Browser-based operator console for the CipherC2 platform. Gives a team of operators a shared, persistent view into a live Sliver C2 engagement — sessions, beacons, victims, post-exploitation primitives, implant generation, initial access tooling — without touching the Sliver CLI.
The frontend is one interface into the CipherC2 API. An MCP server is another. Both operate against the same REST layer and the same MongoDB-backed operational state.
Live session enumeration reconciled against the MongoDB session store, so full history — including dead implants — is always visible regardless of whether the Sliver server has restarted. Each session row shows transport, OS, remote address, first contact, and last check-in. Active and dead sessions are separated by liveness state derived from the backend reconciliation diff.
Clicking into a session opens the full detail view — OS, architecture, PID, UID, GID, file path, reconnect interval, burned flag, and a live ifconfig from the interactive session handle — with direct access to every post-exploitation primitive from the same view.
The victims view groups all sessions by SHA-256 device fingerprint (hostname + username + UID), giving operators a per-device history across multiple implant sessions on the same host — rather than a flat list of disconnected session IDs.
GeneratePanel constructs the full ImplantConfig payload — OS, architecture, output format (EXE, shellcode, DLL, service), C2 URLs, transport, beacon interval and jitter, reconnect interval, evasion flags — and POSTs it to the backend, which calls client.generate_implant() over gRPC and streams the compiled binary back for immediate download. Implant metadata is catalogued in MongoDB and accessible from the implant detail view.
ListenersPanel starts and terminates HTTP, HTTPS, DNS, TCP, mTLS, and WireGuard listeners. JobsList shows all active Sliver jobs with status.
All post-exploitation primitives are dispatched through an interactive_session handle, opened by calling client.interact_session(session_id) on the backend. Each is a standalone component in the session detail view.
Screenshot capture — raw PNG piped directly from the Sliver implant channel, no additional process spawned on the target.
File system browser — remote directory traversal with file download. DeviceFileUploads handles staging files back to the compromised host, with per-device SQLite-backed sync state tracking transitions from pending → uploaded → synced.
Network connections — active TCP/UDP connections enumerated with PID attribution (IPv4 and IPv6).
Command execution — dispatches to cmd.exe /c <command> or directly executes a binary path on the target, with stdout/stderr returned.
Additional primitives in the session view: ProcessList (full process enumeration with PID/PPID/owner), Rev2Self (drop impersonation tokens), PingSession (liveness check), PivotListeners (pivot configuration), Windows registry enumeration and query.
Payload generation for the pre-exploitation phase. HTA stager generation (VBScript embedded in an HTML Application file) and steganographic ZIP delivery using a custom magic byte sequence.
Tool catalog with download support. Planned expansion: tool staging through the file sync pipeline so operators can push tools directly to compromised hosts, with LLM-assisted selection based on session context (privilege level, process list, OS).
The frontend is one way to operate CipherC2. The other, explored in parallel, was wiring an LLM directly into the same REST API through a custom MCP server. With the MCP layer active, an agent can query live and historical sessions, pull process and network data from a specific host, generate implants, and read operator audit logs — all through the same endpoints the UI calls.
The planned expansion includes a CVE database with vector embeddings: opening a session would automatically trigger a semantic search against OS version, running processes, and open ports to surface relevant vulnerabilities inline in the session detail view — without leaving the console.
Full AI roadmap: C2-Control-Panel — AI Integration
Three React Context providers handle orthogonal concerns:
DashboardContext — owns all operational data: sessions, beacons, operators, jobs, Sliver connection state. Uses a ref-based client-side cache (5-minute TTL) to avoid redundant API calls across tab switches. Runs four independent polling intervals on mount: sessions, jobs, and beacons every 30s; operators every 60s; Sliver connection health check every 30s. forceRefresh() invalidates specific cache keys on demand.
AuthContext — JWT lifecycle: login, logout, token persistence in localStorage, user state.
UserActivityContext — writes operator-side telemetry (page visits, active time) to the backend on navigation events, feeding the per-operator SIEM data stored in MongoDB.
Single Axios instance in api.js with two interceptors. Request interceptor injects Authorization: Bearer <token> from localStorage on every call. Response interceptor handles 401 by clearing the token and redirecting to /login, so token expiry is transparent to every component without per-route error handling.
React Router 7, route-per-view. Every dashboard tab, session detail, device view, file explorer, implant detail, and operator activity dashboard is a separate route. All protected routes gate on AuthContext user state via ProtectedRoute.
| Framework | React 19 + Vite 6 |
| Styling | Tailwind CSS 4 |
| Routing | React Router 7 |
| HTTP | Axios with request/response interceptors |
| Maps | Leaflet + React-Leaflet (GeoIP visualization) |
| Animation | Framer Motion |
| Icons | Lucide React |
| UI | Material UI (MUI Lab) |
| Date handling | date-fns |
- Node.js 18+
- CipherC2 backend running and reachable
git clone https://github.com/vermarjun/CipherC2-Frontend.git
cd CipherC2-Frontend
npm install
cp example.env .env
# Set VITE_API_URL to your backend addressnpm run dev # development
npm run build # production build → dist/Two-stage build — Vite build in Node, served by Nginx. The included nginx.conf handles SPA routing (all paths fall back to index.html).
docker build -t cipherc2-frontend .
docker run -p 80:80 cipherc2-frontendsrc/
├── pages/
│ ├── Login.jsx
│ └── dashboard/
│ ├── SessionsTab.jsx # Live/dead session list
│ ├── BeaconsTab.jsx
│ ├── VictimsTab.jsx # Device-correlated host history
│ ├── OperatorsTab.jsx
│ ├── OperationsTab.jsx # Listeners, jobs, implant generation
│ ├── AccessTab.jsx # Initial access payload generation
│ ├── ArmouryTab.jsx
│ └── UserActivityDashboard.jsx
├── components/
│ ├── SessionDetail.jsx # Post-ex dispatch hub
│ ├── DeviceDetailView.jsx # Per-device session history by fingerprint
│ ├── DeviceFileUploads.jsx # File staging with SQLite sync state
│ ├── GeneratePanel.jsx # ImplantConfig builder + binary download
│ ├── ListenersPanel.jsx
│ ├── ProcessList.jsx
│ ├── NetworkConnections.jsx
│ ├── Filesystem.jsx
│ ├── Screenshotcapture.jsx
│ ├── Rev2Self.jsx
│ ├── PingSession.jsx
│ ├── PivotListeners.jsx
│ ├── ImplantDetail.jsx
│ ├── UserActivityDashboard.jsx
│ ├── OperatorActivityDashboard/
│ ├── Access/
│ │ ├── InitialAccessVectors.jsx
│ │ ├── Loaders.jsx
│ │ └── Reference.jsx
│ └── Armoury/
│ ├── ToolList.jsx
│ └── ToolCard.jsx
├── context/
│ ├── AuthContext.jsx # JWT state
│ ├── DashboardContext.jsx # Operational data, 5-min cache, polling
│ └── UserActivityContext.jsx # Operator telemetry writes
├── config.js # VITE_API_URL resolution
├── api.js # Axios instance + auth interceptors
└── App.jsx # Route tree + ProtectedRoute
- C2-Control-Panel — the FastAPI backend, MCP layer, and full technical design
For authorized security testing only. Use exclusively on infrastructure you own or have explicit written permission to test.
Built by Arjun Verma