Skip to content

DragoQCC/HardHatC2

Repository files navigation

Discord GitHub issues GitHub Repo stars GitHub forks GitHub tag (latest by date) GitHub last commit Twitter Follow chat on Bloodhound Slack Sponsored by SpecterOps

HardHat C2

A cross-platform, collaborative, Command & Control framework written in C#, designed for red teaming and ease of use

image

HardHat is a multi-user C# .NET-based command and control (C2) framework designed to aid in red team engagements and penetration testing. It aims to improve quality-of-life during engagements by providing a robust, easy-to-use C2 framework.

HardHat has three main components:

  1. An ASP.NET teamserver
  2. A Blazor .NET client
  3. Built-in C# based implants
  4. Support for 3rd party implants in other languages

Full documentation is available at https://docs.hardhat-c2.net/.

NOTE: HardHat is in an Alpha release; it will have bugs, missing features, and unexpected things will happen. Thank you for trying it, and please report back any issues or missing features so they can be addressed.

Community

Join our Discord community to talk about HardHat C2, programming, red teaming and general cyber security topics. It's also a great place to ask for help, submit bugs or new features, and stay up-to-date on the latest additions.

Code contributions are welcome! Feel free to submit feature requests, pull requests, or send me your ideas on Discord.

Features

Custom Asset Support

  • Assets are the Implants and associated plugins for the team server and client. To see the available ones and learn how to create more, check out the HardHat Toolbox

Teamserver & Client

  • Individual operator accounts with role-based access control (RBAC)
    • Allows account personalization
    • Allows restricted access to specific features (e.g., view-only guest role, team-lead opsec approval (WIP))
  • Managers (Listeners)
  • Dynamic Payload Generation (EXE, DLL, shellcode, PowerShell command)
  • Creation & editing of C2 profiles on the fly in the client
  • Customization of payload generation
    • Sleep time/jitter
    • Kill date
    • Working hours
    • Type (EXE, DLL, shellcode, PowerShell command)
    • Included commands (WIP)
    • Option to run ConfuserEx
  • File upload & Downloads
  • Graph View
  • File Browser GUI
  • Event Log
  • JSON logging for events & tasks
  • Loot tracking
    • Credentials
    • Downloads
  • Indicator of Compromise (IOC) tracking
  • Pivot proxies (SOCKS 4a, Port forwards)
  • Credential store
  • Autocomplete command history
  • Detailed help command
  • Interactive bash terminal command if the client is on Linux or PowerShell on Windows
    • Allows automatic parsing and logging of terminal commands like proxychains
  • Persistent database storage of teamserver items (User accounts, Managers, Engineers, Events, tasks, creds, downloads, uploads, etc. )
  • Recon Entity Tracking (track info about users/devices, random metadata as needed)
  • Shared files for some commands (see teamserver page for details)
  • tab-based interact window for issuing commands
  • Table-based output option for some commands (e.g., ls, ps, etc.)
  • Automatic parsing of Seatbelt output to create "recon entities" for convenient reference
  • Dark and Light 🤮 theme

image image

Engineers

  • C# .NET framework implant for Windows devices (currently only CLR/.NET 4 support)
    • Only one implant at the moment, but looking to add others
  • Can be generated as EXE, DLL, shellcode, or PowerShell stager
  • RC4 encryption of payload memory & heap when sleeping (EXE / DLL only)
  • AES encryption of all network communication
  • ConfuserEx integration for obfuscation
  • HTTP, HTTPS, TCP, SMB communication
    • TCP & SMB can work peer-to-peer (P2P) in bind or reverse configurations
  • Unique per implant key generated at compile time
  • Multiple callback URI's depending on the C2 profile
  • P/Invoke & D/Invoke integration for windows API calls
  • SOCKS 4a support
  • Reverse Port Forward & Port Forwards
  • All commands run as asynchronous, cancellable jobs
    • Option to run commands synchronously, if desired
  • Inline assembly execution & inline shellcode execution
  • DLL Injection
  • Execute assembly & Mimikatz integration
    • Mimikatz is not built into the implant but is pushed when specific commands are issued
  • Various local and network enumeration tools
  • Token manipulation commands
    • Steal Token Mask (WIP)
  • Lateral Movement Commands
  • Jump (psexec, wmi, wmi-ps, winrm, dcom)
  • Remote Execution (WIP)
  • Antimalware Scan Interface (AMSI) & Event Tracing for Windows (ETW) Patching
  • Unmanaged Powershell
  • Script Store allows multiple scripts to be loaded at once
  • Spawn & Inject
    • Spawn-to is configurable
  • Run, execute, and shell image

Getting Started

Installation

Docker

  1. Install Docker and Docker Compose
  2. Run docker compose up -d
    • Optionally, provide HARDHAT_ADMIN_USERNAME and/or HARDHAT_ADMIN_PASSWORD as environment variables; if omitted, the default admin username and randomly generated password will be written to the teamserver logs on first run
  3. Navigate to https://localhost:7096/ in your browser

Manual

  1. Install .NET 7 SDK from Microsoft
  2. Run dotnet run from the .\TeamServer directory to build and start the teamserver
  3. Run dotnet run https://<TEAMSERVER_HOST>:<TEAMSERVER_PORT> from the HardHatC2Client directory
    • For example, assuming your teamserver is running on the same host and default port: dotnet run https://127.0.0.1:5000
  4. Navigate to https://localhost:7096/ in your browser

To configure the teamserver's listening address (i.e., where clients will connect), edit .\TeamServer\Properties\LaunchSettings.json and change "applicationUrl": "https://127.0.0.1:5000" to the desired location and port.

Setup

  1. Login to the client web UI using the username and password set with environment variable or printed to STDOUT by the teamserver
  2. Navigate to the Settings page and create a new user account
    • If successful, a message will appear; you may then login with that account to access the full client

Release Tracking