Skip to content

REST API Reference

Complete documentation for the Stentor REST API: authentication, endpoint catalog, request/response schemas, error codes, and example requests using curl.

Introduction

The Stentor REST API provides programmatic access to all C2 operations. It follows standard REST conventions with JSON request and response bodies.

Property Value
Base URL https://stentor.app/api/v1
Content Type application/json
Authentication JWT Bearer token (see Authentication below)
Rate Limiting Auth endpoints: strict brute-force limits. All other endpoints: standard abuse-prevention limits.

All protected endpoints require an Authorization header:

Authorization: Bearer <access_token>

Authentication

Stentor uses JWT (JSON Web Tokens) for authentication. Access tokens are short-lived and returned in the JSON response body. Refresh tokens are delivered via httpOnly secure cookies (never exposed to JavaScript).

Login

Authenticate with email and password to obtain an access token.

POST /api/v1/auth/login

Request Body:

Field Type Required Description
email string Yes Operator email address
password string Yes Operator password

Response Body:

Field Type Description
access_token string JWT access token for API requests
user.id string User UUID
user.email string User email
user.role string User role (admin or operator)
user.created_at string ISO 8601 timestamp

A stentor_refresh httpOnly cookie is also set with the refresh token.

curl -s -X POST https://stentor.app/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "your-password"
  }'

Response (200 OK):

{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "user": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "email": "[email protected]",
    "role": "admin",
    "created_at": "2026-01-15T10:30:00Z"
  }
}

import requests

resp = requests.post("https://stentor.app/api/v1/auth/login", json={
    "email": "[email protected]",
    "password": "your-password"
})
token = resp.json()["access_token"]
headers = {"Authorization": f"Bearer {token}"}

Error Responses:

Status Body Cause
400 {"error": "invalid request body"} Missing or malformed fields
401 {"error": "invalid credentials"} Wrong email or password
500 {"error": "failed to generate tokens"} Server-side token generation failure

Token Refresh

Exchange the refresh token (from httpOnly cookie) for a new access token. Implements token rotation -- each refresh issues a new refresh token and revokes the old one.

POST /api/v1/auth/refresh

No request body required. The refresh token is read from the stentor_refresh cookie.

Response Body:

Field Type Description
access_token string New JWT access token

A new stentor_refresh cookie is set with the rotated refresh token.

curl -s -X POST https://stentor.app/api/v1/auth/refresh \
  -b "stentor_refresh=<refresh_token>"

Error Responses:

Status Body Cause
401 {"error": "refresh token required"} No refresh cookie present
401 {"error": "refresh token expired"} Token has expired
401 {"error": "token revoked"} Token was explicitly revoked

Token Revocation (Logout)

Revoke the current refresh token and clear the cookie. This is the logout endpoint.

POST /api/v1/auth/revoke

No request body required. Reads and revokes the refresh token from the cookie.

curl -s -X POST https://stentor.app/api/v1/auth/revoke \
  -H "Authorization: Bearer $TOKEN" \
  -b "stentor_refresh=<refresh_token>"

Response (200 OK):

{"message": "logged out"}

WebSocket Ticket

Generate a short-lived opaque ticket for WebSocket authentication. Used by the frontend to establish authenticated WebSocket connections without exposing the JWT in query parameters.

POST /api/v1/auth/ws-ticket

Response Body:

Field Type Description
ticket string One-time-use opaque ticket 
curl -s -X POST https://stentor.app/api/v1/auth/ws-ticket \
  -H "Authorization: Bearer $TOKEN"

Register Operator

Create a new operator account. Admin-only -- requires an authenticated admin user.

POST /api/v1/auth/register

Request Body:

Field Type Required Description
email string Yes New operator's email
password string Yes Password (minimum 8 characters)

Response (201 Created):

Field Type Description
id string New user UUID
email string User email
role string Assigned role 
curl -s -X POST https://stentor.app/api/v1/auth/register \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"email": "[email protected]", "password": "securepassword123"}'

Error Responses:

Status Body Cause
400 {"error": "invalid email format"} Malformed email address
400 {"error": "password must be at least 8 characters"} Password too short
409 {"error": "email already registered"} Duplicate email

Current User

Get the authenticated user's profile.

GET /api/v1/auth/me

Response Body:

Field Type Description
id string User UUID
email string User email
role string User role
created_at string ISO 8601 timestamp 
curl -s https://stentor.app/api/v1/auth/me \
  -H "Authorization: Bearer $TOKEN"

Common Patterns

Error Response Format

All error responses follow a consistent format:

{"error": "description of what went wrong"}

Standard HTTP Status Codes:

Status Code Meaning
200 Success
201 Created (new resource)
400 Bad Request (invalid input, validation error)
401 Unauthorized (missing or invalid token)
403 Forbidden (insufficient permissions)
404 Not Found (resource does not exist)
409 Conflict (duplicate resource)
429 Too Many Requests (rate limited)
500 Internal Server Error
503 Service Unavailable

Rate Limiting

Authentication endpoints (/auth/login, /auth/refresh) have strict rate limits to prevent brute-force attacks. All other protected endpoints have standard abuse-prevention limits. When rate limited, the API returns 429 Too Many Requests.

