CLI Reference

Table of Contents

Complete reference for all TantoC2 CLI commands. Covers the global shell, agent shell, group shell, and tools shell.

Starting the CLI
#

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
# Classic readline shell
tantoc2-cli

# With server URL pre-set
tantoc2-cli --url https://teamserver:8443

# TUI mode (recommended)
tantoc2-cli --tui
tantoc2-cli --tui --url https://teamserver:8443

# JSON output mode (all output is JSON — for scripting)
tantoc2-cli --url https://teamserver:8443 --json-mode

Per-command JSON output (also works inside the shell):

1
tantoc2> agents list --json

Tab Completion
#

Tab completion is available at every argument position:

Command and sub-command names
Agent hostnames and hostname:shortid pairs
Listener names, module names, build names, credential IDs
Flag names (--listener, --kill-date, etc.)
Flag values where they are enumerable (protocol types, credential IDs)
Local filesystem paths for upload source files
Remote filesystem paths for download targets (cached from previous ls results — no implicit C2 traffic)
Background task indices for results

Global Shell Commands
#

These commands are available at the tantoc2> or tantoc2[engagement]> prompt.

Connection
#

Command	Description
`connect <url>`	Set the teamserver URL
`login <username>`	Log in (prompts for password)
`logout`	Log out

1
2
3
4
tantoc2> connect https://teamserver:8443
tantoc2> login alice
Password: ****
tantoc2> logout

Engagements
#

1
2
3
4
tantoc2> engagements list
tantoc2> engagements use <name-or-id>
tantoc2> engagements create <name>           # prompts for passphrase
tantoc2> engagements create <name> --use     # create and immediately activate

Agents
#

1
2
3
4
5
6
tantoc2[eng]> agents list
tantoc2[eng]> agents info <hostname>
tantoc2[eng]> agents use <hostname>          # enter agent shell
tantoc2[eng]> agents kill <hostname>
tantoc2[eng]> agents topology                # show P2P relay tree
tantoc2[eng]> agents chain <agent-id>        # show relay path to teamserver

Building agents:

1
2
3
4
5
6
tantoc2[eng]> agents generate                           # show packages and usage
tantoc2[eng]> agents generate <package> \
    --listener <name>[:<ip>] \
    --kill-date 2026-12-31 \
    --interval 60 --jitter 10 \
    --name my-build

--kill-date and --kill-days are mutually exclusive. One is required.

Viewing and downloading builds:

1
2
3
4
tantoc2[eng]> agents builds
tantoc2[eng]> agents builds info <name-or-id>
tantoc2[eng]> agents builds download <name-or-id>
tantoc2[eng]> agents builds download <name-or-id> --output /tmp/agent.bin

Agent groups:

1
2
3
tantoc2[eng]> agents group create webservers id1 id2 id3
tantoc2[eng]> agents group use webservers      # enter group shell
tantoc2[eng]> agents group list

All agents in a group must share the same capability set.

Agent identification: Agents are identified by:

hostname — unambiguous if only one agent on that host
hostname:shortid — always unambiguous (e.g., WORKSTATION-01:a1b2c3d4)
UUID or UUID prefix — direct ID match

Listeners
#

1
2
3
4
5
6
7
tantoc2[eng]> listeners list
tantoc2[eng]> listeners create http --name main-http --port 8080
tantoc2[eng]> listeners create tcp --name main-tcp --port 4444
tantoc2[eng]> listeners create external \
    --name redir --host redirector.example.com --port 443 --protocol https
tantoc2[eng]> listeners start <name-or-id>
tantoc2[eng]> listeners stop <name-or-id>

Modules (Agent-Loadable)
#

1
2
3
4
5
tantoc2[eng]> modules list
tantoc2[eng]> modules list --format bof
tantoc2[eng]> modules info <module-name>
tantoc2[eng]> modules compatible <agent-id>   # only modules the agent can load
tantoc2[eng]> modules refresh                 # reload from plugin directory

Credentials
#

1
2
3
4
5
6
7
tantoc2[eng]> creds list
tantoc2[eng]> creds add --type <type> --username <user> --secret <secret>
              [--domain <domain>] [--notes <notes>]
tantoc2[eng]> creds search [--type X] [--username X] [--domain X]
tantoc2[eng]> creds export --format json
tantoc2[eng]> creds export --format csv
tantoc2[eng]> creds export --format hashcat

Credential types: plaintext, hash, ticket, ssh_key, token, api_key, certificate

File Transfers
#

Upload and download are agent-scoped — use them from the agent shell. To manage completed transfers from the global prompt:

