query`: Performs a raw LDAP query and prints out the results on the console.
USER
- `user`: Fetches detailed information of a user object based on its SAMAccountName.
- `adduser`: Adds a new user to the domain with a given DN and password. This will only work if you have the correct permissions assigned to the user account you created the session with; also, you must use `LDAPS` or an encrypted LDAP connection.
- `deluser`: Deletes a user account given its DN. This will only work if you have the correct permissions assigned to the user account you created the session with.
- `changeuserpw`: Changes a user's password. This will only work if you have the correct permissions assigned to the user account you created the session with; also, you must use `LDAPS` or an encrypted LDAP connection.
- `unlockuser`: Unlocks a user account. This will only work if you have the correct permissions assigned to the user account you created the session with; also, you must use `LDAPS` or an encrypted LDAP connection.
- `enableuser`: Enables a user account. This will only work if you have the correct permissions assigned to the user account you created the session with; also, you must use `LDAPS` or an encrypted LDAP connection.
- `disableuser`: Disables a user account. This will only work if you have the correct permissions assigned to the user account you created the session with; also, you must use `LDAPS` or an encrypted LDAP connection.
- `addspn`: Assigns an SPN to a given DN. This will only work if you have the correct permissions assigned to the user account you created the session with; also, you must use `LDAPS` or an encrypted LDAP connection.
- `delspn`: Removes an SPN record from a given DN. This will only work if you have the correct permissions assigned to the user account you created the session with; also, you must use `LDAPS` or an encrypted LDAP connection.
- `addusertogroup`: Assigns a user to a specific group. This will only work if you have the correct permissions assigned to the user account you created the session with; also, you must use `LDAPS` or an encrypted LDAP connection.
- `deluserfromgroup`: Removes a user from a group. This will only work if you have the correct permissions assigned to the user account you created the session with; also, you must use `LDAPS` or an encrypted LDAP connection.
MACHINE
machine
Fetches detailed information of a user object based on its SAMAccountName
addhostname
pre2000
Lists all machine accounts which were created as Pre-Windows 2000 compatible machine accounts
GPO
gpos
Lists all GPOs
LAPS
laps
Prints all machine accounts and plaintext passwords for the local admin user of said accounts. You'd need to have the necessary permission to do this.
newlaps
Prints the encrypted blobs containing the local administrator passwords of all (or some) machine accounts your user has access to. You'd need to decrypt these blobs using an SMB session.
GROUP
groupmembership
groupmembers
dadms
Lists first degree domain admins.
TRUSTS
trusts
Lists AD trusts.
SCHEMA
schemaentry
Used for debugging purposes.
allschemaentry
Used for debugging purposes. Do not use this!
SECURITY DESCRIPTOR
changeowner
Changes the Owner entry in the nTSecurityDescriptor attribute of a given DN
addprivdcsync
Adds DCSync privileges to a user specified by DN on the current forest.
addprivaddmember
Adds AddMember privileges to a user on a group
setsd
Replaces the security descriptor of a given DN.
getsd
Fetches the security descriptor of a given DN
addallowedtoactonbehalfofotheridentity
SID
sidresolv
sid2dn
Fetches the DN for an object identified by its SID
dn2sid
Fetches the SID of an object identified by its DN
dn2sam
Fetches the sAMAccountName of a given object identified by its DN
sam2dn
Fetches the DN of an object by its sAMAccountName
GMSA
gmsa
PKI
certify
Lightweight certipy implementation. When the command field is vuln, it will show potentially vulnerable certificate templates.
rootcas
Lists all root certificate authorities
ntcas
Lists all NT certificate authorities
aiacas
enrollmentservices
Lists all enrollment services
addcerttemplatenameflagaltname
Modifies a certificate template by giving the
addenrollmentright
certtemplates
Lists all certificate templates with attributes when the name parameter is left empty, otherwise it only lists the specific template's attributes.
DELEGATION
unconstrained
Lists all unconstrained delegation objects
constrained
Lists all constrained delegation objects
s4u2proxy
DNS
dnszones
Lists all DNS zones
dnsdump
Fetches all DNS entries when the zone parameter is empty and stores them in a .tsv file. In case the zone parameter is set, it will only fetch DNS entries for that given zone.
This section describes the features and functionalities of the SMB client plugin:
- SMB file browser
- SMB operations
- DCE/RPC operations
SMB File browser
After successfully logging in to the target server, the SMB file browser will automatically list the host in the File Browser Window. The file browser supports basic file operations, as you'd expect from a file browser, like downloading and uploading files and removing and creating directories.