Health Check

Two health endpoints are available (no authentication required):

# Root health check
curl https://stentor.app/health

# Versioned health check (includes server identifier)
curl https://stentor.app/api/v1/health

Response:

{"status": "ok", "version": "3.0.0", "server": "stentor"}

Endpoint Reference

Listeners

Listeners are the C2 server endpoints that receive implant connections. Each listener runs on a relay agent and supports HTTP/HTTPS, DNS, SMB, or WireGuard transports.

List Listeners

GET /api/v1/listeners

Returns all configured listeners.

curl -s https://stentor.app/api/v1/listeners \
  -H "Authorization: Bearer $TOKEN"

Response (200 OK):

[
  {
    "id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "name": "HTTPS Relay",
    "type": "https",
    "host": "10.0.0.50",
    "port": 8443,
    "relay_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "status": "running"
  }
]

Create Listener

POST /api/v1/listeners

Request Body:

Field Type Required Description
name string Yes Display name
type string Yes Transport type: http, https, dns, smb, wireguard
host string Yes Bind address (relay IP)
port integer Yes Bind port
relay_id string Yes UUID of the relay to run the listener on
dns_domain string No Domain for DNS listeners
smb_pipe_name string No Named pipe for SMB listeners
profile_id string No Malleable C2 profile UUID
certificate_id string No Code-signing certificate UUID for HTTPS 
curl -s -X POST https://stentor.app/api/v1/listeners \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "HTTPS Relay",
    "type": "https",
    "host": "10.0.0.50",
    "port": 8443,
    "relay_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
  }'

Response (201 Created):

{
  "id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
  "name": "HTTPS Relay",
  "type": "https",
  "host": "10.0.0.50",
  "port": 8443,
  "relay_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "status": "stopped"
}

Start After Create

Newly created listeners have status "stopped". You must explicitly start them with POST /api/v1/listeners/:id/start.

Get Listener

GET /api/v1/listeners/:id

Update Listener

PUT /api/v1/listeners/:id

Uses the same request body as Create. Only provided fields are updated.

Delete Listener

DELETE /api/v1/listeners/:id

Listener Lifecycle

Method Path Description
POST /api/v1/listeners/:id/start Start the listener on its relay
POST /api/v1/listeners/:id/stop Stop the listener
POST /api/v1/listeners/:id/restart Restart the listener 
# Start a listener
curl -s -X POST "https://stentor.app/api/v1/listeners/$LISTENER_ID/start" \
  -H "Authorization: Bearer $TOKEN"

File Hosting

Method Path Description
POST /api/v1/listeners/:id/host Host a file on the listener
DELETE /api/v1/listeners/:id/host Remove hosted file

Additional Listener Endpoints

Method Path Description
GET /api/v1/listeners/:id/redirector-config Generate redirector configuration (Apache/nginx)
POST /api/v1/listeners/:id/generate-all Generate all payload variants for this listener
POST /api/v1/listeners/wireguard/keygen Generate WireGuard key pair

Relays

Relays are the Kali-based agents that run listeners and forward C2 traffic to the backend.

Method Path Description
GET /api/v1/relays List all relays
POST /api/v1/relays Register a new relay
GET /api/v1/relays/:id Get relay details
PUT /api/v1/relays/:id Update relay configuration
DELETE /api/v1/relays/:id Delete a relay 
curl -s https://stentor.app/api/v1/relays \
  -H "Authorization: Bearer $TOKEN"

Response (200 OK):

[
  {
    "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "name": "Kali Relay",
    "description": "Primary Kali relay agent",
    "ip_address": "10.0.0.50",
    "status": "online"
  }
]

Payloads

Payloads are the implant binaries and shellcode generated for delivery to targets.

Method Path Description
GET /api/v1/payloads List all payload records
POST /api/v1/payloads Create a payload record
POST /api/v1/payloads/generate Generate a payload binary
GET /api/v1/payloads/:id Get payload details
DELETE /api/v1/payloads/:id Delete a payload
GET /api/v1/payloads/:id/download Download the payload binary
POST /api/v1/payloads/:id/regenerate Regenerate the payload
POST /api/v1/payloads/:id/driveby Create a drive-by download URL

Generate Payload

POST /api/v1/payloads/generate

Request Body:

Field Type Required Description
listener_id string Yes Target listener UUID
format string Yes Output format (exe, dll, shellcode, powershell, hta, etc.)
arch string No Architecture (x64, x86). Defaults to x64
name string No Custom payload name 
curl -s -X POST https://stentor.app/api/v1/payloads/generate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "listener_id": "6ea88162-d558-404a-a19f-4b4cab34b22f",
    "format": "exe",
    "arch": "x64"
  }'

Beacons

Beacons are active implant sessions on compromised hosts. The beacon API provides management, task enqueueing, credential extraction, network enumeration, and post-exploitation capabilities.

