Hacking

Hacking software and Firewalls

Hacking software is a computer program designed to manipulate and interfere with a computer’s regular operations.

By installing or executing one of these programs, it completes a specific task on the targeted device.

It could be a piece of spyware that’s designed to maliciously gather data and transmit it to the hacker, or it could be malware, a program designed to interfere with or disable the computer system’s functions.

Their counterpart, firewalls, can also be used to protect devices and their systems.

Caliber

Every operating system, hacking program, and firewall has a caliber from 1 to 5.

It’s caliber is a general indicator of how powerful it is, from simple screen loggers to deadly viruses that disable complex computer systems.

In order to requisition a program of a higher caliber, your mission’s challenge rating must be high enough.

Installed programs

Before a hacker run a program, they must have the program installed on a device they can use.

A device can have any number of programs installed on its operating system, and each device has an operating system, based on its caliber.

That operating system can support a number of programs and paired items, known as executable slots that allow programs to be used, providing the processing power to run this complex software.

When a hacker uses a program, an executable slot is in use and it cannot support another piece of software for the duration of the program’s effect.

This means that while a hacking program or firewall can effectively run indefinitely, in reality any time it is in use it ‘fills’ an executable slot.

If all executable slots are in use, then the hacker can’t use another program until one of the programs filling the slots is closed.

When a hacker runs a program using an executable slot that is of a higher caliber than the program, the program assumes the higher caliber for that instance.

For example, if a Hacker runs Battering Ram using one of their OS’ caliber-2 slots, that use of Battering Ram is caliber 2. Effectively, the program expands to fill the slot it is run in.

Some programs, such as Battering Ram and Screenlogger, have more powerful effects when run at a higher caliber, as detailed in a program’s description.

An operating system’s Armor Class measures how difficult it is to corrupt its programming, and its innate security features.

The Operating System Statistics table provides these AC values by caliber.

An operating system’s hit points measure how much coding damage it can take before being corrupted entirely.

Lower-caliber operating systems have fewer hit points than more complex, highercaliber ones.

Once an operating system has been reduced to 0 hit points, it is corrupted, and the software and device cannot be used until repaired.

The Operating System Statistics table provides these hit point totals by caliber.

Troubleshooting and fixing software corruption takes time and some expertise. Anyone with proficiency in the Computer skill can spend a long rest with a device that has 0 hit points to restore it to working order and its hit points to their maximum.

Devices can have any number of installed programs, but can only support a limited number running at the same time.

Each piece of software running on the device takes up an executable slot, and the caliber of the operating system dictates how many slots it has, and what caliber of software it can support—a caliber-1 OS can support caliber-1 software, while a caliber-5 OS can support caliber-5 software.

The Operating System Statistics table provides the number of executable slots by caliber.

Triggering a Firewall

Most firewalls are triggered when a hacker does something or installs something that the firewall’s user wanted to protect. Common triggers include the installation of new software (including hacking software), being scanned by a vulnerability scanner, or a hacker modifying or attempting to delete software.

When a firewall’s trigger activates, its effects are resolved immediately, interrupting the hacker’s action.

Detecting and Bypassing Firewalls

Some firewalls are obvious, in the case of a password prompt from a Password firewall, while others may not be so obvious when a device is first accessed.

A firewall’s description specifies the checks and DCs needed to detect it, disable it, or both. If you are actively scanning for a firewall you can use a hacking program to make an Hacking skill check against the firewall’s DC.

If you detect a firewall before triggering it, you may be able to disable it, either permanently or long enough to do what you need.

You might need to make an Computer skill check to deduce what needs to be done, followed by another hacking program to disable or delete it.

Any character can attempt an Hacking skill check to detect or disarm a firewall using a computer or similar device and a hacking program, in addition to any other checks noted in the firewall’s description.

The DCs are the same regardless of the check used.

AdBlocker

• Trigger: Spyware installed.
• Effect: When a hacker successfully dupes a user into installing a piece of spyware, then an adblocker will automatically block the malware unless the hacker succeeds an Mind saving throw.

