Havoc C2 Framework - Setup Demonstration with Windows Defender Bypass

Captions
Hello all, welcome back to another video. In this video we will be walking through Havoc C2, a very popular C2 framework that has a GUI similar to Cobalt Strike. This video will be a little bit long, so be sure to check out the timestamps provided to skip to the part of the video you are interested in. The video will provide a setup and installation guide for the Havoc C2 framework, following which basic usage will be demonstrated, such as setting up a listener and generating a payload for it. As a bonus, the video will also be showcasing how you can bypass the latest Windows Defender, successfully obtaining a callback to the Havoc C2 framework server by utilizing a C++ shellcode loader. Without further ado, let's get started.

As shown on the screen, this Windows machine that I am using is pretty fresh. I am downloading VMware Workstation and Kali and starting it from scratch. A lot of the waiting time is edited out; I am trying to show only the important parts. If we read through the GitHub repo, there is an official documentation page provided, so that is pretty convenient. It is quite simple to follow through the installation steps provided to get the C2 up and running; be sure to follow according to what your environment is.

I am setting up SSH access as well. I prefer to use the root user directly. Don't worry, my Kali is behind NAT and not directly bridged to my Wi-Fi, and I don't have any port forwarding configured on my router as well. Let's follow the installation instructions provided and copy-paste the commands over. Thank you.

Looking through the installation documentation, it seems that ultimately we will have a single Havoc binary, and it can be executed as the server or the client depending on the command line arguments applied. This error is a weird one. I was trying to troubleshoot and followed quite a few references by searching on the error message, and nothing seemed to fix it. In the end I did a reboot of my Kali machine, and instead of accessing the Kali via SSH I accessed the Kali VM directly instead, since the Havoc client is a GUI program. Let's run the server with the commands provided. For the client we can simply execute the command `havoc client`. The credentials to connect should be in the profile file that we have executed with the server earlier. Let's try to connect to the Havoc C2 server by supplying the IP address, port and credentials. This is where it didn't work. I see, it is case sensitive of course: the username should be capital Neo and not the small letter neo that I have entered.

Great, this is pretty similar looking to Cobalt Strike. Let's start up a listener first. Once we have a listener running we should be able to generate a payload for the listener. Let's leave everything as it is and generate it. After a long wait we should see a download prompt. The payload has been generated successfully as an exe file for us to download. Let's transfer the payload over to our Windows machine and give it a shot. Take note that there is a Windows Defender exclusion configured for this demo folder; we will be showing how to bypass Windows Defender later on, outside of this folder of course. It works well and we have a callback on our Havoc C2 server, as shown on the screen. Let's try out the file explorer. This is pretty nice. Just interact with the Demon agent; it supports a lot of commands. This looks good. Let's try out the shell command to execute ipconfig. Now let's try out the screenshot command. We can view the screenshot captured by navigating to View and selecting Loot.

Alright, now let's exit this Demon agent and demonstrate how we can bypass Windows Defender, the good stuff. This is weird, that it is still triggering a Windows Defender alert even though it is in the excluded folder. Oh well, let's ignore it. Back on the C2 server, go to Attack and select Payload. Let's change the output format from exe to shellcode instead. Let's make use of a template C++ DLL file that was used in the previous video. Feel free to check out my other Windows Defender bypass videos; there is a playlist containing several videos on it on my YouTube channel. Okay, this is the code. Let's copy this. Let's hop over to our Kali machine and save the shellcode generated first. The Demon shellcode is now saved in the demon.x64.bin file. Great, now let's create a file loader.cpp on our Kali machine in the temp directory and paste the C++ code over. We will need to make some changes to the decrypt AES function, as this function is heavily signatured by Windows Defender as malicious. This is pretty crazy. After making some minor changes, let's try to compile it as a DLL and transfer it over to our Windows machine. Note that the Demon shellcode has yet to be inputted into the C++ code. Now let's transfer over the loader.dll file. This is crazy, right? The C++ code contains no shellcode yet, but it is triggering Windows Defender as Meterpreter. Let's make more changes to the decrypt AES function; we should rename the function as well. Alright, now let's give it a try again. Awesome, it worked. Now our DLL template file can land on this successfully; there is no Windows Defender detection.

Now it's time to input the Demon shellcode generated into the C++ code. This C++ DLL program will execute the Demon shellcode for us. We will need to perform AES encryption on the Demon shellcode bin file. Let's head over to this GitHub repository and use the aes.py script. The AES Python script will help perform AES encryption on the Demon shellcode bin file and output the AES encrypted shellcode for us, as well as the AES key. Let's try to access our Kali VM directly instead of over SSH; maybe it's easier to copy from there. Okay, no chance, it is still a pain to copy such a large amount of output. Alright, let's modify the AES Python script instead. Instead of printing out the AES encrypted shellcode and AES key to the console, let's modify the Python script to read our loader.cpp template file and write the AES encrypted shellcode and key directly into a new C++ file instead. We can use the replace function to perform a match and replace so that the AES encrypted shellcode and AES key will be written into a new C++ file. Okay, this looks good. Let's write it into a new file called new.loader.cpp. It should work; let's give it a try. Let's compile it as a DLL. Now it seems that there is a typo; it should be a small letter k instead. Let's fix that in our Python script. Now let's generate the new loader C++ code again. Awesome, the compilation works. Now we have a new DLL payload file that should contain our AES encrypted Demon shellcode. Let's transfer this over to our Windows machine and give it a shot. Awesome, there is no detection. Let's try executing the DLL payload file; hopefully we get a nice callback on our Havoc C2 server. Awesome, it worked. As shown on the screen, we were able to obtain a callback on our Havoc C2 server, successfully bypassing Windows Defender. The session works as well, as shown over here. This is great. We can even try out the screenshot function again. Nice, it worked, no detection from Windows Defender as well.

Alright guys, this is it for this video. If you are interested in learning more about red team attack techniques and tactics, I highly recommend Raphael Mudge's Red Team Ops with Cobalt Strike playlist. This is completely free and available on YouTube; you are definitely going to upskill yourself a lot after watching this series. I have recently created a free phishing course available on Udemy. This phishing course is completely free and it is only about 30 minutes long. Several phishing techniques and popular tools such as GoPhish are demonstrated in the course. The link to the free course will be available in the video's description. All of the references used in the video will be provided in the video's description, so be sure to check that out as well. I hope you all have found the video to be interesting and useful. Please help to like the video and subscribe to the channel; it will really help out the channel a lot. Thanks all, I appreciate it. I will see you all soon in the next video. Bye.
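The loader walked through above works by carrying an AES-encrypted shellcode buffer inside an otherwise ordinary DLL. From the defender's side, that buffer has a measurable property the decrypt-function renaming does nothing to hide: ciphertext is near-maximal entropy while compiled code and strings are not. The following is an added example, not code from the video or from the Havoc project, that slides a window over a file and reports merged high-entropy runs; the 7.2 bits/byte cut-off, the window size and the seeded-PRNG sample bytes are all assumptions made here.

```python
import math
import random
from typing import List, Tuple

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a constant buffer,
    8.0 for a perfectly uniform one)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def high_entropy_regions(data: bytes, window: int = 1024, step: int = 256,
                         threshold: float = 7.2) -> List[Tuple[int, int]]:
    """Slide a window across data and return merged (start, end) byte ranges
    whose entropy stays above threshold. Compiled x64 code and text usually
    measure well under 7 bits/byte, while AES ciphertext approaches 8, so a
    long run above ~7.2 (an assumed cut-off) marks a candidate encrypted blob."""
    regions: List[Tuple[int, int]] = []
    last_start = max(0, len(data) - window)
    for off in range(0, last_start + 1, step):
        if shannon_entropy(data[off:off + window]) >= threshold:
            end = min(off + window, len(data))
            if regions and off <= regions[-1][1]:
                regions[-1] = (regions[-1][0], end)  # extend the previous run
            else:
                regions.append((off, end))
    return regions

# Constructed sample (not a real DLL): 2 KiB of low-entropy, code-like filler
# on each side of a 2 KiB seeded-PRNG blob standing in for an AES-encrypted
# shellcode buffer embedded in a loader's data section.
_rng = random.Random(1337)
FILLER = bytes(_rng.choice(b"\x48\x8b\x89\x00\x01\xc3\x55\x5d") for _ in range(2048))
BLOB = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE = FILLER + BLOB + FILLER
BLOB_START, BLOB_END = len(FILLER), len(FILLER) + len(BLOB)

def scan_file(path: str) -> List[Tuple[int, int]]:
    """Convenience wrapper for scanning an on-disk binary with the defaults."""
    with open(path, "rb") as fh:
        return high_entropy_regions(fh.read())

if __name__ == "__main__":
    for start, end in high_entropy_regions(SAMPLE):
        print(f"high-entropy region 0x{start:x}-0x{end:x} ({end - start} bytes)")
```

Reported ranges are a triage hint, not a verdict: legitimately compressed resources and embedded certificates also score high, so the region's size and location are what separate a suspicious blob from a benign one.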
Info
Channel: Gemini Cyber Security
Views: 5,544
Keywords: ethical hacking, hacking, ethical hacker, hacker, vulnerability, bypass, security assessment, penetration testing, penetration tester, web app security, network security, cyber security, it security, offensive security, red team, red teaming, vulnhub, oscp, how to, learn hacking, crest, wargames, learn linux, linux, kali, overthewire, overthewire.org, bandit, bandit overthewire, blackhat, sliver c2, sliver
Id: DXJNWiZJGko
Length: 12min 59sec (779 seconds)
Published: Mon Sep 25 2023