An ad hoc script for decrypting the Havoc C2 framework traffic.
from Crypto.Cipher import AES
from Crypto.Util import Counter
import binascii
def decrypting(key,iv,data):
    """Decrypt one hex-encoded AES-CTR ciphertext with a hex-encoded key and IV.

    Args:
        key: AES key as a hex string.
        iv: counter block as a hex string; its bytes are read big-endian and
            used as the initial value of a 128-bit CTR counter.
        data: ciphertext as a hex string.

    Returns:
        ``(raw, text)``: the decrypted bytes, and the same bytes decoded as
        UTF-8 with undecodable sequences dropped (handy for eyeballing output
        that is mostly text but may contain binary).

    Raises:
        binascii.Error: when any of the three arguments is not valid hex.
        ValueError: when the decoded key has no valid AES key length.
    """
    raw_key, raw_iv, ciphertext = (binascii.unhexlify(h) for h in (key, iv, data))
    # One CTR counter per call: every entry restarts from the captured IV.
    counter = Counter.new(128, initial_value=int.from_bytes(raw_iv, byteorder='big'))
    plaintext = AES.new(raw_key, AES.MODE_CTR, counter=counter).decrypt(ciphertext)
    return plaintext, plaintext.decode('utf-8', 'ignore')
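def values(hex_string):
    """Parse the first captured request, print its header, and decrypt its payload.

    The entry is one hex string laid out, at the offsets this script assumes,
    as: ``[0:8]`` size, ``[8:16]`` magic value, ``[16:24]`` agent ID,
    ``[24:40]`` command ID, ``[40:104]`` AES key (32 bytes), ``[104:136]``
    AES IV (16 bytes), ``[136:]`` ciphertext.  The ``DEMON_INITIALIZE`` label
    is not derived from the command-ID bytes; it is the script's assumption
    about the first POST request, which is the one that carries key and IV.

    Args:
        hex_string: a whitespace-stripped hex entry from the results file.

    Returns:
        ``(key, iv, decrypted_data, readable_data)``: key and IV are returned
        still hex-encoded so later entries can be passed to ``decrypting``.

    Raises:
        ValueError: if the entry is shorter than header + key + IV, so the
            fixed offsets would yield a truncated or empty key.
        binascii.Error: if the entry is not valid hex.
    """
    # Header (40 hex chars) + 32-byte key (64) + 16-byte IV (32) = 136 chars.
    if len(hex_string) < 136:
        raise ValueError(
            f"entry too short for header, key and IV: {len(hex_string)} hex chars, need at least 136"
        )
    # Actual byte count of the whole entry, printed next to the size field
    # so an analyst can spot a truncated or concatenated capture line.
    size_in_bytes = len(binascii.unhexlify(hex_string))
    key = hex_string[40:104]
    iv = hex_string[104:136]
    data = hex_string[136:]
    print(f"SIZE: {hex_string[0:8]} => {size_in_bytes}")
    print(f"Magic Value: {hex_string[8:16]}")
    print(f"Agent ID: {hex_string[16:24]}")
    # Label is assumed for the first request, not decoded from the field.
    print(f"Command ID: {hex_string[24:40]} => DEMON_INITIALIZE")
    print(f"AES Key: {key}")
    print(f"AES IV: {iv}")
    decrypted_data, readable_data = decrypting(key, iv, data)
    return key, iv, decrypted_data, readable_data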
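def _read_entries(path):
    """Return the non-empty, whitespace-stripped lines of a tshark field dump."""
    with open(path, 'r') as handle:
        return [line.strip() for line in handle if line.strip()]


def _report(decrypted_data, readable_data, dumped):
    """Print one decrypted entry and dump it to disk when it looks like a PE.

    ``dumped`` is the number of files written so far: the first hit keeps
    the original ``binary`` file name, later hits get a numeric suffix so a
    second payload no longer overwrites the first.  Returns the updated
    count.  The ``"MZ"`` test is a substring match on the decoded text, so
    it can also fire on non-PE output that happens to contain those two
    characters; check the dumped file before trusting it.
    """
    if "MZ" in readable_data:
        name = "binary" if dumped == 0 else f"binary_{dumped}"
        with open(name, "wb") as writing:
            writing.write(decrypted_data)
        dumped += 1
    print("Decrypted data:", readable_data + "\n")
    return dumped


if __name__ == "__main__":
    #An ad hoc script for decrypting the Havoc C2 framework traffic.
    #https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace
    #https://github.com/HavocFramework/Havoc/tree/6e5bda49b506b0b0e1826a78fe6edbf6dcfcf607
    print("Printing command output\n")
    # tshark -r capture.pcap -Y 'http.request.method == "POST"' -T fields -e media.type > results
    results_list = _read_entries('results')
    if not results_list:
        # Without the first POST there is no key/IV; the commands loop below
        # would otherwise fail with an unrelated NameError.
        raise SystemExit("results file is empty: no first request to take the AES key and IV from")
    dumped = 0
    # The first POST carries the key and IV; every later entry reuses them.
    key, iv, decrypted_data, readable_data = values(results_list[0])
    print("Decrypted data:", readable_data + "\n")
    for entry in results_list[1:]:
        # 40 hex chars of header precede the ciphertext in each later reply.
        decrypted_data, readable_data = decrypting(key, iv, entry[40:])
        dumped = _report(decrypted_data, readable_data, dumped)
    print("*" * 100)
    print("Printing commands sent\n")
    # tshark -r capture.pcap -Y 'http' -T fields -e data.data > commands
    commands_list = _read_entries('commands')
    for entry in commands_list:
        # 24 hex chars of header precede the ciphertext in each command.
        decrypted_data, readable_data = decrypting(key, iv, entry[24:])
        dumped = _report(decrypted_data, readable_data, dumped)
    print("*" * 100)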