Releases: DragoQCC/HardHatC2
V0.3.03-Alpha
General / Misc
General performance and speed improvements due to various code rewrites
Rewrote various classes to make them more generic for third-party implants
Updated the NuGet packages HardHat uses, fixing a number of bugs and UI issues
Work in progress on upgrading the plugin system to support more general, more powerful plugins rather than only overriding predefined parts
Added Docker support
The team server and client now bind to 0.0.0.0 by default so they work inside Docker. This exposes both listeners on every interface of the host, so edit appsettings.json to bind to a specific address if that is not what you want
Cleaned up some console messages to make them clearer
Much of the implant-related code on the team server and client is now virtual, so developers can fully override functionality where needed
Team Server
Rewrote the implant check-in and tasking logic to support plugins and third-party implants and to improve code flow
Added webhooks for Discord, Slack, and Mattermost; custom destinations are also supported
currently supports new-implant check-in notifications and custom notifications
Added more ASP.NET APIs so users can be created with HTTP POST requests instead of through the UI
Updated the logging logic so custom return types are logged as text
Enabled data chunking so implants can return large command output in pieces, reducing the chance of network-traffic-based detection
Fixed some bugs in implant creation when building dynamically without including all commands/modules
Updated the database logic to support adding arbitrary objects rather than only predefined types
Added event URLs so implants can send and receive non-task-related communications (not currently used; still in testing)
Added OAuth to the Swagger/ASP.NET API page so requests can be authenticated with a bearer token
Rewrote implant task pre- and post-processing to clean up the code and improve speed
Fixed some bugs around serialization and deserialization
Removed the hard-coded encryption keys that were added in 0.2 for ease of debugging (since the project is open source, those keys gave no confidentiality against anyone who had read the code)
Faster processing of implant check-ins
Lower RAM usage
SOCKS performance improvements, on average:
~30%-40% decrease in latency
~30%-40% decrease in jitter
~150%-200% increase in download speed
Added an option to set the server IP address from command-line arguments; pass it as address:port, e.g. 127.0.0.1:8000
Added support for setting the admin credentials via the HARDHAT_ADMIN_USERNAME and HARDHAT_ADMIN_PASSWORD environment variables (keep in mind that environment variables are visible to anyone who can inspect the process or container)
Client
Rewrote many components to support plugins and third-party implants
Improved scaling of UI elements when the browser window is not full-sized
Fixed UI display bugs where elements had fixed sizes; they now use a percentage of the screen size instead
Removed the redirect on first login; the client now fetches implants when the implants page is first visited
Performance improvements for RAM use: the client now only holds command output in memory while the implants tab is open and that command's panel is expanded, and closing a command panel frees the memory
Separated various command display pieces into distinct components, allowing better control of rendering
Added a page for objective tracking; a basic list of objectives with sub-tasks can be created
Added a tagging system to go with objectives
tags can be set on implant commands and local terminal commands and then filtered on the objectives page to see all commands related to a specific tag
Added a tab to the toolbox page to view and write new commands for the Engineer, in a style similar to ILSpy
Added a view to see a disassembled .NET assembly (such as Rubeus) in a manner similar to ILSpy
Added an edit-file view: the file is downloaded and opened, and if it is writable the operator can make changes and save them back to the copy on the target machine, so it acts as a built-in notepad of sorts
Added a markdown notes page that supports full markdown
Each operator has a private notes tab as well as access to a shared notes tab that is replicated to all clients
Upgraded the file download command so downloaded file content can be viewed directly in the command result window
Updated the C2 profile dialog to accept proper lists for items such as callback URIs and headers to add
Changes to the default C2 profile now persist after leaving the page
Updated manager creation to automatically list the team server's possible bind addresses; a custom IP to bind to can still be added if desired
Cleaned up the final page of implant creation so the chosen settings are easier to review before the implant is built
Limited the administrator user's view to better reflect that account's intended purpose
Added user tracking inside the client, so commands can be tagged with the issuing user
Added the ability to refresh plugins on the client and team server from the settings page
Added an appsettings.json option to automatically install the client certificate into the trusted certificate store; disabled by default
When enabled, this prevents the browser from warning about an untrusted site when browsing to the client
Tasks now track their own pre/post-processing needs, issuing user and implant ID
Implants
Created a Rust demo implant (Rivet) to showcase the new third-party implant system
Engineer -> Fixed some errors in the Engineer's token use
Engineer -> Added an LDAP whoami command to verify network authentication changes, such as after a make token command
Engineer -> Added a command to open and edit a file on the target; if the file cannot be written, it opens in read-only mode
Engineer -> Added a command to disassemble a target assembly, allowing its source to be viewed in a style similar to ILSpy
Engineer -> Added a command to list the currently loaded modules
Engineer -> Cleaned up the tasking logic to better recognise when a command's data is not intended for the client UI, such as SOCKS traffic
Engineer -> Fixed a parsing bug in inline assembly when a command's arguments contained quotes
Engineer -> Changed the implant task key to a SecureString to help protect it in memory
Engineer -> Updated the encryption functions to use the SecureString so the task encryption key is held in plaintext memory no longer than needed (the key still has to be decrypted to a plaintext buffer for each use, so this narrows the exposure window rather than removing it)
Engineer -> Updated the tasking logic to increase speed
V0.3 -> V0.3.03
- Includes some small UI bug fixes; the Docker and Plugins folders have been pushed from the Dev branch to Master
- Updated the plugin logic to enforce interface contracts while still allowing base functions to be reused, simplifying plugin development where possible
- Fixed a bug where autocomplete used the Engineer command list for all plugins
V0.2.01-Alpha
This is a large update. For the full patch notes and screenshots, check out the changelog here: https://docs.hardhat-c2.net/changelog/alpha-0.2-update-july-6-2023
• Implant
o Implants are now dynamic
commands and modules are selected at compile time, and new ones can be loaded into the implant during execution
o Sleep Encryption & BOF execution are now optional modules
o Added RunAs & GetSystem commands
o Added BOF execution & in-memory PE execution commands
o Added commands to load new commands & modules
o Added command to view currently loaded commands
o Added a token store and token store command
o Decreased the number of API calls made during shellcode execution and sleep encryption
o Download command updated to properly chunk data
Currently set at 500 KB per sleep cycle, so a 2000 KB file with a 5-second sleep takes four cycles, about 20 seconds, to download
o All commands have been updated to work with the new dynamic loading system
o When the sleep encryption module is loaded, post-ex sleep encryption activates automatically
o Removed all P/Invoke signatures (except the new ones for BOF & RPC); everything else now uses D/Invoke
The remaining P/Invoke code will be replaced soon
o Whoami command now properly prints group names
o Updated the default SpawnTo from calc.exe to notepad.exe
o Added ping command
o Added a “/noDecoy” flag to InlineDLL that increases stability at the cost of skipping module overloading
o Updated command logic to stream back data as it is received each sleep cycle
o Created the DyanmicEngineerLoading DLL, which is packed at compile time
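Worked example of the chunking scheme described above (and in the 0.3.03 team server notes, where command output is returned in pieces): an added Go example, not HardHat's code, with a constructed chunk layout (TaskID, Seq/Total, a SHA-256 digest over the whole result, and the chunk bytes). The implant side splits output into pieces of at most one chunk per sleep cycle; the team server side reassembles pieces that arrive out of order, ignores retransmits, and refuses to release a result whose digest does not match. CyclesToDeliver reproduces the page's figure: 2000 KB at 500 KB per cycle is four cycles, about 20 seconds at a 5-second sleep.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Chunk is one piece of a large task result, sized to fit in a single sleep cycle.
// Seq/Total let the server reassemble out-of-order arrivals; Digest is the SHA-256
// of the whole payload, repeated on every chunk, so the reassembled result can be checked.
type Chunk struct {
	TaskID string
	Seq    int
	Total  int
	Digest string
	Data   []byte
}

// CyclesToDeliver is how many check-ins a payloadLen-byte result needs at chunkSize bytes
// per cycle; an empty result still takes one cycle so the task can complete.
func CyclesToDeliver(payloadLen, chunkSize int) int {
	if payloadLen == 0 {
		return 1
	}
	return (payloadLen + chunkSize - 1) / chunkSize
}

// EstimatedSeconds is the delivery time at a fixed sleep with no jitter.
func EstimatedSeconds(payloadLen, chunkSize, sleepSeconds int) int {
	return CyclesToDeliver(payloadLen, chunkSize) * sleepSeconds
}

// SplitOutput is the implant side: break a result into chunks of at most chunkSize bytes.
func SplitOutput(taskID string, payload []byte, chunkSize int) ([]Chunk, error) {
	if chunkSize <= 0 {
		return nil, errors.New("chunkSize must be positive")
	}
	sum := sha256.Sum256(payload)
	digest := hex.EncodeToString(sum[:])
	total := CyclesToDeliver(len(payload), chunkSize)
	chunks := make([]Chunk, 0, total)
	for i := 0; i < total; i++ {
		start := i * chunkSize
		end := start + chunkSize
		if end > len(payload) {
			end = len(payload)
		}
		chunks = append(chunks, Chunk{TaskID: taskID, Seq: i, Total: total, Digest: digest, Data: payload[start:end]})
	}
	return chunks, nil
}

// Reassembler is the team server side: it collects chunks per task, tolerates duplicates
// and out-of-order delivery, and releases a result only once its digest verifies.
type Reassembler struct {
	pending map[string]map[int]Chunk
}

func NewReassembler() *Reassembler {
	return &Reassembler{pending: map[string]map[int]Chunk{}}
}

// Add returns (payload, true, nil) once every chunk has arrived and verified,
// (nil, false, nil) while chunks are outstanding, and an error on malformed or corrupt input.
func (r *Reassembler) Add(c Chunk) ([]byte, bool, error) {
	if c.Total <= 0 || c.Seq < 0 || c.Seq >= c.Total {
		return nil, false, fmt.Errorf("task %s: bad chunk index %d/%d", c.TaskID, c.Seq, c.Total)
	}
	parts, ok := r.pending[c.TaskID]
	if !ok {
		parts = map[int]Chunk{}
		r.pending[c.TaskID] = parts
	}
	if _, dup := parts[c.Seq]; dup {
		return nil, false, nil // retransmit of a chunk we already hold
	}
	parts[c.Seq] = c
	if len(parts) < c.Total {
		return nil, false, nil
	}
	seqs := make([]int, 0, len(parts))
	for s := range parts {
		seqs = append(seqs, s)
	}
	sort.Ints(seqs)
	var out []byte
	for _, s := range seqs {
		out = append(out, parts[s].Data...)
	}
	delete(r.pending, c.TaskID)
	if sum := sha256.Sum256(out); hex.EncodeToString(sum[:]) != c.Digest {
		return nil, false, fmt.Errorf("task %s: digest mismatch after reassembly", c.TaskID)
	}
	return out, true, nil
}
```

The digest check is the part worth keeping: once output is split across several check-ins, a dropped or corrupted piece would otherwise silently produce a truncated or mangled result in the operator's console.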
• Team Server
o Command read status is now tracked in the DB
o The mapping of account roles to active connections is now tracked in the DB
o Implant Tasking can now carry additional serialized objects between the client and team server at the time of tasking
o Alongside the client file preview feature, the code handling file downloads has been cleaned up and improved
o Added code to handle BOF packing
o Added code to handle sending dynamic commands and modules to implants
o Added new shellcode functions to help with "execute assembly"
o Improved JSON serialization & deserialization
o Added new objects to database tracking as required
• Client
o Commands that change user context (e.g. GetSystem) now update the UI to show that impersonation happened, updating icons and notes as needed
o Added a table column for notes on implants
Notes can be added via the “options” dropdown on the implants page
o Added a new tab to the Implants page to see previously compiled implants
This includes the configured settings, included commands and modules, saved location, and a download option
o Added an icon to the implant table and the implant interact tab showing the number of tasks whose response the operator has not yet opened/read
Unread tasks are marked so they can be told apart
o Added a client-side UI element to allow viewing of some file types inside the C2
PDF, ZIP, and image formats
o Added command aliases; input on the interact tab can now contain “$hh_AliasName” and, so long as the name is a valid entry in the alias table, it is replaced with its assigned value
This allows short-handing commands and command arguments
Aliases can be nested, so an alias may contain another alias so long as it is a valid entry in the alias table
o OPSEC enforcement has been activated
commands at the high OPSEC level prompt for a second confirmation
the blocked OPSEC level prevents tasking
the team lead approval setting sends a notification to the team lead to approve or deny the tasking
o Commands that create new implants (e.g. Inject) open a dialog to select the implant build options, the same as a normal creation
o Tasks now have a copy button in the header of the expansion panel to easily copy the command text (e.g. whoami)
o General UI improvements to support new features, clean up the layout, and improve use on different-sized screens
o Added multiple methods of command entry on the interact page; the method can be changed via the settings
When autocomplete is not in use, a search bar makes it easy to find commands
o Command history using the arrow keys has been updated and fixed
o Implants can now be added to the interact page via a “+” icon at the top of the page
o Replaced xtabs with mudtabs on the interact page for easier closing and tracking
o Improved JSON serialization & deserialization
o Commands that send files to implants now have a “/local” flag that reads the file from the client machine instead of the team server
o JWTs are now checked for expiration, and the user has to log in again once the token has expired
o Updated implant creation to be a multi-step UI to present all the configuration options better
o File browser UI can now be browsed by entering a file path in the top bar, similar to the Windows file browser
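The nested alias expansion described above, as an added Go example that is not HardHat's client code. It assumes the “$hh_Name” token syntax from the notes and a constructed alias table; the alias names and values are illustrative. Beyond the behaviour the notes describe, it handles the two failure modes a practitioner hits with nested aliases: an alias that refers back to itself through another alias (a cycle) and a token whose name is not in the table, both of which are reported instead of being sent to the implant as a literal argument.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// aliasPattern matches tokens of the form $hh_Name (the syntax from the release notes).
var aliasPattern = regexp.MustCompile(`\$hh_([A-Za-z0-9_]+)`)

// maxDepth bounds nested expansion so an unusually long (but legitimate) chain cannot recurse forever.
const maxDepth = 16

// ExpandAliases replaces every $hh_Name in input with its value from table, expanding any
// aliases that appear inside alias values in turn. An unknown name is an error rather than
// being left in place, since an unexpanded token would otherwise reach the implant as a
// literal argument; a cycle (A -> B -> A) is detected and reported instead of looping.
func ExpandAliases(input string, table map[string]string) (string, error) {
	return expand(input, table, map[string]bool{}, 0)
}

// expand does the recursive work; active holds the aliases currently being expanded on this path.
func expand(s string, table map[string]string, active map[string]bool, depth int) (string, error) {
	if depth > maxDepth {
		return "", errors.New("alias nesting too deep")
	}
	var firstErr error
	out := aliasPattern.ReplaceAllStringFunc(s, func(tok string) string {
		if firstErr != nil {
			return tok
		}
		name := aliasPattern.FindStringSubmatch(tok)[1]
		if active[name] {
			firstErr = fmt.Errorf("alias cycle through %q", name)
			return tok
		}
		val, ok := table[name]
		if !ok {
			firstErr = fmt.Errorf("unknown alias %q", name)
			return tok
		}
		active[name] = true
		expanded, err := expand(val, table, active, depth+1)
		delete(active, name)
		if err != nil {
			firstErr = err
			return tok
		}
		return expanded
	})
	if firstErr != nil {
		return "", firstErr
	}
	return out, nil
}

func main() {
	// Constructed alias table; names and values are illustrative, not HardHat defaults.
	table := map[string]string{
		"tgt":  "DC01.corp.local",
		"dump": "inlineAssembly /file rubeus.exe /args dump /server:$hh_tgt",
		"a":    "$hh_b", // a and b form a cycle on purpose
		"b":    "$hh_a",
	}
	out, err := ExpandAliases("$hh_dump /nowrap", table)
	fmt.Println(out, err)
	_, err = ExpandAliases("$hh_a", table)
	fmt.Println("cycle:", err)
}
```

Failing closed on an unknown alias is deliberate: a typo in an alias name should stop the command at the client rather than run something unintended on the target.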
v0.1.2-Alpha
Team Server
- Added a MessageData class which holds the string response so it can be sent as proper JSON
- Made the logging service pretty-print JSON instead of emitting newline-delimited JSON
- Updated post-processing for commands to use the MessageData class instead of a plain string
Client
- Added a MessageData class which holds the string response so it can be sent as proper JSON
- Added a kill date to the Engineer creation page
- Removed working hours for now
- Fixed JSON parsing (client / team server) when commands only returned strings
- Re-enabled Seatbelt auto table parsing
- Added a status icon for the CompleteWithErrors status
- Added a helper function to clean up extra whitespace lines in the output
- Updated the help menu and command validation for updated command args
Engineer
- Added a MessageData class which holds the string response so it can be sent as proper JSON
- The kill date is evaluated in UTC, so make sure the selected date and time are given in UTC at creation
- Added an unload-AppDomain option to InlineAssembly
- it will now create an AppDomain, load the assembly, and then unload the AppDomain
- removing traces of the assembly from the loaded AppDomain list
- users can also set the /appdomain flag to choose the name of the created AppDomain; the name is mscorlib by default
- e.g.
inlineAssembly /file rubeus.exe /args klist /execmethod unloaddomain /appdomain mscorlib
The 0.1.1.5 changes are included in this release as well
- This update should help resolve some display and interaction issues and command crashes
- Updated cancel task to work better
- Updated shell and run to handle possible crashes better
- run now streams back data as it receives it
- Cleaned up some UI responsiveness (thanks to @werdhaihai for the PR)
- Added a slider that changes the size of the interact window
- Fixed a bug with manager deletion
- The team server now only sends the IDs of tasks that have returned, rather than all tasks, to the client to help performance
- Added better processing for odd JSON data that was failing to process
- Added a toast popup when a task is canceled
v0.1.1-Alpha
Team Server
- Moved pre/post-processing to be Engineer-specific
- Moved most of HandleImplant into an Engineer-specific HandleEngineer, selected based on the received metadata
- This should allow other HandleX functions to be called in the future to handle check-in processes for other implant types based on metadata
- Added some changes to encryption
- Fixed a bug where the team server wouldn't always use the proper decryption key with P2P implants
- Cleaned up some of the SOCKS code (may be a tad faster / more stable)
- Added dictionary storage to allow multiple SOCKS servers at once rather than just one
- Updated all database functions to use async connections to help performance
- Fixed a bug where the database was not storing TaskResponseType info
- Fixed a login bug where the database creation code did not wait for the new tables and account to be created on first startup
- If this is present in your copy of this release, perform a git pull to get the newest update
Client
- Fixed help menu error in the link and whoami commands
- Added an option on the interact page so that when a panel is collapsed it
- Fixed an error from MyAuthenticationStateProvider trying to call JS while pages were rendering
- Increased the response timer for the interact page; this should result in smoother interaction and help with bugs in the auto-updating of panels
- Fixed a bug where the interact page deserialized output 6-7 times per command (yay Blazor) instead of once when it was received
Engineer
- Engineers now prepend the implant type name, as an XOR-obfuscated byte array, to the front of the metadata. This lets the team server read the implant type and call the proper decryption functions before the metadata itself has been decrypted (XOR here is obfuscation, not encryption; the type name is not a secret)
- Engineers now prepend the implant ID to each command response. This identifies the implant before decryption, so the proper decryption functions can be called
- Cleaned up some legacy code for checking if a task was running
- Increased use of async code to help performance
- Fixed a bug where, if an Engineer had both a TCP and an SMB implant, data was not always sent
- Changed JSON encoding (memory stream vs. UTF-8 bytes)
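Message framing of the kind the two Engineer items above describe (a readable implant type and implant ID in front of an encrypted body, so the team server can pick the decryption routine before decrypting), as an added Go example that is not HardHat's wire format. The layout, the XOR constant, the 16-byte implant ID and the use of AES-GCM are all assumptions made for this example. Because XOR only obfuscates the type name, the example also feeds the whole header into GCM as additional authenticated data, so a modified header is rejected under the per-implant key rather than quietly steering the message to a different handler.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed frame layout for this example (not HardHat's actual wire format):
//
//	[1 byte type length][type name XOR xorKey][16 byte implant ID][12 byte nonce][AES-GCM ciphertext+tag]
//
// The header is readable without any per-implant key, which is what lets the server pick the
// right key and handler before decrypting. XOR is obfuscation, not encryption, so the header is
// also bound into the ciphertext as GCM additional data: a tampered header fails authentication.
const xorKey = 0x5A // constructed value; only hides the type string from casual inspection

func obfuscate(b []byte) []byte {
	out := make([]byte, len(b))
	for i := range b {
		out[i] = b[i] ^ xorKey
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the implant side: build the header, then encrypt plaintext with the header as AAD.
func Seal(implantType string, implantID [16]byte, key, plaintext []byte) ([]byte, error) {
	if len(implantType) == 0 || len(implantType) > 255 {
		return nil, errors.New("implant type must be 1..255 bytes")
	}
	header := append([]byte{byte(len(implantType))}, obfuscate([]byte(implantType))...)
	header = append(header, implantID[:]...)
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, header)
	frame := make([]byte, 0, len(header)+len(nonce)+len(ct))
	return append(append(append(frame, header...), nonce...), ct...), nil
}

// ParseHeader recovers implant type and ID with no key at all, returning the remaining bytes.
func ParseHeader(frame []byte) (implantType string, implantID [16]byte, rest []byte, err error) {
	if len(frame) < 1 {
		return "", implantID, nil, errors.New("empty frame")
	}
	n := int(frame[0])
	if len(frame) < 1+n+16 {
		return "", implantID, nil, errors.New("truncated header")
	}
	implantType = string(obfuscate(frame[1 : 1+n]))
	copy(implantID[:], frame[1+n:1+n+16])
	return implantType, implantID, frame[1+n+16:], nil
}

// Open is the team server side: read the header, look up that implant's key, then decrypt.
func Open(frame []byte, keys map[[16]byte][]byte) (string, []byte, error) {
	implantType, id, rest, err := ParseHeader(frame)
	if err != nil {
		return "", nil, err
	}
	key, ok := keys[id]
	if !ok {
		return "", nil, fmt.Errorf("unknown implant id %x", id)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", nil, err
	}
	if len(rest) < gcm.NonceSize() {
		return "", nil, errors.New("truncated body")
	}
	header := frame[:len(frame)-len(rest)]
	pt, err := gcm.Open(nil, rest[:gcm.NonceSize()], rest[gcm.NonceSize():], header)
	if err != nil {
		return "", nil, errors.New("authentication failed: body or header tampered, or wrong key")
	}
	return implantType, pt, nil
}
```

ParseHeader needs no key, which is the design point: the server identifies the sender first and only then decrypts. The price is that the header is visible to anyone on the path, so nothing secret should ever be placed in it.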
v0.1-Alpha
Fix to add donut and sgn back in