API Path

All beacon endpoints are under /api/v1/c2/beacons. Do not use /api/v1/cockpit/beacons -- that path does not exist.

List Beacons

GET /api/v1/c2/beacons 

curl -s https://stentor.app/api/v1/c2/beacons \
  -H "Authorization: Bearer $TOKEN"

Response (200 OK):

[
  {
    "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "hostname": "WORKSTATION-01",
    "username": "CORP\\jsmith",
    "ip_internal": "192.168.1.50",
    "ip_external": "10.0.0.20",
    "os": "Windows 10 Pro 19045",
    "arch": "x64",
    "pid": 4832,
    "integrity": "Medium",
    "last_seen": "2026-02-19T14:05:30Z",
    "sleep": 5000,
    "jitter": 10
  }
]

Get Beacon

GET /api/v1/c2/beacons/:id

Delete Beacon

DELETE /api/v1/c2/beacons/:id

Update Beacon Note

PUT /api/v1/c2/beacons/:id/note

Request Body:

Field Type Required Description
note string Yes Operator note for this beacon

Update Beacon Tags

PUT /api/v1/c2/beacons/:id/tags

Request Body:

Field Type Required Description
tags string[] Yes Array of tag strings

Enqueue Task

Send a command to a beacon. The task is queued and delivered on the next beacon check-in.

POST /api/v1/c2/beacons/:id/task

Request Body:

Field Type Required Description
command string Yes Command to execute (e.g., shell, ps, ls)
args object No Command-specific arguments 
curl -s -X POST "https://stentor.app/api/v1/c2/beacons/$BEACON_ID/task" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "shell", "args": {"command": "whoami"}}'

Response (200 OK):

{
  "task_id": "t-550e8400-e29b-41d4-a716-446655440000",
  "status": "queued"
}

Beacon State Management

Control beacon runtime behavior.

Method Path Description
PUT /api/v1/c2/beacons/:id/state/sleep Set sleep interval and jitter
PUT /api/v1/c2/beacons/:id/state/ppid Set parent PID for spoofing
PUT /api/v1/c2/beacons/:id/state/syscallMethod Set syscall execution method
PUT /api/v1/c2/beacons/:id/state/blockdlls Enable/disable blocking non-Microsoft DLLs
GET /api/v1/c2/beacons/:id/state/beacongate Get BeaconGate (syscall gate) configuration
PUT /api/v1/c2/beacons/:id/state/beacongate Set BeaconGate configuration
POST /api/v1/c2/beacons/:id/state/checkin Force immediate check-in
POST /api/v1/c2/beacons/:id/state/pause Pause the beacon
POST /api/v1/c2/beacons/:id/state/exit Exit the beacon (terminate implant)
DELETE /api/v1/c2/beacons/:id/queue Clear all pending tasks

Set sleep example:

curl -s -X PUT "https://stentor.app/api/v1/c2/beacons/$BEACON_ID/state/sleep" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"sleep": 5000, "jitter": 20}'

Token Operations

Manage Windows access tokens on the beacon host.

Method Path Description
GET /api/v1/c2/beacons/:id/token/list List stolen/created tokens
POST /api/v1/c2/beacons/:id/token/steal Steal a token from a process
POST /api/v1/c2/beacons/:id/token/make Create a token with credentials
POST /api/v1/c2/beacons/:id/token/use Impersonate a stored token
POST /api/v1/c2/beacons/:id/token/revert Revert to original token
POST /api/v1/c2/beacons/:id/token/getprivs Enable all available privileges

Credential Extraction

Extract credentials from the beacon host.

Method Path Description
POST /api/v1/c2/beacons/:id/hashdump Dump SAM database hashes
POST /api/v1/c2/beacons/:id/logonpasswords Run Mimikatz sekurlsa::logonpasswords
POST /api/v1/c2/beacons/:id/mimikatz Run arbitrary Mimikatz command
POST /api/v1/c2/beacons/:id/chromedump Extract Chrome browser credentials
POST /api/v1/c2/beacons/:id/dcsync DCSync attack to replicate AD credentials
POST /api/v1/c2/beacons/:id/keylogger/start Start keylogger
POST /api/v1/c2/beacons/:id/keylogger/stop Stop keylogger
Active Directory Attack Endpoints

These endpoints implement advanced AD attack techniques. All require an active beacon with appropriate privileges.

