Building Red Team C2 Infrastructure with Havoc

Deploy and configure the Havoc C2 framework with teamserver, HTTPS listeners, redirectors, and Demon agents for

What Is This

The "Building Red Team C2 Infrastructure with Havoc" skill provides practical, hands-on expertise for deploying and configuring the Havoc Command and Control (C2) framework in authorized red team engagements. Havoc is an advanced open-source C2 framework designed to facilitate post-exploitation operations and adversary emulation. It offers features such as the Demon agent for Windows, collaborative multi-operator support, customizable listener profiles, and flexible transport mechanisms like HTTP, HTTPS, and SMB. This skill guides security professionals through the process of building a robust, production-ready C2 infrastructure using Havoc, ensuring operational security (OPSEC) and compliance with organizational or regulatory requirements.

Why Use It

Red team operations require reliable, stealthy, and flexible C2 infrastructure to simulate real-world adversaries effectively. Havoc excels in this context by providing:

  • Modern Operator Interface: Similar to commercial offerings like Cobalt Strike, supporting multi-user collaboration.
  • Flexible Listeners: Capable of handling multiple protocols (HTTP, HTTPS, SMB) and easily customizable to evade detection.
  • Traffic Malleability: Support for custom listener profiles to shape outbound/inbound agent traffic, reducing the risk of signature-based detection.
  • Robust Post-Exploitation: Through the Demon agent, Havoc enables advanced persistence, privilege escalation, and lateral movement techniques.
  • Open Source and Extensible: No licensing constraints and an active community for continuous improvement.

Using Havoc allows red teams to emulate sophisticated threats, test blue team detection capabilities, and assess organizational defenses in a controlled, authorized manner.

How to Use It

Setting up a full-featured Havoc C2 infrastructure involves several key steps: deploying the teamserver, configuring secure listeners, integrating redirectors, and managing Demon agents.

1. Prerequisites

  • A dedicated server or VPS for the Havoc teamserver (Ubuntu 20.04 or later recommended)
  • A separate redirector (e.g., nginx on a VPS) for traffic obfuscation
  • Valid SSL/TLS certificates for HTTPS listeners
  • Administrative access and permissions for authorized red team activities

2. Install Havoc

Clone the official Havoc repository and build from source:

git clone https://github.com/HavocFramework/Havoc.git
cd Havoc
chmod +x install.sh
./install.sh

This will install dependencies and compile the framework.

3. Launch the Teamserver

Start the Havoc teamserver, which acts as the central hub for operator connections and agent management:

./teamserver --profile /path/to/profile.yaml --bind 0.0.0.0:40056

  • --profile: Path to the YAML configuration profile containing teamserver and listener settings.
  • --bind: IP and port for operator connections.

4. Configure HTTPS Listener

Listeners are endpoints where Demon agents communicate back to the C2. For HTTPS:

listeners:
  - name: "https"
    protocol: "https"
    bind: "0.0.0.0:443"
    cert: "/etc/ssl/certs/havoc_cert.pem"
    key: "/etc/ssl/private/havoc_key.pem"
    profile: "/path/to/https_profile.yaml"

Edit your /path/to/profile.yaml to include the above. Use strong, valid certificates for OPSEC.

5. Set Up a Redirector

A redirector (e.g., nginx) helps mask the C2’s real IP and filter bad traffic.

Example nginx configuration:

server {
    listen 443 ssl;
    server_name redteam.example.com;

    ssl_certificate /etc/letsencrypt/live/redteam.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/redteam.example.com/privkey.pem;

    location / {
        proxy_pass https://YOUR_C2_IP:443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Change YOUR_C2_IP to your Havoc teamserver's IP.

6. Generate and Deploy the Demon Agent

From the Havoc operator client:

  1. Connect to the teamserver.
  2. Use the UI to create a new Demon agent, selecting the HTTPS listener.
  3. Download the agent binary and deploy it on authorized test systems.

Example Demon generation command (CLI):

./DemonGen --listener https --output demon.exe

7. Operator Workflow

  • Connect via the Havoc GUI or CLI to the teamserver.
  • Monitor agent callbacks.
  • Task agents for post-exploitation actions: privilege escalation, lateral movement, credential dumping, etc.

When to Use It

This skill is applicable in situations such as:

  • Setting up red team infrastructure for simulated adversary campaigns
  • Testing blue team detection and response capabilities
  • Training security personnel in realistic attack and defense scenarios
  • Assessing the effectiveness of security controls in compliance-driven environments
  • Validating network and endpoint visibility against advanced threat techniques

It is critical that all usage complies with legal, organizational, and ethical guidelines and is performed only in authorized environments.

Important Notes

  • Authorization: Deploy Havoc only in environments where you have explicit written authorization. Misuse may violate laws and organizational policies.
  • OPSEC: Apply strict operational security practices: use redirectors, strong certificates, and non-default profiles to reduce detection risk.
  • Logging and Monitoring: Assume all C2 traffic may be logged or monitored by defenders. Regularly rotate infrastructure and update profiles.
  • Compliance: Align usage with frameworks like NIST CSF and maintain documentation to support compliance audits.
  • Open Source Risks: Continuously monitor the Havoc project for updates and community advisories to address vulnerabilities or detection signatures.
  • For Education and Training: Havoc is a powerful tool. Use it responsibly for learning, capability development, and authorized operations only.
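
The defender's side of the Logging and Monitoring note above, as an added example that is not part of the original page or the Havoc project: one way a blue team flags agent-style HTTPS callbacks in proxy logs by their near-constant timing. The log format, sample lines, function name and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client IP> <destination host>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.21 redteam.example.com
2024-05-01T09:00:05 10.0.0.34 intranet.example.org
2024-05-01T09:00:07 10.0.0.34 intranet.example.org
2024-05-01T09:00:40 10.0.0.34 intranet.example.org
2024-05-01T09:01:02 10.0.0.21 redteam.example.com
2024-05-01T09:01:59 10.0.0.21 redteam.example.com
2024-05-01T09:03:01 10.0.0.21 redteam.example.com
2024-05-01T09:04:00 10.0.0.21 redteam.example.com
2024-05-01T09:05:02 10.0.0.21 redteam.example.com
2024-05-01T09:07:12 10.0.0.34 intranet.example.org
2024-05-01T09:07:15 10.0.0.34 intranet.example.org
2024-05-01T09:31:00 10.0.0.34 intranet.example.org
this line is malformed and is skipped
"""

def find_periodic_callbacks(log_text, min_events=5, max_cv=0.2):
    """Return (client, destination) pairs whose request spacing is near-constant."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines
        try:
            seen[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
        except ValueError:
            continue  # ignore unparseable timestamps
    findings = []
    for (src, dst), times in seen.items():
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(deltas)
        if avg <= 0:
            continue
        # Coefficient of variation: a low value means machine-like, regular timing
        cv = pstdev(deltas) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(times),
                             "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])
```

On the constructed sample, only the 10.0.0.21 to redteam.example.com pair is reported; the irregular browsing pattern from 10.0.0.34 is not.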

By mastering this skill, you can confidently deploy and operate Havoc C2 infrastructure, enabling realistic, effective, and compliant red team engagements.