External C2¶

The External C2 listener enables integration with third-party C2 frameworks (Metasploit, Sliver, custom controllers) by exposing a TCP interface that proxies C2 traffic through Stentor's relay infrastructure. This allows external tools to control Stentor beacons or relay traffic through Stentor's transport layer.

This is equivalent to Cobalt Strike's External C2 specification.

Configuration¶

Create an External C2 Listener¶

curl -s -X POST https://stentor.app/api/v1/listeners \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "External C2",
    "type": "external_c2",
    "port": 2222,
    "relay_id": "RELAY_UUID"
  }'

Protocol¶

The External C2 protocol uses 4-byte little-endian length-prefixed frames over TCP:

[length (4 bytes LE)] [frame data (N bytes)]

Handshake Flow¶

1. Controller connects to the External C2 TCP port
2. Optional metadata frames: arch=x64, pipename=\\.\pipe\beacon, block=100
3. Optional stager request: Controller sends stager frame to receive beacon shellcode
4. Session start: Controller sends go frame to initiate the beacon session
5. Bidirectional proxy: Controller sends task frames, relay responds with pending output

Metadata Options¶

Use Cases¶

• Metasploit integration: Route Meterpreter sessions through Stentor infrastructure
• Custom transport development: Build custom C2 transports that plug into the Stentor relay
• Framework chaining: Use Stentor as a relay layer for other C2 frameworks
• Research: Test custom C2 protocols using Stentor's beacon infrastructure