Kerberos Attacks:

Method Path Description
POST /api/v1/c2/beacons/:id/pkinit PKINIT certificate-based authentication
POST /api/v1/c2/beacons/:id/unpac UnPAC the hash from PKINIT
POST /api/v1/c2/beacons/:id/golden_ticket Forge Golden Ticket
POST /api/v1/c2/beacons/:id/diamond_ticket Forge Diamond Ticket
POST /api/v1/c2/beacons/:id/sapphire_ticket Forge Sapphire Ticket
POST /api/v1/c2/beacons/:id/skeleton_key Deploy Skeleton Key
POST /api/v1/c2/beacons/:id/sid_history SID History injection

ADCS (Certificate Services) Attacks:

Method Path Description
POST /api/v1/c2/beacons/:id/esc1 ESC1 - Misconfigured certificate template
POST /api/v1/c2/beacons/:id/esc2 ESC2 - Any-purpose certificate template
POST /api/v1/c2/beacons/:id/esc3 ESC3 - Enrollment agent template
POST /api/v1/c2/beacons/:id/esc4 ESC4 - Vulnerable certificate template ACL
POST /api/v1/c2/beacons/:id/esc6 ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2
POST /api/v1/c2/beacons/:id/esc7 ESC7 - CA officer abuse
POST /api/v1/c2/beacons/:id/esc8 ESC8 - NTLM relay to ADCS HTTP

Shadow Credentials:

Method Path Description
POST /api/v1/c2/beacons/:id/shadow_creds Add shadow credential to target

ACL Abuse:

Method Path Description
POST /api/v1/c2/beacons/:id/acl_pwreset Force password reset via ACL
POST /api/v1/c2/beacons/:id/acl_setspn Set SPN for Kerberoasting
POST /api/v1/c2/beacons/:id/acl_addmember Add member to group via ACL
POST /api/v1/c2/beacons/:id/acl_dcsync Grant DCSync rights
POST /api/v1/c2/beacons/:id/acl_owner Take ownership of AD object
POST /api/v1/c2/beacons/:id/acl_sdhold Modify AdminSDHolder

RBCD (Resource-Based Constrained Delegation):

Method Path Description
POST /api/v1/c2/beacons/:id/rbcd_addcomputer Add computer account for RBCD
POST /api/v1/c2/beacons/:id/rbcd_write Write msDS-AllowedToActOnBehalfOfOtherIdentity
POST /api/v1/c2/beacons/:id/rbcd_attack Execute RBCD attack chain

GPO Abuse:

Method Path Description
POST /api/v1/c2/beacons/:id/gpo_enum Enumerate Group Policy Objects
POST /api/v1/c2/beacons/:id/gpo_modify Modify GPO for persistence/lateral movement
POST /api/v1/c2/beacons/:id/gpo_cleanup Clean up GPO modifications

DCShadow:

Method Path Description
POST /api/v1/c2/beacons/:id/dcshadow DCShadow attack (full)
POST /api/v1/c2/beacons/:id/dcshadow_register Register rogue DC
POST /api/v1/c2/beacons/:id/dcshadow_push Push DCShadow changes
POST /api/v1/c2/beacons/:id/dcshadow_cleanup Clean up rogue DC registration

Credential Dumping:

Method Path Description
POST /api/v1/c2/beacons/:id/laps_dump Dump LAPS passwords
POST /api/v1/c2/beacons/:id/gmsa_dump Dump gMSA account passwords
POST /api/v1/c2/beacons/:id/trust_enum Enumerate domain trusts

Network Enumeration

Discover network resources from the beacon host.

Method Path Description
POST /api/v1/c2/beacons/:id/net/domain Enumerate domain information
POST /api/v1/c2/beacons/:id/net/group Enumerate domain groups
POST /api/v1/c2/beacons/:id/net/user Enumerate domain users
POST /api/v1/c2/beacons/:id/net/localgroup Enumerate local groups
POST /api/v1/c2/beacons/:id/net/logons Enumerate logged-on users
POST /api/v1/c2/beacons/:id/net/sessions Enumerate active sessions
POST /api/v1/c2/beacons/:id/net/share Enumerate network shares
POST /api/v1/c2/beacons/:id/net/time Get domain controller time

Registry Operations

Read and modify the Windows registry remotely.

Method Path Description
POST /api/v1/c2/beacons/:id/reg/query Query a registry key or value
POST /api/v1/c2/beacons/:id/reg/create Create a registry key or value
POST /api/v1/c2/beacons/:id/reg/delete Delete a registry key or value

Process Injection

Inject code into remote processes.

Method Path Description
POST /api/v1/c2/beacons/:id/inject/beacon Inject a new beacon into a process
POST /api/v1/c2/beacons/:id/inject/dll Inject a DLL into a process
POST /api/v1/c2/beacons/:id/inject/shellcode Inject raw shellcode into a process
GET /api/v1/c2/beacons/:id/elevate/list List available privilege escalation exploits
POST /api/v1/c2/beacons/:id/elevate/:exploit Run a privilege escalation exploit

Persistence

Install and manage persistence mechanisms.

