Extractors

An extractor is attached to a chain step and pulls a value out of the step’s response into a named variable. That variable is then available to all subsequent steps in the chain via {{variableName}}.

Extractor configuration panel — type dropdown, expression field, variable name

Configuration

Field	Description
Type	Extractor type (protocol-specific, see below)
Expression	What to extract (meaning depends on type)
Variable name	Name of the variable to store the result in

HTTP extractors

`HTTP_STATUS`

Extracts the HTTP response status code as a string.

Field	Value
Expression	(not used)
Example output	`"200"`

`HTTP_JSON_PATH`

Evaluates a JSONPath expression against the response body.

Field	Value
Expression	JSONPath string, e.g. `$.data.token`
Example output	`"eyJhbGci..."`

`HTTP_BODY_RAW`

Returns the entire response body as a string.

Field	Value
Expression	(not used)

`HTTP_HEADER`

Returns the value of a specific response header. The lookup is case-insensitive; if the header appears multiple times the first occurrence is returned.

Field	Value
Expression	Header name, e.g. `Content-Type` or `X-Request-Id`
Example output	`"application/json"`

SMTP extractors

`SMTP_SUCCESS`

Returns "true" if the SMTP exchange completed without any assertion failures, "false" otherwise.

Field	Value
Expression	(not used)

`SMTP_EXCHANGE_LINES`

Returns the server’s response lines for a specific command, joined as a string.

Field	Value
Expression	The command string to match (e.g. `MAIL FROM:<sender@example.com>`)

Leave the expression blank to match the server greeting exchange.

IMAP extractors

`IMAP_SUCCESS`

Returns "true" if all IMAP commands completed successfully.

Field	Value
Expression	(not used)

`IMAP_EXCHANGE_LINES`

Returns the untagged server lines for a specific IMAP command.

Field	Value
Expression	The command string to match (e.g. `SEARCH UNSEEN`)

Leave the expression blank to match the server greeting.

LDAP extractors

`LDAP_SUCCESS`

Returns "true" if the LDAP operation completed without assertion failures.

Field	Value
Expression	(not used)

`LDAP_EXCHANGE_RESULT_CODE`

Returns the result code for a specific LDAP operation as a string.

Field	Value
Expression	A prefix of the operation string (e.g. `BIND cn=admin`)
Example output	`"0"` (success)

DNS extractors

`DNS_SUCCESS`

Returns "true" if all DNS queries completed without any assertion failures, "false" otherwise.

Field	Value
Expression	(not used)

`DNS_ANSWER_VALUE`

Returns the value of the first answer record from a specific query.

Field	Value
Expression	A prefix of the question string (e.g. `A example.com`)
Example output	`"93.184.216.34"`

Leave the expression blank to use the first query’s answer. Useful for extracting a resolved IP and passing it to subsequent chain steps.

Kerberos extractors

`KERBEROS_SUCCESS`

Returns "true" if the Kerberos operation succeeded, "false" otherwise.

Field	Value
Expression	(not used)

`KERBEROS_HASH`

Returns the hashcat-ready hash produced by a roasting operation — $krb5asrep$23$… for AS-REP roasting (mode 18200) or $krb5tgs$23$… for Kerberoasting (mode 13100). Empty string for operations that produce no hash (e.g. credential validation).

Field	Value
Expression	(not used)
Example output	`$krb5asrep$23$jdoe@LAB.LOCAL:…`

Pair with an ITERATE over a username wordlist to roast a whole user list and collect hashes into chain variables.

`KERBEROS_ERROR_CODE`

Returns the KDC error code (0 on success). Useful for username enumeration: 24 (KDC_ERR_PREAUTH_FAILED) means a valid account with a wrong password, while 6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) means the account does not exist.

Field	Value
Expression	(not used)
Example output	`"24"`

SMB extractors

`SMB_SUCCESS`

Returns "true" if every enabled command in the SMB session completed successfully, "false" otherwise.

Field	Value
Expression	(not used)

`SMB_LAST_STATUS`

Returns an SMB NT status code (e.g. STATUS_SUCCESS, STATUS_ACCESS_DENIED). Useful for branching a chain on the exact result of a command (access checks, vulnerability probes).

Field	Value
Expression	A substring of the command label (e.g. `TREE_CONNECT`); blank = last exchange’s status
Example output	`"STATUS_ACCESS_DENIED"`

`SMB_SHARE_LIST`

Returns the share names from a LIST_SHARES command, newline-separated. Feed it into an ITERATE step (variable-reference source, whitespace-split) to walk every share.

Field	Value
Expression	(not used)
Example output	`"public\nprivate\nIPC$"`

`SMB_FILE_CONTENT`

Returns the content read by a FILE_READ command, so a file read over SMB can feed a later chain step. UTF-8 text when decodable, otherwise a base64 fallback for binary files.

Field	Value
Expression	A substring of the file path (e.g. `secret.txt`); blank = first `FILE_READ` result
Example output	`"hunter2"`

Generic extractors

`CONSTANT`

Stores a fixed value into a variable — useful for passing hardcoded values or defaults through the chain context.

Field	Value
Expression	The literal string value to store

`REGEX`

Applies a regular expression to the string representation of the step response and returns the first capture group (or the full match if no groups are defined).

Field	Value
Expression	Regex pattern, e.g. `token=([A-Za-z0-9]+)`
Example output	`"abc123"`

Most useful when the response is already a plain string — for example, on an IMAP step whose exchange lines contain structured text, or in the scripting engine where you can pass any string response. For HTTP responses, combine with HTTP_BODY_RAW in a scripting context if you need regex over the body.