The Havoc C2 framework is growing in popularity because of its ability to bypass Windows 11 Defender (or at least it used to). But I am not writing about using it, rather about decrypting its traffic.
How traffic can be analyzed from a Havoc beacon is described by Immersive Labs in this blog post: Havoc C2 Framework – A Defensive Operator’s Guide.
The traffic is encrypted with AES-CTR, and this tool from Immersive Labs can be used to extract the AES key and IV from the pcap: HavocC2-Forensics.
$ python3 havoc-pcap-parser.py --pcap ~/traffic.pcapng
[+] Parsing Packets
[+] Parsing Request
[!] Error parsing request body: 'NoneType' object has no attribute 'replace'
[+] Parsing Request
[!] Error parsing request body: 'NoneType' object has no attribute 'replace'
[+] Parsing Request
[!] Error parsing request body: 'NoneType' object has no attribute 'replace'
[+] Parsing Request
[+] Found Havoc C2
[-] Agent ID: 0e9fb7d8
[-] Magic Bytes: deadbeef
[-] C2 Address: http://10.0.2.37/
[+] Found AES Key
[-] Key: 946cf2f65ac2d2b868328a18dedcc296cc40fa28fab41a0c34dcc010984410ca
[-] IV: 8cd00c3e349290565aaa5a8c3aacd430
...
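As an added example (not code from this post or from the HavocC2-Forensics tool), the stand-alone Go program below shows how the key and IV printed above are applied: AES-CTR is symmetric, so a single keystream XOR over an encrypted request body recovers the plaintext. The sample plaintext is constructed, and `DecryptHavocBody` is an assumed helper name, not part of the parser.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// Key and IV exactly as printed by havoc-pcap-parser.py for this capture.
const (
	keyHex = "946cf2f65ac2d2b868328a18dedcc296cc40fa28fab41a0c34dcc010984410ca"
	ivHex  = "8cd00c3e349290565aaa5a8c3aacd430"
)

// aesCTR applies AES-CTR with the given hex key and IV. CTR mode is symmetric,
// so the same call both encrypts and decrypts. The key must be 32 bytes
// (AES-256, as in the parser output) and the IV one AES block (16 bytes).
func aesCTR(keyHex, ivHex string, data []byte) ([]byte, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil {
		return nil, fmt.Errorf("bad key hex: %w", err)
	}
	iv, err := hex.DecodeString(ivHex)
	if err != nil {
		return nil, fmt.Errorf("bad iv hex: %w", err)
	}
	if len(key) != 32 {
		return nil, errors.New("expected a 32-byte AES-256 key")
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("expected a 16-byte IV")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// DecryptHavocBody (assumed name) decrypts one encrypted request body taken
// from the pcap using the key/IV recovered by the parser.
func DecryptHavocBody(body []byte) ([]byte, error) { return aesCTR(keyHex, ivHex, body) }

func main() {
	// Constructed sample: encrypt a known plaintext with the same key/IV so the
	// decryption path can be exercised offline without a capture file.
	plain := []byte("constructed sample plaintext, not real agent output")
	enc, _ := aesCTR(keyHex, ivHex, plain)
	dec, err := DecryptHavocBody(enc)
	fmt.Println(bytes.Equal(dec, plain), err)
}
```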
Adding --save will result in saving the decrypted payloads from the pcap to file.
$ python3 havoc-pcap-parser.py --pcap ~/traffic.pcapng --save ~/traffic_bins
# Sample output
061b7737-43d7-4f1b-ad11-db20419f73fd-request-0e9fb7d8.bin
0e00ea41-8032-4c40-afa4-bd10635c50bb-request-0e9fb7d8.bin
...