Authorization Policy

• Trigger: Any hacking action.
• Effect: When a hacker attempts to change or otherwise manipulate data on a device, an authorization policy checks whether they have permission for that action.
  Whenever any hacking action targets the system with an authorization policy, they must take and succeed an Mind saving throw to complete their action, unless they have proved themselves to be an authorized user.

Certificate Checker

• Trigger: Installation attempt.
• Effect: When a hacking program is installed, a certificate checker references a list of trusted software and alerts a user if the program is not on the list.
  A device installed with a certificate checker means manually installing a hacking program requires an Hacking skill check with a DC equal to the certificate checker’s armor class. Users of a device with a certificate checker have advantage on their saving throws or contested rolls in order to see through deceptive tools.

Encryption

• Trigger: None.
• Effect: Encryption firewalls use an algorithm to scramble plain text into seemingly random numbers and symbols.
  When an Encryption firewall is installed, data on the operating system is unreadable unless the encryption is cracked (by reducing the firewall to 0 HP), and any data intercepted and sent to a hacker is unreadable unless they can break the encryption.
  Alternatively, the encryption firewall can support one other firewall, and provide 1d8 temporary hit points as long as it runs.
• Higher Calibers: When you use this firewall using a slot of caliber 2 or higher, a supported firewall gains an additional 1d8 hit points for each caliber above 1.

Intrusion Prevention System

• Trigger: Keylogger, Rootkit, Scanning, and Spyware programs.
• Effect: The hacker must succeed an Mind saving throw, or be prevented from completing their action.

Password

• Trigger: See description.
• Effect: Whenever someone tries to use a device with password protection, they must input a username and password that the firewall recognizes as a valid user of the device, in order to continue their access to the OS.
  Actions to use, modify the OS, or install programs cannot be completed until the user has submitted a recognized username and password, bypassed the firewall, or the password firewall’s hit points are reduced to 0.

Proxy

• Trigger: None.
• Effect: A proxy server allows hackers or other users to mask their identity and location from firewalls or any kind of tracking software.
  A proxy server acts as an intermediary, that is located somewhere else. If the device is tracked by any piece of software over a server, it is hidden, and a proxy server will be shown as the origin of the action or data.

Tracer

• Trigger: See description.
• Effect: A tracer attempts to track an intruder’s location, allowing users to alert authorities, find the hacker themselves, or make their own hacking actions against the hacker.
  When a hacker fails a saving throw because of triggering another firewall, they are found by this firewall and their device becomes targetable by hacking program installed on this device.

Virus Scanner

• Trigger: Program installed.
• Effect: A virus scanner looks for malware in real time.
  Whenever the OS has a hacking program installed the virus scanner checks the file against a directory of malicious files and vulnerabilities.
  When a hacker installs or convinces a target to download their program, it is quarantined by the virus scanner and doesn’t work.
  If this firewall is reduced to 0 hit points, any previously quarantined hacking program become active again and their effects resolved immediately.

Network Cloak

• Trigger: None.
• Effect: A network cloak hides a local network, including wireless networks, from the view of other users.
  Hackers must take and succeed an Technology check with a DC equal to the firewall’s detection DC in order to find the network.

Retaliation Program

• Trigger: Any hacking programs, hacking Attack actions.
• Effect: The retaliation program is an active search and destroy utility that traces tools and connections that pose a threat.
  Whenever a hacker uses a hacking program or makes a hacking Attack action targeting another firewall or the device’s OS, they must succeed an Mind saving throw or their operating system suffers 1d8 coding damage.

Virtual Private Network (VPN)

• Trigger: None.
• Effect: A virtual private network allows a user to access a device on a wide area network (like the internet) more securely, simulating a private network by making a more direct connection.
  Any data sent or received by the VPN is much more secure from scanners, and as such increases the DC by 5 of Bypass and Modify actions, and for any hackingprogram to find devices on the network.

