From 8e5458655cfef26381623c807cbaaaddd9da4c72 Mon Sep 17 00:00:00 2001 From: Lavender Date: Thu, 9 May 2024 16:33:17 +0400 Subject: [PATCH] Updated docs --- Dockerfiledocke => Dockerfile | 0 README.md | 33 +++++++++------- WIKI.MD | 72 +++++++++++++++++------------------ makefile | 22 +++++------ 4 files changed, 67 insertions(+), 60 deletions(-) rename Dockerfiledocke => Dockerfile (100%) diff --git a/Dockerfiledocke b/Dockerfile similarity index 100% rename from Dockerfiledocke rename to Dockerfile diff --git a/README.md b/README.md index b1eb0b8e..84f66d61 100644 --- a/README.md +++ b/README.md @@ -8,10 +8,11 @@

- + -> :warning: Havoc is in an early state of release. Breaking changes may be made to APIs/core structures as the framework matures. +>[!caution] +>Havoc is in an early state of release. Breaking changes may be made to APIs/core structures as the framework matures. ### Support @@ -19,9 +20,10 @@ Consider supporting C5pider on [Patreon](https://www.patreon.com/5pider)/[Github ### Quick Start -> Please see the [Wiki](https://github.com/HavocFramework/Havoc/wiki) for complete documentation. +>[!note] +>Please see the [Wiki](https://github.com/HavocFramework/Havoc/wiki) for complete documentation. -Havoc works well on Debian 10/11, Ubuntu 20.04/22.04 and Kali Linux. It's recommended to use the latest versions possible to avoid issues. You'll need a modern version of Qt and Python 3.10.x to avoid build issues. +Havoc works well on Debian 10/11, Ubuntu 20.04+ and Kali Linux. It's recommended to use the latest versions possible to avoid issues. You'll need a modern version of Qt and Python 3.10.x to build the project. See the [Installation](https://havocframework.com/docs/installation) docs for instructions. If you run into issues, check the [Known Issues](https://github.com/HavocFramework/Havoc/wiki#known-issues) page as well as the open/closed [Issues](https://github.com/HavocFramework/Havoc/issues) list. @@ -34,6 +36,8 @@ See the [Installation](https://havocframework.com/docs/installation) docs for in > Cross-platform UI written in C++ and Qt - Modern, dark theme based on [Dracula](https://draculatheme.com/) +- Table and Graph view for agents +- Feature rich with extensible module support #### Teamserver @@ -42,9 +46,9 @@ See the [Installation](https://havocframework.com/docs/installation) docs for in - Multiplayer - Payload generation (exe/shellcode/dll) -- HTTP/HTTPS listeners -- Customizable C2 profiles -- External C2 +- HTTP/HTTPS/SMB listeners +- Customizable C2 profiles +- External C2 Support #### Demon 
@@ -58,7 +62,7 @@ See the [Installation](https://havocframework.com/docs/installation) docs for in - Variety of built-in post-exploitation commands - Patching Amsi/Etw via Hardware breakpoints - Proxy library loading -- Stack duplication during sleep. +- Stack duplication during sleep.

@@ -69,21 +73,24 @@ See the [Installation](https://havocframework.com/docs/installation) docs for in - [External C2](https://github.com/HavocFramework/Havoc/wiki#external-c2) - Custom Agent Support - [Talon](https://github.com/HavocFramework/Talon) + - [Revenant](https://github.com/0xTriboulet/Revenant) - [Python API](https://github.com/HavocFramework/havoc-py) - [Modules](https://github.com/HavocFramework/Modules) + - [Havoc Modules Store](https://p4p1.github.io/havoc-store/) +- [Malleable Profile Generation](https://github.com/Ghost53574/havoc_profile_generator) --- ### Community -You can join the official [Havoc Discord](https://discord.gg/z3PF3NRDE5) to chat with the community! +You can join the official [Havoc Discord](https://discord.gg/z3PF3NRDE5) to chat with the community! ### Contributing -To contribute to the Havoc Framework, please review the guidelines in [Contributing.md](https://github.com/HavocFramework/Havoc/blob/main/CONTRIBUTING.MD) and then open a pull-request! +To contribute to the Havoc Framework, please review the guidelines in [Contributing.md](https://github.com/HavocFramework/Havoc/blob/main/CONTRIBUTING.MD) and then open a pull-request! ### Note +>[!important] +>Please do not open any issues regarding detection. -Please do not open any issues regarding detection. - -The Havoc Framework hasn't been developed to be evasive. Rather it has been designed to be as malleable & modular as possible. Giving the operator the capability to add custom features or modules that evades their targets detection system. +The Havoc Framework hasn't been developed to be evasive. Rather it has been designed to be as malleable & modular as possible. Giving the operator the capability to add custom features or modules that evades their targets detection system. diff --git a/WIKI.MD b/WIKI.MD index 16e7146b..c286a16a 100644 --- a/WIKI.MD +++ b/WIKI.MD 
@@ -73,7 +73,7 @@ Havoc is a modern and malleable post-exploitation command and control framework. ## Known Issues -> See the Issues tab for all open issues. +> See the Issues tab for all open issues. ### Kali Linux Font/Formatting Issues @@ -81,7 +81,7 @@ Kali has issues loading the proper font (Monaco) from the embedeed Qt resources _You will experience formatting issues in the Havoc client if you are not using a monospace/fixed-width font!_ -### Build Errors +### Build Errors #### `fatal error: Python.h: No such file or directory` @@ -175,7 +175,7 @@ make client-build Install additional Go dependencies: ``` -go mod download golang.org/x/sys +go mod download golang.org/x/sys go mod download github.com/ugorji/go ``` @@ -186,7 +186,7 @@ make ts-build # Run the teamserver sudo ./havoc server --profile ./profiles/havoc.yaotl -v --debug -``` +``` All files created during interaction with the Teamserver are stored within the `/Havoc/data/*` folder. @@ -222,7 +222,7 @@ This part assumes you have a Teamserver running, with a Teamserver-client connec - Creating a Listener: 1. To create a new listener, we must first open the `Listeners` subwindow. * To do this, in the upper left hand corner, click on the `View` button, and then on the `Listeners` button in the drop down menu. - * ![Listeners-select](./assets/Screenshots/Listeners-select.png) + * ![Listeners-select](./assets/Screenshots/Listeners-select.png) 2. You should see a new sub window in the bottom of the server window, with the title of `Listeners` on the header tab. 3. You should also now see three(3) buttons on the bottom of the server window, `Add`, `Remove` and `Edit`. * ![Listeners-Add-select](./assets/Screenshots/Listeners-Add-New-Remove.png) 
@@ -236,7 +236,7 @@ This part assumes you have a Teamserver running, with a Teamserver-client connec 9. We now have an active Listener, and are ready to receive an incoming agent's communications! - Spawning an Agent: 1. To create an Agent Payload, we must first open the `Payload` window. - * We can do so by going up to the upper left hand corner, and clicking on the `Attack` button. + * We can do so by going up to the upper left hand corner, and clicking on the `Attack` button. 2. Doing so, we see the `Payload` button appear in the drop down menu. We want to then click on it. * ![Agent-select](./assets/Screenshots/Agent-select.png) 3. This will open the `Payload` window, where we may then configure the various options for generating our payload. @@ -264,13 +264,13 @@ Usage: `teamserver [command] [flags]` Here is a full list of arguments that can be passed to the teamserver: -| Command | Flag | Description | Args | -| -------- | ---- | ----------- | ----- | -| `server` |`--profile` | The configuration profile to load at start | Teamserver profile path (`string`) | -| | `-v` / `--verbose` | Enable verbose output | | -| | `-d` / `--debug` | Enable debug output | | -| | `-h` / `--help` | Output server help | | -| | `--debug-dev` | Enables DEBUG output (see below for caveats) | | +| Command | Flag | Description | Args | +|----------|--------------------|----------------------------------------------|------------------------------------| +| `server` | `--profile` | The configuration profile to load at start | Teamserver profile path (`string`) | +| | `-v` / `--verbose` | Enable verbose output | | +| | `-d` / `--debug` | Enable debug output | | +| | `-h` / `--help` | Output server help | | +| | `--debug-dev` | Enables DEBUG output (see below for caveats) | | #### Enabling DEBUG Output 
@@ -291,7 +291,7 @@ The default example profile can be found at `Havoc/Teamserver/profiles/havoc_def The teamserver can be configured to listen on a specific bind address and port with the following directive: ```hcl -Teamserver { +Teamserver { Host = "0.0.0.0" Port = 40056 } @@ -423,11 +423,11 @@ Running `./havoc client` will start the Client. ### Connecting to the Teamserver -When the client opens, you will be presented with a profile window similar to that in other C2 frameworks like Cobalt Strike. +When the client opens, you will be presented with a profile window similar to that in other C2 frameworks like Cobalt Strike. ![teamserver-client](./assets/Screenshots/Teamserver-Client-Fresh.png) -Enter the profile name, teamserver bind address (`Host`) and `Port`, along with your defined username/password in the teamserver profile. +Enter the profile name, teamserver bind address (`Host`) and `Port`, along with your defined username/password in the teamserver profile. Then hit 'Connect' to connect your configured teamserver. ![teamserver-and-client](./assets/Screenshots/Teamserver-LoggedIn.png) 
@@ -446,25 +446,25 @@ Demon is the primary Havoc agent, written in C/ASM. The source-code is located a > Currently, only x64 EXE/DLL formats are supported. -From the Havoc UI, nagivate to `Attack -> Payload`. +From the Havoc UI, nagivate to `Attack -> Payload`. #### Layout -| Directory | Description | -| --------------- | ----------------------------------------------------- | -| `Source/Asm` | Assembly code (return address stack spoofing) | -| `Source/Core` | Core functionality (transport, win32 apis, syscalls) | -| `Source/Crypt` | AES encryption functionality | -| `Source/Extra` | KaynLdr (reflective loader) | -| `Source/Inject` | Injection functionality | -| `Source/Loader` | COFF Loader, Beacon API | -| `Source/Main` | PE/DLL/RDLL Entry Points | +| Directory | Description | +|-----------------|------------------------------------------------------| +| `Source/Asm` | Assembly code (return address stack spoofing) | +| `Source/Core` | Core functionality (transport, win32 apis, syscalls) | +| `Source/Crypt` | AES encryption functionality | +| `Source/Extra` | KaynLdr (reflective loader) | +| `Source/Inject` | Injection functionality | +| `Source/Loader` | COFF Loader, Beacon API | +| `Source/Main` | PE/DLL/RDLL Entry Points | #### Features ##### Indirect Syscalls -When compiled with `OBF_SYSCALL`, Demon performs indirect syscalls for many Nt* APIs. By masquerading the `RIP` to point to a location within `ntdll.dll`, traps placed by EDR solutions (such as process instrumentation callbacks or other forms of sycall tracing)may be evaded. +When compiled with `OBF_SYSCALL`, Demon performs indirect syscalls for many Nt* APIs. By masquerading the `RIP` to point to a location within `ntdll.dll`, traps placed by EDR solutions (such as process instrumentation callbacks or other forms of sycall tracing)may be evaded. The Syscall logic is primarily contained within `/Teamserver/data/implants/Demon/Source/Core/Syscalls.c` 
@@ -513,7 +513,7 @@ During sleep, x64 demons may implement [return address spoofing](https://www.unk ##### `job` -Demon implements a multi-threaded job management system that allows the operator to manage long-running tasks. +Demon implements a multi-threaded job management system that allows the operator to manage long-running tasks. > OPSEC NOTE: Long-running jobs will PREVENT sleep obfuscation from occurring at the specified sleep interval due to the other threads running. Sleep obfuscation will only occur when there are no job threads in a running state. @@ -531,9 +531,9 @@ Process management and enumeration system. - `proc list` - Display a list of running processes on the target. - `proc kill [pid]` - Kills a process with the specified PID - `proc create [state] [process] (args)` Start a process either in suspended or normal mode. -- `proc module [pid]` lists loaded modules from the specified process. +- `proc module [pid]` lists loaded modules from the specified process. - `proc grep [process name]` searches for specified running process and shows Process Name, Process ID, Process Parent PID, Process User, Process Arch -- `proc memory [pid] [memory protection]` queries process memory pages with specified Protection. +- `proc memory [pid] [memory protection]` queries process memory pages with specified Protection. ##### `token` 
@@ -561,7 +561,7 @@ Demon is capable of injecting shellcode (supplied in raw format as a path) into - `shellcode inject x64 [pid] [path-to-raw-shellcode]` - Injects shellcode into the remote process - `shellcode spawn x64 [path-to-raw-shellcode]` - Launches the defined fork & run process and injects the shellcode -> OPSEC NOTE: Depending on your injection technique and configuration settings, certain API calls may be performed outside of indirect syscalls. +> OPSEC NOTE: Depending on your injection technique and configuration settings, certain API calls may be performed outside of indirect syscalls. Here is a high-level overview of each supported process injection technique: @@ -574,7 +574,7 @@ Here is a high-level overview of each supported process injection technique: - `DX_MEM_SYSCALL -> NtAllocateVirtualMemory*` 3. `NtWriteVirtualMemory*` 4. `NtProtectVirtualMemory*` -5. Create Thread +5. Create Thread - `DX_THREAD_WIN32 -> CreateRemoteThread` - `DX_THREAD_SYSCALL -> NtCreateThreadEx*` 6. `NtResumeThread*` @@ -597,7 +597,7 @@ The `inline-execute` works by first creating an instance of the CLR (Common Lang Havoc supports custom agents and ExternalC2 by using Teamserver service endpoints. These are configured using `Service` directives (see the Teamserver Profiles documentation). -The Service module is for interacting with external services (custom agents, ExternalC2, etc). +The Service module is for interacting with external services (custom agents, ExternalC2, etc). By registering a Service directive, the Teamserver will automatically spawn a service listener that can route commands to/from the Teamserver. @@ -608,7 +608,7 @@ Service { } ``` -This would create a service endpoint at `:/service-endpoint` that is authenticated with `service-password`. +This would create a service endpoint at `:/service-endpoint` that is authenticated with `service-password`. ## Custom Agents 
@@ -655,7 +655,7 @@ class CommandShell(Command): ] Mitr = [] - def job_generate( self, arguments: dict ) -> bytes: + def job_generate( self, arguments: dict ) -> bytes: Task = Packer() Task.add_int( self.CommandId ) @@ -698,7 +698,7 @@ Official Modules: ## FAQ ### Why does Havoc not perform sleep obfuscation when jobs are running? -Jobs are ran in their own threads, and sleep obfuscation requires that all threads are suspended in order to encrypt the heap, otherwise the process would crash. +Jobs are ran in their own threads, and sleep obfuscation requires that all threads are suspended in order to encrypt the heap, otherwise the process would crash. --- diff --git a/makefile b/makefile index 5d3a6dbc..947eb761 100644 --- a/makefile +++ b/makefile 
@@ -7,35 +7,35 @@ all: ts-build client-build # teamserver building target ts-build: - @ echo "[*] building teamserver" + @ echo "[*] Building Teamserver" @ ./teamserver/Install.sh @ cd teamserver; GO111MODULE="on" go build -ldflags="-s -w -X cmd.VersionCommit=$(git rev-parse HEAD)" -o ../havoc main.go @ sudo setcap 'cap_net_bind_service=+ep' havoc # this allows you to run the server as a regular user dev-ts-compile: - @ echo "[*] compile teamserver" - @ cd teamserver; GO111MODULE="on" go build -ldflags="-s -w -X cmd.VersionCommit=$(git rev-parse HEAD)" -o ../havoc main.go + @ echo "[*] Compile Teamserver" + @ cd teamserver; GO111MODULE="on" go build -ldflags="-s -w -X cmd.VersionCommit=$(git rev-parse HEAD)" -o ../havoc main.go -ts-cleanup: - @ echo "[*] teamserver cleanup" +ts-cleanup: + @ echo "[*] Teamserver Cleanup" @ rm -rf ./teamserver/bin @ rm -rf ./data/loot - @ rm -rf ./data/x86_64-w64-mingw32-cross + @ rm -rf ./data/x86_64-w64-mingw32-cross @ rm -rf ./data/havoc.db @ rm -rf ./data/server.* @ rm -rf ./teamserver/.idea @ rm -rf ./havoc -# client building and cleanup targets -client-build: - @ echo "[*] building client" +# client building and cleanup targets +client-build: + @ echo "[*] Building Client" @ git submodule update --init --recursive @ mkdir client/Build; cd client/Build; cmake .. @ if [ -d "client/Modules" ]; then echo "Modules installed"; else git clone --recurse-submodules https://github.com/HavocFramework/Modules client/Modules --single-branch --branch `git rev-parse --abbrev-ref HEAD`; fi @ cmake --build client/Build -- -j 4 client-cleanup: - @ echo "[*] client cleanup" + @ echo "[*] Client Cleanup" @ rm -rf ./client/Build @ rm -rf ./client/Bin/* @ rm -rf ./client/Data/database.db @@ -45,7 +45,7 @@ client-cleanup: @ rm -rf ./client/Modules -# cleanup target +# cleanup target clean: ts-cleanup client-cleanup @ rm -rf ./data/*.db @ rm -rf payloads/Demon/.idea
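Review bot: The subject "Updated docs" undersells this patch: it also renames `Dockerfiledocke` to `Dockerfile` and edits the makefile (echo strings, whitespace), so the commit message should list the rename and the makefile change, and any build or docs instruction that still refers to the old `Dockerfiledocke` name needs updating in the same commit.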
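Review bot: In README.md hunk `@@ -8,10 +8,11 @@` (and likewise the `[!note]` and `[!important]` blocks later), the `>[!caution]` alert syntax is GitHub-flavored Markdown; other renderers show the literal `[!caution]` text inside a plain blockquote, so if the README is also published elsewhere (e.g. the project docs site), keep the previous `> :warning:` form or verify how the target renderer handles it.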
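Review bot: In README.md hunk `@@ -19,9 +20,10 @@`, changing "Ubuntu 20.04/22.04" to "Ubuntu 20.04+" widens the compatibility claim to every later Ubuntu release; unless builds have actually been checked on releases newer than 22.04, keep the explicit list of tested versions so users do not read it as a guarantee.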
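Review bot: In README.md hunk `@@ -69,21 +73,24 @@`, the last changed line only strips trailing whitespace but keeps a grammatical problem: "Giving the operator the capability to add custom features or modules that evades their targets detection system." is a fragment. Suggest merging it into the preceding sentence, e.g. "…as malleable and modular as possible, giving the operator the capability to add custom features or modules that evade their target's detection system."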
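Review bot: In WIKI.MD hunk `@@ -81,7 +81,7 @@`, the only change is trailing whitespace on `### Build Errors`, while the surrounding context line still reads "embedeed Qt resources"; since this is a docs cleanup commit, fix the spelling to "embedded" here.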
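Review bot: In WIKI.MD hunk `@@ -446,25 +446,25 @@`, two typos survive in lines this hunk already rewrites: "From the Havoc UI, nagivate to `Attack -> Payload`." should read "navigate", and "other forms of sycall tracing)may be evaded" should read "other forms of syscall tracing) may be evaded" (missing space after the parenthesis as well).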
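Review bot: In WIKI.MD hunk `@@ -698,7 +698,7 @@`, the rewritten FAQ line keeps "Jobs are ran in their own threads"; it should be "Jobs are run in their own threads".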
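Review bot: In makefile hunk `@@ -7,35 +7,35 @@`, both `go build` recipe lines (in `ts-build` and `dev-ts-compile`) use `-X cmd.VersionCommit=$(git rev-parse HEAD)`; inside a make recipe `$(...)` is expanded by make itself, not the shell, and `git rev-parse HEAD` is not a make variable, so the value expands to an empty string and the commit is never embedded. Since this hunk already touches the `dev-ts-compile` line, escape it as `$$(git rev-parse HEAD)` on both lines. Separately, `go build -ldflags -X` needs the variable's full import path, so `cmd.VersionCommit` only takes effect if the teamserver's `cmd` package has the import path `cmd` exactly; worth confirming against the module path in `teamserver/go.mod`.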