An overview of the tools available to you, with tips and strategies to aid you when you’ve hit a dead end. No spoilers or solutions here, just the tools to help you get yourself unstuck.
What This Guide Does
The aim of this guide is to give you pointers on using the tools at your disposal to help you out when you hit a brick wall in your investigations. It’s the type of info I wish I had earlier on before I gave up and googled for a few hints here and there.
What This Guide Does Not Do
This will not spoon feed you solutions. I’ve spent a good few hours playing now, and whilst initially I would have appreciated a spoilered solution every now and again (and still do on occasion!), it is much more enjoyable having worked out what to do when I’m stuck so I can solve the missions myself. I’d like to give you that satisfaction.
Before We Begin
Do all the academy missions. They tend to hold your hand through them, so you’re unlikely to get too stuck, and whilst they may not answer every question (seriously, why nothing on Hydra when the first proper mission requires it?), they’ll give you the foundations that will pave the way to many lightbulb moments.
You can copy and paste with Ctrl+C and Ctrl+V. You have an in-game notepad – store your bounty solutions!
Finally, I haven’t tried my hand at Open World missions yet so bear that in mind if you’re stuck on one of them.
These are good exercises in the various tools at your disposal and well worth playing with. Generally you’re given a domain and that’s it. Great practice at using the tools detailed below.
DNS & VHOST Mapping
- sfuzzer – use this to find subdomains you can fingerprint.
  - Use: sfuzzer [domain] -t [seconds]
  - Will only return subdomains, no IP addresses.
  - ‘-t 90’ should find most subdomains.
- osintscan – use this to find subdomains or IP addresses you can fingerprint.
  - Use: osintscan [domain] -s [search engine] -d [depth]
  - ‘-s bing.com’ is generally better than ‘-s google.com’
  - ‘-d 1000’ should find most subdomains.
- whois [domain] – hasn’t been useful so far, but I haven’t done everything in the game yet.
Remember: domains have one dot in them, subdomains have two dots.
- e.g. mail.google.com = subdomain
- google.com = domain
When using sfuzzer or osintscan, you can only give them a domain – the tool’s job is to find the subdomains or IP addresses under it.
- fingerprint – use this to find exploits you can use with a Fox Acid attack.
  - Use: fingerprint [subdomain / IP address]
  - Yes, you can fingerprint an IP address too – remember this!
  - Version will say “Vulnerable” if you can exploit it. If it says “Up to date”, you need to fingerprint a different subdomain or IP address.
- searchsploit – copy and paste any vulnerability found by fingerprint to find out how to set up your Fox Acid attack.
  - Use: searchsploit [vulnerability]
  - Returns the preferred delivery method and exploit to use. This is how you access a network. Generally, this is your first goal.
Note: Sometimes searching for subdomains whilst on a hacked system can reveal new results.
- netscan – analyse a network you have broken into using Fox Acid, to find directory structures you can explore.
  - Use: netscan
  - Note: you can copy and paste the directories you find.
- dig – use this to find any exploits you can searchsploit and then Fox Acid attack to get further into a network.
  - Use: dig [directory path]
- airodump – identifies any Wi-Fi networks you can handshake.
  - Use: airodump
  - Note: If you’re not getting anywhere with the WMI Scanner results, you probably need to airodump and find a phone to break into.
- handshake – use the results of airodump to find all the devices that have accessed the Wi-Fi network. Pair this up with any data you have about your target’s daily routines or specific times you’ve been given to identify the phone to crack.
  - Use: handshake [BSSID]
Gives you a list of users or policies you can use to gain access to a file directory, or provides information to help you password attack.
Use: paste in a directory from your netscan results and hit enter. It’ll be obvious if you’re using the right directory or not.
Note: Active directories are either labelled as such, or have AD or something in the directory list.
90% of the time, using this is your first major goal of any mission. It has its own user interface, which you’ll fill in using the info from a successful searchsploit.
Delivery and Exploit are given to you by searchsploit.
Rootkit – After Midnight is your go to, the others tend to be mission specific – basically, if After Midnight doesn’t work, try one of the others.
