Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/HavocFramework/Havoc/llms.txt

Use this file to discover all available pages before exploring further.

This quickstart guide will walk you through setting up Havoc Framework, starting the teamserver, connecting the client, and generating your first Demon agent.

Prerequisites

Before you begin, ensure you have:
  • A supported Linux distribution (Ubuntu 20.04/22.04, Debian 10/11, or Kali Linux)
  • All required dependencies installed (see Installation)
  • Successfully built both the teamserver and client

Start the teamserver

The teamserver is the backend component that handles agent communications, payload generation, and client connections.
1

Navigate to the Havoc directory

cd Havoc
2

Launch the teamserver with a profile

sudo ./havoc server --profile ./profiles/havoc.yaotl -v --debug
  • --profile: Specifies the configuration profile
  • -v: Enables verbose output
  • --debug: Enables debug logging
You should see output indicating the teamserver has started and is listening for client connections.

Connect the client

1

Start the Havoc client

In a new terminal window:
./havoc client
The client GUI will launch and display a connection dialog.
2

Configure connection settings

Enter your connection details:
  • Profile Name: A descriptive name (e.g., “Local Server”)
  • Host: The teamserver address (e.g., 127.0.0.1 for local)
  • Port: The teamserver port (default: 40056)
  • Username: Your operator username (defined in the profile)
  • Password: Your operator password (defined in the profile)
The default credentials in havoc.yaotl are:
  • Username: 5pider or Neo
  • Password: password1234
3

Connect

Click Connect to establish the connection. Once connected, you’ll see the main Havoc interface with the session graph, event log, and console.

Create a listener

Listeners are how agents communicate with the teamserver.
1

Open the Listeners view

In the top menu, navigate to ViewListeners.A new pane will appear at the bottom of the window.
2

Add a new listener

Click the Add button in the Listeners pane.
3

Configure the listener

In the Create Listener dialog:
  • Name: A descriptive name (e.g., “HTTP Listener”)
  • Payload: Select “Https” or “Http”
  • Hosts: The callback address (e.g., 192.168.1.100)
  • Port (Bind): Port to bind on the teamserver (e.g., 443)
  • Port (Conn): Port agents use to connect (default: same as bind)
  • User Agent: Browser user agent string
  • Headers: Custom HTTP headers (optional)
For HTTPS listeners, the teamserver will automatically generate a self-signed certificate.
4

Save the listener

Click Save. The listener will appear in the Listeners pane and begin accepting agent connections.

Generate a payload

1

Open the Payload generator

In the top menu, click AttackPayload.
2

Configure the payload

In the Payload dialog:
  • Listener: Select your HTTP/HTTPS listener
  • Agent: Select “Demon”
  • Format: Choose EXE, DLL, or Shellcode
  • Architecture: x64 (x86 coming soon)
Optional settings:
  • Sleep: Agent sleep interval in seconds (default: 2)
  • Jitter: Randomness in sleep timing (default: 15%)
  • Indirect Syscall: Enable for EDR evasion
  • Sleep Technique: Choose obfuscation method:
    • WaitForSingleObjectEx (no obfuscation)
    • FOLIAGE
    • Ekko
3

Generate

Click Generate. The teamserver will compile your payload.
You’ll see compilation progress in the client. Once complete, you’ll be prompted to save the payload file.
4

Save and deploy

Choose a location to save your payload, then deploy it to your target system.

Execute the payload

Transfer your generated payload to the target system and execute it. Within seconds (depending on your sleep configuration), you should see a new agent callback in the Havoc client.
For testing purposes, you can execute the payload on your local system. In production, use appropriate delivery methods for your engagement.

Interact with your agent

1

View the new session

When an agent checks in, it appears in the session graph and the Sessions pane.
2

Interact with the agent

Right-click on the session and select Interact.A new console tab will open for this agent.
3

Run commands

Try some basic commands:
help                    # List all available commands
whoami                  # Get current user
hostname                # Get computer name
pwd                     # Print working directory
ps                      # List running processes

Essential commands

Here are some frequently used Demon commands:

Session management

  • checkin - Request full agent check-in
  • sleep <seconds> - Change sleep interval
  • exit - Terminate the agent

File operations

  • ls / dir - List directory contents
  • cd <path> - Change directory
  • download <file> - Download a file
  • upload <local> <remote> - Upload a file

Process management

  • ps - List processes
  • kill <pid> - Terminate a process
  • proc module <pid> - List loaded modules

Token management

  • token getuid - Get current token UID
  • token steal <pid> - Steal token from process
  • token impersonate <id> - Impersonate a stolen token

Code execution

  • shell <command> - Execute shell command
  • inline-execute <assembly> - Execute .NET assembly
  • shellcode inject <pid> <path> - Inject shellcode

Enumeration

  • domain - Get domain information
  • net logons - Show logged-on users
  • net sessions - Show active sessions

Next steps

Explore Demon features

Learn about sleep obfuscation, indirect syscalls, and advanced capabilities

Configure profiles

Customize your C2 infrastructure with YAOTL profiles

Token management

Master privilege escalation and lateral movement techniques

Extend Havoc

Build custom agents, modules, and integrations

Troubleshooting

Check:
  • Firewall rules allow the listener port
  • Listener is running (View → Listeners)
  • Agent can reach the callback address
  • Sleep interval hasn’t elapsed yet (default: 2 seconds)
  • Check teamserver logs for connection attempts
Common causes:
  • Missing MinGW compiler (run make ts-build again)
  • Incorrect compiler paths in profile
  • Insufficient disk space
Solution: Check the teamserver output for specific compiler errors.
Check:
  • Teamserver is running
  • Correct host and port
  • Credentials match profile configuration
  • Firewall allows teamserver port (default: 40056)
Common issues:
  • Insufficient privileges (try token privs-get)
  • Blocked by AV/EDR (check event logs)
  • Invalid syntax (use help <command>)

Additional resources

For more help, join the Havoc Discord or check the FAQ.