1
2
3
tantoc2[eng]> files list <agent-id>
tantoc2[eng]> files info <agent-id> <transfer-id>
tantoc2[eng]> files fetch <agent-id> <transfer-id> [output-path]

Tools (Agentless Operations)
#

1
2
3
4
tantoc2[eng]> tools list
tantoc2[eng]> tools info <module-name>
tantoc2[eng]> tools use <module-name>      # enter tools shell
tantoc2[eng]> tools refresh

Proxy Configuration
#

1
2
3
4
tantoc2[eng]> proxy list
tantoc2[eng]> proxy create --name corp-proxy --type socks5 --host 10.0.0.5 --port 1080
tantoc2[eng]> proxy info <id>
tantoc2[eng]> proxy delete <id>

Collection Requests
#

1
2
3
4
5
6
tantoc2[eng]> requests list
tantoc2[eng]> requests list --status pending
tantoc2[eng]> requests count                   # pending count
tantoc2[eng]> requests info <id>
tantoc2[eng]> requests approve <id>
tantoc2[eng]> requests deny <id> --reason "out of scope"

Operators (Admin Only)
#

1
2
3
4
5
6
7
tantoc2> operators list
tantoc2> operators info <username>
tantoc2> operators create <username> [--role admin|operator|spectator|collector]
tantoc2> operators update <username> [--role X] [--active true|false] [--password]
tantoc2> operators delete <username>
tantoc2> operators grant <username> <engagement>
tantoc2> operators revoke <username> <engagement>

Plugins
#

1
2
3
4
tantoc2> plugins list
tantoc2> plugins refresh
tantoc2> plugins load <path>      # load plugin from server filesystem path
tantoc2> plugins upload <path>    # upload a .whl file to the server and install it

Utility
#

1
2
3
4
5
6
tantoc2> help                    # list all commands
tantoc2> clear                   # clear the screen
tantoc2> local_shell             # drop to a local OS shell
tantoc2> !<command>              # run a local command inline
tantoc2> exit                    # exit the CLI
tantoc2> quit                    # same as exit

Agent Shell Commands
#

Enter the agent shell with agents use <hostname>. The prompt changes to hostname:shortid>.

Management Commands (always available)
#

Command	Description
`info`	Show agent details (mode, OS, IPs, capabilities)
`capabilities`	Show supported module formats and built-in commands
`loaded`	List currently loaded modules
`modules list`	Show compatible modules for this agent
`modules info <name>`	Show details for a specific module
`load <module> <format>`	Load a module (managed mode)
`load <module> <format> --daemonize`	Load a module (daemonized mode)
`unload <loaded-module-id>`	Unload a running managed module
`files list`	List file transfers for this agent
`files info <transfer-id>`	Show transfer details
`files fetch <transfer-id> [path]`	Download a completed transfer
`upload <local> <remote>`	Upload a file to the agent
`download <remote>`	Download a file from the agent
`tasks`	List background tasks
`results <N>`	Show result for background task number N
`history [N]`	Show command history (last N entries)
`help`	List available commands
`back` / `exit`	Return to global shell

Built-In Agent Commands
#

These depend on the agent’s capabilities. Common built-ins for the development agent:

Command	Description
`survey`	Collect full system metadata (OS, IPs, users, processes)
`whoami`	Current user and privilege level
`hostname`	System hostname
`ls [path]`	List directory contents (formatted table)
`cat <file>`	Read a file
`pwd`	Print working directory
`cd <path>`	Change directory
`env`	List environment variables
`ps`	List running processes
`netstat`	Network connections
`exec <command>`	Execute a shell command
`beacon_config <json>`	Adjust beacon interval/jitter: `{"interval": 30, "jitter": 10}`
`kill`	Terminate this agent

Use capabilities to see the exact built-in command list for your agent.

Task Execution Modes
#

1
2
3
hostname> survey                        # blocking — waits for result
hostname> survey &                      # background — returns immediately
hostname> whoami ;; hostname ;; ps      # multi-task — waits for all three

Press Ctrl+C during a blocking wait to move the task to background.

The ;; separator (double semicolon) submits all tasks before waiting, so they run concurrently on the agent.

Loaded Module Commands
#

When a module is loaded, its name becomes a top-level command:

1
2
3
hostname> load hashdump py
hostname> hashdump
hostname> unload <loaded-module-id>

Local Commands from Agent Shell
#

1
2
hostname> !ls /tmp           # run on your local machine
hostname> local_shell        # not available in agent shell — use back first

Group Shell Commands
#

Enter a group shell with agents group use <name>. The prompt changes to groupname[N]> where N is the number of agents.

