# OctoPwn WASM Documentation

> OctoPwn is a browser-based offensive-security toolkit covering discovery, authentication, AD enumeration, exploitation, credential cracking and NTLM relay attacks. The docs below cover the client plugins, network scanners, post-auth attacks, utility tools, relay servers, and the visual flowgraph automation framework.

> This `llms.txt` is auto-generated from the mkdocs nav. Run `python scripts/generate_llms_txt.py` from the docs repo to regenerate after any nav / page change.

## Getting started

- [Getting Started](https://docs.octopwn.com/user-guide/gettingstarted.html): OctoPwn consists of three components.
- [Modes of Operation](https://docs.octopwn.com/user-guide/modesofoperation.html): No network connections will be made to other hosts. Nothing extra to configure.
- [Install](https://docs.octopwn.com/setup/install.html): OctoPwn is a versatile suite of tools with multiple startup options.

## Clients

- [Overview](https://docs.octopwn.com/plugins/clients/overview.html): At its heart, the Clients section serves as the command center for communication with different protocols. These clients are not standalone tools but rather modular components that work together seamlessly to execute complex tasks during a…
- [DNS](https://docs.octopwn.com/plugins/clients/dns.html): The DNS Client is a thin wrapper around unidns that gives OctoPwn an interactive console for talking to a specific DNS server. You'll usually create one for two reasons: to perform ad-hoc forward and reverse lookups against an internal DNS…
- [SMB](https://docs.octopwn.com/plugins/clients/smb.html): The SMB Client is OctoPwn's full-fat SMB / DCERPC-over-SMB Swiss-army knife — built on top of aiosmb and exposing virtually every interactive primitive the library implements: file operations, user / group / session enumeration, the full…
- [LDAP](https://docs.octopwn.com/plugins/clients/ldap.html): The LDAP Client is OctoPwn's general-purpose interface for LDAP — primarily Active Directory, but with limited support for non-Microsoft LDAP servers as well. It wraps the msldap library and exposes its full surface as both a GUI session…
- [Kerberos](https://docs.octopwn.com/plugins/clients/kerberos.html): The Kerberos Client is OctoPwn's interactive console for talking directly to a Domain Controller's KDC (port 88) using minikerberos. It bundles the day-to-day ticket-acquisition primitives (tgt, tgs) together with the offensive Kerberos…
- [MSSQL](https://docs.octopwn.com/plugins/clients/mssql.html): The MSSQL Client is OctoPwn's interactive interface for Microsoft SQL Server. It speaks the TDS protocol (the same one sqlcmd and SSMS use) and gives you the standard SQL toolset — running queries, navigating databases and tables — plus a…
- [DCEDRSUAPI](https://docs.octopwn.com/plugins/clients/dcedrsuapi.html): The DCEDRSUAPI Client performs DCSync — extracting an account's secrets (NT hash, LM hash, Kerberos keys, password history, supplemental credentials) from a Domain Controller — by speaking the Directory Replication Service Remote Protocol…
- [FTP](https://docs.octopwn.com/plugins/clients/ftp.html): The FTP Client speaks plain File Transfer Protocol (RFC 959) against FTP servers. It wraps asyncftp and provides the standard set of FTP commands — connection management, navigation, file operations, server-side metadata queries — together…
- [NETCAT](https://docs.octopwn.com/plugins/clients/netcat.html): The Netcat Client is OctoPwn's "raw socket" interface — a way to open a single TCP socket to a target, send arbitrary bytes (text or hex), and watch whatever the other side sends back. Despite the name, it is not a Netcat clone: there are…
- [NFS3](https://docs.octopwn.com/plugins/clients/nfs3.html): The NFS3 Client speaks NFS version 3 against UNIX-style file servers. It wraps anfs and exposes both a CLI for scripted file operations and — as with the SSH client — a graphical filesystem browser, which is the default tab when the…
- [NTP](https://docs.octopwn.com/plugins/clients/ntp.html): The NTP Client is OctoPwn's interactive console for talking to a Network Time Protocol server (default port UDP/123). It's a small client with two purposes — reading the server's authoritative time, and enumerating the peers it's…
- [SNMP](https://docs.octopwn.com/plugins/clients/snmp.html): The SNMP Client is OctoPwn's interactive console for talking to SNMP-enabled devices — routers, switches, printers, server lights-out controllers, anything that exposes a Management Information Base (MIB). It wraps puresnmp and supports…
- [SSH](https://docs.octopwn.com/plugins/clients/ssh.html): The SSH Client is the most feature-rich client in OctoPwn. It wraps amurex for the SSH transport layer and bundles four very different operator surfaces into a single session: an interactive shell with multi-tab terminals, an SFTP file…
- [WinRM](https://docs.octopwn.com/plugins/clients/winrm.html): The WinRM Client speaks Windows Remote Management (WS-Management over HTTP/HTTPS) and gives you remote command execution, PowerShell execution, and PowerShell-driven file transfer against Windows targets — i.e. the protocol behind…
- [WMI](https://docs.octopwn.com/plugins/clients/wmi.html): The WMI Client speaks Windows Management Instrumentation (MS-WMI over DCOM) against Windows hosts. It wraps aiosmb's DCOM/WMI stack and provides the standard WMI surface — running WQL queries, executing commands via Win32_Process.Create,…
- [RDP](https://docs.octopwn.com/plugins/clients/rdp.html): The RDP Client speaks the Remote Desktop Protocol (MS-RDPBCGR and friends) against Windows hosts. It wraps aardwolf for the protocol stack and renders the remote desktop into an HTML5 canvas inside the session window. Default port 3389.