Wi-Fi Protected Access (WPA)

• Trigger: See description.
• Effect: The wi-fi protected access restricts a wi-fi network’s connections, so that only devices with network password can connect.
  WPAs encrypt data between devices that are communicated, so even if the network traffic is intercepted, it is unreadable unless the hacker has access to the network or has the cypher.

When faced with a protected operating system or password protected software you can use the Bypass action in an attempt to circumvent that security and gain access to the targeted device.

The DC varies, based on the complexity of the software or firewalls installed.

You can rewrite software in order to change its function within an operating system.

Doing so may also alter the function, or disable other pieces of software.

The base DC is 10, modified depending on the complexity of the software and how many other pieces of software use it within the operating system, as well as any firewalls present.

You can make an attack targeting operating systems or firewalls manually, against their AC and hit points.

Attacking software follows rules outlined in Using Hacking Software. All hacking attacks deal coding damage. Making an attack using this hacking action deals 1d4 coding damage.

Most hacking programs require an action to execute, but some require a bonus action, or even a reaction, to use.

Some hacking programs have a longer runtime to complete their operation, and this time will be given in minutes or seconds—a time measured by the GM in game rather than in real time.

A hacking program deployed with a bonus action is especially swift.

You must use a bonus action on your turn to use the hacking program, provided you haven’t already taken a bonus action this turn.

Some hacking programs can be deployed as reactions.

These programs take a fraction of a second to deploy and are used in response to some event or trigger. If a hacking program is deployed as a reaction, the program will describe in what circumstances it can be used.

Certain programs require more time to complete their operation: minutes or even hours—or you may want to keep a program running.

When you activate a hacking program with a runtime longer than a single action or reaction, you must keep running the program in an executable slot, and maintain a connection with your target each turn until it is complete. If your connection is broken or your operating system is reduced to 0 HP, the program fails, and if you want to try using the program again, you must start over.

When a hacking Software allows you to make a Hacking attack against a firewall, OS, or other piece of software, you make an attack as if you would attacking a character or object, but instead of using Strength or Dexterity, you use your Hacking ability, which is based on your Technology score.

Hacking attack modifier = Hacking skill = Technology (+ Proficiency) (+ Expertise).

When you use a hacking program to make an attack, you do not add your Technology modifier to the damage.

A brute-force attack is a software that attacks a password firewall, attempting to break it by submitting all possible password combinations until it finds the right one.

This can be done either by submitting all possible letter, number, and symbol combinations or using a dictionary attack whereby common words from a wordlist are submitted with common number and symbol combinations to break longer, usersubmitted passwords.

Brute-force attacks target password firewalls exclusively, and require you to make a hacking attack.

Encryption is the scrambling of data by using an algorithm that turns plaintext into ciphertext. So long as you have the encryption algorithm you can decrypt the information without making a check.

Using encryption software to decrypt data involves unscrambling that information from its ciphertext state into its normal plaintext format so that it can be read/accessed. If you do not have the algorithm then the DC varies based on the complexity of the cypher.

A keylogger records the input of a keyboard or touchscreen on the device it is installed on, making a log of each key pressed or button tapped on and transmits that information so that a hacker can read messages or passwords typed into the computer.

Using this information, a hacker could bypass password firewalls by inputting the correct password, or gather intelligence typed into the computer by its user.

A rootkit is a software package that, once installed, can access areas of an operating system that is usually off limits to all but the most highest clearance users.

Once installed it masks its appearance by modifying existing software to allow it more and more access.

A scanner is a type of program that looks for and identifies particular software, including firewalls, so that the hacker can effectively deploy and install other programs.

Scanners are usually the first thing a hacker will utilize when hacking a target device or network.

Most scanners can detect software remotely while connected to a network, while some may be installed and perform surveillance for the hacker inside the operating system.

Spyware is a type of hacking software that monitors and transmits data from a target device, without the system or user’s knowledge.

It is typically installed amongst the operating system in order to gather information, sending it to a remote user that is engaging in surveillance of the device’s users.

