UI Walkthrough¶
A guided tour of the Stentor operator interface -- from the sidebar navigation to the cockpit workspace where you interact with beacons in real time.
Stentor uses a single-page React application with a collapsible sidebar for navigation and a central content area that adapts to each page. The interface supports both dark and light mode (toggle in the top-right of any page), is mobile-responsive, and includes a command palette for fast navigation.
Sidebar Navigation¶
The sidebar is organized into five groups that mirror the operator workflow: operate, manage what you deploy, collect intelligence, report findings, and configure the system.
Collapsible Sidebar
Click the Collapse button at the bottom of the sidebar (or the expand chevron when collapsed) to switch between full labels and icon-only mode. The sidebar remembers your preference across sessions using localStorage. In collapsed mode, hover over any icon to see its label and live count in a tooltip.
Operate¶
Day-to-day operational pages for running engagements.
| Page | Description |
|---|---|
| Dashboard | Landing page after login. Shows an operational summary of active beacons, running listeners, and recent activity. |
| Cockpit | The primary operator workspace. Pivot graph, interactive shell, and beacon detail panels. See The Cockpit below. |
| LDAP Browser | Browse and query Active Directory objects via LDAP. Useful for reconnaissance and target discovery during engagements. |
Manage¶
Configure and deploy the tools and infrastructure used during an engagement.
| Page | Description |
|---|---|
| Listeners | Create, start, stop, and configure C2 listeners (HTTP/S, DNS, SMB). Each listener is assigned to a relay agent. |
| Payloads | Generate implant payloads in various formats (EXE, DLL, shellcode, staged/stageless). |
| Profiles | Manage malleable C2 profiles that control how implant traffic looks on the wire. |
| Artifact Kit | Customize payload templates and artifacts used during payload generation. |
| Resource Kit | Manage resource files (scripts, HTA, macros) used in social engineering and delivery. |
| Sleep Mask Kit | Configure sleep masking techniques that protect the implant in memory between check-ins. |
| Extensions | Load and manage BOF (Beacon Object File) extensions and third-party modules. |
| Phishing | Create and manage phishing campaigns with email templates, landing pages, and tracking. |
Collect¶
View intelligence gathered from compromised targets.
| Page | Description |
|---|---|
| Targets | All discovered machines across the engagement, whether compromised or not. |
| Applications | Applications discovered on target machines. |
| Services | Network services identified during scanning and post-exploitation. |
| Credentials | Harvested credentials (passwords, hashes, tickets) from all sources. |
| Downloads | Files downloaded from target machines. |
| Keystrokes | Captured keystrokes from keylogger modules running on targets. |
| Screenshots | Screenshots captured from target desktops. |
Report¶
Generate engagement deliverables.
| Page | Description |
|---|---|
| Campaigns | Manage phishing campaign results and statistics. |
| Reports | Generate engagement reports with activity timelines, IOCs, and findings. |
System¶
Platform configuration and administration.
| Page | Description |
|---|---|
| Scripts | CNA (Cobalt Strike Aggressor) script editor with Monaco code editing. Load, edit, and run automation scripts. |
| Profiler | View system profiling data and connection diagnostics. |
| Infrastructure | Manage relay agents, redirectors, and C2 infrastructure topology. |
| Preferences | Operator-level settings: accent color, console font size, notification preferences, and display options. |
Live Count Badges¶
Several sidebar items display live count badges showing real-time data:
- Cockpit -- number of active beacons
- Listeners -- number of running listeners
- Targets -- total discovered targets
- Services -- total discovered services
- Credentials -- total harvested credentials
- Downloads -- total downloaded files
- Keystrokes -- total keystroke captures
- Screenshots -- total captured screenshots
These counts update automatically via a single consolidated API call, so you always have situational awareness at a glance.
The Cockpit¶
The cockpit is the primary operator workspace -- the page you will spend most of your time on during an engagement. It provides a two-panel resizable layout: a topology view on top and an interactive console on the bottom.
Topology View¶
The top panel offers two view modes, toggled via the graph/list buttons in the cockpit header:
- Graph View (Pivot Graph)
-
A visual network topology powered by React Flow. Machines appear as interactive nodes connected by edges representing network relationships. Compromised machines display beacon indicators, and the graph updates in real time as beacons check in or go offline.
