Web UI Guide

Accessing the Web UI

#

Navigate to your teamserver’s web address. The default port is 8443:

1

https://teamserver.example.com:8443

Log in with your username and password. The session token is stored in your browser and refreshes automatically.

The active engagement is shown in the sidebar with a green indicator. All pages operate within the active engagement context. Switch engagements from the Engagements page.

Real-Time Updates

#

Most pages update automatically via WebSocket (Socket.IO). You do not need to refresh the browser. Key events that trigger live updates:

Page Reference

#

Dashboard (/)

#

The entry point after login. Shows at a glance:

• Agent summary: Total agent count with breakdown by status (active, dormant, dead, killed)
• Sessions: Active session-mode agents
• P2P links: Active relay links between agents
• Relay agents: Agents currently serving as relays
• Active listeners: Running listeners with type and port
• Recent events: Live stream of agent check-ins, task results, and status changes

Use the Dashboard when you want a quick status overview or to monitor a live operation.

Agents (/agents)

#

Sortable, filterable table of all agents in the current engagement.

Columns: hostname:shortid, mode (beacon/session), user, OS, callback IP, relay (which agent it relays through), status, last seen, tags.

Filtering: Use the search box to filter by hostname, IP, OS, or user. Status badges (active, dormant, dead, killed) can be clicked to filter.

Click any row to navigate to that agent’s detail page.

Tip: An agent showing status dormant has missed 3 expected check-ins but may recover. Dead means it has missed 10+. Neither necessarily means the implant is gone — it may be on a slow network or sleeping.

Agent Detail (/agents/:id)

#

Full information and interaction panel for one agent. Tabs:

Info tab

• Hostname, OS, architecture, user, last seen, mode, beacon interval, internal IPs, tags, notes
• Kill button (sends kill task — agent terminates on next check-in)

Terminal tab

• xterm.js-based interactive terminal for the agent
• Submit tasks and see results inline, same as the CLI agent shell
• Supports all built-in commands

Modules tab

• List of currently loaded modules (name, status, loaded time)
• Load new module: pick from compatible modules, select format, optional daemonize mode
• Unload: click the unload button on any loaded module

Relay tab

• Shows the agent’s current relay configuration (which agent it relays through, if any)
• Set relay: enter the relay agent ID
• Remove relay: clear the relay assignment

Files sub-section

• Upload a file from your browser to the agent
• List completed file transfers with direction, remote path, size, and SHA-256 verification status
• Download completed inbound transfers

Agent Modules (/agent-modules)

#

Catalog of all agent-loadable modules registered with the teamserver.

Filters: Format (bof, shellcode, dll, py, etc.), platform (windows, linux, darwin), architecture.

Refresh: Click “Refresh Modules” to reload from the plugin directory without restarting the server.

Load into Agent: Click the “Load” button on any module, pick an agent from the dropdown, choose managed or daemonized mode, and submit.

Use modules compatible <agent-id> in the CLI to filter by a specific agent’s capabilities.

Listeners (/listeners)

#

Create, start, stop, and manage listeners.

Create: Click “Create Listener”. Select the transport type (populated dynamically from installed transport plugins). Fill in name, host (leave as 0.0.0.0 to bind on all interfaces), and port.

For external (redirector) listeners, provide the external hostname, port, and the protocol agents will use when calling back.

Start / Stop: Use the toggle on each listener row.

Status: running (accepting connections), stopped (created but not started), error (check server logs).

Builds (/builds)

#

Generate agent builds and download binaries.

Create Build:

1. Select an agent package (e.g., dev_agent)
2. Select a listener
3. If the listener is bound to 0.0.0.0, enter the callback IP
4. Set kill date (or kill days from today)
5. Set beacon interval and jitter (for beacon-mode builds)
6. Optionally set a build name
7. Click “Create Build”

A build job is queued. The Builds table updates via WebSocket when it completes.

Download: Click the download icon on any completed build row.

Build history: Shows name, ID, package, platform, kill date, and creation time. Sorted by creation time, newest first.

Credentials (/credentials)

#

Store and manage captured credentials.

Add: Click “Add Credential”. Fill in type, username, secret, domain (optional), and notes (optional).

Search and filter: Use the text search (searches username, domain, source, notes) and the type dropdown to filter results.