Target URL – this will be the URL or IP address you used in fingerprint to find the vulnerability.
Target Technology and Target Port – automatically filled in when you choose the Target URL.
If it fails, you’ve picked the wrong delivery, exploit, rootkit or URL/IP. Review against searchsploit, or double check the URL/IP you’ve picked.
Note: If you’re doing a bounty mission, leave your Fox Acid UI up after you’ve broken into a server. Bounty servers have a time limit and will delete themselves. Leaving the Fox Acid screen open means you can quickly regain access without having to go through fingerprinting and searchsploiting again.
Phone CID Backdoor
Used to get into a phone to find out answers, file directory paths, password hints, etc.
- MAC Address: ##:##:##:##:##:##
- Vendor: [Vendor name]
If you’ve accessed this via Aircrack, the info will be automatically filled in – just click Start Intrusion and away you go. Otherwise you’ll need to manually enter the data, which you probably found from a successful active directory search.
Note: Be careful with 8 and B, the font in the game makes them look very similar. If you’re sure you’re entering the right MAC address and not getting anywhere (I’m looking at you drone bounty mission) this might be the problem.
Once you’re into the phone, in settings you may find a personal hotspot – clicking this will give you access to a server like a successful fox acid attack. Usually leads to a file browser path.
Use this to get the password you need to access a file directory. You will need the target directory and a username.
Basic attack – the most common use of the tool
Target – The directory you are trying to access in File Browser.
Username – Can sometimes be in the directory path itself, or is found in an active directory listing.
You just need to copy and paste the hash in – it will be a long string of ASCII characters. This is quite rare.
Once you’re in you’ll need to pick a type of attack. John the Ripper is the quickest, so should be your go-to. If John the Ripper doesn’t work, you’ll have to try one of the others – they take longer and will require you to add in variables to reduce the time and increase the success rate. The name should be in the active directory. Guess the age – start at 25 and work up until the indicator changes.
For other variables you’ll need personal information either from the active directory, or from various texts and notes. Job titles, companies, partners, interests: try different things until the indicator changes – you don’t need to fill in all the variables, but the more the better.
Man in the middle – a mission will usually let you know you need to use this, but it does turn up on some bounties. If you’re in a network with no netscan hits, no airodump results and even Hydra is shrugging its shoulders at you, try launching a man in the middle attack. It’ll most likely be an ARP Poisoning and the router IP will end in 1.1; the rest is trial and error until you get a hit.
RTMP is a camera feed, URL snapper gives you URLs. Look for recurring URLs or ones that tie in with the information you’ve been hired to find.
It’ll either give you XKeyscore hits, or URLs you can then use to dig deeper into the network using the info gathering steps from before.
Social Engineering Toolkit
Not getting anywhere with fingerprinting? You probably need to be using this.
Start by building an email database.
- Email Crawler will use a domain.
- Dictionary Pattern will need the precise company name.
- Manual Entry will be for a specific target – very rare.
Now pick a delivery method.
Some missions will require a specific set-up, e.g. a policy you found in an active directory saying “All requests must be sent via pdf”, but usually it’s not a big deal what you choose.
Now pick a payload – I’ve only ever had one choice, so if there are others, they will be mission specific.
Now pick a template.
Like a delivery method, some missions require specific templates, otherwise pick one that suits the company you’re targeting. I don’t know how much it impacts the success, mostly I figure it will affect how long you’ll be looking at the screen when you launch the attack.
You can get an idea as to how successful your attack will be with the information in the top left of the UI. If it’s below 60%, you probably need to tweak some settings, or check for some protocols in an active directory.
Once configured, launch the attack with the ‘yes’ command and wait for a successful hit.
If you succeed, you’ll be given a network you can access just like if you managed a successful fox acid attack.
Note: Worth saying again, if you’re not getting anywhere finding info to set up a fox acid attack, you probably need to be using this toolkit.
Pretty much a mission-specific tool, especially in the story missions. It will be apparent when you need to use it and it comes with instructions. When everything else has failed, give this a shot.