## Credential

- [Overview](https://docs.octopwn.com/user-guide/credentials.html): Credentials can be added via the credentials menu on the left. Depending on which communication and authentication protocol you are using, you need to store the appropriate credentials. A list of each supported credential type and…

## Target

- [Overview](https://docs.octopwn.com/user-guide/target.html): The Target Menu in OctoPwn allows you to define and manage targets for scanning and attacks. Targets can be added, grouped, and configured to suit various use cases. Below are the details of the functionality and configuration options…

## Scanners

- [Overview](https://docs.octopwn.com/plugins/scanners/index.html): Scanners in OctoPwn automate network reconnaissance, vulnerability detection and service enumeration across many targets at once. Unlike clients, which provide direct, interactive access to a single protocol (SMB, LDAP, RDP, …), scanners…

### Discovery & inventory

- [portscan](https://docs.octopwn.com/plugins/scanners/portscan.html): The TCP Port Scanner discovers open TCP ports on each target by performing a full TCP connect against every target/port combination. The scanner takes a list of targets (IPs, CIDR ranges, hostnames, files, target IDs, target groups) and a…
- [nmap](https://docs.octopwn.com/plugins/scanners/nmap.html): The Nmap Scanner wraps the nmap binary so that you can launch full Nmap scans from inside OctoPwn and have the results imported into the project automatically. The scanner builds an Nmap command line from your parameters (targets, ports,…
- [baseline](https://docs.octopwn.com/plugins/scanners/baseline.html): The Baseline Assessment Scanner is the recommended starting point for any internal-network engagement. It runs twelve complementary checks against each target host in a single pass, merges every finding into one stream and stores…

### SMB protocol & fingerprinting

- [smbfinger](https://docs.octopwn.com/plugins/scanners/smbfinger.html): The SMB Fingerprint Scanner enumerates NTLM-handshake information from SMB servers (port 445) without requiring credentials. It is one of the fastest ways to gather Active Directory and OS-level metadata from a Windows estate during…
- [smbsig](https://docs.octopwn.com/plugins/scanners/smbsig.html): The SMB Signature Scanner in OctoPwn checks whether SMB signing is enabled and whether it is enforced on target SMB servers. SMB signing ensures the integrity of SMB messages by adding a cryptographic signature to each message. However, if…
- [smbproto](https://docs.octopwn.com/plugins/scanners/smbproto.html): The SMB Protocol Scanner enumerates all SMB dialect versions supported by each target and reports the signing configuration per dialect (port 445). For every dialect the scanner negotiates a separate connection and records:
- [smbiface](https://docs.octopwn.com/plugins/scanners/smbiface.html): The SMB Interface Scanner in OctoPwn enumerates all network interfaces and their assigned IP addresses of target hosts via SMB. This scanner is particularly useful for identifying servers connected to multiple network segments, which may…

### SMB shares, files & sessions

- [smbshare](https://docs.octopwn.com/plugins/scanners/smbshare.html): The SMB Share Enumeration Scanner in OctoPwn enumerates SMB shares on target systems. Optionally, it can check whether shares are writable, which can be particularly useful for identifying misconfigured shares that might allow unauthorized…
- [smbfile](https://docs.octopwn.com/plugins/scanners/smbfile.html): The SMB File Scanner in OctoPwn performs file enumeration over SMB shares, traversing folders up to a specified depth to collect file and folder information. This scanner helps penetration testers uncover misconfigured SMB shares,…
- [snaffler](https://docs.octopwn.com/plugins/scanners/snaffler.html): The Snaffler Scanner in OctoPwn enumerates SMB shares and scans for files containing sensitive data, such as credentials, configuration files, or private keys. This scanner is based on the popular tool Snaffler and automates the process of…
- [smbsession](https://docs.octopwn.com/plugins/scanners/smbsession.html): The SMB Session Enumeration Scanner in OctoPwn enumerates active SMB user sessions on target servers. Session enumeration provides a snapshot of the currently logged-in users on a system. This information is useful during penetration tests…
- [smbregsession](https://docs.octopwn.com/plugins/scanners/smbregsession.html): The SMB Registry Session Scanner enumerates local user SIDs on each target host by reading the SAM registry hive through the Remote Registry service over SMB (port 445). For each discovered SID it tries to resolve the matching SAM account…

### Web reconnaissance

- [httpheader](https://docs.octopwn.com/plugins/scanners/httpheader.html): The HTTP Header Scanner is a lightweight first-pass tool for web reconnaissance. It sends a single GET request over both HTTP and HTTPS to every target/port combination, captures the full response headers, the HTTP status code and the page…
- [httpfinger](https://docs.octopwn.com/plugins/scanners/httpfinger.html): The HTTP Fingerprint Scanner identifies web applications and technologies running on HTTP/HTTPS services across your target hosts by matching responses against a built-in library of service signatures. It connects to each target on the…
- [webscreenshot](https://docs.octopwn.com/plugins/scanners/webscreenshot.html): The Web Screenshot Scanner captures screenshots of web services using a headless Chrome instance and returns the image data as base64-encoded PNGs. The scanner iterates over each target/port combination (both HTTP and HTTPS), navigates to…
- [nuclei](https://docs.octopwn.com/plugins/scanners/nuclei.html): The Nuclei Scanner wraps the upstream Nuclei vulnerability scanner from ProjectDiscovery. It builds URLs from your target list and port configuration, launches the local nuclei binary as a subprocess, and streams findings back into the…