As usual, all functionalities will be discussed in command groups which logically group commands of similar nature.
Connection
Login
Performs an SMB login to the target server
Logout
Terminates the connection after logging out gracefully
Nodce
This is a pre-login command which disables all DCE operations for restricted systems which do not even allow listing of shares. (Because for some reason SMB doesn't support listing of shares without using an extra complex protocol...)
File Operations
The file operation commands are independent of the operations performed in the File Browser Window.
shares
Lists available shares on the target server
use
Mounts the share so further file operations can be performed on it.
cd
Changes current directory on the mounted share
get
Download a file or multiple files from the mounted share's current directory
put
Uploads a file to the mounted share's current directory
del
Removes a file from the mounted share's current directory
mkdir
Creates a new folder under the mounted share's current directory
getdirsd
Fetches the Security Descriptor of a directory in the mounted share's current directory
getfilesd
Fetches the Security Descriptor of a file in the mounted share's current directory
ls
Lists the contents of the mounted share's current directory
dir
See ls
refreshcurdir
As the directory listing of the current directory is cached, this command is used to refresh the listing
USER/GROUP MANAGEMENT
domains
Lists all available domains the server is a member of
domaingroups
Lists all groups of a given domain
groupmembers
Lists all accounts in a given domain for a given group
users
Lists all users of a given domain
localgroups
Lists all local groups on the target (using the Builtin domain)
localgroupmembers
Lists all accounts which are members of the given local group
session
Enumerates all active sessions
enumall
Do not use this.
SERVICE OPERATIONS
services
Lists all services on the target machine
serviceen
Enables a service given its name on the remote machine
servicedeploy
Deploys a binary file from the local system as a service on the remote system
servicecreate
Creates a service and starts it. This only operates on the remote system, no file upload and alike
REGISTRY OPERATIONS
reglistusers
Lists users who have logged in at some point to the remote system via querying the registry.
regsave
Dumps a registry hive on the remote system.
TASK OPERATIONS
tasks
Lists tasks on the remote system
taskregister
Registers a new scheduled task on the remote system
taskdel
Deletes a scheduled task on the remote system
PRINTER OPERATIONS
printerenumdrivers
Enumerates printer drivers on the remote system
CERTIFICATE OPERATIONS
certreq
certreqonbehalf
NTLM COERCION
printerbug
COMMAND EXECUTION
servicecmdexec
taskcmdexec
SECRETS DUMPING
regdump
backupkeys
dcsync
lsassdump
SECRETS HUNTING
cpasswd
VULNERABILITIES
printnightmare
parprintnightmare
This section describes the features and functionalities of the SSH client plugin:
- SFTP file browser
- SSH operations
SFTP File browser
After successfully logging in to the target server, the SFTP file browser will automatically list the host in the File Browser Window. The file browser supports basic file operations, as you'd expect from a file browser, like downloading and uploading files and removing and creating directories.
As usual, all functionalities will be discussed in command groups which logically group commands of similar nature.
CONNECTION
login
logout
SHELL
ptyshell
Spawns an interactive shell.
This section describes the features and functionalities of the WinRM client plugin:
- WinRM operations
CONNECTION
login
logout
CMD
cmdexec
Executes a single shell command and prints out the result.
This section describes the features and functionalities of the Kerberos client plugin:
- Kerberos operations
As usual, all functionalities will be discussed in command groups which logically group commands of similar nature.
BASIC
tgt
Fetches a TGT from the server using the credentials you used when starting the session.
Resulting TGT will be printed to the console and added as a new credential in the Credentials Window.
tgs
Fetches a TGS for a given SPN, using the credentials you used when starting the session.
Resulting TGS will be printed to the console and added as a new credential in the Credentials Window. It is NOT usable for authentication from the Credentials Window however; this is on the TODO list.
s4uproxy TBD
s4uself TBD
ROAST
kerberoast
Performs SPNRoast (kerberoast) attack, prints the results to the console.
TIP: Instead of using username, you can use a Session ID of an established LDAP or LDAPS session; in this case all vulnerable users will be kerberoasted.
asreproast
Performs asreproast attack, prints the results to the console.
TIP: Instead of using username, you can use a Session ID of an established LDAP or LDAPS session; in this case all vulnerable users will be asreproasted.
