Stinger command help-guide

Discussion in 'General' started by zaelong, May 11, 2017.

  1. zaelong

    zaelong Moderator

    codex asked me to write some stuff about the various commands you can encounter in the NT4/stinger client, so I'll try to see what I can do here;

    (also, please let me know if you think there's something that absolutely must be covered in this)
    Help: the most helpful tool of all; it gives you a list of commands you can use in a module and explains what it does. This command is also the basis of the guide I'm writing here.

    1) information gathering
    • DNS&VHOST MAPPING module:
      • osintscan
        • Online lookup of indexed domain names or IP addresses
        • osintscan [target] -s [source; examples are,, and TBW] -d [limit; number of results to scan from the source database]
        • note: since osintscan only works on indexed domain names, it would give you the same results whether you run this from inside or outside a network
      • sfuzzer
        • Dictionary attack on common vhost names and possible variations (common vhosts: www, email, vpn, login, etc. variations: www-01, emails, vpn02 etc)
        • sfuzzer [target root level domain name] -t [time limit in seconds]
        • note: when you are connected to a network you can scan the internal network for hidden DNS's by adding the "-i" to your command. sometimes you can find interesting things inside
    • PORT SCANNER module
      • portscan
        • Scan TCP/UDP open ports on a designated target (domain name or server IP). It uses a guessing algorithm to prioritize the port scanning, but it will scan all ports to see which are open.
        • portscan [target domain or server ip]
      • fingerprint
        • injects a series of commands on open ports of a designated target and identifies the technology behind it. It also returns whether or not this technology is vulnerable to a foxacid attack.
        • fingerprint [target domain or server ip]
    • WMI SCANNER module
        • This module is a recon and mapping tool designed to help you discover a target's entities hosted outside distinct URLs. This tool is used to map the target's internal network and will only work if you are already connected to their VPN.
      • netscan
        • run a scan within the internal network you are currently accessing. After scanning, it returns a list of network paths which can be analyzed with "dig"
      • dig
        • Digs into a network path to index all ports and technologies hosted within this path.
    • AIR CRACK module
        • this module is designed to scan for nearby wifi hotspots and crack their security; it can only be used on networks you are connected to that have a wifi access point connected to them, usually named "wifi.[domain.tld]"
      • airodump
        • Scan and collect all access points nearby the compromised computer. It only works on networks with an active WIFI-ethernet card or WIFI-router
      • handshake
        • Hack a wifi hotspot passcode and download the log files. These downloaded files will be collected in the aircrack module and combined with the previous logs that were collected in this session.
        • handshake [target MAC-address]
    2) network intrusion
      • you can input the MAC address and vendor (LG, Samsung, Apple, etc) in the input fields and "quickly" break into vulnerable phones. You can usually skip the typing part by accessing this through the AIR CRACK module, but if you've written down the details you need, it could save you some time. It is also useful when the mission gives you this data from the get-go
      • This is a database containing all exploits known by NT4; "fingerprint" and "dig" also reference the found technologies against this database, to indicate whether said technology is known to be vulnerable.
      • funfact: this database is based on real exploits:
    • MITM-Module
      • wip... I'll work on a description later
    3) password attack
    • PASSWORD ATTACK module
      • first you need to insert the DNS and username you want to crack; if you've written the wrong details you'll get one of the following warnings:
        • ERROR: No active host/proxy; this means your targeted site doesn't exist or you can't access it, because you need to connect to their network first
        • ERROR: Form not found; the site does exist, but there is no password input field available for the PA module
        • ERROR: User not found; the username you provided doesn't work, maybe you used the wrong format, or made a typo... or the username should be inserted at another site
      • when you're done inserting the username and targeted site, you have to select your wordlist (I'll only list them for completeness; you'll have to look for yourself to see which one works for your attack)
        • RockYou
        • John the Ripper
        • Gmail & Hotmail
        • Social Media
        • LinkedIn
        • eHarmony
      • and last but not least, you insert some details about your target to lower the time you spend cracking your target's password; sometimes you are given these details in your briefing (like phone number, bank account or car) and during other missions you need to look for stuff yourself (what bank do they use, who are their closest friends, what is their favorite sports team etc)
      • note: you need to be connected to another network before you can actually use this, and you need to have access to the DNS you want to target. This doesn't mean you actually have to be connected to the site you are targeting.
    4) turbine C2-registry
    • TURBINE C2 REGISTRY module
      • here you can find all available networks that you can connect to. The networks are classified/grouped by "NT4 controlled", "Agent Controlled", "HIVEMIND network" and "Rogue Network". Most of the networks you encounter/crack will be added into the "Agent controlled" tab and all hivemind networks go into the "hivemind network" tab. I'm not sure when a network will be put into the NT4 controlled network, but I think it's because those networks are known from the TBW client. Last but not least, the rogue network: little is known about it; all I can say is that these are supposed to provide extra content later in-game, and that these are supposed to be "very powerful". (I'll provide more intel, when there is more intel)
      • after successfully launching a foxacid attack, the targeted network will be added to this list and will become available as a proxy network, meaning that you can access the internal site from that specific domain; you need to be connected to your targeted network if you want to use netscan or airodump
    5) foxacid server
    • FOXACID SERVER module
      • this server is an intrusion and malware injection platform designed to attack a software/technology behind an open port of a specific target. foxacid will try multiple known exploit attack strategies on a specific target to inject malware or compromise its defenses. If an attack has been successful, the targeted network will be added to your turbine C2 registry
      • foxacid [target] -p [open port] -t [technology behind the port]
    • known ROOTKITs:
      • AfterMidnight: used to gain vpn access to your targeted network
      • Assassin: Used to gather intel for XKEYSCORE from inside a network
    6) hivemind
    • HIVEMIND REMOTE module
        • this module is used to gain intel from the hivemind nodes
      • hvm
        • used to manually gain access to a hivemind network; you don't need to use this much, since the hivemind network provides you with a shortcut when you've gained access
        • hvm [target.hvm/whereeverHVMuserislocated] -u [username] -p [password]
      • ls
        • displays a list of tradeable intel and their identifier
      • info
        • gives a description of the intel (there are some nice entries in here)
      • trade
        • initiates the downloading of the specified intel, and uploading a copy for the 'demanded' intel.
        • trade [tradeID]
    Last edited: Dec 11, 2017
  2. zaelong