It can track user’s internet movement, application use, and other pertinent system data.

Wireless connections rely on high-frequency radio signals to connect devices in a short range of each other.

This is true of wireless devices that require pairing, as well as laptops and tablets that connect to a router.

If a device has a wireless connection it can connect to another wireless device within 20 feet, but loses its connection with the targeted device if moved out of this range.

Wired connections use a port to physically connect two devices.

Data cables provide a stable connection between these devices.

If a device supports a wired connection then it can connect to another device when both have a data cable inserted to ports on the devices.

The internet allows individual computers and other smart devices around the world to connect to a shared network of servers that allows users to access mailboxes, websites, and other data.

Providing you have identified the physical and IP address of a device, you can target it while it has a connection to the internet. The vast majority of remote hacking is done this way, using malicious software that grants access to the device across the internet from anywhere in the world. If the target device is not connected to the internet, it cannot be targeted, but malware monitoring the device may still be running without the user’s knowledge, and transmit its data to the hacker’s device when a connection is reestablished.

DNS Attack

• Type: Brute-force attack
• Runtime: 1 action.
• Duration: Varies
• Effect: You target a device using a combination of other devices connected to a network, to make repeated data requests of the target device to effectively “spam” it, so the device can no longer be connected or paired to for 1d12 minutes.
• Higher Calibers: When you use this program using a slot of caliber 2 or higher, the duration increases by 1d6 minutes for each caliber above 1.

• Type: Brute-force attack
• Runtime: 1 action.
• Effect: Battering Ram breaks through a password firewall using dictionary and incremental attacks to find a password.
  It deals 1d6 coding damage to targeted password firewalls.
• Higher Calibers: If you use Battering Ram with a slot of caliber 3 or higher, deal an additional 1d6 coding damage for every two calibers above caliber 1.

DeCryptTile

• Type: Encryption
• Runtime: 1 action.
• Effect:You target an encryption firewall, and run this program’s algorithm to break its cypher. You deal 1d6 coding damage to the encryption firewall.
  When you reduce the Encryption firewall’s HP to 0, you can read any information the firewall was encrypting.

Keylogger

• Type: Keylogger
• Effect:Keystroke logging is the practice of recording the user input from a keyboard to record passwords or other sensitive information typed by users.
  Using a keylogger on a target device allows you to monitor the keystrokes in real time whenever a connection is established.
  The hacker must keep the hacking program running in an executable slot for the duration of their surveillance.
• Higher Calibers: When you use the keylogger using an executable slot of caliber-2 or higher, the keylogger can record the keystrokes of its target device while the hacker isn’t connected, and transmit the recording every time they re-establish a connection.

Nmap

• Type: Scanner
• Runtime: 18 seconds.
• Effect: You scan a network, identifying other devices connected to the same local network that you could get access to.
  Once you have identified devices connected to this network, you can perform hacking actions and use hacking programs targeting those devices and the software installed there.

Phisher

• Type:Spyware
• Runtime: 1 action.
• Effect: Phishing is an example of a social engineering attack to a target system or device, where the user themselves is spoofed into delivering sensitive information to the attacker. By disguising your spyware as an official communication to a targeted user, you can manipulate them into installing the program, which allows you to maintain a connection with the targeted device across the internet.
  You target a user of the device who must make a Mind saving throw or be fooled into installing the phisher program.

Quickscan

• Type: Scanner
• Runtime: 1 bonus action.
• Effect: You deploy a quick bot to scan the device for any firewalls present.

Screenlogger

• Type: Spyware
• Runtime: 1 action.
• Effect: While a connection is maintained, a screenlogger intercepts a visual copy of the target device’s display (or screen) to the hacker, letting them monitor what the device shows its user.
  To monitor the target device’s screen, the hacker must keep the hacking program running in an executable slot for the duration of their surveillance.
• Higher Calibers: When you use the screenlogger using an executable slot of caliber-2 or higher, the program can record the screen of the device it’s installed on, and transmits the recorded video to the hacker every time they re-establish a connection.