Method Path Description
POST /api/v1/c2/beacons/:id/persist/dll_hijack Install DLL hijack persistence
POST /api/v1/c2/beacons/:id/persist/com_hijack Install COM hijack persistence
POST /api/v1/c2/beacons/:id/persist/list List installed persistence mechanisms
POST /api/v1/c2/beacons/:id/persist/remove Remove a persistence mechanism

Beacon Variables

Server-side variables associated with a beacon (no task sent to the implant).

Method Path Description
GET /api/v1/c2/beacons/:id/variables Get all beacon variables
PUT /api/v1/c2/beacons/:id/variables Set a beacon variable

Beacon Highlights

Visual highlighting for beacons in the UI (shared across operators).

Method Path Description
GET /api/v1/beacons/highlights List all beacon highlights
PUT /api/v1/beacons/:id/highlight Set highlight color for a beacon
DELETE /api/v1/beacons/:id/highlight Remove highlight from a beacon

Sessions

Sessions track post-exploitation access to hosts, including credential associations.

Method Path Description
GET /api/v1/sessions List all sessions
POST /api/v1/sessions Create a session
GET /api/v1/sessions/:id Get session details
PUT /api/v1/sessions/:id Update a session
DELETE /api/v1/sessions/:id Delete a session
GET /api/v1/sessions/:id/credentials List credentials for a session
POST /api/v1/sessions/:id/credentials Associate a credential with a session

Credentials

Standalone credential management (not tied to a specific session).

Method Path Description
POST /api/v1/credentials Create a standalone credential
GET /api/v1/credentials List all credentials
PUT /api/v1/credentials/:credId Update a credential
DELETE /api/v1/credentials/:credId Delete a credential 
curl -s https://stentor.app/api/v1/credentials \
  -H "Authorization: Bearer $TOKEN"

Cockpit

The cockpit is the primary operator interface for interacting with beacons. It provides the shell, file operations, process management, pivoting, and more.

WebSocket Connection

The cockpit WebSocket (/api/v1/cockpit/ws) provides real-time event streaming. See the WebSocket Protocol page for details.

Shell and Command Execution

Method Path Description
GET /api/v1/cockpit/ws WebSocket endpoint for real-time events
POST /api/v1/cockpit/chat Send operator chat message
GET /api/v1/cockpit/operators List connected operators
POST /api/v1/cockpit/shell Execute a shell command on a beacon
POST /api/v1/cockpit/shell/open Open an interactive shell session
POST /api/v1/cockpit/shell/close Close an interactive shell session
POST /api/v1/cockpit/shell/sleep Set sleep interval via shell
POST /api/v1/cockpit/execute Execute a technique by ID
GET /api/v1/cockpit/techniques Get all supported techniques
GET /api/v1/cockpit/opsec Get all OPSEC risk assessments
GET /api/v1/cockpit/opsec/:techniqueID Get OPSEC warning for specific technique

File Operations

Method Path Description
POST /api/v1/cockpit/file/browse Browse remote filesystem
POST /api/v1/cockpit/file/download Download a file from the beacon
GET /api/v1/cockpit/file/content/:taskId Get downloaded file content
POST /api/v1/cockpit/file/upload Upload a file to the beacon
POST /api/v1/cockpit/file/cancel Cancel an active download
GET /api/v1/cockpit/file/active List active file transfers

Process Management

Method Path Description
POST /api/v1/cockpit/beacons/:beaconId/processes List processes on the beacon host
POST /api/v1/cockpit/beacons/:beaconId/processes/kill Kill a process by PID

SOCKS Proxy

Method Path Description
POST /api/v1/cockpit/socks/start Start a SOCKS5 proxy through a beacon
POST /api/v1/cockpit/socks/stop Stop a SOCKS5 proxy
PUT /api/v1/cockpit/socks/logging Toggle SOCKS traffic logging
GET /api/v1/cockpit/socks List all active SOCKS proxies
GET /api/v1/cockpit/socks/:beaconId Get SOCKS proxy for a specific beacon

Port Forwarding

Method Path Description
POST /api/v1/cockpit/portfwd/start Start a reverse port forward
POST /api/v1/cockpit/portfwd/stop Stop a reverse port forward
POST /api/v1/cockpit/portfwd/start_local Start a local port forward
POST /api/v1/cockpit/portfwd/stop_local Stop a local port forward
GET /api/v1/cockpit/portfwd List all port forwards
GET /api/v1/cockpit/portfwd/:beaconId Get port forwards for a specific beacon

Browser Pivot

Method Path Description
POST /api/v1/cockpit/browserpivot/start Start a browser pivot (inject into browser)
POST /api/v1/cockpit/browserpivot/stop Stop a browser pivot
GET /api/v1/cockpit/browserpivot List active browser pivots
GET /api/v1/cockpit/browserpivot/:beaconId Get browser pivot for a beacon

Covert VPN

Method Path Description
POST /api/v1/cockpit/covertvpn/start Start a covert VPN tunnel
POST /api/v1/cockpit/covertvpn/stop Stop a covert VPN tunnel
GET /api/v1/cockpit/covertvpn List active covert VPN tunnels
GET /api/v1/cockpit/covertvpn/:beaconId Get covert VPN for a beacon