    zaelong Moderator

    Strategies on attacking a network:
    in the first missions you are being taught how to use your tools, but it wouldn't hurt to have a written guide on how to do this either.
    1. your first step is knowing the domain you want to target. Most of the time you are given the domain name itself, on which you can run an sfuzzer (my default setting is t=120, you can make this higher/lower) or osintscan (my preferred setting is -s -d 1500, you can lower this, but I like these 'high' settings). If the mission doesn't supply you with the domain name, but an IP address, don't get scared, and run an osintscan on the IP instead. (you don't need a deep search; -d 100 is good/fast enough, but you might need to try a lot of different IPs)
    2. for your next trick, you might want to determine which ports are open on the DNS's you found; that is where portscan comes into play
    3. and when you've got the open port, you should run a fingerprint on your target; just scan everything until you find a DNS with a port/technology that is marked "vulnerable". Once you've found one, run a foxacid attack on it and access the server.
    4. once you are inside the server/network/domain/whatever, you are able to run airodump to scan for wifi access points (if available), run netscan (only available in the hivemind networks so far) or do other tricks like scanning for other hidden DNS's (yes, some parts of a network can only be accessed from within; you can find those by running sfuzzer again and using the "-i" parameter; this way it shows only the internal DNS's)
    How to crack a hivemind network:
    hivemind networks work essentially the same as the normal networks you've encountered in the training missions, there are some differences though;
    • you can find these networks by "scanning" in the hivemind network layers (there's eight different layers and only two are "unlocked" at this moment; the 'public layer' and the 'hidden layer')
    • since these networks exist on a different part of the internet, your usual search engines won't have these networks indexed; you would have to use "TBW" for these networks, rather than or
    • and last; netscan only works on these networks (though this might be because we're still in the alpha phase)
    step by step hacking a hivemind node
    1. identify the network; for the public layer you target a node and 'triangulate its origin'. Basically you target different spots on the globe, and look if your target is "near", "mid" or "far". There is also a tiny arrow that points you to the general direction.
    2. scan your network; when you know the domain of your hivemind network, you can treat it like a regular network; run sfuzzer/osintscan (-s TBW), portscan and fingerprint, until you've found a vulnerability
    3. infiltrate the network; launch foxacid on your network
    4. scan your network again; now that you have access to the internal network, you can launch netscan and airodump; the first is to find any sort of identifier for the employee you are using to get access (this could be a camera or some cardreader where your target has passed by), as well as the login-location on the network. more on this later.
      Airodump is used to get access to your target's phone; you can usually use the data from your netscan results to narrow down the right mac-address/phone
    5. when you've located and have gotten access to the phone, you can launch a password attack; this can be done manually (url= [domain].hvm/[whereveryoucanfind'HVMuser'] and inserting your target's username (which is usually found in the phone)) or you can 'click' on the 'shield' in the drone map to have it automatically inserted for you.
    6. insert the parameters like usual, and get access to the trading node where you can 'trade' for new intel. Don't worry; you won't lose anything during the trades.
    Last edited: May 23, 2017
  3. Orion

