HardHatC2

Operators & Authentication

Account Creation

On the first startup, the TeamServer will print the HardHat_Admin account password.

To create an account

  1. Login to the HardHat_Admin account

  2. navigate to the settings page

  3. create an account at the Operator or TeamLead role

  4. log out of the admin account and into the new account

⚠️ The password for the HardHat_Admin is only printed on the first startup of the teamserver until the database is wiped again. Make sure to save this somewhere, as it cannot be reset until a DB wipe happens.

Operators

HardHat allows for multiple users to connect and share information via a single teamserver. Each operator will start the HardHat C2 client with the address of the ts in the command line to connect.

Once connected, a new user will be able to log in. If this is the first startup of the teamserver and client, then login with the HardHat_Admin password that was printed out in the console when the teamserver was started.

Passwords are uniquely salted and hashed, so even the same two passwords appear differently when in the database. Only the salted hashed password is stored when the user logs in. The provided password is then salted and hashed on each login to compare to what is in the database for them.

HardHat uses JSON Web Tokens (JWT) to authenticate between the client and teamserver, as well as dictate page views and access in the client.

Each user must have a unique username. (Usernames are not case-sensitive)

10 Repeat failed login attempts will cause a forced account lock. If this happens, the admin user account can re-enable the account.

Authentication & Authorization

Once logged in, the user will automatically perform authentication against any page or API endpoint they interact with. If this interaction fails, it will be logged.

The JWT is stored in the local browser storage and should avoid requiring logging in more than once in a 28-day period unless cleared or the server restarts.

If someone visits the teamserver without authentication, they cannot interact with the APIs present, except for the API that retrieves the managers from the database to start allowing check-ins from existing implants before users log in.

If someone visits the client and attempts to bypass the login page without a proper JWT, the overall UI is hidden, and they are met with a popup that redirects them to the login page.

Teamserver Status

teamserver status is shown at the top of the client as well. If the connection is good, it will show a green message. Otherwise, it will be orange or red. This is not 100% foolproof. Always trust but verify.

Roles

  • Administrator - This is the one built-in account that can give other users the roles they need & restore locked-out accounts. The admin user also is responsible for operation management, such as database resetting, operation reset, log clearing, etc.

  • Team Lead- This role can perform all the same actions as the Operator role but with additional control. The team lead may also set the opsec levels for commands, set blocked commands, approve commands that need authorization, and control the operation details page(WIP).

  • Operator - the standard user account mode, this user may interact with the client/teamserver to create Managers, Engineers, Issue Commands, download & upload files, and perform all the other normal day-to-day operational needs.

  • Guest - This is an account that is read-only; they can see everything but cannot interact with anything. This can be useful to show something to a client, 3rd party, or new employee who is shadowing.

Permission Assignment

  • Permissions are assigned via the HardHat Admin account settings page.

  • The password for the admin account is generated and displayed on the teamserver console during startup. The username is always HardHat_Admin

Last updated