Pivot Listeners

Method Path Description
POST /api/v1/cockpit/pivot Create a pivot listener (TCP bind)
DELETE /api/v1/cockpit/pivot Stop a pivot listener
GET /api/v1/cockpit/pivot List active pivot listeners

Beacon Operations

Method Path Description
POST /api/v1/cockpit/spawn Spawn a new beacon process
GET /api/v1/cockpit/beacons/:beaconId/tasks Get task history for a beacon
GET /api/v1/cockpit/beacons/:beaconId/spawnto Get spawn-to configuration
PUT /api/v1/cockpit/beacons/:beaconId/spawnto Update spawn-to binary
GET /api/v1/cockpit/beacons/:beaconId/jobs List running jobs on a beacon
POST /api/v1/cockpit/beacons/:beaconId/jobkill Kill a running job

SSH Sessions

Full SSH session management through a beacon.

Method Path Description
POST /api/v1/cockpit/ssh/connect Connect to a host via SSH
POST /api/v1/cockpit/ssh/inject Inject SSH agent key
POST /api/v1/cockpit/ssh/disconnect Disconnect SSH session
POST /api/v1/cockpit/ssh/shell Execute command in SSH session
POST /api/v1/cockpit/ssh/upload Upload file via SSH
POST /api/v1/cockpit/ssh/download Download file via SSH
POST /api/v1/cockpit/ssh/list List directory via SSH
POST /api/v1/cockpit/ssh/cd Change directory in SSH session
POST /api/v1/cockpit/ssh/pwd Print working directory in SSH session
POST /api/v1/cockpit/ssh/sudo Execute command with sudo
POST /api/v1/cockpit/ssh/timestomp Copy timestamps between files

SSH Chunked Downloads:

Method Path Description
POST /api/v1/cockpit/ssh/download/init Initialize chunked download
POST /api/v1/cockpit/ssh/download/chunk Get next download chunk
POST /api/v1/cockpit/ssh/download/cancel Cancel chunked download

SSH Reverse Port Forwards:

Method Path Description
POST /api/v1/cockpit/ssh/rportfwd/start Start SSH reverse port forward
POST /api/v1/cockpit/ssh/rportfwd/stop Stop SSH reverse port forward
GET /api/v1/cockpit/ssh/rportfwd/:beaconId/:sessionId List SSH reverse port forwards

SSH SOCKS Proxy:

Method Path Description
POST /api/v1/cockpit/ssh/socks/start Start SOCKS proxy through SSH
POST /api/v1/cockpit/ssh/socks/stop Stop SSH SOCKS proxy
GET /api/v1/cockpit/ssh/socks/:beaconId List SSH SOCKS proxies
GET /api/v1/cockpit/ssh/socks/:beaconId/:sessionId Get specific SSH SOCKS proxy

SSH P2P (Peer-to-Peer):

Method Path Description
POST /api/v1/cockpit/ssh/p2p/connect Connect to peer through SSH
POST /api/v1/cockpit/ssh/p2p/unlink Unlink SSH P2P connection
POST /api/v1/cockpit/ssh/p2p/list List SSH P2P connections

SSH Pivot Listeners:

Method Path Description
POST /api/v1/cockpit/ssh/pivot/start Start pivot listener through SSH
POST /api/v1/cockpit/ssh/pivot/stop Stop SSH pivot listener
POST /api/v1/cockpit/ssh/pivot/list List SSH pivot listeners

PowerShell Operations

Method Path Description
POST /api/v1/cockpit/psinject Inject PowerShell into a process
POST /api/v1/cockpit/powerpick Execute PowerShell without powershell.exe

BOF Library

Manage and execute Beacon Object Files (BOFs).

Method Path Description
POST /api/v1/cockpit/bof/execute Execute a BOF
POST /api/v1/cockpit/bof/upload Upload a BOF to the library
GET /api/v1/cockpit/bof/list List BOFs in the library
DELETE /api/v1/cockpit/bof/:id Delete a BOF
POST /api/v1/cockpit/bof/pack Pack BOF arguments

Argument Spoofing

Method Path Description
POST /api/v1/cockpit/argue Configure argument spoofing rules

Postex Kit

Method Path Description
POST /api/v1/cockpit/postex/execute Execute a post-exploitation DLL
POST /api/v1/cockpit/postex/send Send data to a running postex job

Topology, Machines, and Playbooks

Method Path Description
GET /api/v1/cockpit/topology Get live network topology
GET /api/v1/cockpit/machines/:hostname Get machine details by hostname
GET /api/v1/cockpit/playbooks List all playbooks
POST /api/v1/cockpit/playbooks Create a playbook
GET /api/v1/cockpit/playbooks/:id Get playbook details
PUT /api/v1/cockpit/playbooks/:id Update a playbook
DELETE /api/v1/cockpit/playbooks/:id Delete a playbook
POST /api/v1/cockpit/playbooks/:id/execute Execute a playbook

LDAP Queries

Method Path Description
POST /api/v1/cockpit/ldap/query Execute an LDAP query through a beacon
GET /api/v1/cockpit/ldap/templates Get pre-built LDAP query templates

Windows Error Lookup

Method Path Description
GET /api/v1/cockpit/winerror/stats Windows error code database stats
GET /api/v1/cockpit/winerror/lookup/:code Look up a Windows error code

Profiles

Malleable C2 profiles define how implant traffic looks on the wire.