### SSH reconnaissance

- [sshbanner](https://docs.octopwn.com/plugins/scanners/sshbanner.html): The SSH Banner Scanner retrieves the protocol banner string that every SSH server sends immediately upon TCP connection (typically port 22). The banner usually carries the SSH software name and version, for example SSH-2.0-OpenSSH_8.9p1…
- [sshinfo](https://docs.octopwn.com/plugins/scanners/sshinfo.html): The SSH Algorithm Scanner enumerates the full set of cryptographic algorithms each target SSH server supports — without authenticating. It completes the key-exchange init phase (SSH_MSG_KEXINIT) and extracts every advertised algorithm…
- [sshauth](https://docs.octopwn.com/plugins/scanners/sshauth.html): The SSH Authentication Methods Scanner enumerates which authentication methods each target SSH server is willing to accept. The scanner connects, requests the list of allowed authentication methods, and emits one row per target/method pair.

### Authentication & login

- [krb5user](https://docs.octopwn.com/plugins/scanners/krb5user.html): The KRB5User Scanner in OctoPwn performs user enumeration against a Kerberos authentication server. This scanner operates similarly to the kerbrute tool and leverages the Kerberos protocol to enumerate valid usernames within a target domain…
- [smbadmin](https://docs.octopwn.com/plugins/scanners/smbadmin.html): The SMB Admin Scanner in OctoPwn performs SMB login attempts and determines whether the provided account has administrative privileges on the target systems. This scanner is particularly useful for identifying systems that can be used for…
- [smblaps](https://docs.octopwn.com/plugins/scanners/smblaps.html): The SMBLAPS Scanner validates a single LAPS (Local Administrator Password Solution) admin user against all hosts in a provided LAPS dump file. This scanner is useful for verifying if dumped LAPS credentials are still valid or identifying…
- [smbbrute](https://docs.octopwn.com/plugins/scanners/smbbrute.html): The SMB Brute-Force Scanner mounts a credential brute-force or password-spraying campaign against one or more SMB targets using user-supplied username and password lists. The scanner supports smart throttling so you can avoid AD account…
- [mssqllogin](https://docs.octopwn.com/plugins/scanners/mssqllogin.html): The MSSQL Login Scanner validates a credential against one or more Microsoft SQL Server instances (default port 1433). It runs a full TDS login on every target and reports a simple LOGIN_OK boolean. Both SQL authentication and Windows…
- [mssqladmin](https://docs.octopwn.com/plugins/scanners/mssqladmin.html): The MSSQL Admin Privilege Scanner logs into each target MSSQL server (default port 1433) with the supplied credential and asks SQL Server itself the question "am I sysadmin?". Concretely it executes SELECT IS_SRVROLEMEMBER('sysadmin') and…
- [sshlogin](https://docs.octopwn.com/plugins/scanners/sshlogin.html): The SSH Login Scanner validates a credential against one or more SSH servers (default port 22). For every target it performs a full SSH login — using either password or public-key authentication, depending on what the credential carries —…
- [ftplogin](https://docs.octopwn.com/plugins/scanners/ftplogin.html): The FTP Login Scanner validates a credential against one or more FTP servers (port 21 by default). For every target it performs a full FTP login and reports a simple LOGIN_OK boolean, allowing you to quickly map which credentials work…
- [ftpanon](https://docs.octopwn.com/plugins/scanners/ftpanon.html): The FTP Anonymous Login Scanner tests every target FTP server (typically port 21) for anonymous login access. It logs in with the username anonymous and a dummy email address as the password — no real credential is required.
- [rdplogin](https://docs.octopwn.com/plugins/scanners/rdplogin.html): The RDP Login Scanner in OctoPwn tests whether specified user credentials can successfully authenticate to a target system via Remote Desktop Protocol (RDP). This scanner helps identify systems that acquired credentials can log in to via…

### RDP

- [rdpcap](https://docs.octopwn.com/plugins/scanners/rdpcap.html): The RDP Capabilities Scanner in OctoPwn enumerates Remote Desktop Protocol (RDP) settings and capabilities on target systems. This scanner identifies supported authentication methods and encryption protocols for RDP connections, such as…
- [rdpscreen](https://docs.octopwn.com/plugins/scanners/rdpscreen.html): The RDP Screen Scanner in OctoPwn logs into a target system via Remote Desktop Protocol (RDP), captures a screenshot of the presented screen, and waits for a specified amount of time for frame data before proceeding to the next target.…

