Octopus is an open source, pre-operation C2 server based on python which can control an Octopus powershell agent through HTTP/S.
The main purpose of creating Octopus is for use before any red team operation, where rather than starting the engagement with your full operational arsenal and infrastructure, you can use Octopus first to attack the target and gather information before you start your actual red team operation.
Octopus works in a very simple way to execute commands and exchange information with the C2 over a well encrypted channel, which makes it inconspicuous and undetectable by almost every AV, endpoint protection, and network monitoring solution.
One cool feature in Octopus is called ESA, which stands for “Endpoint Situational Awareness”. It gathers some important information about the target that will help you gain a better understanding of the target network endpoints you will face during your operation, giving you a chance to customize your real operation based on this information.
Octopus is designed to be stealthy and covert while communicating with the C2, as it uses AES-256 by default for its encrypted channel between the powershell agent and the C2 server. You can also opt for SSL/TLS by providing a valid certificate for your domain and configuring the Octopus C2 server to use it.
Octopus is packed with a number of features that allow you to gain insight into your upcoming engagement before you actually need to deploy your full arsenal of tools and techniques, such as:
You can install all of Octopus’ requirements via:
pip install -r requirements.txt
You need to install nasm for linux and the ‘mingw-w64’ compiler to use the shellcoding feature and the spoofed args agent.
You can install nasm on Debian based distros using:
apt install nasm
And you can install mingw-w64 on Debian based distros using:
apt install mingw-w64
Octopus has been tested on the following operating systems:
You will also need to install mono to make sure that you can compile the C# source without issues.
Octopus depends on the mono-csc binary to compile the C# source; you can install it with the command apt install mono-devel, which has been tested on Kali and Ubuntu 16.04.
You can use Octopus without installing mono, but you will not be able to use the generate_exe command.
Also please note that compiling C# depends on the System.Management.Automation.dll assembly with SHA1 hash a43ed886b68c6ee913da85df9ad2064f1d81c470.
If you encounter any issues using Octopus, feel free to file a bug report!
First of all, make sure to download the latest version of Octopus using the following command:
git clone https://github.com/mhaskar/Octopus/
Then you need to install the requirements using the following command:
pip install -r requirements.txt
After that you can start the Octopus server by running the following:
./octopus.py
You will be greeted with the following once you run it:
Octopus is quite simple to use, as you just need to start a listener and generate your agent based on that listener’s information.
You can generate as many listeners as you need, and then you can start interacting with your agents that connect to them.
Before you can start using Octopus you have to set up a URL handling profile, which controls the C2 behaviour and functions. Octopus is an HTTP-based C2, so it depends on URLs to handle the connections; to make sure those URLs do not serve as signatures or IoCs in the network you are currently attacking, they can be easily customized and renamed as needed.
Profile setup currently only supports URL handling, the auto kill value and headers.
Setting up your profile
To start setting up your profile you need to edit the profile.py file, which contains a number of key variables, which are:
Example:
# this is the web listener profile for Octopus C2
# you can customize your profile to handle specific URLs to communicate with the agent
# TODO : add the ability to customize the request headers

# handling the file downloading
# Ex : /anything
# Ex : /anything.php
file_receiver_url = "/messages"

# handling the report generation
# Ex : /anything
# Ex : /anything.php
report_url = "/calls"

# command sending to agent (stores the command that will be executed on a host)
# leave as is, with the same format
# Ex : /profile/
# Ex : /messages/
# Ex : /bills/
command_send_url = "/view/"

# handling the executed command
# Ex : /anything
# Ex : /anything.php
command_receiver_url = "/bills"

# handling the first connection from the agent
# Ex : /anything
# Ex : /anything.php
first_ping_url = "/login"

# will be returned in every response as the Server header
server_response_header = "nginx"

# will return a white page that includes the HTA script
mshta_url = "/hta"

# auto kill value after n tries
auto_kill = 10
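The comments in the profile imply a few format rules that are easy to get wrong when renaming URLs (a plain path for most settings, a trailing-slash prefix for command_send_url, a numeric auto_kill). The following is an added example, not part of Octopus: a small checker that loads a profile.py and reports values that break those rules. The rules are my reading of the comments above, the distinct-routes check is an assumption (each URL is served as its own web route), and load_profile() assumes profile.py is a plain Python module whose top-level variables are the settings.

```python
import re
import runpy

# Rules read off the profile comments (interpretation, not Octopus' own checks):
#   - every *_url is a single path such as /anything or /anything.php
#   - command_send_url keeps the "/name/" prefix shape (trailing slash)
#   - auto_kill is a count of failed check-ins, so a positive integer
SINGLE_PATH_RE = re.compile(r"^/[A-Za-z0-9_\-]+(\.[A-Za-z0-9]+)?$")
PREFIX_RE = re.compile(r"^/[A-Za-z0-9_\-]+/$")
SINGLE_PATH_KEYS = ("file_receiver_url", "report_url", "command_receiver_url",
                    "first_ping_url", "mshta_url")

# The default profile from the page, as a dict
DEFAULT_PROFILE = {
    "file_receiver_url": "/messages",
    "report_url": "/calls",
    "command_send_url": "/view/",
    "command_receiver_url": "/bills",
    "first_ping_url": "/login",
    "server_response_header": "nginx",
    "mshta_url": "/hta",
    "auto_kill": 10,
}


def load_profile(path):
    """Execute a profile.py and return its module-level variables as a dict."""
    return {k: v for k, v in runpy.run_path(path).items() if not k.startswith("__")}


def validate_profile(profile):
    """Return a list of problems; an empty list means the profile is well formed."""
    problems = []
    for key in SINGLE_PATH_KEYS:
        value = profile.get(key)
        if not isinstance(value, str) or not SINGLE_PATH_RE.match(value):
            problems.append(f"{key}: expected /anything or /anything.php, got {value!r}")
    prefix = profile.get("command_send_url")
    if not isinstance(prefix, str) or not PREFIX_RE.match(prefix):
        problems.append(f"command_send_url: expected a prefix like /view/, got {prefix!r}")
    # Assumption: each URL is registered as its own web route, so they must differ.
    urls = [profile.get(k) for k in SINGLE_PATH_KEYS] + [prefix]
    if len(set(urls)) != len(urls):
        problems.append("URL values must all be distinct")
    header = profile.get("server_response_header")
    if not isinstance(header, str) or not header.strip():
        problems.append("server_response_header: must be a non-empty string")
    kill = profile.get("auto_kill")
    if isinstance(kill, bool) or not isinstance(kill, int) or kill < 1:
        problems.append(f"auto_kill: expected a positive integer, got {kill!r}")
    return problems


if __name__ == "__main__":
    import sys
    profile = load_profile(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_PROFILE
    for problem in validate_profile(profile) or ["profile OK"]:
        print(problem)
```

Run it as `python check_profile.py profile.py` to check an edited profile, or with no argument to check the defaults shown above.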
The agent and the listeners will be configured to use this profile to communicate with each other. Next we need to know how to create a listener.
Octopus has two main listeners, “http listener” and “https listener”, and the options of the two listeners are mostly identical.
HTTP listener
The listen_http command takes the following arguments to start. You can also view them by running the listen_http command without arguments:
Octopus >>listen_http
[-] Please check listener arguments !
Syntax : listen_http BindIP BindPort hostname interval URL listener_name
Example (with domain) : listen_http 0.0.0.0 8080 myc2.live 5 comments.php op1_listener
Example (without domain) : listen_http 0.0.0.0 8080 172.0.1.3 5 profile.php op1_listener
Options info :
BindIP IP address that will be used by the listener
BindPort port you want to listen on
Hostname will be used to request the payload from
Interval how may seconds that agent will wait before check for commands
URL page name will hold the payload
Listener_name listener name to use
Octopus >>
And we can start a listener using the following command:
listen_http 0.0.0.0 8080 192.168.178.1 5 page.php operation1
The following result will be returned:
Octopus >>listen_http 0.0.0.0 8080 192.168.178.1 5 page.php operation1
Octopus >> * Serving Flask app “core.weblistener” (lazy loading)
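The encrypted channel hides what the agent and listener say to each other, but not the shape of the conversation: the profile's URL paths, the Server header and the fixed check-in interval passed to listen_http (5 seconds in the example above) are all visible to a web proxy or network sensor. The following is an added example, not Octopus code, of the detection logic a defender could run over proxy logs: it flags (client, host, path) tuples that are polled at a near-constant interval and marks those whose path matches the default profile URLs from the profile section. The log lines and their column layout are constructed, and the `/view/host1` path is a made-up request under the command_send_url prefix.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Default values from the profile shown earlier on this page. An operator is
# expected to rename them, so treat them as a starting point, not a signature.
DEFAULT_PATHS = {"/login", "/messages", "/calls", "/bills", "/hta"}
DEFAULT_PREFIX = "/view/"

# Constructed proxy log lines (not captured traffic), space separated:
#   timestamp client host method path status server-header
# 10.0.0.5 polls a path under the command prefix every 5 s (the listener interval),
# 10.0.0.7 browses normally, 10.0.0.9 is a benign periodic poller (mail sync).
SAMPLE_LOG = """\
2024-01-10T10:00:00 10.0.0.5 myc2.live GET /login 200 nginx
2024-01-10T10:00:05 10.0.0.5 myc2.live GET /view/host1 200 nginx
2024-01-10T10:00:10 10.0.0.5 myc2.live GET /view/host1 200 nginx
2024-01-10T10:00:15 10.0.0.5 myc2.live GET /view/host1 200 nginx
2024-01-10T10:00:20 10.0.0.5 myc2.live GET /view/host1 200 nginx
2024-01-10T10:00:25 10.0.0.5 myc2.live GET /view/host1 200 nginx
2024-01-10T10:00:03 10.0.0.7 news.example GET /index.html 200 Apache
2024-01-10T10:00:41 10.0.0.7 news.example GET /index.html 200 Apache
2024-01-10T10:02:09 10.0.0.7 news.example GET /index.html 200 Apache
2024-01-10T10:05:30 10.0.0.7 news.example GET /index.html 200 Apache
2024-01-10T10:00:00 10.0.0.9 mail.example GET /sync 200 nginx
2024-01-10T10:01:00 10.0.0.9 mail.example GET /sync 200 nginx
2024-01-10T10:02:00 10.0.0.9 mail.example GET /sync 200 nginx
2024-01-10T10:03:00 10.0.0.9 mail.example GET /sync 200 nginx
"""


def parse_line(line):
    """Split one constructed log line into a dict; None for blank or odd lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, host, method, path, status, server = parts
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": host,
            "method": method, "path": path, "status": int(status), "server": server}


def is_profile_path(path):
    """True if a request path matches the default profile URLs above."""
    return path in DEFAULT_PATHS or path.startswith(DEFAULT_PREFIX)


def find_beacons(lines, min_hits=4, max_cv=0.1):
    """Flag (client, host, path) tuples requested at a near-constant interval.

    max_cv is the coefficient of variation (stdev / mean) of the gaps between
    requests; 0.1 tolerates small delays but rejects ordinary browsing. Raise it
    for agents that add jitter to their interval.
    """
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_key[(rec["client"], rec["host"], rec["path"])].append(rec)
    results = []
    for (client, host, path), recs in by_key.items():
        if len(recs) < min_hits:
            continue
        times = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0 or pstdev(gaps) / avg > max_cv:
            continue
        results.append({"client": client, "host": host, "path": path,
                        "hits": len(recs), "interval": round(avg, 1),
                        "server": recs[0]["server"],
                        "profile_match": is_profile_path(path)})
    # profile-matching hits first, then by client, so the analyst sees the best lead on top
    return sorted(results, key=lambda r: (not r["profile_match"], r["client"]))


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        tag = "PROFILE-MATCH" if hit["profile_match"] else "periodic"
        print(f"{tag:13} {hit['client']} -> {hit['host']}{hit['path']} "
              f"every {hit['interval']}s x{hit['hits']} (Server: {hit['server']})")
```

On the sample data the mail client is reported as periodic too, which is why the path match is kept as a separate field rather than folded into the interval test: a renamed profile defeats the path match, while periodicity survives renaming but needs triage. The Server header is reported but not scored, since "nginx" on its own is far too common to alert on.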
The listen_https command takes the following arguments to start:
Please note that you need to provide a valid SSL certificate that is associated with the domain used.
Powershell oneliner
To generate an agent for the listener operation1 we can use the following command:
generate_powershell operation1
HTA oneliner
To generate an HTA oneliner for the listener operation1 we can use the following command:
generate_hta operation1