PKI
nt
Fetches the NT hash of the user. Only works if you created the session using a certificate type credential.
ATTACKS
cve202233679
Performs the CVE-2022-33679 attack against a vulnerable user. If it succeeds you will get a TGT for that user.
DRSUAPI allows you to perform DCSync, without the use of SMB.
This has the benefit of not touching port 445 on the DC, but the tradeoff is that you won't get any automation, e.g. you will need to know the domain and username to use for a DCSync attack.
- DRSUAPI operations
As usual, all functionalities will be discussed in command groups which logically group commands of similar nature.
CONNECTION
login
logout
OPERATIONS
dcsync
Performs DCSync against a given user.
No network connections will be made to other hosts. Nothing extra to configure.
This mode turns the OctoPwn webpage into a UI for a remote server. Currently in closed beta.
Standalone is the default mode of operation. In this mode the wasm code running in the browser relies on a custom websocket-to-TCP proxy for communicating over the network. This is needed as browsers do not allow raw TCP/UDP sockets to be created, which are needed for the common protocols you'd use on a pentest.
The setup can be a bit tricky so please read this part carefully.
You'd need to use an implementation of the WSNET protocol, which is officially available in Python and C#. This manual will show the setup of the Python implementation, as it is the most up-to-date.
You'd need to have Python 3.8 or above installed.
You can install wsnet via the PIP package manager
pip install wsnet
After installing, you'd need to start the server binary wsnet-wsserver.
In case the framework is loaded via HTTP, the following command will start the proxy in HTTP mode:
wsnet-wsserver --plaintext
As browsers do not allow connecting to a plaintext websocket server from a page loaded via HTTPS, the server binary must use a TLS certificate which is trusted by your browser. There are two options. The first is to supply your own certificate and private key with --ssl-cert and --ssl-key respectively. Be sure that the certificate is trusted by your browser.
The second is to start the proxy without any parameters: it will then look for a certificate and private key under the names octopwn_ceritficate.pem and octopwn_ca_key.pem. If these files exist they will be used to set up the server. If not, the code will automatically generate a new CA and a certificate/key combo that will be loaded automatically during startup. The CA certificate will need to be manually loaded into the browser's trusted CA store.
Whether you're here for a quick demo, wish to explore a bit further, or want to dive deep into our advanced functionalities, we're thrilled to have you on board. Below you'll find a step-by-step guide to help you navigate through the initial stages of using OctoPwn.
Types of Users:
- Unregistered Users: Explore basic file parsing operations with our demo without the need to register.
- Registered Users: Unlock additional plugins and features by registering here.
- Paid Users: Access the full suite of tools and plugins for an extensive experience. (Note: This option will be available post-beta testing)
**Important Notice:** Currently, an issue with our registration system results in the first verification email containing an incorrect link. Please open it to trigger a second email with the correct URL.
- Recommended Browser: Google Chrome for the best UI experience. Firefox and Edge are supported with some UI variations.
- Memory: A system with at least 8GB of RAM to accommodate result storage in memory.
- Extensions: No additional browser extensions or plugins are needed.
- A detailed guide on how to navigate through OctoPwn's user interface will be provided in a separate document.
- Comprehensive information on core functionalities and usage will be available in a separate document.
- Automatic Delivery: No manual installation needed, as plugins will be delivered automatically to users.
For users utilizing the live system on live.octopwn.com:
- Ensure that OctoPwn is always loaded via HTTPS.
- Establish a certificate for the WSNET proxy.
If you are operating OctoPwn from your system:
- Do not forget to remove the session file upon completion of use.
And if you’ve downloaded the private key and certificates for your license, ensure:
- Secure storage, akin to how you would manage a license file.
- Never share these credentials.
User management is fully handled by the OctoPwn team and is not user-accessible to ensure security and simplicity.
This document is part of a wider documentation suite. For further inquiries or if more detailed information is needed, kindly refer to our FAQ section.
Stay tuned! We’ll be curating and sharing tips to optimize your usage and best practices for efficient utilization of OctoPwn.
- A dedicated page for troubleshooting common issues and FAQs will be provided separately to assist you in navigating through potential challenges.
We're delighted to welcome you to OctoPwn and are dedicated to offering you a seamless experience. Should you encounter any issues or have further inquiries, our FAQ and additional documentation are here to guide you through your journey.
Happy exploring!
Note: Replace placeholder URLs (Link-to-FAQ) with actual URLs once they're available. This will facilitate easy navigation for users accessing the document.