YAOTL Profiles
Havoc Framework uses YAOTL (Yet Another Operator Translation Language) files to configure the teamserver, operators, listeners, and agent behavior. These profiles define everything from network settings to agent sleep times.
Overview
YAOTL is a custom configuration language similar to HCL (HashiCorp Configuration Language). It provides:
Block-based syntax: Hierarchical configuration structure
Type safety: Validated configuration with clear error messages
Comments: Document your profiles inline
Profiles: Reusable configurations for different operations
YAOTL profile files use the .yaotl extension and are typically stored in the profiles/ directory.
Profile Structure
A complete YAOTL profile consists of five main blocks:
Teamserver { } # Server configuration and build tools
Operators { } # User authentication
Listeners { } # HTTP/HTTPS/SMB listener definitions (optional)
Demon { } # Default agent configuration
Service { } # External C2 / custom agent API (optional)
Only Teamserver, Operators, and Demon blocks are required. Listeners and Service are optional.
Teamserver Block
Configures the teamserver host, port, and build tools.
Basic Configuration
Teamserver {
    Host = "0.0.0.0"
    Port = 40056
    Build {
        Compiler64 = "data/x86_64-w64-mingw32-cross/bin/x86_64-w64-mingw32-gcc"
        Compiler86 = "data/i686-w64-mingw32-cross/bin/i686-w64-mingw32-gcc"
        Nasm = "/usr/bin/nasm"
    }
}
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| Host | string | Yes | IP address to bind WebSocket server (0.0.0.0 for all) |
| Port | int | Yes | Port for operator client connections (default: 40056) |
| Build | block | No | Build tool configuration |
Build Block
Specifies paths to compilation tools:
| Parameter | Type | Required | Description |
|---|---|---|---|
| Compiler64 | string | No | Path to x64 MinGW compiler (auto-detected if omitted) |
| Compiler86 | string | No | Path to x86 MinGW compiler (auto-detected if omitted) |
| Nasm | string | No | Path to NASM assembler (auto-detected if omitted) |
If you omit the Build block, the teamserver will search for compilers in your PATH.
Operators Block
Defines authorized users and their credentials.
Configuration
Operators {
    user "5pider" {
        Password = "password1234"
    }
    user "Neo" {
        Password = "password1234"
    }
}
Parameters
Each user block:
| Parameter | Type | Required | Description |
|---|---|---|---|
| Label | string | Yes | Username (in quotes after user) |
| Password | string | Yes | Plain-text password (hashed with SHA3-256 during auth) |
Passwords are stored in plain text in the profile but transmitted as SHA3-256 hashes during authentication.
Demon Block
Configures default agent behavior and injection settings.
Basic Configuration
Demon {
    Sleep = 2
    Jitter = 15
    TrustXForwardedFor = false
    Injection {
        Spawn64 = "C:\\Windows\\System32\\notepad.exe"
        Spawn32 = "C:\\Windows\\SysWOW64\\notepad.exe"
    }
}
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| Sleep | int | No | Default sleep time in seconds (default: 2) |
| Jitter | int | No | Jitter percentage 0-100 (default: 15) |
| IndirectSyscall | bool | No | Enable indirect syscalls (default: true) |
| StackDuplication | bool | No | Duplicate stack during sleep (default: false) |
| SleepTechnique | string | No | Sleep obfuscation: "Ekko", "Zilean", "FOLIAGE" |
| ProxyLoading | string | No | DLL proxy loading technique |
| AmsiEtwPatching | string | No | AMSI/ETW bypass method |
| TrustXForwardedFor | bool | No | Trust X-Forwarded-For header (for redirectors) |
| Injection | block | Yes | Process injection configuration |
Injection Block
Defines processes to spawn for injection:
Injection {
    Spawn64 = "C:\\Windows\\System32\\Werfault.exe"
    Spawn32 = "C:\\Windows\\SysWOW64\\Werfault.exe"
}
| Parameter | Type | Required | Description |
|---|---|---|---|
| Spawn64 | string | No | Full path to x64 process for injection |
| Spawn32 | string | No | Full path to x86 process for injection |
Choose inconspicuous processes like notepad.exe, Werfault.exe, or RuntimeBroker.exe for injection targets.
Binary Block (Advanced)
Customize compiled binary properties:
Binary {
    Header {
        MagicMz-x64 = "MZ"
        MagicMz-x86 = "MZ"
        CompileTime = "2023-01-15 10:30:00"
        ImageSize-x64 = 1024000
        ImageSize-x86 = 512000
    }
    ReplaceStrings-x64 = {
        "KERNEL32.DLL" = "KENNEL32.DLL"
    }
}
Listeners Block
Defines HTTP, HTTPS, SMB, and External C2 listeners.
HTTP/HTTPS Listener
Listeners {
    Http {
        Name = "Primary HTTP"
        Hosts = [
            "example.com",
            "192.168.1.100",
        ]
        HostBind = "0.0.0.0"
        HostRotation = "round-robin"
        PortBind = 443
        PortConn = 443
        Secure = true
        KillDate = "2024-12-31 23:59:59"
        WorkingHours = "08:00-17:00"
        UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
        Uris = [
            "/api/v1/updates",
            "/api/v2/sync",
        ]
        Headers = [
            "Accept: application/json",
            "Accept-Encoding: gzip, deflate",
        ]
        Response {
            Headers = [
                "Content-Type: application/json",
                "Server: nginx/1.18.0",
            ]
        }
    }
}
HTTP Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| Name | string | Yes | Unique listener identifier |
| Hosts | []string | Yes | List of callback domains/IPs (for agent rotation) |
| HostBind | string | Yes | Interface to bind (0.0.0.0 for all) |
| HostRotation | string | No | Host selection: "round-robin", "random" |
| PortBind | int | Yes | Port to listen on |
| PortConn | int | No | Port agents connect to (for port forwarding) |
| Secure | bool | No | Enable HTTPS (default: false) |
| KillDate | string | No | Date to stop listener (YYYY-MM-DD HH:MM:SS) |
| WorkingHours | string | No | Active hours (HH:MM-HH:MM) |
| UserAgent | string | No | Custom User-Agent string |
| Method | string | No | HTTP method: "GET", "POST" (default: POST) |
| Uris | []string | No | List of callback URIs (random selection) |
| Headers | []string | No | Additional HTTP headers |
| Response | block | No | Custom response headers |
| Cert | block | No | Custom TLS certificate |
Teams Profile Example
Mimic Microsoft Teams traffic:
Http {
    Name = "teams profile - http"
    Hosts = ["teams.microsoft.com"]
    HostBind = "0.0.0.0"
    PortBind = 443
    PortConn = 443
    Secure = true
    UserAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"
    Uris = ["/Collector/2.0/settings/"]
    Headers = [
        "Accept: json",
        "Referer: https://teams.microsoft.com/_",
        "x-ms-session-id: f73c3186-057a-d996-3b63-b6e5de6ef20c",
        "x-ms-client-type: desktop",
        "x-mx-client-version: 27/1.0.0.2021020410",
    ]
    Response {
        Headers = [
            "Content-Type: application/json; charset=utf-8",
            "Server: Microsoft-HTTPAPI/2.0",
            "x-ms-environment: North Europe-prod-3",
        ]
    }
}
This profile makes agent traffic resemble legitimate Microsoft Teams communications, helping evade detection.
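For defenders, the static values in this profile double as network indicators: a session ID that never changes, an `x-mx-` header prefix beside `x-ms-` siblings, a bare `Accept: json`, and a Teams Referer sent to whatever host the listener actually uses. The following added example (not part of the Havoc project or its documentation) scores proxy-style request records against them; the record layout, indicator names and sample records are assumptions constructed for illustration.

```python
# Added example (not Havoc code): score HTTP request records against the static
# values in the Teams-style listener profile on this page.
# Assumption: records are dicts with src, host, method, uri and headers keys.
STATIC_SESSION_ID = "f73c3186-057a-d996-3b63-b6e5de6ef20c"
PROFILE_URI = "/Collector/2.0/settings/"

def score_request(req):
    """Return the names of the profile indicators present in one request."""
    h = {k.lower(): v.strip() for k, v in req["headers"].items()}
    host = req["host"].lower()
    hits = []
    if "x-mx-client-version" in h:       # 'x-mx-' beside 'x-ms-*' siblings
        hits.append("misspelled-header")
    if h.get("x-ms-session-id") == STATIC_SESSION_ID:  # identical on every request
        hits.append("static-session-id")
    if h.get("accept") == "json":        # not a type/subtype media range
        hits.append("bare-accept")
    if req["method"] == "POST" and req["uri"] == PROFILE_URI:
        hits.append("profile-uri")
    is_ms = host == "microsoft.com" or host.endswith(".microsoft.com")
    if "teams.microsoft.com" in h.get("referer", "") and not is_ms:
        hits.append("referer-host-mismatch")
    return hits

def hunt(records, threshold=2):
    """Keep records with at least `threshold` indicators; one alone is weak."""
    scored = ((r["src"], r["host"], score_request(r)) for r in records)
    return [s for s in scored if len(s[2]) >= threshold]

# Constructed sample records (illustrative only, not captured traffic).
SAMPLE = [
    {"src": "10.0.0.5", "host": "teams.microsoft.com", "method": "POST",
     "uri": PROFILE_URI,
     "headers": {"Accept": "application/json",
                 "Referer": "https://teams.microsoft.com/_",
                 "x-ms-session-id": "0b9f2c1e-6a4d-4e55-9c3a-2d7e8f1a4b60",
                 "x-ms-client-version": "27/1.0.0.2021020410"}},
    {"src": "10.0.0.9", "host": "c2.example.test", "method": "POST",
     "uri": PROFILE_URI,
     "headers": {"Accept": "json",
                 "Referer": "https://teams.microsoft.com/_",
                 "x-ms-session-id": STATIC_SESSION_ID,
                 "x-ms-client-type": "desktop",
                 "x-mx-client-version": "27/1.0.0.2021020410"}},
]

if __name__ == "__main__":
    for src, host, hits in hunt(SAMPLE):
        print(src, host, ",".join(hits))
```

Any of these values can be changed in a profile, so matches are leads for triage, and the threshold keeps a single shared trait such as the URI from firing on its own.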
Custom TLS Certificate
Cert {
    Cert = "/path/to/server.crt"
    Key = "/path/to/server.key"
}
SMB Listener
For pivot/lateral movement via named pipes:
Smb {
    Name = "Pivot - SMB"
    PipeName = "demon_pipe"
    KillDate = "2024-12-31 23:59:59"
}
SMB Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| Name | string | Yes | Unique listener identifier |
| PipeName | string | Yes | Named pipe for SMB communication |
| KillDate | string | No | Date to stop listener |
| WorkingHours | string | No | Active hours |
SMB listeners are used for agent-to-agent communication in pivot scenarios, not for initial callbacks.
External C2 Listener
For custom agent integrations:
External {
    Name = "Custom Agent"
    Endpoint = "custom-endpoint"
}
Service Block
Enables the Service API for custom agents (External C2).
Configuration
Service {
    Endpoint = "service-endpoint"
    Password = "service-password"
}
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| Endpoint | string | Yes | URL path for service endpoint |
| Password | string | Yes | Authentication password for custom agents |
Usage
Custom agents POST to:
https://teamserver:40056/{Endpoint}
With authentication:
Authorization: Bearer {Password}
Use the Service API to integrate custom implants like Talon or your own agents.
WebHook Block (Optional)
Send notifications to Discord:
WebHook {
    Discord {
        Url = "https://discord.com/api/webhooks/..."
        AvatarUrl = "https://example.com/avatar.png"
        User = "Havoc Bot"
    }
}
Complete Example
Here’s the default havoc.yaotl profile:
Teamserver {
    Host = "0.0.0.0"
    Port = 40056
    Build {
        Compiler64 = "data/x86_64-w64-mingw32-cross/bin/x86_64-w64-mingw32-gcc"
        Compiler86 = "data/i686-w64-mingw32-cross/bin/i686-w64-mingw32-gcc"
        Nasm = "/usr/bin/nasm"
    }
}
Operators {
    user "5pider" {
        Password = "password1234"
    }
    user "Neo" {
        Password = "password1234"
    }
}
# Optional: this enables the service API for custom agents
Service {
    Endpoint = "service-endpoint"
    Password = "service-password"
}
Demon {
    Sleep = 2
    Jitter = 15
    TrustXForwardedFor = false
    Injection {
        Spawn64 = "C:\\Windows\\System32\\notepad.exe"
        Spawn32 = "C:\\Windows\\SysWOW64\\notepad.exe"
    }
}
Advanced Example: HTTP + SMB
From http_smb.yaotl:
Teamserver {
    Host = "0.0.0.0"
    Port = 40056
    Build {
        Compiler64 = "/usr/bin/x86_64-w64-mingw32-gcc"
        Compiler86 = "/usr/bin/i686-w64-mingw32-gcc"
        Nasm = "/usr/bin/nasm"
    }
}
Operators {
    user "5pider" {
        Password = "password1234"
    }
    user "Neo" {
        Password = "password1234"
    }
}
Listeners {
    Http {
        Name = "teams profile - http"
        Hosts = ["5pider.net"]
        HostBind = "0.0.0.0"
        HostRotation = "round-robin"
        PortBind = 443
        PortConn = 443
        Secure = false
        KillDate = "2024-01-02 12:00:00"
        UserAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"
        Uris = ["/Collector/2.0/settings/"]
        Headers = [
            "Accept: json",
            "Referer: https://teams.microsoft.com/_",
            "x-ms-session-id: f73c3186-057a-d996-3b63-b6e5de6ef20c",
            "x-ms-client-type: desktop",
            "x-mx-client-version: 27/1.0.0.2021020410",
            "Accept-Encoding: gzip, deflate, br",
            "Origin: https://teams.microsoft.com"
        ]
        Response {
            Headers = [
                "Content-Type: application/json; charset=utf-8",
                "Server: Microsoft-HTTPAPI/2.0",
                "X-Content-Type-Options: nosniff",
                "x-ms-environment: North Europe-prod-3,_cnsVMSS-6_26",
                "x-ms-latency: 40018.2038",
                "Access-Control-Allow-Origin: https://teams.microsoft.com",
                "Access-Control-Allow-Credentials: true",
                "Connection: keep-alive"
            ]
        }
    }
    Smb {
        Name = "Pivot - Smb"
        PipeName = "demon_pipe"
    }
}
Service {
    Endpoint = "service-endpoint"
    Password = "service-password"
}
Demon {
    Sleep = 2
    Jitter = 20
    TrustXForwardedFor = false
    Injection {
        Spawn64 = "C:\\Windows\\System32\\Werfault.exe"
        Spawn32 = "C:\\Windows\\SysWOW64\\Werfault.exe"
    }
}
Profile Validation
The teamserver validates profiles on startup:
// From profile.go
func (p *Profile) SetProfile(path string, def bool) error {
	err := yaotl.DecodeFile(path, nil, &p.Config)
	if err != nil {
		return err // Returns detailed parse errors
	}
	logger.Info("Havoc profile:", path)
	return nil
}
Common Errors:
Syntax errors: Missing quotes, brackets, or commas
Type errors: Wrong data type (e.g., string instead of int)
Required fields: Missing mandatory parameters
Invalid values: Out-of-range values or unknown options
Test your profile with the --debug flag to see detailed validation output.
Best Practices
Security
Use strong operator passwords
Change default passwords
Set appropriate kill dates
Use HTTPS for listeners
Rotate profiles between ops
Operational
Document profile purpose
Use descriptive listener names
Set realistic sleep/jitter
Configure working hours
Test before deployment
Network
Match legitimate traffic patterns
Use credible User-Agent strings
Customize HTTP headers
Configure appropriate URIs
Consider using redirectors
Evasion
Vary injection targets
Customize binary properties
Use sleep obfuscation
Enable indirect syscalls
Mimic known services (Teams, etc.)
Profile Library
Havoc includes several example profiles:
| Profile | Description |
|---|---|
| havoc.yaotl | Basic profile with minimal configuration |
| http_smb.yaotl | HTTP listener + SMB pivot support |
| webhook_example.yaotl | Demonstrates Discord webhook integration |
Create custom profiles for different operations, environments, or detection strategies. Store them in profiles/ with descriptive names.