Stinger command help-guide

Discussion in 'General' started by zaelong, May 11, 2017.

  1. zaelong

    zaelong Division-79

    codex asked me to write some stuff about the various commands you can encounter in the NT4/stinger client, so ill try to see what i can do here;

    (also, please let me know if you think there's something that absolutely must be covered in this)
    Help: the most helpfull tool of all; it gives you a list of commands you can use in a module and explains what it does. this command is also the basis of the guide im writing here.

    1) information gathering
    • DNS&VHOST MAPPING module:
      • osintscan
        • Online lookup of indexed domain names or IP adresses
        • osintscan [target] -s [source; examples are,, and TBW] -d [limit; number of results to scan from the source database]
        • note: since osintscan only works on indexed domain names, it would give you the same results whether you run this from inside or outside a network
      • sfuzzer
        • Dictionary attack on common vhost name and possible variations (common vhosts: www, email, vpn, login, etc. variations: www-01, emails, vpn02 etc)
        • sfuzzer [target root level domain name] -t [time limit in seconds]
        • note: when you are connected to a network you can scan the internal network for hidden DNS's by adding the "-i" to your command. sometimes you can find interesting things inside
    • PORT SCANNER module
      • portscan
        • Scan TCP/UDP open ports on a designated target (domainname or server ip). it uses a guessing algorithm to prioritize the portscanning, but it will scan all ports to see which are open.
        • portscan [target domain or server ip]
      • fingerprint
        • injects a series of commands on open ports of a designated target and identifies the technology behind it. it also returns wheiter or not this technology is vulnerable to a foxacid attack.
      • fingerprint [target domain or server ip] -p [targeted open port]
    • WMI SCANNER module
        • This module is a recon and mapping tool designed to help you discover a target's entities hosted outside distinct URL's. this tool is used to map the target's internal network and will only work if you are already connected to their VPN.
      • netscan
        • run a scan within the internal network you are currently accessing. after scanning, it returns a list of network paths which can be analyzed with "dig"
      • dig
        • Digs into a network path to index all ports and technologies hosted within this path.
    • AIR CRACK module
        • this module is designed to scan for nearby wifi hotspots and cracks their security; it can only be used on networks you are connected to, and have a wifi access point connected to it. usually named "wifi.[domain.tld]"
      • airodump
        • Scan and collect all nearby access points nearby the compromised computer. it only works on networks with an active WIFI-ethernet card or WIFI-router
      • handshake
        • Hack a wifi hotspot passcode and download the log files. these downloaded files will be collected in the aircrack module and combined with the previous logs that were collected in this session.
        • handshake [target MAC-address]
    2) network intrusion
      • you can input the mac adress and vendor (LG, Samsung, Apple, etc) in the input fields and "quickly" break into vulnerable phones. you can usually skip the typing part by accessing this through the AIR CRACK module, but if you've written down the details you need, it could save you some time. it is also usefull when the mission gives you this data from the get-go
    3) password attack
    • PASSWORD ATTACK module
      • first you need to insert the DNS and username you want to crack, if youve written the wrong details you'll get one of the following warnings:
        • ERROR: No active host/proxy; this means your targeted site doesnt exist or you cant access it, because you need to connect to their network first
        • ERROR: Form not found; the site does exist, but there is no password input field available for the PAmodule
        • ERROR: User not found; the username you provided doesnt work, maybe you used the wrong format, or made a typo.. or the username should be inserted at another site
      • when youre done inserting the username and targeted site, you have to select your wordlist (ill only list them for completeness, youll have to look for yourself to see which one works for your attack)
        • RockYou
        • John the Ripper
        • Gmail & Hotmail
        • Social Media
        • LinkedIn
        • eHarmony
      • and last but not least, you insert some details about your target to lower the time you are working on cracking your targets password; sometimes you are given these details in your briefing (like phone-number, bank acount or car) and during other missions you need to look for stuff yourself (what bank do they use, who are their closest friends, what is their favorite sports team etc)
      • note: you need to be connected to another network before you can actually use this, and you need to have acces to the DNS you want to target. This doesnt mean you actually have to be connected to the site you are targeting.
    4) turbine C2-registry
    • TURBINE C2 REGISTRY module
      • here you can find all available networks that you can connect to. the networks are classified/grouped by "NT4 controlled", "Agent Controlled", "HIVEMIND network" and "Rogue Network" most of the networks you encounter/crack will be added into the "Agent controlled" tab and all hivemind networks go into the "hivemind network" tab. I'm not sure when a network will be put into the NT4 controlled network, but i think its because those networks are known from the TBW client. last but not least; the rogue network little is known about it, all i can say is that these are supposed to provide extra content later ingame, and that these are supposed to be "very powerful". (I'll provide more intel, when there is more intel)
      • after succesfully launching a foxacid attack, the targeted network will be added to this list and will become available as a proxy network. meaning that you can access the internal site from that specific domain; you need to be connected to your targeted network if you want to use netscan or airodump
    5) foxacid server
    • FOXACID SERVER module
      • this server is an intrusion and malware injection platform designed to attack a software/technology behind an open port of a specific target. foxacid will try multiple known exploit attack strategies on a specific target to inject malware or compromise its defenses. if an attack has been succesfull, the targeted network will be added to your turbine C2 registry
      • foxacid [target] -p [open port] -t [technology behind the port]
    6) hivemind
    • HIVEMIND REMOTE module
        • this module is used to gain intel from the hivemind nodes
      • hvm
        • used to manually gain acces to a hivemind network, you dont need to use this much, since the hivemind network provides you with a shortcut, when youve gained access
        • hvm [target.hvm/whereeverHVMuserislocated] -u [username] -p [password]
      • ls
        • displays a list of tradeable intel and their identifier
      • info
        • gives a description of the intel (there are some nice entries in here)
      • trade
        • initiates the downloading of the specified intel, and uploading a copy for the 'demanded' intel.
        • trade [tradeID]
    Last edited: May 23, 2017 at 8:27 AM
    sk2073, Lorina, Steelgramps and 3 others like this.
  2. zaelong

