CLI Reference

Starting the CLI

#

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

# Classic readline shell
tantoc2-cli

# With server URL pre-set
tantoc2-cli --url https://teamserver:8443

# TUI mode (recommended)
tantoc2-cli --tui
tantoc2-cli --tui --url https://teamserver:8443

# JSON output mode (all output is JSON — for scripting)
tantoc2-cli --url https://teamserver:8443 --json-mode

Per-command JSON output (also works inside the shell):

1

tantoc2> agents list --json

Tab Completion

#

Tab completion is available at every argument position:

• Command and sub-command names
• Agent hostnames and hostname:shortid pairs
• Listener names, module names, build names, credential IDs
• Flag names (--listener, --kill-date, etc.)
• Flag values where they are enumerable (protocol types, credential IDs)
• Listener IPs for builds: --listener name:<TAB> completes with the IPs reported by the teamserver for that listener, so you do not have to look them up manually
• Parent listener for external listeners: --parent <TAB> completes with the names of existing listeners when creating an external (redirector) listener
• Local filesystem paths for upload source files
• Remote filesystem paths for download targets (cached from previous ls results — no implicit C2 traffic)
• Background task indices for results

Global Shell Commands

#

These commands are available at the tantoc2> or tantoc2[engagement]> prompt.

Connection

#

1
2
3
4

tantoc2> connect https://teamserver:8443
tantoc2> login alice
Password: ****
tantoc2> logout

Engagements

#

1
2
3
4
5

tantoc2> engagements list
tantoc2> engagements use <name-or-id>
tantoc2> engagements create <name>                          # prompts for passphrase
tantoc2> engagements create <name> --description "text"    # with description
tantoc2> engagements create <name> --use                   # create and immediately activate

Agents

#

1
2
3
4
5
6

tantoc2[eng]> agents list
tantoc2[eng]> agents info <hostname>
tantoc2[eng]> agents use <hostname>          # enter agent shell
tantoc2[eng]> agents kill <hostname>
tantoc2[eng]> agents topology                # show P2P relay tree
tantoc2[eng]> agents chain <agent-id>        # show relay path to teamserver

The Last Seen column in agents list shows relative time for beacon agents (e.g., 2m ago). For session agents, it shows Connected when the agent is active, or Disconnected when it is not.

Tags and notes:

1
2
3
4
5
6
7

tantoc2[eng]> agents tags <hostname>                        # show current tags
tantoc2[eng]> agents tags <hostname> --add <tag>            # add a tag
tantoc2[eng]> agents tags <hostname> --remove <tag>         # remove a tag
tantoc2[eng]> agents tags <hostname> --set tag1,tag2,tag3   # replace all tags

tantoc2[eng]> agents notes <hostname>                       # show current notes
tantoc2[eng]> agents notes <hostname> web server, root access, check /var/www

Tags are free-form labels used to categorize agents (e.g., web-server, domain-controller, initial-access). Notes are free-text and visible to all operators with engagement access.

Building agents:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

tantoc2[eng]> agents generate                           # show packages and usage
tantoc2[eng]> agents generate <package> \
    --listener <name>[:<ip>] \
    --kill-date 2026-12-31 \
    --interval 60 --jitter 10 \
    --name my-build

# Override build mode (default auto-detected from transport type):
tantoc2[eng]> agents generate <package> \
    --listener relay-agent:10.0.1.5 \
    --kill-date 2026-12-31 \
    --mode beacon   # or session

--kill-date and --kill-days are mutually exclusive. One is required.

--mode session|beacon overrides the build mode that would otherwise be inferred from the transport type. This is useful when building a beacon-mode agent that relays through a TCP transport (which would otherwise default to session mode).

If the selected listener is not currently running, a warning is shown before the build proceeds.

Viewing and downloading builds:

1
2
3
4

tantoc2[eng]> agents builds
tantoc2[eng]> agents builds info <name-or-id>
tantoc2[eng]> agents builds download <name-or-id>
tantoc2[eng]> agents builds download <name-or-id> --output /tmp/agent.bin

Agent groups:

1
2
3

tantoc2[eng]> agents group create webservers id1 id2 id3
tantoc2[eng]> agents group use webservers      # enter group shell
tantoc2[eng]> agents group list

All agents in a group must share the same capability set.

Agent identification: Agents are identified by:

• hostname — unambiguous if only one agent on that host
• hostname:shortid — always unambiguous (e.g., WORKSTATION-01:a1b2c3d4)
• UUID or UUID prefix — direct ID match

Listeners

#

1
2
3
4
5
6
7
8
9

tantoc2[eng]> listeners list
tantoc2[eng]> listeners info <name-or-id>
tantoc2[eng]> listeners create http --name main-http --port 8080
tantoc2[eng]> listeners create tcp --name main-tcp --port 4444
tantoc2[eng]> listeners create external \
    --name redir --host redirector.example.com --port 443 \
    --parent main-https
tantoc2[eng]> listeners start <name-or-id>
tantoc2[eng]> listeners stop <name-or-id>

listeners info <name-or-id> prints a formatted detail panel for one listener, showing name, type, status, bind address, port, external host (for redirector listeners), parent listener, IPs reported to the teamserver, active agents currently checking in, and the creation timestamp.