- Use: connect [path]
Note: the terms low-level protocol, internet of things and SCADA in your briefing material are a good indicator that Hydra will be useful to you in that mission.
A nifty tool that lets you find links between entities which will give you an image or a document that contains information you need to use to info gather or password attack. Mostly a story mission tool.
Paste a directory from a netscan result or a phone’s personal hotspot in here. If you see a “loading OS” graphic get ready to password attack your way in.
Alternatively put “localhost” in here to get into your own directory. Don’t worry Agent Dylan will remind you of this many times during your career.
I haven’t used this at all yet, probably an Open World mission thing. Those of you who have played the Black Watchmen will be very familiar with the archive.
So useful! Use it, especially if you can’t copy and paste a MAC address – put it in your notepad and you can copy and paste it to your heart’s content.
Also, again, very useful for saving your bounty solutions!
Turbine C2 Registry
A list of all the servers you’ve bashed your way into. Note – bounty servers often have a time limit, so will delete themselves over time.
Pop in a longitude and latitude and see what’s going on in the world! Will be very obvious when you need to use this – end goal type stuff.
User sandbox stuff – not been in here yet myself, I’m guessing it’s player created content.
Again, I haven’t tried it yet but it looks like co-op play.
At the bottom of your screen, next to the MITM icon, is a shield with a flame in it. Click on this to get into your upgrades screen. It lets you build a network to speed up your virtual rig as you unlock upgrades.
To the right of your screen are 5 boxes, these are extra desktops. I tend to use the first one for up to a successful fox acid attack, the second one for netscans and directory rummaging, the third one for less common tool use and the final two to run parallel searches or have documents open to save on-screen clutter.
To quickly clear a screen, type “purge” into any command line and it will close all open windows.
You can launch a tool with its command line from any other tool, e.g. typing “searchsploit [vulnerability]” in the fingerprint window will launch the Exploit Database. Saves you a few mouse clicks.
Once you finish the story, I’d recommend turning the voice off so F.A.Y doesn’t keep saying “Information Gathering Module initiated” at you!
Check your objective – do you only need a vulnerable subdomain? If so, a successful fingerprint is all you need, no need to even Fox Acid. Is it a name, or a MAC address? The objective will tell you how far you need to go and may save you some frustration when you’ve dug beyond the required information.
Osintscan the given IP or domain. Keep digging until you aren’t getting new results. Remember to search IP addresses as well, particularly if one is standing out amongst a lot of others.
Fingerprint your results. If the technology is vulnerable, searchsploit it, then get a Fox Acid attack going.
No vulnerable tech? Try sfuzzer to see if a new subdomain pops up, then fingerprint that or try osintscanning it.
Still not getting anywhere? Time to try some social engineering, or a spot of Hydra.
Once you’re into a network, recheck your mission objectives. Do you need a name? Get your netscan on and look in the active directory.
Is it a file? You’ll need to gather info on your password attack target so you can break their password and get into the file server.
If your network access isn’t bearing fruit, dig some netscan paths for further vulnerabilities that lead to a new network to netscan, or try Aircrack and see if any phones are accessible to you. Try a MITM attack to find further URLs or XKeyscore entities.
If you’re in a network but not getting any further after all the above, try a new DNS & VHOST search; sometimes being in a network will throw up previously hidden subdomains.
Try a MITM poison attack: if the ARP Poisoning lists any IPs, that is a good indicator that this tool is the way forward.
Can’t find a vulnerable tech, social engineering doesn’t work and Hydra is shrugging at you? Try file browsing any secure subdomains you’ve found. Remember, you don’t always need to be on a network to file browse a path; the same goes for a password attack, though you will need a username.
If you’ve made some headway, double check files you’ve accessed for potential new leads – IPs, domains, MAC addresses, user names. Make sure you haven’t entered a detail incorrectly – user error is still a thing, even with StingerOS!
Hopefully this will help you get yourself unstuck – and remember if all else fails, I hear the discord channel is very helpful and the Alice & Smith forums are a wealth of hints and tips.