Tools (Remote Operations)

Overview

#

Tools modules run on the teamserver and interact directly with remote services (SSH, SMB, etc.) — no implant required. They integrate with the credential store and support proxy routing for pivoting.

Listing Modules

#

CLI:

1

tantoc2[my-op]> tools list

Web UI: Navigate to the Tools page.

Running a Tool

#

Single Target

#

1
2
3
4

tantoc2[my-op]> tools run ssh_command exec \
    --target 192.168.1.10:22 \
    --cred-id <credential-id> \
    --command "whoami"

Multiple Targets

#

1
2
3
4
5

tantoc2[my-op]> tools run ssh_command exec \
    --target 192.168.1.10:22 \
    --target 192.168.1.11:22 \
    --cred-id <credential-id> \
    --command "hostname"

Multi-target execution runs in parallel. Results are aggregated per target.

Interactive Session

#

1

tantoc2[my-op]> tools use ssh_command

Enters an interactive tools shell for the selected module.

Web UI

#

Tools page > select module > select operation > fill targets and options > Execute.

Viewing Results

#

1
2

tantoc2[my-op]> tools executions
tantoc2[my-op]> tools result <execution-id>

Each execution contains per-target results with success/failure status and output data.

Proxy Configuration

#

Route tools operations through SOCKS or SSH tunnels for pivoting:

Create a Proxy

#

1

tantoc2[my-op]> proxy create --name corp-proxy --type socks5 --host 10.0.0.1 --port 1080

Use a Proxy

#

1
2
3
4
5

tantoc2[my-op]> tools run ssh_command exec \
    --target internal-host:22 \
    --cred-id <id> \
    --proxy-id <proxy-id> \
    --command "id"

Proxy Management

#

Credential Integration

#

Tools modules consume credentials from the credential store. Pass --cred-id to reference stored credentials — the manager decrypts and passes them to the module automatically.

Modules can also contribute credentials back: any credentials discovered during execution are auto-extracted and stored with full provenance.

Module Refresh

#

Discover new or updated tools modules without restarting:

1

tantoc2> tools refresh