Documentation
Profiles
The Havoc Yaotl configuration language is a configuration file that contains everything that the teamserver needs to run. Yaotl is a fork of the popular configuration language HCL.
Syntax
A small introduction to the Yaotl language syntax.
Yaotl Block:
Block-Name { // content here }
Yaotl Block with label:
Block-Name "label" { // content here }
Yaotl string:
example = "string here"
Yaotl integer:
example = 1234
Yaotl float:
example = 13.23
Yaotl arrays:
array-string = [ "string", "string2" ] array-int = [ 1, 2, 3 ]
Example block with different types and values:
my-block "test-label" { val-int = 1234 val-str = "hello world" sub-block { array-str = [ "i like cats", "and dogs" ] } array-int = [ 400, 401 ] }
The Teamserver block
The Teamserver block holds the necessary information to bind the teamserver on a host and port where it is going to listen and accept client connections.
| Field | Type | Description |
|---|---|---|
Host | string | The specified address is going to be used to bind to. |
Port | integer | The specified port is going to be used to bind to. |
Both Host and Port are required to be specified. Those values are going to be used to listen to and accept incoming client connections. Example:
Teamserver { Host = "0.0.0.0" Port = 40056 }
The Teamserver block also has a sub block called Build where you can specify the compiler to use for compiling C and assembly files. If this block is not specified then the teamserver is going to search and use the Available mingw cross compiler (x86_64-w64-mingw32-gcc and i686-w64-mingw32-gcc). If the teamserver doesn't find the mingw/nasm compiler on the system and from the profile then it's going to exit.
| Field | Type | Description |
|---|---|---|
Compiler64 | string | What compiler to use to compile the C source code into an x64 binary |
Compiler86 | string | What compiler to use to compile the C source code into an x86 binary (currently not used. reserved for future use) |
Nasm | string | What compiler to use to compile the Assembly code into an x64/x86 binary |
Example:
Teamserver { Host = "0.0.0.0" Port = 40056 Build { Compiler64 = "/usr/bin/x86_64-w64-mingw32-gcc" Compiler86 = "/usr/bin/i686-w64-mingw32-gcc" Nasm = "/usr/bin/nasm" } }
The Operators block
The Operators block specifies the users that are going to be allowed to connect and interact with the teamserver. To add a new user you only need to specify the username and password.
Example User Block:
user "MyUsername" { password = "MyPassword" }
Example Operator Block:
Operators { user "5pider" { Password = "password1234" } user "Neo" { Password = "password1234" } }
The Listeners block
The Listeners block allows the operator to start a listener without doing it manually in the client interface.
This block has the following sub-blocks Http and Smb that allows starting a listener with the desired protocol.
The Http block allows configuring and starting an HTTP/HTTPS listener. The following fields can be configured.
| Field | Type | Description | Required |
|---|---|---|---|
Name | string | listener name | true |
KillDate | string | Date in which the Demon will terminate itself in UTC | false |
WorkingHours | string | during this working hour the agent is gonna activly request for new commands and execute them | true |
Hosts | string array | takes an array of hosts/ip strings. Those values can be formated as following: host:port (example: host.com:443) to set the host and port to connect to or simply host (example: host.com) to connect to. If only the host has been specified then the binded port is going to be used. If no hosts where specified then the binded host and port is going be used. Interface names such as tun0 can also be used. | false |
HostBind | string | Where the listener should to bind on. It accepts interface names. | true |
HostRotation | string | Host rotation technique to use. | true |
PortBind | integer | What port the listener should bind to | true |
PortConn | integer | What port the agent should connect to. If not specified the one from the Hosts field is gonna be used. | false |
HostRotation | string | Host rotation technique to use. | true |
UserAgent | string | What user agent can/should be used | true |
Headers | string array | What headers can/should be used. if nothing is provided then the listener is going to use Content-type: */*. Or else the agent wont be able to callback. | false |