Commands are identical to the agent shell. Each command is sent to all agents in the group. Results are displayed per-agent.

1
2
3
webservers[3]> whoami
webservers[3]> survey
webservers[3]> ps ;; netstat

Tools Shell Commands
#

Enter a tools shell with tools use <module-name>. The prompt changes to module-name>.

Session Setup
#

1
2
3
4
5
ssh> set target 10.0.0.10
ssh> set targets 10.0.0.10 10.0.0.11 10.0.0.12   # multiple targets
ssh> set port 22
ssh> set cred <credential-id>
ssh> set proxy <proxy-id>                           # optional — route through proxy

Information
#

1
2
ssh> info          # show module metadata, protocol, options
ssh> operations    # list available operations

Executing Operations
#

1
2
3
ssh> exec whoami
ssh> exec whoami &                    # background
ssh> exec whoami ;; exec id           # multi-task

Specific operations depend on the loaded module. For the SSH tool:

Operation	Description
`exec <command>`	Run a command on all targets
`upload <local> <remote>`	Upload a file
`download <remote>`	Download a file
`shell`	Open an interactive session (SSH shell)

Task Management
#

1
2
3
ssh> tasks            # list background tasks
ssh> results <N>      # show result for background task N
ssh> history [N]      # show command history

Navigation
#

1
2
ssh> back    # return to global shell
ssh> exit    # same as back

TUI Keyboard Shortcuts
#

These shortcuts work in TUI mode (tantoc2-cli --tui):

Shortcut	Action
Ctrl+T	Open a new tab
Ctrl+W	Close current tab
Ctrl+Left / Ctrl+Right	Navigate between tabs
Ctrl+R	Rename current tab
Ctrl+P	Open theme picker
Ctrl+A	Toggle agents panel (live agent list)
Ctrl+L	Toggle listeners panel
Ctrl+Z	Background the current blocking task
Ctrl+Q	Quit TUI
Escape	Toggle scroll mode (scroll output without losing input focus)

TUI Themes
#

Press Ctrl+P to open the theme picker. Available themes:

Theme	Description
`default`	Textual default
`tantoc2-monokai`	Monokai-inspired dark
`tantoc2-hotdog-stand`	High-contrast red/yellow
`tantoc2-light`	Light background
`tantoc2-matrix`	Green-on-black terminal

TUI Layout
#

The TUI opens with a Main tab. Use agents use <hostname> to open an agent shell — it appears in a new tab automatically. Tools shells also open in new tabs.

Each tab has:

Scrollable output log (all command output for that shell)
Shared command input at the bottom
Prompt label showing the current context

The status bar at the bottom shows: server URL, logged-in user, active engagement, and agent count.

Agents Panel
#

Ctrl+A opens a side panel listing all active agents for the current engagement. Click an agent to enter its shell in a new tab.

Local Shell Tab
#

Open a local shell tab from the global prompt with local_shell. The tab runs your OS shell ($SHELL) with a local:dirname$ prompt. Use back or exit to close it.

Common Mistakes
#

“Not connected” — Run connect <url> before login.

“No engagement selected” — Run engagements use <name> before agent or listener commands.

“Multiple agents on hostname” — Use hostname:shortid form. Run agents list to see short IDs.

Listener bound to 0.0.0.0 — Specify an IP: --listener main-http:10.0.0.1. Run listeners list to see available IPs reported by the teamserver.

Module format mismatch — Run capabilities inside the agent shell to see supported formats. Pass the correct format: load hashdump bof vs load hashdump py.

Starting the CLI#

Tab Completion#

Global Shell Commands#

Connection#

Engagements#

Agents#

Listeners#

Modules (Agent-Loadable)#

Credentials#

File Transfers#

Tools (Agentless Operations)#

Proxy Configuration#

Collection Requests#

Operators (Admin Only)#

Plugins#

Utility#

Agent Shell Commands#

Management Commands (always available)#

Built-In Agent Commands#

Task Execution Modes#

Loaded Module Commands#

Local Commands from Agent Shell#

Group Shell Commands#

Tools Shell Commands#

Session Setup#

Information#

Executing Operations#

Task Management#

Navigation#

TUI Keyboard Shortcuts#

TUI Themes#

TUI Layout#

Agents Panel#

Local Shell Tab#

Common Mistakes#