Managers (Listeners)

Managers

A manager is a listener that opens and waits for an engineer to connect to it and send data.

Managers come in four flavors: HTTP, HTTPS, SMB, and TCP.

HTTP and HTTPS managers bind a port on the team server, while TCP and SMB managers only tell generated implants how to connect back.

To create a manager, either select the Generate Manager button on the home page or visit the Managers page from the navigation window.

Manager Table

  • At the top of the Managers page is a table containing info about existing managers.

  • It shows: Name, Type, Connection Address, Connection Port, Creation Time, and Active status.

  • A manager can be disabled via the options menu on the far right of its row.

Manager Creation Form

  • At the bottom of the table is the manager creation form. This form lets the user fill in some key info about the manager they want to make.

  • Tab 1

    • Name

      • The name of the manager must be unique and shows in the implant metadata

    • Manager Type

      • Sets the communication protocol to use. If HTTP/HTTPS is selected, the port set on tab two is opened on the teamserver.

  • Tab 2 - Options depend on Manager Type Selected

    • HTTP / HTTPS

      • Connection Address

        • The address implants made with this manager should call back to

      • Connection Port

        • The port implants should call back to; it is also opened on the teamserver.

      • C2 Profile

        • The C2 profile to use; see the C2 Profiles section below for details.

    • TCP

      • Connection Address - reverse only

        • The address of the parent engineer hosting the TCP listener that this implant calls back and connects to.

      • Connection port - reverse only

        • The port on which the parent engineer hosts the TCP listener that this implant calls back and connects to.

      • Listen Port - bind only

        • The port to open and wait for incoming TCP connections from parent engineers.

      • Listen On LocalHost - bind only

        • A boolean value. When true, the implant only starts the TCP server for localhost connections (useful, for example, in privilege escalation). When false, it listens on every interface it can.

      • Connection Mode

        • This determines whether the engineers generated with this manager are the TCP server (bind) or the TCP client (reverse).

    • SMB

      • Named Pipe

        • In reverse mode, this is the pipe name to try to connect to. In bind mode, this is the named pipe to create and wait for incoming connections on.

      • Connection Address - reverse only

        • The address at which to try to connect to the parent engineer.

      • Connection Mode

        • This determines whether the engineers generated with this manager are the SMB server (bind) or the SMB client (reverse).

C2 Profiles

A C2 Profile in HardHat is, at the moment, only used by HTTP/HTTPS managers and engineers. When creating an HTTP/HTTPS manager, you can create a new C2 profile or edit an existing one to meet your needs. A C2 profile allows the following to be set.

  • Name

    • The name for the C2 profile is just for tracking. Make it unique.

  • Description

    • Again, just for the operator to keep extra notes or ideas about what the profile is meant to mimic.

  • URLS

    • This is a comma-separated list, like /index.html,/,/tacotuesday,/hardhat. The implants generated will cycle through each of these URIs during callbacks to mix up the traffic.

  • Cookies

    • Fills in the Cookie header for requests; can be a comma-separated list.

  • Request Headers

    • The default HTTP headers are removed by default. Headers are a comma-separated list.

    • ⚠️NOTE: you must include the VALUE keyword between the header name and the header value. It is stripped out later but is used to break the string down. Without it, the parsing will fail. ex. AcceptVALUEJson/Application,HostVALUEwww.hardhat.com

  • Response headers

    • Response headers are sent by the teamserver manager when it responds to an implant. They are a comma-separated list. The Server header is removed from the teamserver's responses, so it is recommended to include a Server response header here.

    • ⚠️NOTE: you must include the VALUE keyword between the header name and the header value. It is stripped out later but is used to break the string down. Without it, the parsing will fail. ex. ServerVALUEMicrosoft IIS,Cache-ControlVALUEprivate,max-age=0

    • ⚠️ This also means that, at the moment, a header value cannot contain a comma.

  • User Agent

    • The User-Agent header to fill in for requests from the engineer.
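Added example, not HardHat's own code: a small Python parser for the header string format documented above. It applies the documented rules (comma-separated entries, the literal VALUE keyword between name and value) and shows why the Cache-Control example with a comma inside its value fails to parse. Function and constant names are assumptions.

```python
# Added example, not HardHat's parser: models the documented profile header
# format (comma-separated entries, literal VALUE between name and value).
from typing import Optional

HEADER_DELIM = "VALUE"  # keyword the page says is stripped after splitting


def parse_profile_headers(spec: str) -> dict[str, str]:
    """Return {header_name: header_value} for a profile header string.

    Raises ValueError for any non-empty entry without the VALUE keyword,
    which is the failure the page warns about.
    """
    headers: dict[str, str] = {}
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        name, sep, value = entry.partition(HEADER_DELIM)
        if not sep or not name:
            raise ValueError(f"entry {entry!r} lacks the {HEADER_DELIM} keyword")
        headers[name] = value
    return headers


def format_profile_headers(headers: dict[str, str]) -> str:
    """Serialise headers into the profile string, refusing values the format
    cannot represent (a comma would be read as an entry separator)."""
    parts = []
    for name, value in headers.items():
        if "," in value or HEADER_DELIM in value or HEADER_DELIM in name:
            raise ValueError(f"{name}: {value!r} cannot be represented")
        parts.append(f"{name}{HEADER_DELIM}{value}")
    return ",".join(parts)


def parse_error(spec: str) -> Optional[str]:
    """Parse spec and return the error message, or None if it parsed."""
    try:
        parse_profile_headers(spec)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Both strings are the page's own examples; the second one breaks on
    # the comma inside "private,max-age=0", leaving an entry without VALUE.
    print(parse_profile_headers("AcceptVALUEJson/Application,HostVALUEwww.hardhat.com"))
    print(parse_error("ServerVALUEMicrosoft IIS,Cache-ControlVALUEprivate,max-age=0"))
```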

Note on C2 Profiles

Many other common C2 profile options found in other C2 frameworks, such as sleep, jitter, kill date, steal token mask, injection technique, etc., are per-engineer or per-command settings in HardHat, so they can be customized or updated as needed instead of forcing the operator to create new C2 profiles as often.