Uris | string array | What uri's to use. if nothing provided then the listener is going to use /. | false |
Secure | bool | if SSL (HTTPs) should be used or not | true |
Cert | block | Certification files for HTTPs. If not specified the teamserver is going to generate a random cert/key files to use | false |
Proxy | block | Proxy configuration for HTTP/HTTPs requests | false |
Response | block | How should the listener responde to the agent request | false |
Available options for the HostRotation field:
| Field | Description |
|---|---|
random | randomly select a hostname from the list |
round-robin | loop through the list of host names in the order they are provided |
Available fields/values for the Cert block:
| Field | Type | Description | Required |
|---|---|---|---|
Cert | string | Path to the Cert file | true |
Key | string | Path to the Cert Key file | true |
Available fields/values for the Proxy block:
| Field | Type | Description | Required |
|---|---|---|---|
Host | string | Tells the agent where the proxy lives | true |
Port | integer | Tells the agent where the proxy lives | true |
Username | string | Username for the proxy connection | false |
Password | string | Password for the proxy connection | false |
Available fields/values for the Response block:
| Field | Type | Description | Required |
|---|---|---|---|
Headers | string | use the specified headers to respond to every request. | false |
Example Http/s listener configuration:
Listeners { Http { Name = "Agent Listener - HTTP/s" #KillDate = "2006-01-02 15:04:05" #WorkingHours = "8:00-17:00" Hosts = [ "5pider.dev", "havocframework.com:8080" ] HostBind = "0.0.0.0" PortBind = 443 PortConn = 443 HostRotation = "round-robin" Secure = true UserAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" Uris = [ "/funny_cat.gif", "/index.php", "/test.txt", "/helloworld.js" ] Headers = [ "Content-type: text/plain", "X-Havoc: true", "X-Havoc-Agent: Demon", ] Response { Headers = [ "Content-type: text/plain", "X-IsHavocFramework: true", ] } } }
The Demon block
The Demon block specifies the default behavior of the havoc demon agent.
| Field | Type | Description | Required |
|---|---|---|---|
Sleep | integer | Agent sleep delay | false |
Jitter | integer | Agent jitter percentage | false |
TrustXForwardedFor | boolean | trust X-Forwarded-For header | false |
Injection | block | Spawn & Injection block | false |
Binary | block | Binary modifications | false |
Available fields/values for the Injection block:
| Field | Type | Description | Required |
|---|---|---|---|
Spawn64 | string | x64 injection target for post exploitation modules | false |
Spawn86 | string | x86 injection target for post exploitation modules | false |
Example:
Demon { Sleep = 2 Jitter = 50 TrustXForwardedFor = false Injection { Spawn64 = "C:\\Windows\\System32\\Werfault.exe" Spawn32 = "C:\\Windows\\System32\\Werfault.exe" } }
Available fields/values for the Binary block:
| Field | Type | Description | Required |
|---|---|---|---|
ReplaceStrings-x64 | string map | String to match and replace for x64 payloads | false |
ReplaceStrings-x86 | string map | String to match and replace for x86 payloads | false |
Example:
Demon { Sleep = 2 Jitter = 50 TrustXForwardedFor = false Binary { ReplaceStrings-x64 = { "demon.x64.dll": "", "This program cannot be run in DOS mode.": "", } ReplaceStrings-x86 = { "demon.x86.dll": "", "This program cannot be run in DOS mode.": "", } } }
The Service block
The Service block lets you configure the service API endpoint and password.
| Field | Type | Description | Required |
|---|---|---|---|
Endpoint | string | Where the service api should be exposed | false |
Password | string | What password to use for the service api authentication | false |
The Webhook block
The Webhook block allows you to set where to send and log the initialized agent metadata.
| Field | Type | Description | Required |
|---|---|---|---|
Discord | block | Discord webhook block | false |
Available fields/values for the Discord block:
| Field | Type | Description | Required |
|---|---|---|---|
Url | string | Webhook Url | true |
AvatarUrl | string | Avatar Url to use | false |
User | string | Username to use for webhook bot | false |
On this page
- Profiles
- Syntax
- The Teamserver block
- The Operators block
- The Listeners block
- The Demon block
- The Service block
- The Webhook block