gitwtfhub

wtf is havoc?

havocframework/havoc — explained in plain English

Analysis updated 2026-06-24

8,352GoAudience · ops devopsComplexity · 4/5Setup · hard

TL;DR

An open-source red team command-and-control framework with a GUI client, a Go team server, and a C/assembly agent (Demon) for simulating attacker post-exploitation activity during authorized security assessments.

Mindmap

mindmap
  root((Havoc))
    What it does
      Red team C2
      Post-exploitation
    Components
      Teamserver
      Qt GUI client
      Demon agent
    Features
      SMB pivoting
      Token management
      Python extensions
    Platform
      Linux server
      Windows target

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Run a red team engagement with multiple operators sharing one team server to simulate coordinated attacker activity.

REASON 2

Test whether your organization's endpoint detection tools catch common post-exploitation techniques using the Demon agent.

REASON 3

Extend the framework with custom Python API modules for specific evasion or automation scenarios.

REASON 4

Simulate lateral movement through a network using Demon's SMB pivoting and token impersonation features.

What's in the stack?

GoCC++QtPythonAssembly

How it stacks up

havocframework/havoccharmbracelet/bubblesandlabs/ui
Stars8,3528,3538,359
LanguageGoGoGo
Setup difficultyhardeasymoderate
Complexity4/52/53/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · hard Time to first run · 1day+

Requires Debian/Ubuntu/Kali Linux for the teamserver, Qt 6, Python 3.10, and a separate Windows test target to deploy the Demon agent.

Wtf does this do

Havoc is an open-source command and control framework used in offensive security and red team engagements. Security professionals use tools like this to simulate what an attacker would do after gaining initial access to a target network, helping organizations understand and test their defenses. The framework has three main parts. The teamserver is the central server component, written in Go, that multiple operators can connect to simultaneously. It handles incoming connections from compromised machines, generates payloads, and manages communication channels over HTTP and HTTPS. The client is a desktop application with a graphical interface, built with C++ and Qt, that the security operator uses to interact with the teamserver and see what is happening across all active sessions. The third part is called Demon, an agent written in C and assembly that runs on the target system and communicates back to the teamserver. Demon includes a range of post-exploitation capabilities: running commands on target machines, managing authentication tokens, communicating through other compromised machines via SMB, and various techniques designed to avoid detection by security monitoring tools. The framework is described by its author as designed to be modular and configurable rather than optimized for any specific evasion technique out of the box, with the idea that operators extend it for their own needs. Extensibility is built in through a Python API, a custom modules system, and support for plugging in third-party agents beyond Demon. The teamserver runs best on Debian, Ubuntu, or Kali Linux and requires a modern version of Qt and Python 3.10 to build. Documentation lives in the project wiki and on the official website.

Yoink these prompts

Prompt 1
Walk me through setting up Havoc's teamserver on Debian with HTTPS listeners, then connecting the Qt client and deploying a Demon agent to a test Windows VM.
Prompt 2
Write a Havoc Python API extension that automates credential harvesting via token impersonation and logs all results to a local file.
Prompt 3
Generate a red team engagement checklist using Havoc: from initial Demon deployment through lateral movement to reaching the objective, with operator notes for each stage.
Prompt 4
Explain how Havoc's Demon agent communicates over HTTP/HTTPS in a way that security monitoring tools may not flag as suspicious.

Frequently asked questions

wtf is havoc?

An open-source red team command-and-control framework with a GUI client, a Go team server, and a C/assembly agent (Demon) for simulating attacker post-exploitation activity during authorized security assessments.

What language is havoc written in?

Mainly Go. The stack also includes Go, C, C++.

How hard is havoc to set up?

Setup difficulty is rated hard, with roughly 1day+ to a first successful run.

Who is havoc for?

Mainly ops devops.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.