Alpha 0.3 Update Oct 13, 2023

Introduction

The Alpha 0.3 update is finally here. It includes many bug fixes, general code cleanups, and new features such as webhooks, assembly viewing, custom Implant support, data chunking, and much more. The full changelog is below.

Changelog

  • General / Misc

    • General performance and speed improvements due to various code rewrites

    • Rewrote various code classes to enable them to be more generic for 3rd party implants

    • Updated the various NuGet packages HardHat uses, which brings general fixes for bugs and UI issues

    • Working on upgrading the plugin system to support more generalized, powerful plugins vs. just overriding specific parts that are predefined

    • Added Docker support

      • The Teamserver and Client ports now bind to 0.0.0.0 (all interfaces) by default to work with Docker, so edit appsettings.json as needed if this is not desired

    • Cleaned up some console messages to make them clear

    • Lots of implant-related code on the team server & client are now virtual, so devs can fully override functionality where needed

  • Team Server

    • Rewrote the logic for implant check-in and Tasking to support plugins and 3rd party implants and improve code flow

    • Added webhooks for Discord, Slack, and Mattermost; custom destinations are also supported

      • Currently supports new implant check-in notifications or custom notifications

    • Added more ASP.NET APIs so users can be created via API calls with web posts vs. having to use the UI

    • Updated logging logic to support the custom return types being logged as text

    • Enabled data chunking so implants can return large command output in pieces to help lower network traffic detections

    • Fixed some bugs related to implant creation when building dynamically and not including all commands/modules

    • Updated database logic to support adding arbitrary objects vs only predefined types

    • Added Event URLs to allow for implants to send and receive non-task-related communications (not currently used, still in testing)

    • Added OAuth to the Swagger/ASP.NET API page to support authenticating via a bearer token

    • Rewrote implant task pre and post-processing to clean up code and improve speed

    • Fixed some bugs around serialization and deserialization

    • Removed hard-coded encryption keys that were added in 0.2 for ease of debugging

    • Performance increase in speed of processing implant check-ins

    • Performance increase to lower RAM usage

    • Performance increase to socks on average

      • ~30%-40% decrease in latency

      • ~30%-40% decrease in jitter

      • ~150%-200% increase in download speed

    • Added an option to set the server IP address from command-line args; it needs to be passed in like 127.0.0.1:8000

    • Added support to set HARDHAT_ADMIN_PASSWORD and HARDHAT_ADMIN_USERNAME environment variables

  • Client

    • Rewrote many components to support plugins and 3rd party implants

    • Improved scaling of UI elements when the browser window is not full-sized

    • Fixed UI display bugs where elements had fixed sizes; they now use a % of screen size instead

    • Removed the need to perform redirection on the first login; the client now gets implants when the implants page is first visited

    • Performance improvements for RAM use: the client will now only use RAM for command output when the implants tab is open and that command's panel is expanded; closing a command panel frees up the RAM

    • Separated various command display pieces into unique components allowing for better control of rendering

    • Added a page for objective tracking, a basic list of objectives with sub-tasks can be created

    • Added a tagging system to go with objectives

      • Tags can be set on commands and local terminal commands, then filtered on the objectives page to see all commands related to a specific tag

    • Added a tab to the toolbox page to see and write new commands for the Engineer in a style similar to ILSpy

    • Added a view to see a disassembled .NET assembly, such as Rubeus, in a similar manner to ILSpy

    • Added an edit file view: the file is downloaded and opened, and if it can be written to, the operator can make changes and save it to update the copy on the target machine, so it acts like a built-in notepad of sorts

    • Added a markdown notes page that supports full markdown

      • Each operator will have a private notes tab as well as access to a shared notes tab that is replicated to all clients

    • Upgraded the file download command to enable viewing of the downloaded file content directly in the command result window

    • Updated C2 profile dialog to allow for supplying real lists for stuff like callback URIs and Headers to add

    • Changes to the default C2 profile now persist after leaving the page

    • Updated manager creation to automatically get a list of possible bind addresses for the team server; it still allows adding a custom IP to bind to if desired

    • Cleaned up the final page of implant creation to make the chosen settings easier to read before finalizing implant creation

    • Limited the view of the administrator user to better show the user's intended purpose

    • Added the ability to track the user inside of the client, allowing commands to be tagged per issuing user

    • Added the ability to refresh plugins on the client & team server from the settings page

    • Added an option to appsettings.json to allow for automatic installation of the client cert to the trusted cert store, disabled by default

      • When used, this prevents the browser from warning for an untrusted site when browsing to the client

    • Tasks now track their own pre/post-processing needs, issuing user and implant ID

  • Implants

    • Created a Rust demo implant (Rivet) to showcase the new 3rd party implant system

    • Engineer -> Fixed some errors in the Engineer for token use

    • Engineer -> Added an LDAP whoami command for the Engineer to enable verification of network authentication changes, such as after a make token command

    • Engineer -> Added a command to enable opening a file on target and editing the file; if the file cannot be edited, it opens in read-only mode

    • Engineer -> Added a command to enable disassembly of a target assembly, allowing for viewing source in a style similar to ILSpy

    • Engineer -> Added a command to get current modules

    • Engineer -> Cleaned up tasking logic to better know when a command is not intended for the client UI, such as socks traffic

    • Engineer -> Fixed parsing bug in inline assembly when sending a command with quotes in the arguments

    • Engineer -> Updated implant task key to be a secure string to help protect it in memory

    • Engineer -> Updated encryption functions to use the secure string to avoid the encryption keys for tasks being in memory any longer than needed

    • Engineer -> Updated tasking logic to increase speed

Details and Screenshots

  • In Progress

Performance Stress Testing

HardHat was tested on a few different machine configurations. When limited to only one CPU core and two gigs of RAM, with 50 implants checking in at sleep 0, the teamserver and client still kept under 100 MB of RAM.

Socks Performance Increases

Thanks to the code rewrite, the speed at which socks traffic is sent from the implant to the teamserver greatly improved, resulting in a large increase in performance.

Performance increase to socks on average:

  • ~30%-40% decrease in latency

  • ~30%-40% decrease in jitter

  • ~150%-200% increase in download speed

Assembly View Command

The HardHat client and Engineer support the assembly view command, allowing an assembly downloaded off target to be disassembled and viewed directly in the command result window.

Edit File Command

Files can be downloaded off-target and opened for editing/reading.

Command View Page

The client now supports viewing command code for implants. This allows modification of implant command code or creation of a brand new command.