• Type: Rootkit
• Runtime: 1 action.
• Effect: A shellcode provides the hacker with high-privileged processes on the target OS, circumventing any firewalls that were stopping the hacker from modifying software on the device.

The Spoof Call

• Type: Spyware
• Runtime: 1 action.
• Effect: You modify your caller ID to appear as any other comm ID you know, or as a custom name on the user’s device, and make a call to them.
  This program gives you a 1d6 bonus to People (Deception) checks made to appear as the caller.

Trap Sensor

• Type: Scanner
• Runtime: 1 action.
• Effect: The trap scanner detects any caliber-1 firewalls present on the target system.
• Higher Calibers: When you use this hacking tool using a slot of 2nd level or higher, the trap sensor can detect firewalls of equal caliber to the executable slot used.

Air-Cracker

• Type: Brute Force Attack
• Runtime: 1 action.
• Effect: You target a wireless network protected by Wi-Fi Protected Access, disabling you from connecting to the network and infiltrating the devices it’s connected to, and attack it with a specialist brute force attack suite.
  Make a hacking attack, targeting a password firewall protecting a wireless network, if successful you deal 2d6 coding damage.
• Higher Calibers: When you use this program using an executable slot of caliber 3 or higher, the damage increases by 1d6 for each caliber above 2.

CrackedWeb

• Type: Rootkit
• Runtime: 1 action.
• Effect: You install a package that disrupts network traffic and rewrites search engine results, making the device’s browser and file manager inoperable to a normal user.
  Once installed the user experience is so bad that operation of the device is all but impossible.

Clone

• Type: Spyware
• Runtime: 1 action.
• Effect: With a clone program, you can copy the entire contents of a target hard drive onto your personal device for decrypting/reading later.
  Make a Modify action, if successful you copy over the data on an entire target hard drive.
  This may take several rounds, depending on the size of the hard drive as determined by the GM.

Devtrack

• Type: Scanner
• Runtime: 12 seconds.
• Effect: You use the device’s IP address combined with an illicit catalogue of physical addresses throughout the world to find a target device.
  When you complete this scan, you can locate the targeted device. You do not learn its precise location, but are provided with an area 300 feet in diameter where it is operating.
  If you keep this program running, you can track this location if the device moves outside of it.
• Higher Calibers: When you use this program with a slot of caliber 3 or higher, you increase its accuracy by 100 feet for each caliber above 2, to a minimum of 5 feet.

Hide.ME

• Type: Rootkit
• Runtime: 1 bonus action.
• Effect: You can use Hide.ME to disguise another hacking program so that it doesn’t trigger any firewalls until the start of your next turn.

I.R.User

• Type: Rootkit
• Runtime: 1 action.
• Effect: You can confuse a device to recognize you as a valid user of its operating system.
  Make a Bypass action. If successful you gain admin privileges and do not trigger any caliber-1 and 2 Authorization Policy firewalls.
• Higher Calibers: If you use this program with an executable slot of caliber 3 or higher, you do not trigger Authorization Policy firewalls of the same caliber as the slot used to run this tool.

Nessus

• Type: Scanner
• Runtime: 1 action.
• Effect: Nessus is a vulnerability scanner, allowing you to scan a device for missing updates in an OS, misconfigured access points like open ports, and even scans password firewalls for basic, default passwords.
  Once used, attacks against the target device and any installed firewalls have advantage.
• Higher Calibers: If you use this program with an executable slot of caliber 3 or higher, its runtime becomes 1 bonus action.

TombCrypt

• Type: Scanner
• Delivery: Manual/Remote.
• Effect: You can scan an Encryption firewall, studying its encrypted data against already known algorithms and cyphers.
  Subsequent attacks you make against the firewall has advantage, and you deal bonus damage equal to your Technology modifier.