External listeners require --parent: When creating an external (redirector) listener, --parent <listener_name> specifies the real listener it fronts. The protocol for agent callbacks is derived from the parent listener’s transport type — no --protocol flag is needed. Tab completion is available for --parent: type --parent <TAB> to see running listeners.

listeners info shows active agents: The detail panel includes a list of agents currently checking in through the listener. This makes it easy to see which agents depend on a listener before stopping or removing it.

Warning before removing a listener used in builds: If a listener has active agents or is referenced in existing builds, the CLI displays a warning before proceeding with removal.

Modules (Agent-Loadable)

#

1
2
3
4
5

tantoc2[eng]> modules list
tantoc2[eng]> modules list --format bof
tantoc2[eng]> modules info <module-name>
tantoc2[eng]> modules compatible <agent-id>   # only modules the agent can load
tantoc2[eng]> modules refresh                 # reload from plugin directory

Credentials

#

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

tantoc2[eng]> creds list
tantoc2[eng]> creds add --type <type> --username <user> --secret <secret>
              [--domain <domain>] [--notes <notes>]
tantoc2[eng]> creds update <id> --notes "new notes"
tantoc2[eng]> creds update <id> --domain NEWDOMAIN
tantoc2[eng]> creds update <id> --tags tag1,tag2,tag3
tantoc2[eng]> creds delete <id>
tantoc2[eng]> creds search [--type X] [--username X] [--domain X]
tantoc2[eng]> creds export --format json
tantoc2[eng]> creds export --format csv
tantoc2[eng]> creds export --format hashcat

Credential types: plaintext, hash, ticket, ssh_key, token, api_key, certificate

creds update accepts any combination of --notes, --domain, and --tags. Fields not specified are unchanged.

creds delete <id> permanently removes a credential and its encrypted secret from the engagement store. The operation is irreversible — the credential ID is accepted as a positional argument and tab-completes from the current credential list.

File Transfers

#

Upload and download are agent-scoped — use them from the agent shell. To manage completed transfers from the global prompt:

1
2
3

tantoc2[eng]> files list <agent-id>
tantoc2[eng]> files info <agent-id> <transfer-id>
tantoc2[eng]> files fetch <agent-id> <transfer-id> [output-path]

Tools (Agentless Operations)

#

1
2
3
4

tantoc2[eng]> tools list
tantoc2[eng]> tools info <module-name>
tantoc2[eng]> tools use <module-name>      # enter tools shell
tantoc2[eng]> tools refresh

Audit Log

#

1
2
3
4
5
6

tantoc2[eng]> audit list
tantoc2[eng]> audit list --security-only                           # security events only
tantoc2[eng]> audit list --principal alice                         # filter by operator
tantoc2[eng]> audit list --action login                            # filter by action type
tantoc2[eng]> audit list --since 2026-03-01 --until 2026-03-31    # date range
tantoc2[eng]> audit list --limit 50                                # cap results

--security-only is a bare flag (no value). --since and --until accept ISO 8601 dates or datetimes. Results are paginated using --limit and --offset.

An engagement must be active (engagements use <name>) before querying the audit log.

Proxy Configuration

#

1
2
3
4

tantoc2[eng]> proxy list
tantoc2[eng]> proxy create --name corp-proxy --type socks5 --host 10.0.0.5 --port 1080
tantoc2[eng]> proxy info <id>
tantoc2[eng]> proxy delete <id>

Collection Requests

#

1
2
3
4
5
6

tantoc2[eng]> requests list
tantoc2[eng]> requests list --status pending
tantoc2[eng]> requests count                   # pending count
tantoc2[eng]> requests info <id>
tantoc2[eng]> requests approve <id>
tantoc2[eng]> requests deny <id> --reason "out of scope"

Operators (Admin Only)

#

1
2
3
4
5
6
7
8

tantoc2> operators list
tantoc2> operators info <username>
tantoc2> operators create <username> [--role admin|operator|spectator|collector]
tantoc2> operators update <username> [--role X] [--active true|false] [--password]
tantoc2> operators delete <username>
tantoc2> operators grant <username> <engagement>
tantoc2> operators revoke <username> <engagement>
tantoc2> operators passwd    # change your own password (any role)

operators passwd is available to any authenticated operator (not admin-only). It prompts for the current password, new password, and confirmation. Use this for routine password rotation.

operators info <username> displays a Rich-formatted table with the operator’s profile: username, role, active status, last login timestamp, and all engagement access grants. The output is a structured table rather than raw JSON.

Plugins

#

1
2
3
4

tantoc2> plugins list
tantoc2> plugins refresh
tantoc2> plugins load <path>      # load plugin from an absolute server filesystem path
tantoc2> plugins upload <path>    # upload a local .whl file and install it on the server

plugins load takes an absolute path on the server to an already-present .whl file. The server installs it with pip and refreshes all registries. The source file is not deleted.

plugins upload reads a .whl file from your local filesystem, uploads it to the server’s plugin inbox directory, installs it, and refreshes registries.