    zaelong Division-79

    Strategies on attack a network:
    in the first missions you are being taught how to use your tools, but it wouldnt hurt to have a written guide on how to do this either.
    1. your first step is knowing the domain you want to target. most of the times you are given the domain-name itself; on which you can run an sfuzzer (my default setting is t=120, you can make this higher/lower) or osintscan (my prefered setting is -s -d 1500, you can lower this, but i like these 'high' settings). if the mission doesnt supply you with the domainname, but an IP-addres, dont get scared, and run an osintscan in the IP instead. (you dont need a deep search; -d 100 is good/fast enough, but you might need to try a lot of different ip's)
    2. for your next trick, you might want to determine which ports are open on the DNS's you found; that is where portscan comes into play
    3. and when youve got the open port, you should run a fingerprint on your target; just scan everything until you find a DNS with a port/technology that is marked "vulnerable" once youve found one, run a foxacid attack on it and access the server.
    4. once you are inside the server/network/domain/whatever you are able to run airodump to scan for wifi-access points (if abailable), run netscan (only available in the hivemind networks so far) or do other tricks like scanning for other hidden DNS's (yes, some parts of a network can only be accessed from within; you can find those by running sfuzzer again and using the "-i" parameter; this way it shows only the internal DNS's)
    How to crack a hivemind network:
    hivemind networks work essentially the same as the normal networks you've encountered in the training missions, there are some differences though;
    • you can find these networks by "scanning" in the hivemind network layers (theres eight different layers and only two are "unlocked" at this moment; the 'public layer' and the 'hidden layer')
    • since these networks exist on a different part of the internet, your usual search engines wont have these networks indexed; you would have to use "TBW" for these networks, rather than or
    • and last; netscan only works on these networks (though this might be because were still in the alpha phase)
    step by step hacking a hivemind node
    1. identify the network; for the public layer you target a node and 'triangulate its origin', basicly you target different spots on the globe, and look if your target it "near", "mid" or "far". there is also a tiny arrow that points you to the general direction.
    2. scan your network; when you now the domain of your hivemind network, you can treat it like a regular network; run sfuzzer/osintscan (-s TBW), portscan and fingerprint, until youve found a vulnerability
    3. infiltrate the network; launch foxacid on your network
    4. scan your network again; now that you have access to the internal network, you can launch netscan and airodump; the first is to find any sort of identifier for the employee you are using to get access (this could be a camera or some cardreader where your target has passed by), as well as the login-location on the network. more on this later.
      Airodump is used to get access to your targets phone; you can usually use the data from your netscan results, to narrow down the right mac-address/phone
    5. when youve located and have gotten access to the phone, you can launch a password attack; this can be done manually (url= [domain].hvm/[whereveryoucanfind'HVMuser'] and inserting your targets username (which is usually found in the phone) or you can 'click' on the 'shield' in the drone map to have it automaticly inserted for you.
    6. insert the parameters like usual, and get access to the trading node where you can 'trade' for new intel. dont worry; you wont lose anything during the trades.
    Last edited: May 23, 2017 at 8:15 AM
    sk2073, Lorina, Steelgramps and 3 others like this.
  3. Orion

    Orion Active Agent

    This is an awesome all-in-one guide! Thanks for putting it together!
    zaelong likes this.

Share This Page