Method Path Description
POST /api/v1/profiles Create a profile
GET /api/v1/profiles List all profiles
GET /api/v1/profiles/:id Get profile details
PUT /api/v1/profiles/:id Update a profile
DELETE /api/v1/profiles/:id Delete a profile
POST /api/v1/profiles/lint Validate a profile for syntax errors 
# Lint a profile before saving
curl -s -X POST https://stentor.app/api/v1/profiles/lint \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"content": "http-get { set uri \"/updates\"; ... }"}'

Certificates

Code-signing certificates for payload signing.

Method Path Description
POST /api/v1/certificates Upload a certificate
GET /api/v1/certificates List all certificates
GET /api/v1/certificates/:id Get certificate details
DELETE /api/v1/certificates/:id Delete a certificate
POST /api/v1/sign Sign a payload with a certificate

Phishing

Spear phishing campaign management.

Method Path Description
GET /api/v1/phishing/campaigns List phishing campaigns
POST /api/v1/phishing/campaigns Create a campaign
GET /api/v1/phishing/campaigns/:id Get campaign details
DELETE /api/v1/phishing/campaigns/:id Delete a campaign
POST /api/v1/phishing/campaigns/:id/targets/import Import targets from CSV
GET /api/v1/phishing/campaigns/:id/targets List campaign targets
POST /api/v1/phishing/campaigns/:id/send Send phishing emails
POST /api/v1/phishing/campaigns/:id/attachments Upload email attachment
GET /api/v1/phishing/campaigns/:id/attachments List attachments
DELETE /api/v1/phishing/campaigns/:id/attachments/:attachmentId Delete attachment
POST /api/v1/phishing/campaigns/:id/preview Preview email rendering
POST /api/v1/phishing/campaigns/:id/template/import Import email from EML file

Scripts

CNA (Aggressor Script) management and REPL console.

Method Path Description
POST /api/v1/scripts/load Load a CNA script
POST /api/v1/scripts/unload Unload a running script
POST /api/v1/scripts/reload Reload a script
GET /api/v1/scripts List loaded scripts
POST /api/v1/scripts/eval/x Evaluate expression (x command)
POST /api/v1/scripts/eval/e Evaluate script block (e command)
POST /api/v1/scripts/eval/q Query script state (q command)
GET /api/v1/scripts/help Get script help text
POST /api/v1/scripts/tab-complete Tab completion for script console
GET /api/v1/scripts/menubars Get menubar entries from scripts
GET /api/v1/scripts/popups/:hook Get popup menu items for a hook
POST /api/v1/scripts/popups/execute Execute a popup menu item
POST /api/v1/scripts/dialog-response Submit a dialog response

Extensions

Armory-style extension management (BOF packs, third-party tools).

Method Path Description
GET /api/v1/extensions List installed extensions
GET /api/v1/extensions/catalog Browse the extension catalog
GET /api/v1/extensions/:id Get extension details
POST /api/v1/extensions/install Install extension from catalog
POST /api/v1/extensions/upload Upload a custom extension
DELETE /api/v1/extensions/:id Remove an extension
POST /api/v1/extensions/:id/update Update an extension
POST /api/v1/extensions/:id/toggle Enable/disable an extension

C2 Campaigns

Operational campaign management for organizing beacons, listeners, and engagement tracking.

Method Path Description
POST /api/v1/c2/campaigns Create a campaign
GET /api/v1/c2/campaigns List all campaigns
GET /api/v1/c2/campaigns/:id Get campaign details
PUT /api/v1/c2/campaigns/:id Update a campaign
DELETE /api/v1/c2/campaigns/:id Delete a campaign
POST /api/v1/c2/campaigns/:id/beacons Associate a beacon with campaign
DELETE /api/v1/c2/campaigns/:id/beacons/:beaconId Disassociate a beacon
GET /api/v1/c2/campaigns/:id/beacons List campaign beacons
POST /api/v1/c2/campaigns/:id/listeners Link a listener to campaign
DELETE /api/v1/c2/campaigns/:id/listeners/:listenerId Unlink a listener
GET /api/v1/c2/campaigns/:id/listeners List linked listeners
GET /api/v1/c2/campaigns/:id/activity Get campaign activity log
GET /api/v1/c2/campaigns/:id/credentials Get campaign credentials
GET /api/v1/c2/campaigns/:id/export Export campaign data
GET /api/v1/c2/campaigns/:id/report/social-eng Generate social engineering report
POST /api/v1/c2/campaigns/:id/report/custom Execute custom report template
POST /api/v1/c2/campaigns/:id/report/validate-template Validate a report template
POST /api/v1/c2/campaigns/:id/record-mode Set recording mode

Targets

Discovered hosts on the network.

