New Firewall Module

Discussion in 'General' started by Anashel, Oct 13, 2017.

  1. Anashel

    Anashel Puppet Master Staff Member
    I am excited to share some details on the new firewall module and its first implementation (available now in Alpha 0.8.9!).
    First, you can access the firewall status interface at the bottom of the screen (it's the third icon on the right).

    By default, Stinger OS uses your localhost when navigating on the internet. If you connect using a Turbine C2 card, all your traffic will pass through that proxy before reaching the internet, effectively concealing you from your target.

    During an attack, there is a risk that you may be detected, and stopped by your target's defenses. When this happens, Stinger OS will display an alert that you have been banned by the target's firewall.
    Once banned, you will be unable to make any request to the target's server (e.g. Foxacid, Fingerprint, etc.). The duration of the ban may vary, depending on the automated defences that caught your attack. For now, 3 levels are implemented:
    • Lvl 1 "Too many requests": You have been banned for 60 seconds
    • Lvl 2 "IP Locked": You have been banned for 10 minutes
    • Lvl 3 "Excessive Usage": You have been banned for 30 minutes

    The firewall status will report all active bans for your current network connection.
    To continue your attack, you will need to connect via a different network using another Turbine C2 card, or wait for the ban to expire.

    And that's where the fun starts. When you use a Turbine C2 card and that connection is banned, you are exposing your rootkit in the proxy's system. If detected, your rootkit will be removed and you will have to hack the network all over again to regain access to that Turbine C2 card.

    Highly protected networks will require an attack strategy: doing your fingerprint and Foxacid attacks via different proxies, distributing your overall exposure across various Turbine C2 cards to avoid losing them, and so on.

    If you are not careful, you could easily get multiple bans and trigger a domino effect that will cost you valuable Turbine C2 cards.

    Future updates to these mechanics will include more advanced cloaking strategies, and even the possibility of being attacked by your target or another organisation.

    That's it for now! The firewall module is active in the current Alpha 0.8.9.
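The ban mechanic described in the announcement, as an added illustration that is not the game's own code: bans are attached to the network connection in use (localhost or a specific Turbine C2 card), are per target server, and expire after the level's duration. The connection and target names are constructed examples, and the clock is passed in explicitly so the behaviour is deterministic.

```python
from dataclasses import dataclass

# Ban tiers from the announcement: level -> (firewall message, duration in seconds)
BAN_LEVELS = {
    1: ("Too many requests", 60),
    2: ("IP Locked", 10 * 60),
    3: ("Excessive Usage", 30 * 60),
}


@dataclass
class Ban:
    connection: str   # network the request went out on (localhost or a C2 card); assumed naming
    target: str       # server that issued the ban
    level: int
    expires_at: float


class FirewallStatus:
    """Tracks active bans per network connection, like the in-game status panel."""

    def __init__(self):
        self.bans = []

    def ban(self, connection, target, level, now):
        """Record a ban of the given level; returns the firewall message shown to the player."""
        message, duration = BAN_LEVELS[level]
        self.bans.append(Ban(connection, target, level, now + duration))
        return message

    def active_bans(self, connection, now):
        """All bans still in force for this connection (what the status panel reports)."""
        return [b for b in self.bans if b.connection == connection and b.expires_at > now]

    def can_request(self, connection, target, now):
        """A request is blocked only if this connection holds an active ban from this target."""
        return not any(b.target == target for b in self.active_bans(connection, now))

    def seconds_remaining(self, connection, target, now):
        """Longest remaining ban time for this connection/target pair, 0 if none is active."""
        active = [b for b in self.active_bans(connection, now) if b.target == target]
        return max((b.expires_at - now for b in active), default=0)
```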
  2. LogThatData

    LogThatData Moderator

    ooh, this sounds like it'll be a lot of fun, if a bit stressy at times
    can't wait for more :)
  3. AgentZeus

    AgentZeus Senior Agent

    Ooh... sounds awesome. And also sounds nasty! I like it! :cool::D
  4. Seshemw

    Seshemw Active Agent

    Bless you.
  5. Seshemw

    Seshemw Active Agent

    So, picked up my first ban today while restoring HVMs. I was doing a password attack in one workspace, and surveying a different HVM in a second workspace. I was connected to the first HVM's network, so the ban afflicted that card.
    I didn't, however, lose my card. Was my rootkit just 'not detected', or did something unusual happen? The ban also (which makes sense) only blocked me on the #2hvm, not the #1hvm I was working on the PW attack. It was a short ban, so I imagine only L1.
    Edit: got my second. Still didn't lose the card (since I stayed connected to the compromised network). Was definitely a L1 ban. I switched to another network anyway, so if I lost a card it would be an easy one to get back. If I lost an HVM card, does it even matter if I kept the HVM login info?
    Edit 2: Neat! Banned from coop.hvm, while doing internal surveys of coop.hvm. Which you can't do from another network, so not sure how to make this safer.
    Last edited: Oct 15, 2017
  6. Anashel

    Anashel Puppet Master Staff Member

    You will lose a card when bans accumulate on it. But for now you can't lose it.

    Getting banned from internal probing is an issue indeed. We will fix it, although it's completely possible in real life! :)
  7. Seshemw

    Seshemw Active Agent

    If you could chain cards, maybe. So it would take the source card (leaving your internal exploit intact so you could continue to work). String of pearls is a normal methodology for the attacker, if you can code it in. Ultimate source they can find being the closest vpn to them? Peel it back one node at a time, with some penalty for the number of cards you string together?

    Edit: Example,
    My NIC (true source) on the naked internet. If I probe from here, bans really hurt, and people could show up at my house.
    I connect to my GRU card (so my initial 'detectable source' is Russia).
    To protect that card, I connect to my livenews card. Much lower security, but it's functioning as a cutout for me. Perhaps my commands take longer to execute.
    When the host under attack detects me, it bans the first card it comes to (in this case livenews) that isn't itself. Perhaps if they peel the onion back another layer or two, it also increases the odds they will do an internal and catch your card in their own network (since they'd have evidence of a real threat acting against them, not the noise of normal probes from the internet). It could also be used, to some degree, if you implement false flag attacks (say I want to degrade relations between Cronix and the GRU, I source my work from the GRU and do Things to Cronix until I get 'caught').
    Last edited: Oct 15, 2017
  8. SH4D0WZ0MB1E

    SH4D0WZ0MB1E Active Agent

    This looks like a fun addition, although it does appear it will be frustrating until we all get used to it. Guess we'll have to start planning out our attacks better instead of just brute forcing until something works.
  9. Anashel

    Anashel Puppet Master Staff Member

    The chaining of cards is not possible for now, but the notion of creating friction between two groups (like Cronix and GRU) by attacking a target via their network is clearly part of the mission mechanics. :)
