Version: 1.1
Date: 2025-07-15
Purpose: Standardized communication protocol between beacons and the C2 manager
BeaconatorC2 uses a pipe-delimited (|) protocol for all beacon-to-manager communication. This document defines the standard communication patterns to ensure consistency across all receiver implementations and beacon types.
All commands follow the basic format:
{command}|{parameter1}|{parameter2}|...
- Delimiter: Pipe character (
|) - Encoding: UTF-8 text (with optional encoding strategies)
- Transport: TCP, UDP, SMB, HTTP, or Metasploit sessions
* Required commands
| Command | Direction | Format | Purpose | Parameters | Response |
|---|---|---|---|---|---|
register* |
Beacon → Server | register|{beacon_id}|{computer_name} | Initial beacon registration | beacon_id, computer_name | "Registration successful" |
request_action* |
Beacon → Server | request_action|{beacon_id} | Request pending commands | beacon_id | Command or "no_pending_commands" |
execute_module* |
Server → Beacon | execute_module|{module}|{params} | Execute beacon module | module_name, parameters | Executes module |
command_output* |
Beacon → Server | command_output|{beacon_id}|{output} | Submit command results | beacon_id, output | None (logged) |
shutdown* |
Server → Beacon | shutdown | Terminate beacon | None | Beacon exits |
execute_command |
Server → Beacon | execute_command|{command} | Execute raw OS command | command_string | Executes command |
checkin |
Beacon → Server | checkin|{beacon_id} | Heartbeat without command request | beacon_id | "Check-in acknowledged" |
keylogger_output |
Beacon → Server | keylogger_output|{beacon_id}|{keystrokes} | Submit keylogger data | beacon_id, encoded_keystrokes | None (logged) |
to_beacon |
Server → Beacon | to_beacon|{filename} | Download file to beacon | filename | File transfer |
from_beacon |
Beacon → Server | from_beacon|{filename} | Upload file from beacon | filename | File transfer |
download_complete |
Beacon → Server | download_complete|{beacon_id}|{filename} | Report successful download | beacon_id, filename | None (logged) |
download_failed |
Beacon → Server | download_failed|{beacon_id}|{filename} | Report failed download | beacon_id, filename | None (logged) |
register|{beacon_id}|{computer_name}
Purpose: Initial beacon registration with the C2 server
Parameters:
beacon_id: Unique identifier for the beacon (8-16 chars, alphanumeric)computer_name: System hostname/computer name
Server Response: "Registration successful" or error message
Implementation: Required by all receivers
Example:
register|a1b2c3d4|DESKTOP-ABC123
request_action|{beacon_id}
Purpose: Beacon requests pending commands from server
Parameters:
beacon_id: Beacon identifier
Server Response: Queued command or "no_pending_commands"
Frequency: Every 15-60 seconds (configurable)
Example:
request_action|a1b2c3d4
checkin|{beacon_id}
Purpose: Status heartbeat without requesting commands
Parameters:
beacon_id: Beacon identifier
Server Response: "Check-in acknowledged"
Usage: Lightweight status updates
execute_command|{command}
Purpose: Execute arbitrary system commands
Direction: Server → Beacon
Parameters:
command: Raw OS command string
Usage: Direct shell/cmd execution (e.g., whoami, systeminfo, ls -la)
Example:
execute_command|whoami
execute_module|{module_name}|{parameters}
Purpose: Execute predefined beacon modules with structured parameters
Direction: Server → Beacon
Parameters:
module_name: Name of the module to executeparameters: Comma-separated parameter list (optional)
Examples:
execute_module|BasicRecon
execute_module|PortScanner|192.168.1.1-254,80,443,3389
execute_module|EncryptDirectory|C:\temp,txt,MySecretKey123
command_output|{beacon_id}|{output}
Purpose: Beacon reports command execution results
Direction: Beacon → Server
Parameters:
beacon_id: Beacon identifieroutput: Command output (stdout/stderr combined)
Server Processing:
- Logged to
output_{beacon_id}.txtin logs directory - Clears pending command for the beacon
- Updates last response timestamp
Example:
command_output|a1b2c3d4|DESKTOP-ABC123\user1
keylogger_output|{beacon_id}|{encoded_keystrokes}
Purpose: Specialized output for keylogger data
Direction: Beacon → Server
Parameters:
beacon_id: Beacon identifierencoded_keystrokes: URL-encoded keystroke data
Encoding:
%20= Space%0A= Newline%09= Tab- Special characters URL-encoded for safe transmission
Server Processing: Logged to keylogger_output_{beacon_id}.txt
to_beacon|{filename}
Purpose: Beacon downloads file from server
Direction: Server → Beacon
Parameters:
filename: Name of file in server's files directory
Process Flow:
- Server sends
to_beacon|filename - Server immediately begins sending file data in chunks
- Beacon receives and reassembles file
- Optional: Beacon reports completion status
Supported Transports: TCP, SMB, HTTP