- Click a node to select it and view its details
- Right-click (or double-click) a node to open the context menu -- a full operational command palette with 12 technique categories, real-time search, favorites, and OPSEC risk indicators. See the Context Menu Guide for complete documentation
- Drag nodes to rearrange the layout
- Multi-select nodes for batch operations
- The layout strategy can be switched between hierarchy and other arrangements
- Table View (Beacon Table)
-
A tabular list of all beacons with sortable columns showing hostname, username, PID, integrity level, OS, internal/external IP, sleep interval, and last check-in time. Right-click any row to access the same context menu as the graph view.
View Persistence
Your preferred view mode (graph or table) is saved in localStorage, so it persists across page navigations and sessions.
Interactive Console¶
The bottom panel is a tabbed console interface where you interact with beacons and view operational events.
- Shell Tabs
-
Each beacon shell opens in its own tab. Type commands directly into the terminal-style input, and output appears inline with timestamps and task status indicators. Multiple shell tabs can be open simultaneously, and you can drag-and-drop tabs to reorder them.
Common shell commands include
ls,ps,pwd,download,upload,screenshot,hashdump,mimikatz, and dozens more. Tab completion helps you discover available commands. - Special Tabs
-
The context menu can open specialized tabs beyond the basic shell:
- Files -- graphical file browser for the target machine
- Processes -- live process list with filtering and injection options
- Desktop -- VNC-style remote desktop view of the target
- SOCKS -- SOCKS proxy tunnel management
- Port Forwards -- port forwarding configuration
- Event Log
-
A dedicated event log tab shows operational events across all beacons: new check-ins, completed tasks, errors, and system notifications. This provides a unified timeline of engagement activity.
Cockpit Header¶
The header bar across the top of the cockpit shows:
- Connection status -- a pulsing indicator showing whether the relay WebSocket is online or offline
- View toggle -- switch between graph and table view
- Beacon count -- total active beacons across all targets
- Target count -- total discovered machines in the topology
Boot Sequence
The first time you visit the cockpit in a session, a brief boot sequence animation plays. This only runs once per browser session.
Command Palette¶
Press Cmd+K (macOS) or Ctrl+K (Windows/Linux) from any page to open the command palette.
The command palette provides:
- Quick navigation -- type a page name to jump directly to it (e.g., "listeners", "scripts", "cockpit")
- Command execution -- run actions without navigating to the relevant page
- Search -- find beacons, targets, listeners, and other entities by name or property
The search bar in the sidebar (visible when the sidebar is expanded) also opens the command palette when clicked.
Keyboard Shortcuts¶
Stentor supports Vim-style keyboard shortcuts for fast navigation without reaching for the mouse.
Navigation shortcuts use a two-key sequence starting with G:
| Shortcut | Destination |
|---|---|
| G then D | Dashboard |
| G then C | Cockpit |
| G then L | Listeners |
| G then P | Payloads |
| G then S | Scripts |
Full Shortcuts List
Access the complete keyboard shortcuts reference at Help > Keyboard Shortcuts in the sidebar, or navigate directly to /help/shortcuts.
Dashboard¶
The Dashboard is the landing page after login. It provides an operational summary showing:
- Active beacon count and recent check-in activity
- Running listener status
- Recent tasks and their outcomes
- Quick links to common actions (create listener, generate payload, open cockpit)
Think of the Dashboard as your morning briefing -- a quick snapshot of the engagement state before diving into the Cockpit.
Multi-Server Mode¶
When you connect to two or more Stentor servers simultaneously, a server switch bar appears at the bottom of the screen. This enables distributed operations -- managing multiple independent C2 servers from a single browser session.
Each server connection is independent with its own beacons, listeners, and data. The switch bar lets you toggle the active server context, and the cockpit, shell commands, and API calls route to whichever server is currently selected.
Advanced Feature
Multi-server mode is designed for large engagements with distributed infrastructure. For single-server setups (the common case), the switch bar does not appear and no additional configuration is needed. See the Multi-Server API documentation for details.
Next Steps¶
Now that you know your way around the interface, learn how the underlying C2 platform works:
- Core Concepts -- understand beacons, listeners, relays, and the C2 lifecycle
- Listeners & Transports -- set up your first listener