Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/HavocFramework/Havoc/llms.txt

Use this file to discover all available pages before exploring further.

Listeners are the communication channels through which Havoc agents (Demons) connect back to the teamserver. They handle incoming connections from deployed agents and manage bidirectional command and control traffic.

Listener Types

Havoc Framework supports multiple listener types to accommodate different operational scenarios:

HTTP/HTTPS

Standard web-based listeners for external agent communication with customizable profiles

SMB

Named pipe listeners for internal lateral movement and peer-to-peer communication

How Listeners Work

Listeners are configured in your Havoc profile (.yaotl file) and automatically start when the teamserver launches. Each listener type serves a specific purpose:

HTTP/HTTPS Listeners

HTTP/HTTPS listeners bind to network interfaces and handle agent callbacks over HTTP or HTTPS protocols. They support:
  • Multiple callback hosts with rotation strategies
  • Custom headers and URIs for traffic shaping
  • TLS/SSL encryption for secure communications
  • Proxy support for agents behind corporate proxies
  • Customizable response headers for evasion

SMB Listeners

SMB listeners enable peer-to-peer communication between agents using named pipes. They’re primarily used for:
  • Lateral movement within networks
  • Communication with agents that cannot directly reach the teamserver
  • Establishing parent-child agent relationships
  • Operating in environments with strict egress filtering

Profile Configuration

Listeners are defined in the Listeners block of your profile: 
Listeners {
    Http {
        Name = "Primary HTTP Listener"
        Hosts = ["teamserver.example.com"]
        PortBind = 443
        PortConn = 443
        Secure = true
        // Additional options...
    }

    Smb {
        Name = "Pivot Listener"
        PipeName = "msagent_pipe"
    }
}

Operational Considerations

Always use Secure = true for HTTP listeners in production environments to encrypt agent communications with TLS.

Kill Dates and Working Hours

Both HTTP and SMB listeners support operational security features:
  • KillDate: Automatically terminate agent operations after a specified date/time
  • WorkingHours: Restrict agent callbacks to specific time windows (e.g., business hours)
These features help agents blend in with normal network traffic and prevent discovery after operation completion.

Listener Management

Listeners can be:
  • Started automatically from your profile at teamserver launch
  • Added dynamically through the Havoc client interface
  • Stopped and restarted without interrupting active agents
  • Edited to update headers, URIs, and other configuration options

Next Steps

HTTP/HTTPS Configuration

Learn about all HTTP/HTTPS listener options and configuration examples

SMB Configuration

Configure SMB listeners for lateral movement scenarios

Build docs developers (and LLMs) love

Get started for freeTalk to us