Built for every phase of the engagement
From solo bug bounty hunting to enterprise red team ops — OMNI adapts to how your team works, not the other way around.
Active Directory Red Team Assessment
Map the full path from a single compromised workstation to Domain Admin. OMNI automates the entire kill chain — credential extraction, Kerberos attacks, lateral movement, and ADCS abuse — producing a timestamped evidence trail at every step.
- Full AD kill chain: User desk → Domain Admin, documented
- Kerberoasting + AS-REP roasting with hashcat-ready output
- ADCS ESC1–ESC4 vulnerable certificate template detection
- DCSync rights enumeration: who-can-sync audit
!cred_kerberoast # SPN hash extraction
!lat_winrm SQLPROD # lateral movement
!ca_enum # ADCS ESC1-ESC4 audit
ai report # CVSS v4.0 findings
Ransomware Impact Demo (Executive Briefing)
Show management exactly what ransomware would encrypt on their own machines — without touching a single file. Dry-run mode lists every affected file first; the reversible encryption demo is undone with a single command.
- Dry-run mode: shows affected files without modification
- Reversible encryption demo — full rollback in seconds
- Exfiltration simulation: shows what data would leave the network
- More convincing than any slide deck — it's their own files
!backup --drive C --ext docx,xlsx,pdf # exfil scope
!audit decrypt <key> # full rollback
Credential Exposure on a Single Workstation
How many credentials are extractable from a single average office machine without admin rights? The answer is usually 15–40. OMNI runs all extraction modules in sequence and catalogs every finding with LOOT markers.
- Chrome/Edge/Brave v20 AES-GCM encryption bypass
- DPAPI blob decryption — Credential Manager, RDP, generic
- Azure AD / Teams / MSAL OAuth token harvest
- AWS, Azure, GCP, Kubernetes, Terraform config sweep
- WiFi WPA2-PSK, SSH keys, PuTTY, WinSCP, FileZilla
!cred_vault_credman # Windows Credential Manager
!cred_azure_token # Teams + MSAL tokens
!cred_cloud --sweep # .env, appsettings, k8s
!wifi # WPA2-PSK plaintext
EDR / AV Control Effectiveness Test
Your client runs XDR. Does it actually detect modern techniques? OMNI executes a controlled sequence of evasion techniques — AMSI bypass, ETW suppression, module stomping BOF execution, PPID spoofing — and you measure exactly what fired and what didn't.
- AMSI bypass: AmsiScanBuffer in-process patch
- ETW suppression: EtwEventWrite ntdll patch
- BOF execution via module stomping (MEM_IMAGE, not MEM_PRIVATE)
- PPID spoofing: process spawned under explorer.exe
- Sleep obfuscation: XOR-encrypted memory during C2 sleep
!evade_etw # suppress telemetry
!bof whoami # module stomping execution
!evade_parent_spoof --parent explorer
!evade_sleep_obf # memory XOR during sleep
Network Segmentation & Pivot Test
The client believes their DMZ and office network are separated. OMNI proves or disproves it — deploying SOCKS5 proxies, port forwards, and agent-to-agent SMB relays to reach isolated segments without a direct internet connection.
- SOCKS5 proxy: proxychains / Burp / Metasploit compatible
- Port forwarding: reach internal targets through the agent
- SMB Named Pipe relay: beacon internal hosts without internet
- WinRM subnet scan: 30 parallel runspaces, /24 in seconds
!pivot --fwd 8888 10.0.0.5 445 # port forward
!lat_winrm --scan 10.0.0.0/24 # parallel WinRM scan
!smb_pipe # offline agent relay
Persistence & Incident Response Test
The client 'cleaned up' after an incident. Did they get everything? OMNI installs multiple persistence mechanisms — WMI subscriptions, LSA SSP, service hijacking — and the IR team's job is to find them all.
- WMI Event Subscription: invisible to filesystem scanners
- LSA SSP DLL: intercepts cleartext credentials on every login
- Service binary path hijacking: existing service, no new service created
- !persist check enumerates all installed mechanisms for debrief
!persist_lsa --inmem # LSA SSP in-memory
!persist_service --hijack SvcName
!persist check # enumerate all installed
Privileged Access Management Audit
How hard is it to escalate from standard User to Admin/SYSTEM? OMNI's !privesc scanner checks every common path — UAC bypass, unquoted service paths, AlwaysInstallElevated, token theft — and confirms which vectors are exploitable in the current environment.
- AlwaysInstallElevated policy detection
- UAC bypass: wsreset + computerdefaults (no prompt)
- SeImpersonatePrivilege → SYSTEM via Potato techniques
- Unquoted service paths, writable service binaries
- Token theft from running SYSTEM-level processes
!priv_uac_wsreset # UAC bypass
!priv_potato --check # SeImpersonate?
!priv_token_theft --list # SYSTEM tokens
Cloud-Ready DevOps Workstation Audit
Developer machines carry cloud credentials. OMNI sweeps every known storage location — CLI configs, environment variables, IMDS endpoints, IaC state files — across AWS, Azure, GCP, Kubernetes, Terraform, and Docker.
- AWS: ~/.aws/credentials, env vars, EC2 IMDS token
- Azure: az-cli tokens, azureProfile.json, Azure IMDS
- GCP: application_default_credentials.json, GCE metadata
- Kubernetes: ~/.kube/config cluster token + cert
- Terraform: tfstate resource attributes (plaintext passwords)
- Code signing certs: PFX export with private key
!cred_cloud --azure # + IMDS
!cred_cloud --terraform # tfstate sweep
!cred_cloud --k8s # kubeconfig
!cred_codesign --export # PFX + private key
Every finding is reproducible, timestamped, and exportable.
OMNI's JSONL journal records every command and response with HMAC chaining — not 'we did it but can't prove it', but a concrete timestamped action log for every step.
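The HMAC-chained journal idea deserves a concrete sketch, because it is what turns "we ran it" into evidence a client can check. The following is an added example written for this page, not OMNI's own journal format or implementation: every JSONL line carries an HMAC over the previous line's tag plus its own canonical body, so editing, deleting or reordering any entry breaks every tag after it, and a verifier walks the chain from a fixed genesis value. The key, field names and sample commands are assumptions; the log lines are constructed for the demo.

```python
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

# Constructed demo key. In practice the key (or at least the final tag)
# lives off the assessed host, otherwise whoever edits the file can re-sign it.
JOURNAL_KEY = b"demo-journal-key-not-for-production"

# Fixed starting tag for the first entry's "previous" link.
GENESIS = "0" * 64


def _canonical(entry: dict) -> str:
    # Deterministic serialisation: sorted keys, no whitespace, so the
    # writer and the verifier always hash the same bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def _mac(key: bytes, prev: str, body: str) -> str:
    # The tag covers the previous tag and this entry's body, forming the chain.
    return hmac.new(key, (prev + "\n" + body).encode(), hashlib.sha256).hexdigest()


def append_entry(journal: List[str], command: str, response: str,
                 ts: Optional[float] = None) -> str:
    """Append one command/response record as a JSONL line and return the line."""
    prev = json.loads(journal[-1])["mac"] if journal else GENESIS
    record = {
        "seq": len(journal),
        "ts": ts if ts is not None else time.time(),
        "command": command,
        "response": response,
        "prev": prev,
    }
    record["mac"] = _mac(JOURNAL_KEY, prev, _canonical(record))
    line = _canonical(record)
    journal.append(line)
    return line


def verify_journal(lines: List[str], key: bytes = JOURNAL_KEY) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) if intact, else (False, index_of_first_bad_line)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        record = json.loads(line)
        mac = record.pop("mac", None)
        # Sequence and back-link must match before we even check the tag,
        # so a dropped or reordered line is reported at its position.
        if record.get("seq") != i or record.get("prev") != prev:
            return False, i
        expected = _mac(key, prev, _canonical(record))
        if mac is None or not hmac.compare_digest(mac, expected):
            return False, i
        prev = mac
    return True, None


def tamper_response(lines: List[str], index: int, new_response: str) -> List[str]:
    """Return a copy of the journal with one entry's response edited (simulated tampering)."""
    copy = list(lines)
    record = json.loads(copy[index])
    record["response"] = new_response
    copy[index] = _canonical(record)
    return copy


if __name__ == "__main__":
    journal: List[str] = []
    append_entry(journal, "!cred_kerberoast", "3 SPN hashes written to loot/", ts=1.0)
    append_entry(journal, "!lat_winrm SQLPROD", "session opened as svc_sql", ts=2.0)
    append_entry(journal, "ai report", "report generated", ts=3.0)
    print("intact:", verify_journal(journal))                                # (True, None)
    print("edited:", verify_journal(tamper_response(journal, 1, "nothing")))  # (False, 1)
    print("line removed:", verify_journal(journal[:1] + journal[2:]))        # (False, 1)
```

One caveat a reviewer of such evidence should keep in mind: the chain proves that nothing inside the file was edited, removed or reordered, but it cannot by itself detect that the tail of the file was cut off, because a truncated chain is still internally consistent. Recording the final tag and entry count somewhere outside the journal (the report, a ticket, a signed summary) closes that gap.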