O R C H I D · offensive automation · v0.1
Orchid automates offensive engagement from first contact to shell. Point it at a target: it scans, harvests every finding, decides what each finding unlocks, and executes the next step. That loop runs until there is nothing left to try. No manual steps between stages. No model, no API, no internet. The decision logic that an experienced tester carries in their head is in the code.
⚠️ Early development. Currently tested on active.htb. Every new machine adds trigger conditions, protocol coverage, and edge-case handling. The more targets Orchid has seen, the more it can handle autonomously.
When it's done, you get this: findings, credentials, attack paths, and exactly what to run next.
During the run:
I wanted to automatically uncover everything possible on a target, and existing tools didn't do it the way I had in mind. So I built a recon helper. The wave logic worked well enough that stopping at recon felt wrong, and stopping at wave logic felt equally wrong. At some point the question stopped being "what should I add next" and became "why am I still doing any of this manually."
A penetration test normally requires someone at the keyboard at every step: run a scan, read the output, decide what to try next, run the next tool, take note of what was found, decide what that unlocks.
Every finding changes what happens next. Found a password buried in a configuration file? Every relevant service gets tried with it immediately. Got a hostname from an LDAP response? It gets added to /etc/hosts and full enumeration runs against it. Cracked a hash? The result feeds directly into the next step.
Orchid scans, collects findings, decides what those findings unlock, and repeats that loop until there is nothing left to try. No manual steps between stages. When it stops, you get a full briefing: what was found, what's exploitable, and what to do next.
No LLM. No API. No internet required. Pure code logic that runs the same way every time.
Deciding what comes next. After every finding, Orchid determines what to run next without waiting for input. The logic that an experienced tester carries in their head, "if this, then try that", is in the code.
Keeping track of what was found and passing it forward.
Passwords, hashes, usernames, hostnames: everything gets written to a shared state and used immediately. A hostname discovered mid-scan gets added to /etc/hosts on the spot. A found password gets retried against every relevant service before the scan moves on.
Building the commands you would have built manually: hashcat mode, correct flags, real values already filled in, copy-paste ready.
Never running the same thing twice. Every scan result is saved. Expensive port scans do not repeat across runs. If Orchid has already mapped a target, it picks up where it left off.
What Orchid doesn't do. Browser-based testing, Burp Suite workflows, and anything that requires human judgment on dynamic web content stay with you. Orchid hands you the findings and the commands. The rest is yours.
When Orchid finishes, the output directory contains:
- Every credential and hash found, with the source it came from
- Confirmed attack paths, ranked by what requires the least additional work
- Copy-paste ready exploitation commands with real values already filled in
- A clear list of what still needs human judgment -- BloodHound review, browser steps, Burp Suite
- A full timestamped log of every command that ran
Target: Windows Server, Active Directory environment, no credentials to start with.
Port scan detects 53, 88, 135, 389, 445, 636, 3268
Hostname discovered from LDAP response: active.htb
/etc/hosts updated automatically
SMB null session succeeds
GPP cpassword found in SYSVOL, plaintext password recovered
Authenticated enumeration starts automatically:
SMB shares
LDAP full dump
Kerberoasting: Administrator TGS hash recovered
BloodHound collection
Summary:
[1] hashcat -m 13100 kerberoast.txt rockyou.txt
[2] impacket-psexec active.htb/Administrator:'<cracked_pass>'@10.10.10.100
One command. Nothing typed between stages.
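Each stage of the chain above leaves a trace on the domain controller, and a defender reviewing such a run will want to know which events to look for. The following is an added example written for this page, not code from the Orchid README or project: it runs three detection rules over a constructed set of simplified Windows Security events (4624 network logon by ANONYMOUS LOGON for the null session, 5140 SYSVOL share access by the anonymous subject, and 4769 RC4-HMAC service-ticket requests for user-account SPNs for the Kerberoast step). The JSON line shape, the account name svc_example and the client address 10.10.14.5 are made up for the sample.

```python
import json

# Constructed sample events (not real logs, not from the Orchid project): simplified
# Windows Security events, one JSON object per line, mimicking the observable side
# of the walkthrough above. 10.10.14.5 is a made-up client address.
SAMPLE_EVENTS = r"""
{"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.10.14.5"}
{"EventID": 5140, "SubjectUserName": "ANONYMOUS LOGON", "ShareName": "\\\\*\\SYSVOL", "IpAddress": "10.10.14.5"}
{"EventID": 5140, "SubjectUserName": "svc_example", "ShareName": "\\\\*\\Users", "IpAddress": "10.10.14.5"}
{"EventID": 4769, "TargetUserName": "svc_example@ACTIVE.HTB", "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"}
{"EventID": 4769, "TargetUserName": "DC$@ACTIVE.HTB", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.100"}
"""

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_anonymous_network_logon(ev):
    # 4624, logon type 3 (network), ANONYMOUS LOGON: the trace an SMB null session leaves.
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON")


def is_anonymous_sysvol_access(ev):
    # 5140: a network share was accessed. SYSVOL read by an anonymous subject is the
    # precondition for harvesting Group Policy Preferences cpassword values.
    return (ev.get("EventID") == 5140
            and ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
            and ev.get("ShareName", "").upper().endswith("SYSVOL"))


def is_rc4_tgs_for_user_spn(ev):
    # 4769: a service ticket was requested. RC4 for a service name that is a user account
    # (not a machine account ending in '$', not krbtgt) is the classic Kerberoast pattern.
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == 4769
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")


RULES = [
    ("smb-null-session", is_anonymous_network_logon),
    ("anonymous-sysvol-read", is_anonymous_sysvol_access),
    ("kerberoast-rc4-tgs", is_rc4_tgs_for_user_spn),
]


def detect(text):
    """Return (rule_name, source_ip) for every event a rule matches, in log order."""
    hits = []
    for ev in parse_events(text):
        for name, pred in RULES:
            if pred(ev):
                hits.append((name, ev.get("IpAddress", "?")))
    return hits


def sources_by_stage_count(hits):
    """Count distinct rules tripped per source IP; one IP tripping all three
    in sequence is what a chained run like the one above looks like."""
    stages = {}
    for name, ip in hits:
        stages.setdefault(ip, set()).add(name)
    return {ip: len(names) for ip, names in stages.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for name, ip in found:
        print(f"{ip:15} {name}")
    print(sources_by_stage_count(found))
```

The mitigations the rules point at are the usual ones: disallow anonymous SMB and LDAP access, remove cpassword entries from SYSVOL policy XML, and give service accounts with SPNs long random passwords or AES-only Kerberos so an RC4 ticket for them is itself an anomaly.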
(more examples coming at launch)
```bash
git clone https://github.com/corviansec/orchid-chain
cd orchid-chain
chmod +x orchid.sh lib/*.sh
./orchid.sh -H 10.10.10.10 -t Recon

# With known credentials
./orchid.sh -H 10.10.10.10 -t Recon -u administrator -p Password123 -D corp.local
```

Hard requirement: nmap
Pre-installed on Kali (nothing else needed):
nmap smbclient smbmap enum4linux hydra dnsrecon theHarvester wafw00f whatweb
Install remaining tools:

```bash
sudo apt install -y \
  feroxbuster ffuf nuclei gowitness \
  subfinder dnsx ssh-audit \
  enum4linux-ng netexec \
  bloodhound-python impacket-scripts \
  ldap-utils \
  snmp snmp-mibs-downloader onesixtyone snmp-check \
  smtp-user-enum \
  sslscan sslyze \
  odat redis-tools nfs-common \
  katana

# kerbrute
git clone https://github.com/ropnop/kerbrute && cd kerbrute && go build

# mongosh
# https://www.mongodb.com/try/download/shell -> download .deb, then:
sudo dpkg -i mongodb-mongosh_*.deb
```

Pre-installed list verified against Kali 2026.1.
Missing tools are detected at startup and listed. The scan continues with whatever is available.
Most automation tools run a fixed sequence: scan, then enumerate, then stop. Orchid works differently.

Every finding updates a central state. Every iteration, Orchid evaluates that state against a set of trigger conditions: what does this finding unlock? A plaintext password triggers authenticated enumeration across every relevant service immediately, not after the current pass finishes. A Kerberoastable hash triggers hashcat and, when cracked, feeds the result directly into the next escalation step. A hostname discovered mid-scan gets added to /etc/hosts and enumerated on the spot.

The loop runs until one of three things is true: no new findings, no new triggers, or the depth limit is reached. There is no hardcoded sequence. A target that needs five credential escalations runs five iterations. A target that falls in one pass stops after one.

Nothing in that logic requires a model to decide what is relevant. The conditions are explicit, the behavior is reproducible, and the output is the same every time.
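The three stop conditions (no new findings, no new triggers, depth limit) are easiest to see in a small model of the loop. What follows is an added illustration written for this page, not Orchid's code: findings are tagged strings, trigger rules are plain functions over the state, and every step's result comes from a constructed lookup table (SIMULATED_RESULTS) instead of from running a tool, so it executes offline and shows which stop condition fires for a given depth limit.

```python
# Toy model of a state-and-trigger loop (added illustration, not Orchid's code).
# Findings are tagged strings such as "port:445", "hostname:dc", "password:alice".
# Steps never execute anything: SIMULATED_RESULTS is a constructed table of what
# each step would have returned, which is enough to exercise the control flow.

SIMULATED_RESULTS = {
    "port-scan": {"port:445", "port:389"},
    "ldap-anon": {"hostname:dc.example.test"},
    "smb-null": {"password:alice"},
    "auth-enum:alice": {"hash:svc1"},
    "crack:svc1": {"password:svc1"},
    "auth-enum:svc1": {"share:backup"},   # a finding that no rule consumes
}


def findings_of(state, kind):
    """Values of all findings tagged with `kind` (e.g. every known password)."""
    prefix = kind + ":"
    return {f[len(prefix):] for f in state if f.startswith(prefix)}


def triggers(state):
    """Explicit, deterministic rules: which steps does the current state justify?"""
    steps = {"port-scan"}                      # always justified on a fresh target
    if "port:389" in state:
        steps.add("ldap-anon")
    if "port:445" in state:
        steps.add("smb-null")
    for user in findings_of(state, "password"):
        steps.add(f"auth-enum:{user}")         # a password unlocks authenticated enumeration
    for user in findings_of(state, "hash"):
        steps.add(f"crack:{user}")             # a hash unlocks a cracking attempt
    return steps


def run(results, max_depth):
    """Iterate until no new triggers, no new findings, or the depth limit.

    Returns (final state, iterations run, stop reason)."""
    state, done, iteration = set(), set(), 0
    while True:
        pending = triggers(state) - done       # justified but not yet run
        if not pending:
            return state, iteration, "no new triggers"
        if iteration >= max_depth:
            return state, iteration, "depth limit"
        iteration += 1
        new = set()
        for step in sorted(pending):
            done.add(step)                     # never run the same step twice
            new |= results.get(step, set())
        new -= state                           # keep only findings we did not already have
        if not new:
            return state, iteration, "no new findings"
        state |= new


if __name__ == "__main__":
    for depth in (10, 3):
        state, n, why = run(SIMULATED_RESULTS, depth)
        print(f"depth={depth}: {n} iterations, stopped: {why}; "
              f"passwords={sorted(findings_of(state, 'password'))}")
```

With the table as given, the loop needs five iterations before every justified step has run and stops on "no new triggers"; with a depth limit of 3 it stops before the cracking step; and if a step returns only findings the state already holds (or nothing), "no new findings" fires first. The `done` set is what makes the re-evaluation of triggers on every pass safe: a rule may keep proposing a step, but a step runs at most once.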
| Type | What it does | Approx. time |
|---|---|---|
| Port | Fast TCP scan, all open ports | ~15s |
| Script | Service and version detection + NSE scripts | ~5min |
| Full | All 65535 ports, then scripts on new finds | ~10min |
| UDP | UDP scan (requires sudo) | ~5min |
| Vulns | CVE scan + vuln scripts | ~15min |
| Recon | Protocol-aware enumeration + credential chaining | varies |
| All | Everything above in sequence | ~30min |
```
-u USER / -U users.txt        # single username or wordlist
-p PASS / -P passwords.txt    # single password or wordlist
-D domain.local               # AD domain (also auto-detected)
```

Credentials found during a run are written to HOST/recon_TIMESTAMP/creds_found_HOST.tsv and immediately trigger authenticated enumeration. NTLM hashes are passed forward for Pass-the-Hash rather than treated as passwords.
25+ protocols including HTTP/S, SMB, LDAP/LDAPS, Kerberos, SSH, WinRM, RDP, FTP, DNS, SNMP, SMTP, NFS, and common databases (MySQL, MSSQL, PostgreSQL, MongoDB, Redis, Oracle).
Full list
HTTP/S · SMB · LDAP/LDAPS · Kerberos · WinRM · RDP · SSH · FTP · DNS · SNMP · SMTP · NFS · RPC/MSRPC · MySQL · MSSQL · PostgreSQL · MongoDB · Redis · Oracle · Elasticsearch · VNC · Rsync · IMAP/POP3 · Telnet · NTP
```
10.10.10.10/
├── nmap/
│   ├── Port_10.10.10.10.nmap
│   ├── Script_10.10.10.10.nmap
│   └── Recon_10.10.10.10.tsv
├── recon_20260101_1200/
│   ├── creds_found_10.10.10.10.tsv
│   ├── kerberoast_chain_10.10.10.10.txt
│   └── ...
└── orchid_10.10.10.10.log
```
nmap output is reused across runs. Expensive port scans never repeat.
```
orchid-chain/
├── orchid.sh
├── lib/
│   ├── core.sh
│   ├── scans.sh
│   └── recon_offline.sh
└── config/
    └── offline.conf
```
Use only against systems you are authorized to test, or purpose-built lab environments such as HackTheBox, TryHackMe, GOAD, or personal labs. Unauthorized scanning is illegal in most jurisdictions.
For commercial licensing: [email]
Developed and maintained by corviansec.