### MSSQL data hunting

- [mssqlfinger](https://docs.octopwn.com/plugins/scanners/mssqlfinger.html): The MSSQL Fingerprint Scanner is the SQL-server equivalent of smbfinger. It connects to each MSSQL listener (default port 1433), starts a TDS pre-login and triggers an NTLM challenge — all without authenticating. The challenge response…
- [mssqlpipe](https://docs.octopwn.com/plugins/scanners/mssqlpipe.html): The MSSQL Named-Pipe Scanner discovers MSSQL instances that are reachable through SMB named pipes (port 445), even when TCP 1433 is firewalled. It connects to IPC$ on each target, lists every named pipe, and matches the pipe names against…
- [mssqldbinfo](https://docs.octopwn.com/plugins/scanners/mssqldbinfo.html): The MSSQL Database Info Scanner maps the full schema of every accessible database on each target SQL Server: databases → schemas → tables → columns, plus an approximate row count per table. System databases (master, model, msdb, tempdb)…
- [mssqlsensdata](https://docs.octopwn.com/plugins/scanners/mssqlsensdata.html): The MSSQL Sensitive Data Scanner automates the search for high-impact data exposure across SQL Server estates. It walks every accessible database, schema, table and column, then matches the table and column names against a built-in keyword…
- [mssqlquery](https://docs.octopwn.com/plugins/scanners/mssqlquery.html): The MSSQL Query Scanner runs an arbitrary SQL statement against every target MSSQL server (default port 1433) and streams every result row back. It connects with the supplied credential, executes the configured query (defaults to SELECT…

### WMI

- [wmiadmin](https://docs.octopwn.com/plugins/scanners/wmiadmin.html): The WMI Admin Privilege Scanner verifies whether the configured credential has administrative access to the WMI service on each target host. It connects via DCOM/RPC (port 135 for the endpoint mapper, then a dynamic high port; SMB on 445…
- [wmiquery](https://docs.octopwn.com/plugins/scanners/wmiquery.html): The WMI Query Scanner executes a custom WQL (WMI Query Language) statement against each target host via DCOM/RPC and streams the result rows back. It connects with the supplied credential, runs the configured WQL query (defaults to SELECT…

### LDAP & NFS

- [ldapsig](https://docs.octopwn.com/plugins/scanners/ldapsig.html): The LDAP Signing Scanner in OctoPwn determines whether LDAP signing is enforced on target LDAP servers. LDAP signing ensures the integrity and security of communication by requiring digitally signed data. Systems without enforced LDAP…
- [nfs3file](https://docs.octopwn.com/plugins/scanners/nfs3file.html): The NFS3 File Scanner in OctoPwn performs file enumeration over NFSv3 shares. It iterates through folders up to a specified depth, collecting file and folder information to identify potential credentials or other sensitive data.

### SNMP & IPMI

- [snmphost](https://docs.octopwn.com/plugins/scanners/snmphost.html): The SNMP Host Scanner queries SNMP agents (UDP port 161) on each target and retrieves a single OID value. By default it asks for the system description (sysDescr, OID 1.3.6.1.2.1.1.1.0), which is the cheapest way to confirm a community…
- [ipmicaps](https://docs.octopwn.com/plugins/scanners/ipmicaps.html): The Intelligent Platform Management Interface (IPMI) Capabilities Scanner in OctoPwn scans for open IPMI services and lists their authentication capabilities. IPMI is a protocol that allows for remote management of servers. Compromising…
- [ipmicipherzero](https://docs.octopwn.com/plugins/scanners/ipmicipherzero.html): The IPMI CipherZero Scanner in OctoPwn identifies systems vulnerable to the Cipher 0 authentication bypass in the IPMI 2.0 protocol. Cipher 0 is a significant vulnerability in IPMI 2.0 implementations that allows clear-text authentication,…

### Vulnerability & relay-path

- [smbprintnightmare](https://docs.octopwn.com/plugins/scanners/smbprintnightmare.html): The SMB PrintNightmare Scanner in OctoPwn scans for hosts vulnerable to the PrintNightmare exploit. PrintNightmare refers to a set of vulnerabilities in the Windows Print Spooler service that allow remote code execution and privilege…
- [smbspooler](https://docs.octopwn.com/plugins/scanners/smbspooler.html): The SMB Spooler Scanner detects whether the Windows Print Spooler service (spoolsv) is reachable on each target via RPC. It binds to the Spooler RPC interface (typically over port 135 endpoint mapper and 445 SMB) and reports a simple…
- [smbwebdav](https://docs.octopwn.com/plugins/scanners/smbwebdav.html): The SMB WebDAV Detection Scanner detects whether the WebClient (WebDAV) service is running on each target host by probing over SMB (port 445). It returns a single boolean AVAILABLE per host.
- [ntlmreflection](https://docs.octopwn.com/plugins/scanners/ntlmreflection.html): The NTLM Reflection Scanner identifies hosts that are vulnerable to NTLM reflection (a.k.a. NTLM relay-back-to-self). It authenticates with the supplied credential, opens the Remote Registry over SMB (port 445), reads the OS build / UBR…
- [ntlmv1](https://docs.octopwn.com/plugins/scanners/ntlmv1.html): The NTLMv1 Scanner checks whether a target host still permits the legacy NTLMv1 authentication protocol. It connects over SMB (port 445), authenticates with the supplied credential, then opens the Remote Registry and reads:
- [CVE_2017_12542](https://docs.octopwn.com/plugins/scanners/CVE_2017_12542.html): The HP iLO 4 Auth Bypass Scanner tests target hosts for CVE-2017-12542, an authentication-bypass vulnerability in HP iLO 4 management interfaces (HTTPS on port 443). The exploit is delightfully simple: an HTTP GET to…

