SUGGESTION: Major changes to the SCP and WMI modules

Discussion in 'Closed Beta' started by Anashel, Nov 5, 2017.

Thread Status:
Not open for further replies.
  1. Anashel

    Anashel Puppet Master Staff Member

    Hi agent!

    I want to announce some significant changes for the WMI Scanner and the SCP module.

    SCP is a Linux protocol to be used with an SSH connection while WMI Scanner is for Windows networks. It causes some confusion as to why someone would infiltrate a network using WMI Scanner (windows) and then connect to the target's fileserver using SCP (Linux). Of course hybrid networks do exist, but from a user perspective, a Windows network would make files accessible via SMB protocol and not via SSH connection.

    Now, we can imagine that less technically versed players will not appreciate losing 30 minutes trying to connect to a server just to realize they used the SCP protocol instead of SMB.

    We felt this limitation could be in fact an exciting feature. Hacking Windows networks is by definition a different experience than hacking Linux network. NITE Team 4 should leverage this difference.

    Network Intrusion > New Upgrade!

    Screen Shot 2017-11-05 at 12.35.23 PM.png

    2 new subfolders will be added to the Network Intrusion menu: Windows and Linux. Generic modules, like Man in the middle and VOIP Attack, will stay at the root level.

    The WMI Scanner and SMB Hack modules will be in the Windows folder while the SCP Terminal and the NMAP Scanner will be in the Linux folder The game experience will slightly vary between module.

    Windows > WMI Scanner:
    - Lets you intercept network activity to detect paths of exposed servers, services and shared drives
    - More in-depth scan lets you analyze services to identify the technology behind them and their potential vulnerabilities
    - Graphic interface allows the generation of a visual network map

    Windows > SMB Hack:
    - Lets you connect to an SMB shared drive to access the server files and folders (Browse, Upload, and Download)
    - Basic security involving Usernames and Passwords that can be brute forced with the password attack module or through investigation
    - SMB's exploit can be used to escalate user permissions and rights. (Similar to a light version of Foxacid)

    Linux > NMAP Scanner
    - IP and port scan devices on a network to detect its components.
    - Wireshark option lets you dig deeper and detect services and their running technology.
    - Graphic interface allows the generation of a visual network map

    Linux > SCP Terminal
    - Lets you connect via SSH to a server to browse, upload and download files.
    - Basic security involving Usernames and Passwords that can be brute forced with the password attack module or through investigation
    - SSH key (gather trough investigation or trade) can be used to escalate a user permission and rights.

    Screen Shot 2017-11-05 at 12.36.07 PM.png

    When a player connects to the Turbine C2 card, Stinger OS will alert if the network is a Windows, Linux or Hybrid system. An alert will display if you try to use a Linux intrusion module on a Windows network.

    What's your feeling on this direction? Good idea, bad idea? Let me know!
    Last edited: Nov 5, 2017
  2. AgentZeus

    AgentZeus Senior Agent

    I like it :)

    There will always be a balance between designing for techies and designing just for a game audience - but I think if the C2 card gives a hint to the system used that is probably enough

    Also having to identify the OS first might make for an interesting first challenge - would any of the other intel gathering tools hint at the file system?

    Anyway. I like it. (Yes I said it twice I don’t care!!) :)
    codex-13 likes this.
  3. Jason

    Jason Active Agent

    I'm liking it :)
  4. codex-13

    codex-13 Senior Agent

    I really like this idea of OS identification being part of the information gathering process. It can give insight into what sorts of hacks would be effective, what sorts of exploits might be useful...
    AgentZeus likes this.
  5. Seshemw

    Seshemw Active Agent

    Fingerprint will reasonably do that. In fact, fingerprinting to identify OS is already (IRL) a survey thing. Like in NT4, when you get told technology is server2012r2 or the like.

    Overall, decent idea.

    Things that leap to mind:
    Wireshark analysis of raw intercepted traffic is useful for any OS (or app), and without having a rooted box to do your pcaps from I'm not sure how you'd GET wireshark the raw data it needs to do things.
    NMAP is already more or less what you're doing with Fingerprint's current functionality (combining portscan and fingerprint). Breaking it back out for internal scanning vs. including with sfuzzer -i or new switch for fingerprint -i, or something else similar, feels odd. or at least calling it that.

    Again, overall, excellent direction!
  6. Anashel

    Anashel Puppet Master Staff Member

Thread Status:
Not open for further replies.

Share This Page