UpdateR

• Type: Rootkit
• Runtime: 1 action (3 minutes for target to install).
• Effect: By making what appears to be a regular software update, you can install surveillance software onto a target computer to take control of it.
  If you are targeting a device that is being used, the user must make a Mind saving throw or be fooled into installing the program. Alternatively you can install the program remotely.
  Once installed, you can remotely control the target device and therefore any gadgets or equipment paired with it.

Cache Verification

• Type: Rootkit
• Runtime: 12 seconds.
• Effect: The cache verification program checks the integrity of files or software in order to fix corruption or bugs.
  Deploying this program heals the target device’s OS by 1d8 hit points.
  The targeted device can be your own.

J/Ripper

• Type: Brute Force Attack
• Runtime: 1 action.
• Effect: J/Ripper is a password breaking program, designed specifically to crack password firewalls with a brute force attack, but more importantly password firewalls that have been encrypted. Make a hacking attack targeting a password firewall, dealing 3d8 damage. If the password firewall is encrypted, deal a bonus 1d6 damage.
• Higher Calibers: When you use this hacking program using an executable slot of caliber 4 or higher, the bonus damage increases by 1d6 for each caliber above 3.

Rogue Firewall

• Type: Spyware
• Runtime: 18 seconds.
• Effect: You can install a fake (“rogue”) anti-spyware program onto the targeted device.
  This rogue program mimics a legitimate firewall but instead acts for the benefit of the hacker.
  When a rogue firewall is installed, you have advantage on saving throws prompted by another firewall on this device.

Worm Support

• Type: Rootkit
• Runtime: 1 action.
• Effect: You install a program gaining admin permission to disable firewalls temporarily.
  While installed on the target device, instead of making a hacking attack you can instead attempt to disable a targeted firewall until the end of your next turn, making an Technology check with a DC equal to the firewall’s Bypass DC.

BIOS-Kit

• Type: Rootkit
• Runtime: 2 minutes.
• Effect: You install a BIOS-Kit program onto a target device and disable it and wipe the data from it.
  Once you install this tool, you may remove all the data stored on the device or disable it entirely by taking a Modify action, with a DC equal to the operating system’s AC.

Korruptor

• Type: Rootkit
• Runtime: 1 action.
• Effect: You install a rootkit on a device that exposes vulnerabilities in its operating system.
  Once installed, any firewalls installed on the device, as well as the operating system itself, have a vulnerability to coding damage.

Pivot

• Type: Brute-force attack
• Runtime: 1 action.
• Effect: A pivot exploitation attacks multiple firewalls on all identified devices connected to a network. If you have identified other devices connected to the current network, choose 3 firewalls on those devices connected to the current network. Deal 2d6 coding damage to each firewall.

Zombie

• Type: Rootkit
• Runtime: 1 action.
• Effect: You appropriate an already compromised device, so that your attacks originate from it while you and your device remain in a remote location.
  Creating a zombie device requires a Modify action, if successful your hacking attacks originate from this device, and any further hacking actions targeting this device have advantage.

Polymorphic Code

• Type: Rootkit
• Delivery: Remote
• Runtime: 1 bonus action.
• Effect: You deploy a polymorphic-coded bot that assists you with high-privileged processes on the target operating system, allowing you to use any other hacking action or program currently installed on your OS as a bonus action.
  Polymorphic code is written with some experimental AI infrastructure that changes itself in order to hide within a system, imposing disadvantage to any ability checks to detect the polymorphic code.

VPN Pivot

• Type: Rootkit
• Runtime: 1 action.
• Effect: You create an encrypted layer to tunnel into a device, bypassing a firewall by appearing legitimate and funnelling any network traffic through the current device.
  When you use this hacking program, you can target a firewall on this device or another device connected to the same network, and avoid its effects entirely while the pivot is running.

Triple-A

• Type: Rootkit
• Runtime: 30 seconds.
• Effect: Standing for Always Admin Access, Triple-A allows you to install a rootkit in the operating system of the target device, providing you with full access to the operating system and its installed software as if you were the administrator.
  When this rootkit is installed, your hacking tools ignore all firewalls, and you can use the targeted device without restriction.