View secret: Secrets are hidden by default. Click the eye icon to fetch and display the plaintext (requires a server round-trip — the secret is not stored in the browser).

Delete: Click the delete icon on a credential row.

Export: Click the export dropdown in the page header. Options:

• JSON: Full credential data as JSON
• CSV: Spreadsheet-friendly format
• Hashcat: NT hash lines in user:hash format (only applicable to hash-type credentials)

Tools (/tools)

#

Execute agentless operations (SSH, SMB, etc.) without deploying an agent.

Select a module: Use the module picker to choose an available tool (e.g., ssh_command).

Configure targets: Enter one or more host:port targets.

Set credentials: Select a credential from the store. The teamserver decrypts and passes it to the tool automatically.

Set proxy (optional): Select a configured proxy for routing traffic.

Configure options: Options depend on the module. Common SSH options: command, timeout.

Run: Click the operation button (e.g., “exec”, “upload”, “download”). Results appear in the execution history below.

Execution history: Expandable rows show per-target results, stdout/stderr, exit codes, and timing.

Proxy CRUD: The Tools page also manages proxy configurations. Click “Add Proxy” to add a SOCKS5 or HTTP proxy.

Refresh: Click “Refresh Modules” to reload tool modules from the plugin directory.

Topology (/topology)

#

Visual tree of the P2P relay hierarchy for the current engagement.

• Teamserver is the root
• Direct-link agents are first-level children
• Relayed agents are children of their relay agent
• Click any node to navigate to that agent’s detail page

Useful for understanding your relay chain before targeting interior agents.

Engagements (/engagements)

#

List and manage engagements. Admin-only for create/archive/import.

Create: Admin only. Enter a name and passphrase.

Activate: Click an engagement to make it active. The sidebar indicator updates.

Archive: Click the archive icon, enter the passphrase. The engagement data is exported to an encrypted archive file on the server.

Import: Upload a previously archived engagement (requires the original passphrase).

File Explorer (/files)

#

Browse the agent’s filesystem as a tree. The tree is built from cached ls results — no implicit C2 traffic unless you expand a directory that has not been listed yet.

Expand a directory: Click to expand. If the directory has not been listed, a ls task is queued to the agent and the tree populates when the result arrives.

Search/filter: Filter the visible tree by filename or path prefix.

Collection request: Right-click a file (or use the context menu icon) to create a collection request for that file. The request goes to the Collection Requests queue for operator review.

Collection Requests (/requests)

#

Review and process file collection requests from collectors.

Filter: Use the status dropdown to filter by pending, approved, or denied.

Approve: Click “Approve” on a pending request. The file content becomes downloadable by the requesting collector.

Deny: Click “Deny”. Enter an optional reason. The collector sees the denial in their request list.

Download (collector view): Approved requests have a download button that fetches the file content from the teamserver.

Real-time updates via WebSocket — pending request counts appear in the sidebar.

Audit Log (/audit)

#

Filterable table of all actions performed within an engagement.

Filters: Principal (who did it), action type, date range.

Security events (authentication failures, permission denials) are highlighted.

Use case: Post-engagement review, investigating unexpected agent activity, team coordination audit.

Admin (/admin)

#

Operator management. Admin only.

Create operator: Enter username, password, and role.

Change role: Use the inline role dropdown on any operator row.

Activate/deactivate: Use the toggle. Deactivated operators cannot log in but their data is preserved.

Reset password: Click the password icon and enter a new password.

Delete: Removes the operator and their engagement access grants. Cannot delete or demote the last admin.

Engagement access: Click any operator to see their engagement access grants. Add or revoke access.

Plugins (/plugins)

#

Manage installed plugins (transports, tools, agent packages).

List: View all registered plugins by type (transport, agentless module, agent package).

Refresh: Reload plugins from the server’s plugin directory.

Load: Load a plugin from a server filesystem path. Opens a file browser rooted at the server’s plugin directory.

Upload: Upload a .whl file directly from your browser. The server installs it and registers the plugin.

Role-Aware UI

#

The web UI adapts based on your role:

• Spectator: Action buttons (create, start, stop, kill, execute) are hidden or disabled. View-only.
• Collector: Same as spectator. Collection requests show a download button on approved items.
• Operator: Full action controls for all granted engagements.
• Admin: Everything, including Admin and Engagements management pages.

Quick Navigation

#