Havoc is a modern and malleable post-exploitation command and control framework, created by @C5pider. I first came into contact with Havoc C2 in April 2022 when it was still a private tool under development. C5pider went on Flangvik's stream to discuss about development in general and demoed this awesome tool. Back in May it was announced that Havoc would be released in about 3-5 months and here we are!
I'm gona deploying this into my infra and playing around with it in this post! Been wanting to test out the Sleep Obfuscation implementation on the Demon for a while now.
Sidenote: You'll notice a lot of similarities between Havoc and Cobalt Strike and that's not necessarily a downside IMO!
Debian-Based Host (C2 Server)
Debian-Based Host (C2 Client)
Target Host (Windows 7/10/11)
Setup & Installation
┌──(nee㉿4pfsec)-[~] └─$ sudo apt install -y git build-essential apt-utils cmake libfontconfig1 libglu1-mesa-dev libgtest-dev libspdlog-dev libboost-all-dev libncurses5-dev libgdbm-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev libbz2-dev mesa-common-dev qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libqt5websockets5 libqt5websockets5-dev qtdeclarative5-dev golang-go qtbase5-dev libqt5websockets5-dev libspdlog-dev python3-dev libboost-all-dev mingw-w64 nasm
Setting up the
bookworm repo for Python 3.10.
┌──(nee㉿4pfsec)-[~] └─$ echo 'deb http://ftp.de.debian.org/debian bookworm main' >> /etc/apt/sources.list sudo apt update sudo apt install python3-dev python3.10-dev libpython3.10 libpython3.10-dev python3.10
┌──(nee㉿4pfsec)-[~] └─$ git clone https://github.com/HavocFramework/Havoc.git
Building the Client
cd Havoc/Client mkdir Build cd Build cmake .. cd .. ./Install.sh
Building the Teamserver
┌──(nee㉿4pfsec)-[~/Havoc/Teamserver] └─$ ./teamserver
With that, Havoc is installed and ready to go!
The C2 consists of 2 main parts. The client and the team server. Let's start off with the Teamserver.
The teamserver allows us to specify a profile or use the default one. The profile allows us to edit configs of the following domains:
The default profile is located at
Running the teamserver with a profile
┌──(nee㉿4pfsec)-[~/Havoc/Teamserver] └─$ ./teamserver server --profile profiles/havoc.yaotl
Running the Client
┌──(kali㉿kali)-[~] └─$ Havoc/Client/Havoc
Connecting to the teamserver
And we're in! The Dracula theme on the client looks really good. Let's check out some of the functionalities!
Let's configure our listener and point the host to
c2.4pfsec.com. This is the domain proxied through Cloudflare.
Generating Payload (UNDETECTED BY Windows Defender)
As of writing, the payload is not detected by Microsoft Defender. (05/10/22)
Callback to C2 (UNDETECTED BY Windows Defender)
As of writing, the callback method is not picked up by Microsoft Defender. (05/10/22)
Now that we have our payload, lets deliver and execute it. [You're free to use any delivery method]
I simply hosted an SMB share and transferred the payload to the target. As shown in the demo below, I was able to get a call back from a fully patched Windows 11 Pro Machine using the generated payload.
Interacting with Target
There's a whole list of commands that you're able to run on the target once it calls back to your C2. The target will fetch the C2 for jobs based on the given sleep duration during payload generation.
You're able to run shell commands directly on the target with the help of Havoc
\>>> shell [command]
The screenshot command takes a snapshot of the target's desktop and send it back to the C2.
Seen on Host
Seen on C2
These were just some of Post exploitation offered by Havoc.
Havoc looks to have great potential and I hope to continue this series by exploring the C2 in-depth real soon!