### Post-exploitation secrets

- [smbpshistory](https://docs.octopwn.com/plugins/scanners/smbpshistory.html): The SMB PowerShell History Scanner retrieves the PSReadline command history files from every user profile on each target host via SMB (port 445). Windows stores every command typed in a PowerShell console in a plaintext file:
- [event6secrets](https://docs.octopwn.com/plugins/scanners/event6secrets.html): The Event Log Secrets Scanner mines Windows Event Logs on each target host for entries that contain embedded secrets — credentials, tokens, keys — by reading the logs remotely via SMB (port 445). Internally it relies on the Event6 library…

## Servers

- [Overview](https://docs.octopwn.com/plugins/servers/overview.html): OctoPwn's servers host network services from inside the framework so you can run the classic "rogue server" attack patterns — name-resolution poisoning, NTLM relaying, WebDAV / HTTP loot-drop sinks, AD CS Web Enrollment relays, and more —…
- [spoofer](https://docs.octopwn.com/plugins/servers/spoofer.html): The Spoofer Server is OctoPwn's unified Layer-2 name-resolution poisoner. A single session brings up three UDP listeners side by side and feeds them all from the same configuration:
- [relaysmb](https://docs.octopwn.com/plugins/servers/relaysmb.html): The RelaySMB server is OctoPwn's NTLM relay variant aimed at SMB targets. It runs a set of front-end listeners (SMB, HTTP, HTTPS, HTTP-proxy by default), waits for an inbound NTLM authentication, and on success forwards the in-flight NTLM…
- [relayldap](https://docs.octopwn.com/plugins/servers/relayldap.html): The RelayLDAP server is the NTLM relay variant aimed at LDAP / LDAPS / StartTLS back-ends. Inbound NTLM authentications are forwarded into a fresh MSLDAPClientConnection against one of the configured targets, and on success the relayed…
- [relaymssql](https://docs.octopwn.com/plugins/servers/relaymssql.html): The RelayMSSQL server is the NTLM relay variant aimed at Microsoft SQL Server back-ends. Inbound NTLM authentications are forwarded into a fresh MSSQLConnection against one of the configured targets, and on success the connection is…
- [relayesc8](https://docs.octopwn.com/plugins/servers/relayesc8.html): The RelayESC8 server is the NTLM relay variant aimed at AD CS Web Enrollment endpoints (the certsrv IIS application that ships with the Active Directory Certificate Services Web Enrollment Role). It is OctoPwn's implementation of the ESC8…
- [relayreflection](https://docs.octopwn.com/plugins/servers/relayreflection.html): The RelayNTLMReflection server is the NTLM relay variant aimed at the same machine that initiated the connection. There is no targets parameter: the back-end target is always the peer address of the inbound TCP/IP connection. On a…

## Utilities

- [Overview](https://docs.octopwn.com/plugins/utils/index.html): OctoPwn's utilities are everything in the toolkit that isn't a network client or a scanner. They cover three broad areas:

### Offline analysis & decryption

- [pypykatz](https://docs.octopwn.com/plugins/utils/pypykatz.html): This is OctoPwn's bundled wrapper around Pypykatz — the Python re-implementation of mimikatz. It performs offline parsing of credential-bearing files that you've already gathered (LSASS minidumps, registry hives, NTDS.dit) and provides a…
- [dpapi](https://docs.octopwn.com/plugins/utils/dpapi.html): This utility performs the offline-decryption half of the DPAPI workflow. It loads, caches, and decrypts the various Windows DPAPI artefacts — master keys, credential / vault files, Chrome stores, WiFi configs, PowerShell SecureStrings,…
- [nmap](https://docs.octopwn.com/plugins/utils/nmap.html): The Nmap utility parses an Nmap XML report and lets you query the parsed result, list services, and feed the discovered hosts into the Targets window. It does not run Nmap itself — you bring the XML, it does the parsing.
- [masscan](https://docs.octopwn.com/plugins/utils/masscan.html): This legacy utility parses a Masscan XML output file and can populate the Targets window with the discovered hosts (with their open ports attached). It does not perform any scanning itself — Masscan must be run separately and its XML…

### AD modelling & exploitation

- [bloodhound](https://docs.octopwn.com/plugins/utils/bloodhound.html): The BloodHound utility is OctoPwn's collector for BloodHound CE — it produces a BloodHound-compatible zip from a live AD environment that can be ingested directly into BloodHound CE / Legacy. It is the spiritual replacement of the older…
- [neo4j](https://docs.octopwn.com/plugins/utils/neo4j.html): The Neo4j utility is a thin OctoPwn-side client for an external Neo4j instance — typically the one backing a BloodHound CE deployment. It lets an analyst run arbitrary Cypher queries (or BloodHound path queries) without leaving the OctoPwn…
- [domain](https://docs.octopwn.com/plugins/utils/domain.html): The DOMAIN utility is OctoPwn's AD attack-path engine. It loads a domain model (from a live LDAP session and/or a BloodHound zip) and on top of that model offers two things:

### Operator helpers

- [hashcat](https://docs.octopwn.com/plugins/utils/hashcat.html): The Hashcat utility wraps a local Hashcat binary and ties it into OctoPwn's Credentials Hub: hashes added to the Hub are queued for cracking automatically, and any plaintext recovered by Hashcat is fed back into the Hub as a new PASSWORD…
- [snaffler](https://docs.octopwn.com/plugins/utils/snaffler.html): The Snaffler utility is OctoPwn's port / wrapper of the Snaffler "find interesting files" philosophy, built on top of pysnaffler. It walks remote filesystems looking for files whose name, share, path, or contents match Snaffler's rule set,…
- [terminal](https://docs.octopwn.com/plugins/utils/terminal.html): The Terminal utility opens an interactive PTY shell inside an OctoPwn window — a real, full-featured bash process driven through the GUI's embedded xterm.js terminal. It mirrors the in-window terminal experience the SSH client provides,…
- [roadtools](https://docs.octopwn.com/plugins/utils/roadtools.html): The ROADtools utility is OctoPwn's wrapper around Dirk-jan Mollema's ROADtools framework for Entra ID / Azure AD reconnaissance. It exposes:
- [pluginloader](https://docs.octopwn.com/plugins/utils/pluginloader.html): The Plugin Loader is the runtime that loads and runs OctoPwn plugins — custom Python modules that extend OctoPwn at runtime without modifying the core code base. It is the entry point for everything authored in the OctoPwn IDE and for any…
- [ide](https://docs.octopwn.com/plugins/utils/ide.html): The IDE Utility in OctoPwn serves as an Integrated Development Environment for extending and automating OctoPwn functionalities. It provides a streamlined way to develop custom plugins and scripts tailored to your needs, with built-in…
- [python-console](https://docs.octopwn.com/plugins/utils/python-console.html): The Python Console is an in-browser Python interpreter wired into the OctoPwn UI. It is intended for quick, one-off Python evaluation — testing a snippet, computing something on the fly, importing a module to inspect its attributes,…

## Attacks

- [Overview](https://docs.octopwn.com/plugins/attacks/overview.html): OctoPwn's Attacks are one-button orchestrators for higher-level, multi-step techniques — the post-exploitation moves you'd otherwise stitch together by hand from the Clients, Scanners and Servers. Each attack is configured like a scanner…

### AD credentials & secrets

- [kerberoast](https://docs.octopwn.com/plugins/attacks/kerberoast.html): The Kerberoast attack module performs both classic SPN-roasting (MITRE ATT&CK T1558.003) and AS-REP roasting (T1558.004) against Active Directory in a single run, against every etype the KDC will issue (RC4, AES128, AES256). Hashes are…
- [dcsync](https://docs.octopwn.com/plugins/attacks/dcsync.html): The DCSync attack module performs the canonical DCSync technique — replicating secrets out of Active Directory by impersonating a Domain Controller at the MS-DRSR (Directory Replication Service) RPC level. It is the cleanest path from…
- [adspray](https://docs.octopwn.com/plugins/attacks/adspray.html): The ADSpray attack is OctoPwn's Active Directory password spray module. It tests a small list of likely passwords against many user accounts in parallel, safely: it reads the domain's lockout policy from LDAP up front and self-throttles so…
- [pre2k](https://docs.octopwn.com/plugins/attacks/pre2k.html): The PRE2K attack abuses a long-standing AD quirk: machine accounts created through the legacy "Pre-Windows 2000 compatibility" code path get a default password derived from the machine's own sAMAccountName. Specifically, the password is…
- [timeroast](https://docs.octopwn.com/plugins/attacks/timeroast.html): The Timeroast Attack leverages the Kerberos NTP response hashing mechanism to retrieve hashes of computer accounts in an Active Directory (AD) domain. It performs NTP Roasting by requesting NTP responses with specific RIDs. The attack is…

### AD CS

- [esc1](https://docs.octopwn.com/plugins/attacks/esc1.html): The ESC1 attack module exploits a misconfigured AD CS certificate template to enroll a certificate with an attacker-chosen Subject Alternative Name (SAN), then uses that certificate to authenticate to the domain as the impersonated user.…
- [esc4](https://docs.octopwn.com/plugins/attacks/esc4.html): The ESC4 attack module exploits write access to a certificate template's LDAP object to temporarily make that template vulnerable to ESC1, enrol an arbitrary-SAN certificate, and then automatically restore the template's original flags so…

### Kerberos delegation

- [rbcd](https://docs.octopwn.com/plugins/attacks/rbcd.html): The RBCD (Resource-Based Constrained Delegation) attack abuses the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on a target machine account to make any user authenticate to that machine as any other user, including Domain Admins. The…
- [shadowcreds](https://docs.octopwn.com/plugins/attacks/shadowcreds.html): The Shadow Credentials attack (Elad Shamir's "Shadow Credentials") abuses write access on a target user / computer object's msDS-KeyCredentialLink attribute to plant a forged WHfB-style key credential, then uses PKINIT to obtain a TGT for…
- [constraineddeleg](https://docs.octopwn.com/plugins/attacks/constraineddeleg.html): The CONSTRAINEDDELEG attack is OctoPwn's helper for the S4U2Self → S4U2Proxy Kerberos chain. Given a credential whose account already has Kerberos Constrained Delegation configured (i.e. msDS-AllowedToDelegateTo is populated for the…

### Coercion & relay

- [coercer](https://docs.octopwn.com/plugins/attacks/coercer.html): The Coercer attack module is OctoPwn's multi-vector authentication-coercion driver. Given a domain credential and one or more targets, it cycles through every known SMB-side coercion RPC — PetitPotam (EFSRPC), PrinterBug (RPRN),…
- [ntlmreflection](https://docs.octopwn.com/plugins/attacks/ntlmreflection.html): The NTLMReflection attack module is OctoPwn's one-button orchestrator for the end-to-end CVE-2025-33073 exploit chain. It does, in a single attack session, what would otherwise require five separate tools running in lockstep:

### SMB host secrets

- [smbregdump](https://docs.octopwn.com/plugins/attacks/smbregdump.html): The SMBRegDump attack is OctoPwn's "classic" remote registry secrets dumper — modeled on Impacket's secretsdump.py "registry" technique. It saves the SAM, SYSTEM and SECURITY hives to disk on the target under…
- [smbregdump2](https://docs.octopwn.com/plugins/attacks/smbregdump2.html): The SMBRegDump2 attack is OctoPwn's "no-touchy disk" remote registry secrets dumper. Instead of dumping SAM / SYSTEM / SECURITY to a file on the target (the smbregdump approach), it works entirely through the Remote Registry RPC interface:…
- [dpapi](https://docs.octopwn.com/plugins/attacks/dpapi.html): The DPAPI attack is OctoPwn's automated, multi-target, end-to-end DPAPI looter. It authenticates over SMB to each target as a local admin and, in a single pass per host, extracts and decrypts:

### Edge cases

- [snmpbrute](https://docs.octopwn.com/plugins/attacks/snmpbrute.html): The SNMPBRUTE attack is OctoPwn's brute-forcer for SNMPv2c community strings. Given one or more targets, it tries a list of candidate community strings (built-in default of ~150 of the most common ones, or your own list) against 161/UDP…
- [ipmihash](https://docs.octopwn.com/plugins/attacks/ipmihash.html): A significant flaw in the IPMI 2.0 specification allows the server (Baseboard Management Controller or BMC) to send a salted SHA1 or MD5 hash of a user's password during the authentication process. This means that for any valid user…

## Automations

- [Autopwn](https://docs.octopwn.com/plugins/automations/autopwn.html): Autopwn is an automated tool designed to achieve quick results on any network and enable more time for manual testing. It is a fully configurable and expandable tool that enables you to automate the routine aspects of your workflow with…