Utility

#

1
2
3
4
5
6
7
8

tantoc2> help                    # list all commands
tantoc2> help agents             # help for a specific command group
tantoc2> help agents tags        # help for a specific sub-command
tantoc2> clear                   # clear the screen
tantoc2> local_shell             # drop to a local OS shell
tantoc2> !<command>              # run a local command inline
tantoc2> exit                    # exit the CLI
tantoc2> quit                    # same as exit

help supports tab completion: type help <TAB> to see completable command group names, and help agents<TAB> to see sub-commands. This makes it easy to discover sub-command help without knowing the exact names.

Agent Shell Commands

#

Enter the agent shell with agents use <hostname>. The prompt changes to hostname:shortid>. When you exit the agent shell with back or exit, the prompt returns to the global or engagement prompt — the agent context is fully cleared from the prompt.

Management Commands (always available)

#

Built-In Agent Commands

#

These depend on the agent’s capabilities. Common built-ins for the development agent:

Use capabilities to see the exact built-in command list for your agent.

exec rest argument: The exec command treats everything after the command name as a single string — no quoting is required for commands with spaces or pipes:

1
2
3

hostname> exec whoami /all
hostname> exec net user administrator
hostname> exec cat /etc/passwd | grep root

Task Execution Modes

#

1
2
3

hostname> survey                        # blocking — waits for result
hostname> survey &                      # background — returns immediately
hostname> whoami ;; hostname ;; ps      # multi-task — waits for all three

Press Ctrl+C during a blocking wait to move the task to background.

The ;; separator (double semicolon) submits all tasks before waiting, so they run concurrently on the agent.

Loaded Module Commands

#

When a module is loaded, its name becomes a top-level command:

1
2
3

hostname> load hashdump py
hostname> hashdump
hostname> unload <loaded-module-id>

Local Commands from Agent Shell

#

1
2

hostname> !ls /tmp           # run on your local machine
hostname> local_shell        # not available in agent shell — use back first

Group Shell Commands

#

Enter a group shell with agents group use <name>. The prompt changes to groupname[N]> where N is the number of agents.

Commands are identical to the agent shell. Each command is sent to all agents in the group. Results are displayed per-agent.

1
2
3

webservers[3]> whoami
webservers[3]> survey
webservers[3]> ps ;; netstat

Tools Shell Commands

#

Enter a tools shell with tools use <module-name>. The prompt changes to module-name>.

Session Setup

#

1
2
3
4
5

ssh> set target 10.0.0.10
ssh> set targets 10.0.0.10 10.0.0.11 10.0.0.12   # multiple targets
ssh> set port 22
ssh> set cred <credential-id>
ssh> set proxy <proxy-id>                           # optional — route through proxy

Information

#

1
2

ssh> info          # show module metadata, protocol, options
ssh> operations    # list available operations

Executing Operations

#

1
2
3

ssh> exec whoami
ssh> exec whoami &                    # background
ssh> exec whoami ;; exec id           # multi-task

Specific operations depend on the loaded module. For the SSH tool:

shell prompt: When the SSH interactive session opens, the CLI prompt changes to host:port$ (e.g., 10.0.0.5:22$). Type commands normally. Exit with exit or logout. After the session ends, the tools shell prompt resumes automatically.

Task Management

#

1
2
3

ssh> tasks            # list background tasks
ssh> results <N>      # show result for background task N
ssh> history [N]      # show command history

Navigation

#

1
2

ssh> back    # return to global shell
ssh> exit    # same as back

TUI Keyboard Shortcuts

#

These shortcuts work in TUI mode (tantoc2-cli --tui):

TUI Themes

#

Press Ctrl+P to open the theme picker. Available themes:

TUI Layout

#

The TUI opens with a Main tab. Use agents use <hostname> to open an agent shell — it appears in a new tab automatically. Tools shells also open in new tabs.

Each tab has:

• Scrollable output log (all command output for that shell)
• Shared command input at the bottom
• Prompt label showing the current context

The status bar at the bottom shows: server URL, logged-in user, active engagement, and agent count.

Agents Panel

#

Ctrl+A opens a side panel listing all active agents for the current engagement. Click an agent to enter its shell in a new tab.

Local Shell Tab

#

Open a local shell tab from the global prompt with local_shell. The tab runs your OS shell ($SHELL) with a local:dirname$ prompt. Use back or exit to close it.

Common Mistakes

#

“Not connected” — Run connect <url> before login.

“No engagement selected” — Run engagements use <name> before agent or listener commands.

“Multiple agents on hostname” — Use hostname:shortid form. Run agents list to see short IDs.

Listener bound to 0.0.0.0 — Specify an IP: --listener main-http:10.0.0.1. You can also use tab completion: --listener main-http:<TAB> will complete with the IPs the teamserver knows about for that listener. Run listeners list to see them all.

Module format mismatch — Run capabilities inside the agent shell to see supported formats. Pass the correct format: load hashdump bof vs load hashdump py.