Method Path Description
GET /api/v1/targets List all targets
POST /api/v1/targets Create a target
POST /api/v1/targets/batch Batch create targets
POST /api/v1/targets/import/nmap Import targets from Nmap XML
PUT /api/v1/targets/bulk-os Bulk update OS information
GET /api/v1/targets/:id Get target details
PUT /api/v1/targets/:id/note Update target note
DELETE /api/v1/targets/:id Delete a target

Services

Discovered network services (ports, protocols).

Method Path Description
GET /api/v1/services List all services
POST /api/v1/services Create a service entry
PUT /api/v1/services/:id/note Update service note
DELETE /api/v1/services/:id Delete a service

Downloads

Centralized download history for files retrieved from beacons.

Method Path Description
GET /api/v1/downloads List all downloads
DELETE /api/v1/downloads/:id Delete a download record

Keystrokes

Aggregated keylogger results across all beacons.

Method Path Description
GET /api/v1/keystrokes List all captured keystrokes
GET /api/v1/keystrokes/captured List all keystrokes from cloned sites

Screenshots

Aggregated screenshot results across all beacons.

Method Path Description
GET /api/v1/screenshots List all captured screenshots

Cloned Sites

Site cloning for phishing and payload delivery.

Method Path Description
POST /api/v1/sites Create a cloned site
GET /api/v1/sites List cloned sites
GET /api/v1/sites/:id Get cloned site details
GET /api/v1/sites/:id/keystrokes List keystrokes captured from site
DELETE /api/v1/sites/:id Delete a cloned site

System Profiler

Target reconnaissance via browser profiling.

Method Path Description
GET /api/v1/profiler/visits List profiler visits
POST /api/v1/profiler/visits Record a visit
GET /api/v1/profiler/stats Get profiler statistics
DELETE /api/v1/profiler/visits Clear all visits

Kits

Artifact Kit, Resource Kit, and Sleep Mask Kit template management.

Method Path Description
POST /api/v1/kits/upload Upload a kit template
GET /api/v1/kits List all kits
GET /api/v1/kits/artifact Export artifact kit
GET /api/v1/kits/:id Get kit by ID
GET /api/v1/kits/:id/download Download kit file
DELETE /api/v1/kits/:id Delete a kit

Guacamole (VM Access)

Apache Guacamole integration for remote desktop access to lab VMs.

Method Path Description
GET /api/v1/guacamole/connections List connections
POST /api/v1/guacamole/connections Create a connection
GET /api/v1/guacamole/connections/:id Get connection details
GET /api/v1/guacamole/connections/:id/session Get active session
DELETE /api/v1/guacamole/connections/:id Delete a connection

Operator Preferences

Per-operator settings with JSONB storage.

Method Path Description
GET /api/v1/preferences Get operator preferences
PUT /api/v1/preferences Update preferences
POST /api/v1/preferences/logo Upload custom logo
GET /api/v1/preferences/logo Get custom logo
DELETE /api/v1/preferences/logo Remove custom logo

Audit Trail

Audit log for operator actions (admin only for listing).

Method Path Description
GET /api/v1/audit/events List audit events

Stats

Sidebar aggregation counts.

Method Path Description
GET /api/v1/stats/counts Get counts for sidebar (beacons, listeners, sessions, etc.)

Admin

Administrative data management endpoints.

Method Path Description
POST /api/v1/admin/data/clear Clear data by category (admin only)
GET /api/v1/admin/data/categories Get available data categories

C2 Profiles (Legacy)

File-based C2 profile listing (used by payload generation wizard).

Method Path Description
GET /api/v1/c2/profiles List file-based C2 profiles

C2 Protocol Endpoints

Internal Use Only

These endpoints are used by the relay and implant for C2 communication. They are not authenticated via JWT -- the relay uses a shared secret, and the implant uses encrypted key exchange. Do not call these endpoints from operator tools.

Method Path Description
POST /api/v1/c2/beacon Beacon check-in (heartbeat)
POST /api/v1/c2/task Retrieve pending tasks
POST /api/v1/c2/result Submit task results
GET /api/v1/c2/pubkey Get RSA public key for key exchange
POST /api/v1/c2/keyx Perform key exchange (RSA-OAEP + AES-256-GCM)

Relay WebSocket

The relay connects to the backend via WebSocket for real-time C2 forwarding.

Path Description
GET /ws/relay Relay agent WebSocket (authenticated via relay secret header)

This endpoint is not called by operators. See the WebSocket Protocol page for the operator-facing CockpitHub WebSocket.