Prerequisites#
- TantoC2 teamserver is installed and running. See Installation.
- You have been given a URL, a username, and a password by your admin.
- For the CLI: Python 3.11+ available on your machine (TantoC2 installed via hatch or pip).
- For the Web UI: a modern browser — Chrome, Firefox, or Edge.
First-Time Login#
CLI#
The prompt changes to tantoc2> when you are connected and logged in. Once you select an engagement, it becomes tantoc2[engagement-name]>.
TUI mode (recommended for interactive use):
The TUI opens a connection dialog automatically on startup. Enter the URL, press Enter, then enter credentials in the login dialog.
JSON mode (for scripting):
Web UI#
Navigate to https://teamserver.example.com:8443 (or wherever the web server is hosted). Enter your username and password. After login, the web UI remembers your session until the token expires or you log out.
Choosing Your Interface#
TantoC2 provides three ways to interact with the teamserver. Use whichever fits your workflow — they all talk to the same backend.
| Interface | Best For |
|---|---|
| TUI | Interactive day-to-day operations. Tabbed layout, keyboard shortcuts, real-time status bar. |
| CLI (classic) | Scripting, automation, and lightweight terminal usage. Standard readline shell. |
| Web UI | Team coordination, visual topology, audit review, and working from a browser. |
The CLI and TUI are the same binary (tantoc2-cli). Pass --tui to start the TUI. Both support JSON output mode and all the same commands.
Prompt States#
Key Concepts#
Before starting an engagement, familiarise yourself with these terms.
Engagement#
An engagement is an isolated project. Every object — agents, listeners, builds, credentials, tasks, file transfers — belongs to one engagement. Multiple engagements can run concurrently. Engagement data is stored in a separate encrypted database per engagement.
Activate an engagement to work with its objects:
Agent#
An agent (or implant) is a binary that runs on a target host and communicates back to the teamserver. Agents check in at a configurable interval (beacon mode) or maintain a persistent connection (session mode).
Each agent is identified by a hostname:shortid display name, for example WORKSTATION-01:a1b2c3d4. When multiple agents share a hostname, use the full hostname:shortid form to avoid ambiguity.
Listener#
A listener is a network service on the teamserver that accepts agent callbacks. Create a listener before building agents — the agent’s callback URL is baked in at build time.
Transport types: http, tcp, and external (for redirectors or third-party listeners).
Module#
A module is a compiled payload (BOF, shellcode, DLL, Python script, etc.) loaded into a running agent. Modules run inside the agent’s process in managed mode (results return through the agent channel) or daemonized mode (the payload runs independently and may register as a new agent).
Tool#
A tool (also called an agentless module) runs on the teamserver and interacts directly with a remote service — SSH, SMB, etc. — without deploying an implant. Tools integrate with the credential store and proxy configuration.
Collection Request#
When a collector-role user downloads a file from an agent, a collection request is created. An operator or admin must approve it before the file content becomes accessible. This two-person integrity control ensures collected data is reviewed before leaving the teamserver.
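The approval gate described above, modelled as an added example (this is not TantoC2's own code). The class and field names, the role strings, and the rule that a requester cannot approve their own request are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

# Hypothetical model of the approval gate; names are illustrative, not TantoC2's API.
APPROVER_ROLES = {"operator", "admin"}  # roles the page says may approve


class State(Enum):
    PENDING = "pending"
    APPROVED = "approved"


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass
class CollectionRequest:
    requester: User
    filename: str
    _content: bytes = field(repr=False)  # kept out of repr() so it cannot leak into logs
    state: State = State.PENDING
    approved_by: Optional[str] = None
    audit: List[str] = field(default_factory=list)

    def approve(self, approver: User) -> None:
        if self.state is not State.PENDING:
            raise PermissionError("request already decided")
        if approver.role not in APPROVER_ROLES:
            self.audit.append(f"DENY approve by {approver.name}: role {approver.role}")
            raise PermissionError("role may not approve")
        # Assumption: the approver must be a different person than the requester.
        if approver.name == self.requester.name:
            self.audit.append(f"DENY approve by {approver.name}: self-approval")
            raise PermissionError("self-approval not allowed")
        self.state, self.approved_by = State.APPROVED, approver.name
        self.audit.append(f"APPROVE {self.filename} by {approver.name}")

    def read(self, reader: User) -> bytes:
        # Content stays sealed until a second person has approved the request.
        if self.state is not State.APPROVED:
            self.audit.append(f"DENY read by {reader.name}: state {self.state.value}")
            raise PermissionError("collection request not approved")
        return self._content
```

Every denied read or approval attempt lands in the audit list, which is the record a reviewer would check when confirming the control was enforced.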
Your First Commands#
After logging in:
Quick Reference#
| Task | Command |
|---|---|
| Connect to server | connect <url> |
| Log in | login <username> |
| Log out | logout |
| List engagements | engagements list |
| Select engagement | engagements use <name> |
| Create engagement (admin) | engagements create <name> |
| Show all commands | help |
| Run local shell command | !<command> or local_shell |
| Clear screen | clear |
| Exit CLI | exit or quit |
Next Steps#
- Engagement Workflow — end-to-end walkthrough
- CLI Reference — every command documented
- Web UI Guide — browser interface walkthrough