Awesome
<a href="https://bloodhoundgang.herokuapp.com/"> <img src="https://img.shields.io/badge/BloodHound Slack-4A154B?logo=slack&logoColor=white" alt="chat on Bloodhound Slack" /> </a> <a href="https://github.com/specterops#hardhatc2"> <img src="https://img.shields.io/endpoint?url=https%3A%2F%2Fraw.githubusercontent.com%2Fspecterops%2F.github%2Fmain%2Fconfig%2Fshield.json" alt="Sponsored by SpecterOps"/> </a>
HardHat C2
A cross-platform, collaborative, Command & Control framework written in C#, designed for red teaming and ease of use
HardHat is a multi-user C# .NET-based command and control (C2) framework designed to aid in red team engagements and penetration testing. It aims to improve quality-of-life during engagements by providing a robust, easy-to-use C2 framework.
HardHat has three main components:
- An ASP.NET teamserver
- A Blazor .NET client
- Built-in C# based implants
- Support for 3rd party implants in other languages
Full documentation is available at https://docs.hardhat-c2.net/.
NOTE: HardHat is in an Alpha release; it will have bugs, missing features, and unexpected things will happen. Thank you for trying it, and please report back any issues or missing features so they can be addressed.
Community
Join our Discord community to talk about HardHat C2, programming, red teaming and general cyber security topics. It's also a great place to ask for help, submit bugs or new features, and stay up-to-date on the latest additions.
Code contributions are welcome! Feel free to submit feature requests, pull requests, or send me your ideas on Discord.
Features
Custom Asset Support
- Assets are the Implants and associated plugins for the team server and client. To see the available ones and learn how to create more, check out the HardHat Toolbox
Teamserver & Client
- Individual operator accounts with role-based access control (RBAC)
- Allows account personalization
- Allows restricted access to specific features (e.g., view-only guest role, team-lead opsec approval (WIP))
- Managers (Listeners)
- Dynamic Payload Generation (EXE, DLL, shellcode, PowerShell command)
- Creation & editing of C2 profiles on the fly in the client
- Customization of payload generation
- Sleep time/jitter
- Kill date
- Working hours
- Type (EXE, DLL, shellcode, PowerShell command)
- Included commands (WIP)
- Option to run ConfuserEx
- File upload & Downloads
- Graph View
- File Browser GUI
- Event Log
- JSON logging for events & tasks
- Loot tracking
- Credentials
- Downloads
- Indicator of Compromise (IOC) tracking
- Pivot proxies (SOCKS 4a, Port forwards)
- Credential store
- Autocomplete command history
- Detailed help command
- Interactive bash terminal command if the client is on Linux or PowerShell on Windows
- Allows automatic parsing and logging of terminal commands like proxychains
- Persistent database storage of teamserver items (User accounts, Managers, Engineers, Events, tasks, creds, downloads, uploads, etc. )
- Recon Entity Tracking (track info about users/devices, random metadata as needed)
- Shared files for some commands (see teamserver page for details)
- tab-based interact window for issuing commands
- Table-based output option for some commands (e.g.,
ls
,ps
, etc.) - Automatic parsing of Seatbelt output to create "recon entities" for convenient reference
- Dark and Light 🤮 theme
Engineers
- C# .NET framework implant for Windows devices (currently only CLR/.NET 4 support)
- Only one implant at the moment, but looking to add others
- Can be generated as EXE, DLL, shellcode, or PowerShell stager
- RC4 encryption of payload memory & heap when sleeping (EXE / DLL only)
- AES encryption of all network communication
- ConfuserEx integration for obfuscation
- HTTP, HTTPS, TCP, SMB communication
- TCP & SMB can work peer-to-peer (P2P) in bind or reverse configurations
- Unique per implant key generated at compile time
- Multiple callback URI's depending on the C2 profile
- P/Invoke & D/Invoke integration for windows API calls
- SOCKS 4a support
- Reverse Port Forward & Port Forwards
- All commands run as asynchronous, cancellable jobs
- Option to run commands synchronously, if desired
- Inline assembly execution & inline shellcode execution
- DLL Injection
- Execute assembly & Mimikatz integration
- Mimikatz is not built into the implant but is pushed when specific commands are issued
- Various local and network enumeration tools
- Token manipulation commands
- Steal Token Mask (WIP)
- Lateral Movement Commands
- Jump (psexec, wmi, wmi-ps, winrm, dcom)
- Remote Execution (WIP)
- Antimalware Scan Interface (AMSI) & Event Tracing for Windows (ETW) Patching
- Unmanaged Powershell
- Script Store allows multiple scripts to be loaded at once
- Spawn & Inject
- Spawn-to is configurable
- Run, execute, and shell
Getting Started
Installation
Docker
- Install Docker and Docker Compose
- Run
docker compose up -d
- Optionally, provide
HARDHAT_ADMIN_USERNAME
and/orHARDHAT_ADMIN_PASSWORD
as environment variables; if omitted, the default admin username and randomly generated password will be written to the teamserver logs on first run
- Optionally, provide
- Navigate to https://localhost:7096/ in your browser
Manual
- Install .NET 7 SDK from Microsoft
- Run
dotnet run
from the.\TeamServer
directory to build and start the teamserver - Run
dotnet run https://<TEAMSERVER_HOST>:<TEAMSERVER_PORT>
from theHardHatC2Client
directory- For example, assuming your teamserver is running on the same host and default port:
dotnet run https://127.0.0.1:5000
- For example, assuming your teamserver is running on the same host and default port:
- Navigate to https://localhost:7096/ in your browser
To configure the teamserver's listening address (i.e., where clients will connect), edit .\TeamServer\Properties\LaunchSettings.json
and change "applicationUrl": "https://127.0.0.1:5000"
to the desired location and port.
Setup
- Login to the client web UI using the username and password set with environment variable or printed to STDOUT by the teamserver
- Navigate to the Settings page and create a new user account
- If successful, a message will appear; you may then login with that account to access the full client
Release Tracking
- Alpha 0.2 Release - 7/6/23
- Alpha Release - 3/29/23