### Flowgraph

- [Overview](https://docs.octopwn.com/plugins/automations/flowgraph/index.html): Flowgraph is OctoPwn's visual, node-based automation framework. You drag blocks onto a canvas, wire their typed ports together, and the engine executes the resulting graph end-to-end — credentials, targets and sessions flow along the wires…
- [Core concepts](https://docs.octopwn.com/plugins/automations/flowgraph/concepts.html): This page explains the data model that the rest of the flowgraph documentation assumes you understand. Read it once and the recipes become readable at a glance.
- [UI tour](https://docs.octopwn.com/plugins/automations/flowgraph/ui-tour.html): This page walks through the FLOWGRAPH window end-to-end: opening it, the block palette, the canvas, the per-node configuration panel, the run controls, the results inspector and the kill-chain viewer. Each section is paired with a…
- [Run modes & opsec](https://docs.octopwn.com/plugins/automations/flowgraph/run-modes.html): A flowgraph is a description of work. How that work is dispatched is determined by the run mode you pick from the FLOWGRAPH window toolbar (or the equivalent console command).
- [Typing & wiring](https://docs.octopwn.com/plugins/automations/flowgraph/typing-and-wiring.html): Every port has a wire type. The engine refuses to connect ports whose types are incompatible, and the editor only draws connectable ports when you start a drag from a port. This page is the cheat sheet that explains why a given connection… - [Composites](https://docs.octopwn.com/plugins/automations/flowgraph/composites.html): A composite is a piece of a flowgraph saved as a reusable, named block with its own typed port surface. They are the flowgraph equivalent of writing a function: define inputs, define outputs, hide the implementation, drop the result into… - [Script block](https://docs.octopwn.com/plugins/automations/flowgraph/script-block.html): SCRIPT is the escape hatch. When FILTER, COLLECT, CREDMUX and the other built-in vocabulary can't express what you need, drop a SCRIPT block into the pipeline and write the logic in Python. - [CLI reference](https://docs.octopwn.com/plugins/automations/flowgraph/cli.html): The flowgraph framework is built around its UI, but every UI action is ultimately implemented as a command on a FLOWGRAPH utility session. That console is also exposed directly, which makes the CLI the right tool for: - [Reporting & killchain](https://docs.octopwn.com/plugins/automations/flowgraph/reporting.html): Every flowgraph pass writes an execution journal to iter_state and to the History database. The journal is what makes the killchain report work: given any item in the store, OctoPwn can walk the journal backwards and reconstruct the entire… ### Recipes - [Overview](https://docs.octopwn.com/plugins/automations/flowgraph/recipes/index.html): Six small, self-contained recipes that show how the blocks in the block reference snap together into real pipelines. 
Each one fits on one screen, is wired to actually validate against the engine, and ends in something useful — discovered… - [Portscan + SMB finger](https://docs.octopwn.com/plugins/automations/flowgraph/recipes/portscan-smbfinger.html): The bread-and-butter discovery chain: sweep a target range for open TCP ports, then collect SMB server fingerprints from every host with 445/TCP open. - [Credential spray](https://docs.octopwn.com/plugins/automations/flowgraph/recipes/credential-spray.html): Validate every credential in the store against every SMB-speaking host in the project — without trying credential types SMB can't use, and without re-scanning the same (host, credential) pair twice. - [DCSync from creds](https://docs.octopwn.com/plugins/automations/flowgraph/recipes/dcsync-from-creds.html): Use any DCSync-capable credential the project knows about to dump the domain over DRSUAPI, push every discovered NT hash back into the credential store, and queue the new hashes for the next runloop pass so they immediately feed downstream… - [Kerberoast and crack](https://docs.octopwn.com/plugins/automations/flowgraph/recipes/kerberoast-and-crack.html): Roast every kerberoastable account in the domain, push the hashes into a local Hashcat session for cracking, and feed any cracked plaintext passwords back into the credential store so subsequent runloop passes try them everywhere. - [ADCS ESC1 to NT](https://docs.octopwn.com/plugins/automations/flowgraph/recipes/adcs-esc1-to-nt.html): Enumerate every certificate template available in the domain, filter to the one(s) vulnerable to ESC1, request a certificate impersonating a target user, and convert the resulting PFX to an NT hash via PKINIT U2U. The NT hash is… - [Runloop convergence](https://docs.octopwn.com/plugins/automations/flowgraph/recipes/runloop-discover-iterate.html): Wire discovery, authentication and exploitation into a single self-feeding pipeline. 
Run it under runloop and walk away — every new target the portscan discovers gets fingerprinted, every new credential DCSync produces gets sprayed back… ### Block reference - [All categories](https://docs.octopwn.com/plugins/automations/flowgraph/blocks/index.html): Complete, auto-generated reference for the 172 block types the flowgraph engine knows about. Regenerated from octopwn/enterprise/flowgraph/registry.py on every release — see the comment at the top of each page for the regeneration command. - [Sources & prompts](https://docs.octopwn.com/plugins/automations/flowgraph/blocks/sources.html): Source blocks inject data into a flowgraph. Most pipelines start with one or more SOURCE_ blocks that emit credentials, targets, or live sessions from the OctoPwn project store. _NEW variants only emit items not yet processed in the… - [Queues & sinks](https://docs.octopwn.com/plugins/automations/flowgraph/blocks/queues-sinks.html): QUEUE blocks are feedback sinks: items wired into a queue are held for the next runloop iteration, where the matching SOURCE_*_NEW block re-emits them with their "seen" flag cleared. This is how a flowgraph discovers new credentials,… - [CredMux](https://docs.octopwn.com/plugins/automations/flowgraph/blocks/credmux.html): CREDMUX is the single most important routing block: it fans a single credential stream out onto protocol-typed output ports so that each downstream scanner / session / attack block receives only credentials it can actually use. Wiring… - [Filters & gates](https://docs.octopwn.com/plugins/automations/flowgraph/blocks/filters.html): Filter blocks evaluate conditions on flowing items. FILTER and FILTER_TARGETS route items between match and no_match outputs based on a key / op / value triple. 
COLLECT accumulates items into a re-emittable store that feeds the lookup port… - [Scanners](https://docs.octopwn.com/plugins/automations/flowgraph/blocks/scanners.html): Every entry in octopwn.scanners.OCTOPWN_SCANNER_TABLE is auto-registered as a SCANNER_ block. Scanner blocks have a target input port, an optional credential port (for authenticated scanners), an optional pair input that bypasses the… - [Sessions](https://docs.octopwn.com/plugins/automations/flowgraph/blocks/sessions.html): OPEN_SESSION_ blocks consume a target (and a protocol-typed credential where required) and emit a session_ reference on success or an error dict on failure. One block is generated per entry in… - [Commands](https://docs.octopwn.com/plugins/automations/flowgraph/blocks/commands.html): A CMD_ block runs any command supported by a live session — the command list comes straight from the same command map that drives the interactive console for that client. One block is generated per entry in… - [Attacks](https://docs.octopwn.com/plugins/automations/flowgraph/blocks/attacks.html): Curated, opinionated wrappers around the most common post-auth attacks in OCTOPWN_ATTACK_TABLE. Most attack blocks accept either a pair input (paired target + credential dict from ID_SPLITTER_PAIR) or independent target and credential… - [Enumeration](https://docs.octopwn.com/plugins/automations/flowgraph/blocks/enumeration.html): LDAP enumeration blocks consume an open session_ldap and stream individual user / computer / template / trust dicts to downstream blocks. The engine uses StorageRef so the memory footprint stays flat even on 100 000-user domains — items… - [Transforms](https://docs.octopwn.com/plugins/automations/flowgraph/blocks/transforms.html): Transform blocks take credentials of one kind and turn them into credentials of another kind. CONVERT_PFX_TO_NT walks a PKINIT U2U exchange on an already-opened Kerberos session to extract an NT hash. 
The HASHCAT_* blocks spawn a visible… - [Script](https://docs.octopwn.com/plugins/automations/flowgraph/blocks/script.html): The SCRIPT block lets you drop a Python coroutine into the middle of a flowgraph for the cases where the existing filter / transform vocabulary is not enough. See the script block guide for the process(item, octopwn) contract and a couple… - [Composite & boundaries](https://docs.octopwn.com/plugins/automations/flowgraph/blocks/composite.html): Composite blocks let you turn a piece of a flowgraph into a reusable, named component with its own typed ports — think "save selection as block". The composite itself is an inner Flowgraph whose external interface is defined by the… ## Misc - [Security considerations](https://docs.octopwn.com/security.html): Welcome to OctoPwn's security documentation! We prioritize safeguarding your interactions and data and are dedicated to maintaining a transparent and robust security posture. - [Licenses](https://docs.octopwn.com/licenses.html)