HardHatC2 v0.3.02 alpha releases: C# Command & Control framework

HardHat C2

HardHat is a multiplayer C# .NET-based command and control framework. Designed to aid in red team engagements and penetration testing. HardHat aims to improve the quality of life factors during engagements by providing an easy-to-use but still robust C2 framework.
It contains three primary components, an ASP.NET teamserver, a blazor .NET client, and C# based implants.

Features

Teamserver & Client

• Per-operator accounts with account tiers to allow customized access control and features, including view-only guest modes, team-lead opsec approval(WIP), and admin accounts for general operation management.
• Managers (Listeners)
• Dynamic Payload Generation (Exe, Dll, shellcode, PowerShell command)
• Creation & editing of C2 profiles on the fly in the client
• Customization of payload generation
  • sleep time/jitter
  • kill date
  • working hours
  • type (Exe, Dll, Shellcode, ps command)
  • Included commands(WIP)
  • option to run confuser
• File upload & Downloads
• Graph View
• File Browser GUI
• Event Log
• JSON logging for events & tasks
• Loot tracking (Creds, downloads)
• IOC tracing
• Pivot proxies (SOCKS 4a, Port forwards)
• Cred store
• Autocomplete command history
• Detailed help command
• Interactive bash terminal command if the client is on linux or powershell on windows, this allows automatic parsing and logging of terminal commands like proxychains
• Persistent database storage of teamserver items (User accounts, Managers, Engineers, Events, tasks, creds, downloads, uploads, etc. )
• Recon Entity Tracking (track info about users/devices, random metadata as needed)
• Shared files for some commands (see teamserver page for details)
• tab-based interact window for command issuing
• table-based output option for some commands like ls, ps, etc.
• Auto parsing of output from seatbelt to create “recon entities” and fill entries to reference back to later easily
• Dark and Light 🤮 theme

Engineers

• C# .NET framework implant for windows devices, currently only CLR/.NET 4 support
• atm only one implant, but looking to add others
• It can be generated as EXE, DLL, shellcode, or PowerShell stager
• Rc4 encryption of payload memory & heap when sleeping (Exe / DLL only)
• AES encryption of all network communication
• ConfuserEx integration for obfuscation
• HTTP, HTTPS, TCP, SMB communication
  • TCP & SMB can work P2P in a bind or reverse setups
• Unique per implant key generated at compile time
• multiple callback URI’s depending on the C2 profile
• P/Invoke & D/Invoke integration for windows API calls
• SOCKS 4a support
• Reverse Port Forward & Port Forwards
• All commands run as async cancellable jobs
  • Option to run commands sync if desired
• Inline assembly execution & inline shellcode execution
• DLL Injection
• Execute assembly & Mimikatz integration
• Mimikatz is not built into the implant but is pushed when specific commands are issued
• Various localhost & network enumeration tools
• Token manipulation commands
  • Steal Token Mask(WIP)
• Lateral Movement Commands
• Jump (psexec, wmi, wmi-ps, winrm, dcom)
• Remote Execution (WIP)
• AMSI & ETW Patching
• Unmanaged Powershell
• Script Store (can load multiple scripts at once if needed)
• Spawn & Inject
  • Spawn-to is configurable
• run, shell & execute

