explaingit

havocframework/havoc

8,352 | Go | Audience · ops devops | Complexity · 4/5 | Setup · hard

TLDR

An open-source red team command-and-control framework with a GUI client, a Go team server, and a C/assembly agent (Demon) for simulating attacker post-exploitation activity during authorized security assessments.

Mindmap

mindmap
  root((Havoc))
    What it does
      Red team C2
      Post-exploitation
    Components
      Teamserver
      Qt GUI client
      Demon agent
    Features
      SMB pivoting
      Token management
      Python extensions
    Platform
      Linux server
      Windows target

Things people build with this

USE CASE 1

Run a red team engagement with multiple operators sharing one team server to simulate coordinated attacker activity.

USE CASE 2

Test whether your organization's endpoint detection tools catch common post-exploitation techniques using the Demon agent.

USE CASE 3

Extend the framework with custom Python API modules for specific evasion or automation scenarios.

USE CASE 4

Simulate lateral movement through a network using Demon's SMB pivoting and token impersonation features.

Tech stack

Go, C, C++, Qt, Python, Assembly

Getting it running

Difficulty · hard | Time to first run · 1 day+

Requires Debian/Ubuntu/Kali Linux for the teamserver, Qt 6, Python 3.10, and a separate Windows test target to deploy the Demon agent.

In plain English

Havoc is an open-source command and control framework used in offensive security and red team engagements. Security professionals use tools like this to simulate what an attacker would do after gaining initial access to a target network, helping organizations understand and test their defenses.

The framework has three main parts. The teamserver is the central server component, written in Go, that multiple operators can connect to simultaneously. It handles incoming connections from compromised machines, generates payloads, and manages communication channels over HTTP and HTTPS. The client is a desktop application with a graphical interface, built with C++ and Qt, that the security operator uses to interact with the teamserver and see what is happening across all active sessions. The third part is called Demon, an agent written in C and assembly that runs on the target system and communicates back to the teamserver.

Demon includes a range of post-exploitation capabilities: running commands on target machines, managing authentication tokens, communicating through other compromised machines via SMB, and various techniques designed to avoid detection by security monitoring tools.

The framework is described by its author as designed to be modular and configurable rather than optimized for any specific evasion technique out of the box, with the idea that operators extend it for their own needs. Extensibility is built in through a Python API, a custom modules system, and support for plugging in third-party agents beyond Demon.

The teamserver runs best on Debian, Ubuntu, or Kali Linux and requires a modern version of Qt and Python 3.10 to build. Documentation lives in the project wiki and on the official website.

Copy-paste prompts

Prompt 1
Walk me through setting up Havoc's teamserver on Debian with HTTPS listeners, then connecting the Qt client and deploying a Demon agent to a test Windows VM.
Prompt 2
Write a Havoc Python API extension that automates credential harvesting via token impersonation and logs all results to a local file.
Prompt 3
Generate a red team engagement checklist using Havoc: from initial Demon deployment through lateral movement to reaching the objective, with operator notes for each stage.
Prompt 4
Explain how Havoc's Demon agent communicates over HTTP/HTTPS in a way that security monitoring tools may not flag as suspicious.

Verify against the repo before relying on details.