# Attacks
OctoPwn's Attacks are one-button orchestrators for higher-level, multi-step techniques — the post-exploitation moves you'd otherwise stitch together by hand from the Clients, Scanners and Servers. Each attack is configured like a scanner (parameters in a session window, results land in the Credentials Hub), but instead of "find hosts that match X" it does "perform multi-stage technique X end to end".
Examples of what's automated:
- The full DCSync flow with optional LDAP-driven user filtering.
- The full CVE-2025-33073 NTLM-reflection chain (DNS write → relay server → coerce → SYSTEM session per target).
- AD CS ESC1 / ESC4 including template-flag flip + restore.
- Resource-Based Constrained Delegation including machine-account creation + cleanup.
- Shadow Credentials including msDS-KeyCredentialLink write + restore + UnPAC the Hash.
Hits — NT hashes, AES keys, PFX credentials, service tickets, community strings, NTP roast hashes — are stored automatically in the Credentials Hub for immediate use by any downstream client / scanner / attack / server.
## AD credentials and secrets

| Attack | What it does |
|---|---|
| KERBEROAST | SPN-roast and AS-REP-roast every eligible user across all etypes (RC4 / AES128 / AES256). |
| DCSYNC | Pull every NT / AES / DPAPI key out of AD via DRSGetNCChanges. Optional LDAP filter for scope. |
| ADSPRAY | Lockout-aware password spray (passwords or NT hashes) across all enabled domain users. |
| PRE2K | Find machine accounts whose password is still the legacy "lowercased name" default. |
| TIMEROAST | Unauthenticated NTP-RID-roast against DCs; recovers computer-account hashes for offline cracking. |
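From the defender's side, the DCSYNC and KERBEROAST rows above map onto two well-known Windows Security audit signals: a DRSGetNCChanges replication request shows up as Event 4662 carrying the DS-Replication-Get-Changes control-access-right GUIDs from a principal that is not a domain controller, and ticket roasting shows up as Event 4769 TGS requests, classically with RC4 (etype 0x17) for a non-krbtgt, non-machine SPN, or, because the module roasts across all etypes, as one requester fanning out over many distinct service names. The detection logic below is an added example written for this page, not OctoPwn code; the event records are constructed JSON lines in the shape an EVTX-to-JSON forwarder might emit (field names follow the Security log's own XML names), and the DC allowlist and burst threshold are assumptions the reader would tune to their environment.

```python
import json
import re
from collections import defaultdict

# Control-access-right GUIDs that appear in the "Properties" field of Event 4662
# when directory replication is requested. These are the documented AD values;
# a DCSync-style DRSGetNCChanges call needs the first two.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in Event 4769

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Constructed sample events (not real telemetry). Line 1 is a DC replicating
# normally, line 2 is a plain user requesting replication rights (DCSync shape),
# line 3 is an unrelated 4662 on a user object; the 4769 lines mix a normal
# krbtgt/AES request, an RC4 request for a service SPN, a machine SPN and an
# AES request for a second service SPN from the same requester.
SAMPLE_EVENTS = """
{"EventID":4662,"SubjectUserName":"DC01$","ObjectType":"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}","Properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}","AccessMask":"0x100"}
{"EventID":4662,"SubjectUserName":"jdoe","ObjectType":"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}","Properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}","AccessMask":"0x100"}
{"EventID":4662,"SubjectUserName":"jdoe","ObjectType":"%{bf967aba-0de6-11d0-a285-00aa003049e2}","Properties":"{bf967a86-0de6-11d0-a285-00aa003049e2}","AccessMask":"0x20"}
{"EventID":4769,"TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"krbtgt","TicketEncryptionType":"0x12"}
{"EventID":4769,"TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc_sql","TicketEncryptionType":"0x17"}
{"EventID":4769,"TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"WS07$","TicketEncryptionType":"0x17"}
{"EventID":4769,"TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc_web","TicketEncryptionType":"0x12"}
"""


def parse_events(text):
    """Parse newline-delimited JSON event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_dcsync(events, dc_accounts):
    """Return subject names of 4662 events that request replication rights
    from a principal outside the known domain-controller machine accounts."""
    allowed = {a.upper() for a in dc_accounts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = set(GUID_RE.findall(ev.get("Properties", "").lower()))
        subject = ev.get("SubjectUserName", "")
        if guids & REPLICATION_GUIDS and subject.upper() not in allowed:
            hits.append(subject)
    return hits


def _roastable_service(svc):
    # krbtgt tickets are every logon; machine accounts ($) have random passwords.
    return svc.lower() != "krbtgt" and not svc.endswith("$")


def flag_kerberoast_rc4(events):
    """Classic signal: RC4 service tickets for user-account SPNs."""
    return [
        (ev.get("TargetUserName"), ev.get("ServiceName", ""))
        for ev in events
        if ev.get("EventID") == 4769
        and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
        and _roastable_service(ev.get("ServiceName", ""))
    ]


def flag_kerberoast_burst(events, threshold=10):
    """Etype-agnostic signal: one requester asking for many distinct service
    SPNs. Catches AES-only roasting that the RC4 check misses. The threshold
    is an assumed tuning value."""
    per_requester = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        svc = ev.get("ServiceName", "")
        if _roastable_service(svc):
            per_requester[ev.get("TargetUserName", "")].add(svc)
    return sorted(u for u, svcs in per_requester.items() if len(svcs) >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("DCSync-like requesters:", flag_dcsync(evs, {"DC01$"}))
    print("RC4 roast requests:", flag_kerberoast_rc4(evs))
    print("SPN fan-out (threshold 2):", flag_kerberoast_burst(evs, threshold=2))
```

The DC allowlist matters: replication between domain controllers produces the same GUIDs legitimately, so the rule is "replication rights requested by something that is not a DC", not "replication rights requested". The burst rule is the one to keep when AES-only roasting is in play, since an AES service ticket is indistinguishable from a normal one on its own.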
## AD CS (Active Directory Certificate Services)

| Attack | What it does |
|---|---|
| ESC1 | Enroll a SAN-supplying certificate as any user via a vulnerable template (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT). |
| ESC4 | When you can write the template object: temporarily enable ESC1, run ESC1, restore. |

For the HTTP / Web-Enrollment AD CS variant (ESC8), see the RELAYESC8 server.
## Kerberos delegation

| Attack | What it does |
|---|---|
| RBCD | Resource-Based Constrained Delegation: create a machine, write msDS-AllowedToActOnBehalfOfOtherIdentity, S4U, restore. |
| SHADOWCREDS | Plant a msDS-KeyCredentialLink entry on a target user/computer, PKINIT, UnPAC the hash, restore. |
| CONSTRAINEDDELEG | Use an already-configured constrained-delegation right (S4U2Self → S4U2Proxy) to impersonate any user. |
## Coercion and relay

| Attack | What it does |
|---|---|
| COERCER | Multi-vector coercion driver — fires PetitPotam (EFSRPC), PrinterBug (RPRN), ShadowCoerce (FSRVP), DFSCoerce (DFSNM), EventLog (EVEN). |
| NTLMREFLECTION | One-button CVE-2025-33073 chain: scan → DNS write → relay server → COERCER → SYSTEM session per vulnerable target. |

For the listener side of these coercions, see the server pages: SPOOFER, RELAYSMB, RELAYLDAP, RELAYMSSQL, RELAYESC8, RELAYNTLMREFLECTION.
## SMB host secrets

| Attack | What it does |
|---|---|
| SMBREGDUMP | Dump SAM / SYSTEM / SECURITY hives via BaseRegSaveKey to disk on the target, read back, parse, delete. |
| SMBREGDUMP2 | Same secrets, no disk artifact — temporarily widens registry security descriptors and reads in-place. |
| DPAPI | Full DPAPI loot: master keys + credentials + Chrome blobs + SCCM (Network Access Account, Task Sequences, …). |
## Edge cases

| Attack | What it does |
|---|---|
| SNMPBRUTE | Brute-force SNMPv2c community strings against 161/UDP. |
| IPMIHASH | Capture IPMI 2.0 RAKP hashes (one of the few pre-auth, no-creds-needed wins on bare-metal). |
## Choosing the right attack
A few rules of thumb that come up in real engagements:
- You have a domain user but no admin anywhere → run KERBEROAST + ADSPRAY + PRE2K + TIMEROAST in parallel as a fan-out. Then look at AD CS templates with the LDAP client — if any is ESC1-vulnerable, run ESC1.
- You have local admin on one machine, want lateral movement → run DPAPI (covers DPAPI + SCCM + registry secrets in one pass).
- You have replicating rights on the domain → run DCSYNC; one shot, pulls everything.
- You have any domain user and a vulnerable subnet → run NTLMREFLECTION in continuous mode. Auto-owns every CVE-2025-33073-vulnerable host that gets added to the project.
- You can write to a target user's msDS-KeyCredentialLink ACL → run SHADOWCREDS. Cleanest user takeover primitive in AD.
- You can write to a target machine's msDS-AllowedToActOnBehalfOfOtherIdentity ACL → run RBCD. Cleanest machine takeover primitive.
Each attack page lists its prerequisites, the exact LDAP / SMB / RPC operations it performs, the credentials it produces, and the manual client-side equivalents you'd use for full control instead.