Not Supported: UDP (returns ERROR)
from_beacon|{filename}
Purpose: Beacon uploads file to server
Direction: Beacon → Server
Parameters:
filename: Name of file being uploaded
Process Flow:
- Beacon sends
from_beacon|filename - Server responds
"READY" - Beacon sends file data in chunks
- Server responds
"SUCCESS"or"ERROR|details"
Supported Transports: TCP, SMB, HTTP
Not Supported: UDP (returns ERROR)
download_complete|{beacon_id}|{filename}
download_failed|{beacon_id}|{filename}
Purpose: Beacon reports file transfer status
Direction: Beacon → Server
Usage: Optional status reporting for file operations
Commands are defined in YAML schemas with standardized templates:
command_template: '{command}'Result: Direct parameter substitution
command_template: 'execute_module|ModuleName|{param1},{param2}'Result: Structured module execution with parameters
# Simple module
command_template: 'execute_module|BasicRecon'
# Parameterized module
command_template: 'execute_module|PortScanner|{target_ips},{ports},{timeout},{threads}'
# Complex module
command_template: 'execute_module|EncryptDirectory|{directory_path},{file_extensions},{encryption_key}'- Full Protocol Support: All commands supported
- Connection Type: Persistent socket connections
- File Transfers: Full chunked transfer with progress tracking
- Threading: Multi-threaded connection handling
- Encoding: All encoding strategies supported
- Limited Protocol Support: No file transfers
- Connection Type: Stateless datagram processing
- File Transfers: Returns
"ERROR|File transfer not supported over UDP" - Threading: Single-threaded datagram handling
- Encoding: All encoding strategies supported
- Use Case: Lightweight command execution and status updates
- Full Protocol Support: All commands supported
- Connection Type: Named pipes (Windows) / FIFOs (Unix)
- File Transfers: Custom pipe-based chunked transfer
- Platform Differences:
- Windows: Native named pipes (
\\.\pipe\{name}) - Unix: FIFO simulation (
/tmp/beaconator_c2_pipes/{name})
- Windows: Native named pipes (
- Encoding: All encoding strategies supported
- Full Protocol Support: All commands supported
- Connection Type: HTTP REST API server (GET/POST requests)
- File Transfers: HTTP POST/multipart upload and chunked download
- Endpoint: Root path ("/") for clean URL structure
- Threading: Multi-threaded HTTP request handling
- Encoding: All encoding strategies supported
- Request Methods:
- GET: Command requests and file downloads
- POST: Command output submission and file uploads
- Special Integration: Monitors Metasploit sessions as beacons
- Auto-Registration: Sessions register automatically as
msf_session_{id} - Limited Interaction: Primarily read-only monitoring
- Command Injection: Supports shellcode injection via
inject_shellcode|{base64_data}
All receivers support pluggable encoding for data obfuscation:
- PlainText: No encoding (UTF-8)
- Base64: Standard base64 encoding
- XOR: XOR encryption with configurable key
- Command transmission (both directions)
- File transfer data
- Response messages
# Example encoding strategy instantiation
encoding_strategy = Base64Encoding()
encoded_data = encoding_strategy.encode(b"command_data")ERROR|{error_description}
ERROR|File transfer not supported over UDPERROR|File not foundERROR|Invalid command formatERROR|Connection timeout
- Implement Core Commands: Register, request_action, checkin, command_output
- Handle File Transfers: Implement to_beacon/from_beacon or return appropriate errors
- Support Encoding: Use provided encoding strategy interfaces
- Error Handling: Return standardized error messages
- Logging: Log all communications for debugging
- Generate Unique IDs: Use system info + script path if desired, but the manager will accept most things.
- Implement Heartbeat: Regular request_action calls (15-60 seconds)
- Handle All Response Types: Commands, file transfers, errors
- Support Protocol Switching: Allow runtime protocol configuration
- Graceful Degradation: Handle unsupported features (e.g., UDP file transfers)
- Use Standard Templates: Follow execute_command vs execute_module patterns
- Parameter Validation: Define proper validation rules
- Clear Documentation: Provide examples and usage notes
- Platform Awareness: Note platform-specific limitations
- Basic Registration: Beacon successfully registers and appears in UI
- Command Execution: Both execute_command and execute_module work
- File Transfers: Upload/download work for supported protocols
- Error Handling: Unsupported operations return proper errors
- Protocol Switching: Same beacon works across different receivers
- Encoding: All encoding strategies function correctly
- Beacon registers successfully
- Commands execute and return output
- File transfers work (TCP/SMB only)
- Encoding/decoding functions properly
- Logs are generated correctly