    Orion Active Agent

    This is an awesome all-in-one guide! Thanks for putting it together!
  4. Twosheds

    Twosheds Active Agent

    That is a really helpful guide all in one place. Thank you for taking the time @zaelong!
  5. CantFindMyKeys

    CantFindMyKeys Active Agent

    Thanks for the guide. Really helpful to fall back on. Just a small note or maybe just personal preference on the strategies. For the sfuzzer attack it doesn't make sense to me to put in a short time frame. It keeps on giving addresses while running so you don't have to wait until it's finished. Have found some addresses even after 15 mins of scanning (although exceptional, believe it was an A.018 mission); could be more like these in the future.

    Maybe there is something to add as well. Some of these might be very obvious to most but for me it took a while to figure out so might be helpful to others as well.

    Tab: One of the things that saves a lot of time is knowing to use Tab. If you fill in the first letter and press tab the rest of the command or address is added. If you Tab and find the wrong address, press Tab again to go to the next. For netscan press d-Tab-Tab and Enter. This way you can run through all addresses sequentially. The same goes for the handshake in the airodump. Press h-Tab-Enter and run through all the mac addresses.

    Up: If you press up you will get the latest syntax you typed. This can be helpful after a fingerprint that was cancelled because of discovery by the firewall.

    Ctrl-M: short cut key for the DNS&VHOST MAPPING module. This one and others can be found via the in-game menu

    Shortcut key for fingerprint isn't available yet as far as I've seen. That's the major one missing for me atm.
  6. AgentZeus

    AgentZeus Senior Agent

    Tab and up - two of the buttons I use most! Good tips :)
  7. JackTyme

    JackTyme Active Agent

    Any wildcard support? I went through a few commands and tried some wildcards like, "*". Didn't work.
  8. codex-13

    codex-13 Senior Agent

    Not currently, but maybe someday!
  9. Xeen

    Xeen New Agent

    Tab auto-fill and copy-paste were used extensively in hacking the borked networks :p

    Kinda fun breaking into the broken that way.
  10. Xeen

    Xeen New Agent

    I noticed the same thing with the sfuzzer. Osintscan only returns results when finished, but sfuzzer returns them as they are found (though they may find different things, especially if you are already on the network and searching for internal resources with sfuzzer -i)

    None of the hiveminds have required more than a -t 200 sfuzzer or a -d 2500 osintscan. Even those values are probably overkill.

    f tab letter tab(s) enter
    d tab enter
    h tab enter

    all will speed up your fingers, digs, and handshakes dramatically + if you are really fast, you can run multiple of each module (except aircrack; all handshakes need to be on the same graph to figure it out... unless you have a mini database of asset profiles and know their MACs *wink wink*). I usually run 2 DNS maps (1 fuz 1 osint, then when I am on the network, go to the fuz window, 'up arrow' space -i 'enter' easy!) and 3 or more fingers (they take a while). I also run up to 6 PWA's (used to until I mapped every asset profile), just input all known data into each one and attempt each word list in parallel! Saves so much time; start with the biggest word list/one that takes the longest.