SBM Labs

Cyber Security Collaboration Project

Get Cleartext Password from SHA1 Hash
18 Sep 2017

1. Input Data:

SHA1 hash in base64 format:

2. Data decoding:
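The decoding and cracking steps above, as an added Python example that is not code from the original post. The base64 hash here is a constructed sample (the SHA1 of the word "password", in the {SHA} form LDAP directories use), not the hash from the post, and the wordlist is a constructed stand-in for a real one:

```python
import base64
import binascii
import hashlib
from typing import Iterable, Optional

# Constructed sample (not the hash from the original post): the base64-encoded SHA1
# digest of the word "password", the same form LDAP directories store as {SHA}...
SAMPLE_B64 = "W6ph5Mm5Pz8GgiULbPgzG37mj9g="

# Constructed stand-in for a real wordlist such as rockyou.txt.
WORDLIST = ["123456", "qwerty", "letmein", "password", "admin"]


def b64_sha1_to_hex(b64_hash: str) -> str:
    """Decode a base64 SHA1 hash to the 40-character hex form that cracking tools expect."""
    raw = base64.b64decode(b64_hash, validate=True)
    if len(raw) != 20:
        # Anything other than 20 bytes is not a raw SHA1 digest (salted schemes such as
        # {SSHA} append a salt to the digest and need a different cracking mode).
        raise ValueError(f"decoded {len(raw)} bytes, but a SHA1 digest is 20 bytes")
    return binascii.hexlify(raw).decode()


def crack_sha1(hex_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash each candidate and compare it with the target hex digest."""
    target = hex_hash.lower()
    for word in wordlist:
        if hashlib.sha1(word.encode()).hexdigest() == target:
            return word
    return None


if __name__ == "__main__":
    hex_hash = b64_sha1_to_hex(SAMPLE_B64)
    print("hex:", hex_hash)
    print("cleartext:", crack_sha1(hex_hash, WORDLIST))
```

For a real wordlist, hand the hex form to hashcat with -m 100 (raw SHA1), or give it the base64 form directly with -m 101 (nsldap, SHA-1 Base64).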

05 Jul 2017

Proxychains-ng allows redirecting application traffic through a SOCKS or HTTP proxy. More info here.

1. Installation.

$ git clone
$ cd proxychains-ng
$ ./configure --prefix=/usr --sysconfdir=/etc

Hashcat - Tool for Password Attacks
26 May 2017

1. Install OpenCL Framework.

Go to

Download and install driver.

# cd ~/Downloads/opencl_runtime_16.1.1_x64_ubuntu_6.4.0.25/

Google Search Operators
28 Mar 2017

cache:URL - searches through Google’s cache.

site:domain - searches for pages for a specific domain.

intitle:string - searches for pages that contain the string in the title.

inurl:string - searches for pages with the string in the URL. Read more...

MSFvenom - Payload Generator
22 Mar 2017


First create a malicious exe file using the msfvenom tool.

Example of usage.

# msfvenom -p windows/exec CMD="SOME_MALICIOUS_COMMAND" -f

Mirroring Network Traffic Using IPTables
10 Mar 2017

Sometimes you don't have access to the network equipment needed to perform port mirroring, for example in a Virtual Private Cloud (VPC), but you still need to analyze network traffic for malicious activity. In this case you can use iptables to send a copy of the network traffic to a monitoring host (for example, an IDS).

Example of usage.

MySQL Network Traffic Analysis
09 Mar 2017

How to perform MySQL network traffic analysis for malicious activity?

Let's look at the tshark tool and its usage. More info about tshark can be found here.

1. Start tshark.

sudo tshark -i lo -f "port 3306" -E separator=";" -T fields -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e mysql.user -e mysql.query

Read more...
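Analysis of the field output produced by the tshark command above, as an added Python example (not code from the original post). The sample rows are constructed, not a real capture, and the detection rules are this example's own choices, not rules from the post:

```python
import re
from collections import Counter

# Field order must match the -e options passed to tshark.
FIELDS = ["frame.time", "ip.src", "tcp.srcport", "ip.dst", "tcp.dstport", "mysql.user", "mysql.query"]

# Constructed sample of tshark -T fields output (not a real capture). mysql.user is only
# present on the login packet and mysql.query only on query packets, so other columns are empty.
SAMPLE_OUTPUT = """\
Mar  9, 2017 10:01:02.000000000 MSK;127.0.0.1;50123;127.0.0.1;3306;app;
Mar  9, 2017 10:01:02.100000000 MSK;127.0.0.1;50123;127.0.0.1;3306;;SELECT id, name FROM customers WHERE id = 42
Mar  9, 2017 10:05:10.000000000 MSK;10.0.0.7;41010;127.0.0.1;3306;root;
Mar  9, 2017 10:05:11.000000000 MSK;10.0.0.7;41010;127.0.0.1;3306;;SELECT table_name FROM information_schema.tables
Mar  9, 2017 10:05:12.000000000 MSK;10.0.0.7;41010;127.0.0.1;3306;;SELECT '<?php system($_GET["c"]); ?>' INTO OUTFILE '/var/www/html/s.php'
Mar  9, 2017 10:05:13.000000000 MSK;10.0.0.7;41010;127.0.0.1;3306;;SELECT name FROM customers WHERE id = 1 UNION SELECT user FROM mysql.user
"""

# Example detection rules (assumptions of this example, tune them for your application).
SUSPICIOUS = [
    ("schema enumeration", re.compile(r"\binformation_schema\b", re.I)),
    ("file write", re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I)),
    ("file read", re.compile(r"\bLOAD_FILE\s*\(", re.I)),
    ("union injection", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("privilege table access", re.compile(r"\bmysql\.user\b", re.I)),
]


def parse_records(text):
    """Split tshark's ';'-separated rows into dicts keyed by field name."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit keeps semicolons inside the SQL text intact: the query is the last field
        # and may itself contain ';' (see the PHP web shell row above).
        parts = line.split(";", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            continue  # malformed row
        records.append(dict(zip(FIELDS, parts)))
    return records


def logins(records):
    """Who authenticated from where: (user, source IP) -> count."""
    return Counter((r["mysql.user"], r["ip.src"]) for r in records if r["mysql.user"])


def suspicious_queries(records):
    """Return (time, source IP, rule name, query) for every query that matches a rule."""
    findings = []
    for r in records:
        query = r["mysql.query"]
        if not query:
            continue
        for name, pattern in SUSPICIOUS:
            if pattern.search(query):
                findings.append((r["frame.time"], r["ip.src"], name, query))
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE_OUTPUT)
    for (user, src), n in logins(recs).items():
        print(f"login user={user} from={src} count={n}")
    for when, src, rule, query in suspicious_queries(recs):
        print(f"{when} {src} [{rule}] {query}")
```

Pipe the live tshark output into a file and run the script over it; a root login from an address that is not an application server, followed by information_schema reads and an INTO OUTFILE, is the pattern of SQL injection being turned into a web shell.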

Gathering Non-Volatile Data
10 Dec 2016

1. Files and folders.

> dir
> dir /AH

> fsutil volume diskfree C:
> attrib /?

Gathering Volatile Data
09 Dec 2016

1. System Time.

> date /t & time /t
> net statistics server

2. Logged-On Users.

> net sessions

Eventcreate - Windows tool for custom events
07 Dec 2016

Eventcreate - Windows tool for custom events.

Example of usage.

1. Create new event.
> eventcreate /L Application /SO "SBM Labs" /T SUCCESS /ID 0624 /D "Test Message."

2. Check the event.

Snow - Whitespace Steganography Tool
05 Dec 2016

1. Download tool snow.

2. Create a text file with some text. Its content will be used as the cover in which the secret information is hidden.

3. Use snow to hide secret information.

> SNOW.EXE -C -m "Secret Key is XXXX-XXXX-XXXX" Steganography.txt "Steganography + Secret.txt"

Read more...

Using NTFS Data Streams
04 Dec 2016

1. Create new file.
> echo "Hello, World" > info.txt

2. Write to alternative data stream of the file.
> echo "My Secret" > info.txt:secret

3. Test result.

Hide information using Windows copy
02 Dec 2016

1. Create the file with confidential information. For example, project-X.txt.

2. Add the secret file project-X.txt to an archive.

3. Get image file. For example, car.jpg.

4. Hide archive file.

SELinux Policy for custom Rsyslog configuration
08 Nov 2016

1. Change SELinux Policy for allowed input Rsyslog ports.

Get allowed input Rsyslog ports:
# semanage port -l | grep syslogd_port_t

Add new input Rsyslog port:
# semanage port -a -t syslogd_port_t -p udp 5514

Read more...

ICMP Redirect Attack
13 Jul 2016

In order to send ICMP redirect packet you can use hping3 utility.

$ man hping3

hping3 - send (almost) arbitrary TCP/IP packets to network hosts.

Example of usage.

Recursive search of Active Directory users
14 Mar 2015


We need to find the AD users in domain group XXX and in all groups nested inside it.


Connect to the AD server over LDAP and execute a recursive search. Read more...

Log file transfer using Syslog
21 Feb 2015


We have an application on the host hostName1 that writes audit events to a log file and cannot send them to another server for further analysis. So we need to configure transfer of the log file to the host hostName2.

Solution.

Analysis of event logs using awk
17 Jan 2015


We need to analyze web-server logs and gather information about the IP addresses that were used to access the administration panel.

Event example:
 - - [17/Feb/2015:15:06:40 +0300] "POST /administrator
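The same analysis as an added Python example (not the awk from the original post): parse combined-format access log lines, keep only requests to the admin panel, and summarize them per client IP. The log lines are constructed samples, not the post's server logs, and the brute-force threshold is this example's own assumption:

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format; the client IP is the first field, as in the post's example line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not from the original post's web server).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Feb/2015:15:06:40 +0300] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Feb/2015:15:06:41 +0300] "GET /administrator/index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Feb/2015:15:10:01 +0300] "POST /administrator/index.php HTTP/1.1" 200 3210 "-" "python-requests/2.5"
198.51.100.23 - - [17/Feb/2015:15:10:02 +0300] "POST /administrator/index.php HTTP/1.1" 200 3210 "-" "python-requests/2.5"
198.51.100.23 - - [17/Feb/2015:15:10:03 +0300] "POST /administrator/index.php HTTP/1.1" 200 3210 "-" "python-requests/2.5"
192.0.2.10 - - [17/Feb/2015:15:12:00 +0300] "GET /index.php HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""


def admin_access(log_text, prefix="/administrator"):
    """Per-IP summary of requests under the admin path: request and POST counts,
    status code distribution, and first/last timestamp seen."""
    summary = defaultdict(lambda: {"requests": 0, "posts": 0, "statuses": Counter(),
                                   "first": None, "last": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue  # not a valid line, or not the admin panel
        s = summary[m["ip"]]
        s["requests"] += 1
        if m["method"] == "POST":
            s["posts"] += 1  # login form submissions
        s["statuses"][m["status"]] += 1
        s["first"] = s["first"] or m["time"]
        s["last"] = m["time"]
    return dict(summary)


def likely_bruteforce(summary, min_posts=3):
    """IPs that POSTed to the admin panel at least min_posts times (threshold is an assumption)."""
    return sorted(ip for ip, s in summary.items() if s["posts"] >= min_posts)


if __name__ == "__main__":
    result = admin_access(SAMPLE_LOG)
    for ip, s in result.items():
        print(ip, s["requests"], "requests,", s["posts"], "POSTs,", dict(s["statuses"]),
              "from", s["first"], "to", s["last"])
    print("brute-force candidates:", likely_bruteforce(result))
```

The quick awk equivalent for just the IP counts is `grep 'POST /administrator' access.log | awk '{print $1}' | sort | uniq -c | sort -rn`; the script adds the status breakdown, which matters because a POST answered with a redirect (3xx) usually means a successful login, while a 200 that re-renders the form is a failed one.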

Logging configuration for easy search in Linux
10 Jan 2015

1. Configuration of rsyslog.

Create configuration file custom.conf.

# vim /etc/rsyslog.d/custom.conf

Filter messages using syslog tag and write to file. Read more...

How to check service for POODLE vulnerability?
08 Nov 2014

You can use the TestSSLServer utility to check a service for POODLE.

Example of use.

java -jar TestSSLServer.jar serverName serverPort

POODLE is a vulnerability in the SSL 3.0 protocol. A service that still accepts SSL 3.0 connections is exposed to it; the fix is to disable SSL 3.0 on the service, not to rely on clients avoiding it.

Analysis of Google Chrome browsing history
05 Sep 2014

1. Install add-on "SQLite Manager" for the browser Mozilla Firefox.

2. Open file History.
- Ubuntu -> [user_home_directory]/.config/google-chrome/Default/History.
- Windows -> [user_home_directory]/AppData/Local/Google/Chrome/User Data/Default/History.

3. Go to the "Execute SQL" tab and run the SQL query. Read more...

Analysis of Mozilla Firefox browsing history
25 Aug 2014

1. Install add-on "SQLite Manager" for the browser Mozilla Firefox.

2. Open file places.sqlite.
- Ubuntu -> [user_home_directory]/.mozilla/firefox/xxxxxxxx.default/places.sqlite.
- Windows -> [user_home_directory]/AppData/Roaming/Mozilla/Firefox/Profiles/xxxxxxxx.default/places.sqlite.
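The queries for both the Chrome History file (previous post) and the Firefox places.sqlite file, as an added Python example that is not from either original post. The two browsers use different timestamp epochs, which is the part that trips people up: Chrome stores microseconds since 1601-01-01, Firefox microseconds since 1970-01-01. The sample databases are constructed in memory with only the columns the queries need, and the URL, title and visit time in them are made up:

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores timestamps as microseconds since 1601-01-01 UTC (WebKit time);
# Firefox stores microseconds since 1970-01-01 UTC (PRTime).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_UNIX_OFFSET = int((UNIX_EPOCH - WEBKIT_EPOCH).total_seconds())  # 11644473600 seconds


def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=int(us))


def prtime_to_datetime(us):
    return UNIX_EPOCH + timedelta(microseconds=int(us))


# The queries as you would paste them into SQLite Manager. The datetime() column does the
# same epoch conversion inside SQLite, so the result is readable without Python at all.
CHROME_QUERY = f"""
SELECT u.url, u.title, v.visit_time,
       datetime(v.visit_time / 1000000 - {WEBKIT_UNIX_OFFSET}, 'unixepoch') AS visited_utc
FROM visits v JOIN urls u ON u.id = v.url
ORDER BY v.visit_time DESC
"""

FIREFOX_QUERY = """
SELECT p.url, p.title, v.visit_date,
       datetime(v.visit_date / 1000000, 'unixepoch') AS visited_utc
FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
ORDER BY v.visit_date DESC
"""


def history_rows(conn, query, converter):
    """Return (url, title, visit datetime, SQL-formatted UTC time) for every visit, newest first."""
    return [(url, title, converter(ts), sql_utc) for url, title, ts, sql_utc in conn.execute(query)]


def open_history(path):
    """Open a History/places.sqlite file read-only. Copy the file first if the browser is
    running: Chrome keeps History locked while it is open."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


# Constructed sample data (not from a real profile), using only the columns the queries need.
SAMPLE_VISIT = datetime(2014, 9, 5, 10, 30, 0, tzinfo=timezone.utc)


def build_sample_chrome_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    ts = int((SAMPLE_VISIT - WEBKIT_EPOCH).total_seconds()) * 1_000_000
    conn.execute("INSERT INTO urls VALUES (1, 'https://example.com/login', 'Login', 1, ?)", (ts,))
    conn.execute("INSERT INTO visits VALUES (1, 1, ?)", (ts,))
    return conn


def build_sample_firefox_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
    """)
    ts = int((SAMPLE_VISIT - UNIX_EPOCH).total_seconds()) * 1_000_000
    conn.execute("INSERT INTO moz_places VALUES (1, 'https://example.com/login', 'Login', 1, ?)", (ts,))
    conn.execute("INSERT INTO moz_historyvisits VALUES (1, 1, ?)", (ts,))
    return conn


if __name__ == "__main__":
    for name, conn, query, conv in (("chrome", build_sample_chrome_db(), CHROME_QUERY, webkit_to_datetime),
                                    ("firefox", build_sample_firefox_db(), FIREFOX_QUERY, prtime_to_datetime)):
        for url, title, visited, sql_utc in history_rows(conn, query, conv):
            print(name, visited.isoformat(), sql_utc, url, title)
```

Against a real profile, replace the sample builders with open_history(path) using the paths listed above; the JOIN on the visits table gives every visit rather than only the last one recorded on the urls/moz_places row.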

Gathering information about Active Directory users
19 Jul 2014

Let's write a Python script to do a simple audit of Active Directory users. We will send an LDAP request and save the results to a file.

AD users have two similar attributes, lastLogon and lastLogonTimestamp. The first one is not replicated between DC servers and contains the timestamp of the last logon on that specific Domain Controller. Read more...
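The two LDAP-side pieces of both this audit and the recursive group search from the "Recursive search of Active Directory users" post, as an added Python example (not the post's own script, which is not reproduced here): building the recursive membership filter and turning the returned lastLogon values into a usable last-logon date. The bind and search call itself is left out, since the post does not show which LDAP library it uses; the group DN, DC names and timestamps below are constructed:

```python
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# OID of LDAP_MATCHING_RULE_IN_CHAIN, an AD-specific extensible match that follows
# memberOf links transitively, so one query returns members of nested groups as well.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
# (used by lastLogon, lastLogonTimestamp and pwdLastSet).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a DN containing '(' or '*' cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def recursive_member_filter(group_dn: str) -> str:
    """Filter for user objects that belong to group_dn directly or through nested groups."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)}))")


def filetime_to_datetime(ft) -> Optional[datetime]:
    ft = int(ft)
    if ft <= 0 or ft == 0x7FFFFFFFFFFFFFFF:  # 0 = never logged on; max = "never" sentinel
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def effective_last_logon(last_logon_per_dc: Iterable, last_logon_timestamp) -> Optional[datetime]:
    """lastLogon is kept per DC, so query every DC and take the newest value.
    lastLogonTimestamp is replicated but may lag the true last logon by up to 14 days,
    so it only serves as a floor when a DC could not be queried."""
    candidates = [filetime_to_datetime(v) for v in last_logon_per_dc]
    candidates.append(filetime_to_datetime(last_logon_timestamp))
    candidates = [c for c in candidates if c is not None]
    return max(candidates) if candidates else None


def is_stale(last_logon: Optional[datetime], now: datetime, days: int = 90) -> bool:
    """Accounts with no logon in `days` days (threshold is an assumption) are audit findings."""
    return last_logon is None or now - last_logon > timedelta(days=days)


# Constructed sample (not data from the original post): lastLogon as returned by each DC,
# plus the replicated lastLogonTimestamp, for one user.
SAMPLE_USER = {
    "sAMAccountName": "jdoe",
    "lastLogon": {
        "DC1": datetime_to_filetime(datetime(2014, 7, 1, 8, 0, tzinfo=timezone.utc)),
        "DC2": datetime_to_filetime(datetime(2014, 7, 15, 9, 30, tzinfo=timezone.utc)),
    },
    "lastLogonTimestamp": datetime_to_filetime(datetime(2014, 7, 3, 0, 0, tzinfo=timezone.utc)),
}


if __name__ == "__main__":
    print(recursive_member_filter("CN=XXX,OU=Groups,DC=example,DC=com"))
    last = effective_last_logon(SAMPLE_USER["lastLogon"].values(), SAMPLE_USER["lastLogonTimestamp"])
    print(SAMPLE_USER["sAMAccountName"], last, "stale:", is_stale(last, datetime.now(timezone.utc)))
```

Run the filter from recursive_member_filter against each Domain Controller, request the lastLogon and lastLogonTimestamp attributes, and feed the per-DC values into effective_last_logon; looking at a single DC's lastLogon alone will flag active users as stale.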

SSH connection through Tor
18 Aug 2013

Installation of Tor client (Ubuntu Desktop 12.04 LTS).

$ sudo apt-get install tor

The Tor client listens on port 9050/TCP by default.

SocksPort 9050 # what port to open for local application connections

Read more...

How to create image of HDD for forensics and security?
08 Jun 2013

Use dcfldd to create an image of a hard disk for forensics and security work.

$ man dcfldd
dcfldd - enhanced version of dd for forensics and security.

Example of use:
dcfldd bs=32k if=/dev/sda of=./image_sda.dd md5log=./image_sda.dd.md5

Run it as root (it reads the raw device) and write the image to a different disk than the one being imaged; the md5log file records the hash of the data read, so the image can be verified later.

Local port forwarding over SSH
20 Oct 2012


You need to connect to the server dstServer:dstPort, but the firewall denies access to it from your PC's network. You do have SSH access to the server jumpServer, which can connect to dstServer:dstPort.

Solution.

How to check DNS server for zone transfer?
14 Jul 2012

It is a DNS server misconfiguration if an arbitrary client can perform a zone transfer (AXFR): the full zone reveals every host name and address to an attacker.

You can use dig for testing.

$ man dig

Example of use.

File transfer using nc
12 May 2012


We need to transfer the file fileName from host hostName1 to host hostName2.


We will use the nc utility.