Changelog v0.3.02 alpha

• General / Misc
  General performance and speed improvements due to various code rewrites
  Rewrote various code classes to enable them to be more generic for 3rd party implants
  Updated the various Nuget packages HardHat uses, giving a general improvement to bugs and UI issues
  Working on upgrading the plugin system to support more generalized, powerful plugins vs. just overriding specific parts that are predefined
  Added docker support
  Teamserver and Client port are now on 0.0.0.0 by default to work with docker so make sure to edit the appsettings.json as needed if this is not desired
  Cleaned up some console messages to make them clear
  Lots of implant-related code on the team server & client are now virtual, so devs can fully override functionality where needed
• Team Server
  Rewrote the logic for implant check-in and Tasking to support plugins and 3rd party implants and improve code flow
  Added webhooks for Discord, Slack, and Matter Most can also support custom destinations
  currently supports new implant check-in notifications or custom notifications
  Added more asp.net APIs so users can be created via API calls with web posts vs having to use the UI
  Updated logging logic to support the custom return types being logged as text
  Enabled data chunking so implants can return large command output in pieces to help lower network traffic detections
  Fixed some bugs related to implant creation when building dynamically and not including all commands/modules
  Updated database logic to support adding arbitrary objects vs only predefined types
  Added Event URLs to allow for implants to send and receive non-task-related communications (not currently used, still in testing)
  Added OAuth to the swagger/asp.net API page to support authenticating via a bearer token
  Rewrote implant task pre and post-processing to clean up code and improve speed
  Fixed some bugs around serialization and deserialization
  Removed hard-coded encryption keys that were added in 0.2 for ease of debugging
  Performance increase in speed of processing implant check-ins
  Performance increase to lower ram usage
  Performance increase to socks on average
  ~30%-40% decrease in latency
  ~30%-40% decrease in jitter
  ~150%-200% increase in download speed
  Added option to set server Ip address from command line args needs to passed in like 127.0.0.1:8000
  Added support to set HARDHAT_ADMIN_PASSWORD and HARDHAT_ADMIN_USERNAME environment variables
• Client
  Rewrote many components to support plugins and 3rd party implants
  Improved scaling of UI elements when the browser window is not full-sized
  Fixed UI display bugs where elements had fixed sizes, now use a % of screen size instead
  Removed need to perform redirection on the first login, the client now gets implants when the implants page is first visited
  Performance improvements for ram use, the client will now only use ram for command output when the implants tab is open and that commands panel is expanded; closing a command panel frees up the ram
  Separated various command display pieces into unique components allowing for better control of rendering
  Added a page for objective tracking, a basic list of objectives with sub-tasks can be created
  Added a tagging system to go with objectives
  tags can then be set on commands and local terminal commands and then can be filtered on the objectives page to see all commands related to a specific tag
  Added a tab to the toolbox page to see and write new commands for the Engineer in a style similar to Ilspy
  Added a view to see a disassembled .NET assembly, such as Rubeus in a similar manner to Ilspy
  Added an edit file view, the file will be downloaded and opened, if it can be written to, then the operator can make changes and save it to update the copy on the target machine, so acts like a built-in notepad of sorts
  Added a markdown notes page, that supports full markdown
  Each operator will have a private notes tab as well as access to a shared notes tab that is replicated to all clients
  Upgraded the file download command to enable viewing of the downloaded file content directly in the command result window
  Updated C2 profile dialog to allow for supplying real lists for stuff like callback URIs and Headers to add
  Changes to the default C2 profile now persist after leaving the page
  Updated manager creation to automatically get a list of possible bind addresses for the team server, still allows adding a custom IP to bind to if desired
  Cleaned up the final page of implant creation to make the chosen setting easier to read before finalizing implant creation
  Limited the view of the administrator user to show better the user’s intended purpose
  Added ability to track user inside of the client, allowing commands to be tagged per issuing user
  Added the ability to refresh plugins on the client & team server from the settings page
  Added option to appsettings.json to allow for automatic installation of client cert to the trusted cert store, disabled by default
  When used, this prevents the browser from warning for an untrusted site when browsing to the client
  Tasks now track their own pre/post-processing needs, issuing user and implant ID
• Implants
  Created a Rust demo implant (Rivet) to showcase the new 3rd party implant system
  Engineer -> Fixed some errors in the Engineer for token use
  Engineer -> Added an ldap whoami command for the Engineer to enable verification of network authentication changes, such as after a make token command
  Engineer -> Added command to enable opening a file on target and editing the file, if the file cannot be edited, it opens in read-only mode
  Engineer -> Added command to enable disassembly of a target assembly, allowing for viewing source in a style similar to Ilspy
  Engineer -> Added a command to get current modules
  Engineer -> Cleaned up tasking logic to know better when a command is not intended for the client UI, such as socks traffic
  Engineer -> Fixed parsing bug in inline assembly when sending a command with quotes in the arguments
  Engineer -> Updated implant task key to be a secure string to help protect it in memory
  Engineer -> Updated encryption functions to use the secure string to avoid the encryption keys for tasks being in memory any longer than needed
  Engineer -> Updated tasking logic to increase speed
• V3 -> 3.02
  • Includes some small UI bug fixes and pushed the Docker & Plugins folders to Master from Dev branch

Install & Use