The Sysadmins

Tips and tricks from the Sysadmins

Category: Networking (page 1 of 2)

Unifi Wireless – 1. Installing the Controller

This mini-series will guide you through installing and configuring Ubiquiti’s Unifi Wireless solution using 802.1x, Windows NPS (radius) and Group Policy. This post will cover the installation of the Unifi Controller. The following posts will cover configuring the controller, NPS and deploying Wireless settings via Group Policy to your endpoints. I will add any relevant or helpful links at the bottom of each post.

The setup for this mini-series is as follows:

  • Server 2012 R2 member server hosting the Unifi Controller and Network Policy Server (NPS)
  • Windows 7/8.1/10 Clients
  • Unifi Controller

Unifi Controller Installation

From the Server 2012 R2 member server:

  1. Install the latest Java. Unifi recommend that on an x64 operating system you install both the x86 and x64 versions of Java so that the Unifi Controller service starts correctly
  2. Offline Java Installs:
  3. Install the latest Unifi Controller:
  4. Accept the defaults, but untick “Start Unifi Controller after installation”


The controller installs into “C:\Users\%username%\Ubiquiti Unifi” by default and there is no way to change this during installation; however, moving it isn’t difficult. Simply copy the entire folder to the required location, e.g. C:\Ubiquiti Unifi.

Now that the installation has been moved, you will want to configure the Unifi Controller to run as a service. If this is not done, the Unifi Controller will need manually starting by a logged in user. When the user logs out, the controller software will close.

From an elevated command prompt run

java -jar "C:\Ubiquiti Unifi\lib\ace.jar" installsvc

Start the service with

net start "Unifi Controller"



Get Default Gateway from List of Remote Servers


Find the default gateway on a list of remote servers.


Create a text file with a list of the servers you would like to query, one server per line. If you have an OU of servers you would like to query, you can use the following to create a text file containing every computer account within that OU (requires the Active Directory Module for Windows PowerShell).

Get-ADComputer -LDAPFilter "(name=*)" -SearchBase "OU=Servers,DC=domain,DC=local" | Select -expand name | Out-File -Encoding utf8 "\\server\share\Servers.txt"

This creates a text file with every computer account in the “Servers” OU on domain.local.

I tend to put a “dummy” line at the top of the text file as PSEXEC has issues with the first entry.

List of servers to obtain default gateway

Now use PSEXEC to execute the following, don’t forget to run the command prompt as administrator (using an account with the required permissions on the remote servers).

psexec @c:\Serverlist.txt ipconfig /all | findstr "Default Gateway Host" >> c:\Servergateways.txt

PSEXEC Command

…and here’s the final result.

Output text showing host name and default gateway

Configuring DHCP Split-scope in Server 2008 R2

Split-scope is a quick and easy way to provide redundancy and load balancing for DHCP in your network. Server 2008 R2 introduces a handy wizard for creating a split-scope and saves some administrative effort, however it can only be used if both servers are running R2.


Here are two ways in which you can utilize split scope.

Primary / Backup

In this scenario, the 1st DHCP server will dish out all leases and the 2nd DHCP server should only be utilized if the 1st server fails. You can accomplish this with the “Delay in DHCP offer” setting when configuring split-scope (prior to 2008 R2 you could use “Conflict detection attempts” for the same effect). DHCP clients accept whichever server responds first to the DHCP DISCOVER packet, so we delay the response from the 2nd server, which allows the 1st to respond first and therefore serve the client.

Here is the 80/20 rule in action

DHCP 80_20

Now, as you’ve probably guessed, the 80/20 split is rather arbitrary and can be shuffled around to suit your network.

Load balanced

For this method you’d leave the “Delay in DHCP offer” equal when configuring split scope, which would give both servers a 50% chance of dishing out leases. You’ll probably want to set the scope to 50/50 and I’d make sure that each 50% could serve the majority if not all of the clients in your network.

Configuring Split Scope

Here we will set up the 80/20 rule. In versions prior to Server 2008 R2 you would have to manually configure the scope on the 2nd server; the wizard included in R2 does this for you.

At this point you should have 2 DHCP servers configured. The 1st server should have a scope with the full range of addresses, and the 2nd server should be scopeless. In this example I’ve configured the scope on AD1 for – and added both DHCP servers to the DHCP MMC console.

Right click the scope, select advanced and then Split-scope


Add the 2nd DHCP server


Adjust the split; here we choose 80/20. Note that the wizard shows the number of addresses each server will have and the excluded range.


Here is the delay in DHCP offer I mentioned earlier; for 80/20 you’ll probably want to use 1000ms for the 2nd DHCP server. If you want to load balance, leave both of these at 0.


The scope will now have been added to the 2nd server. To finish the setup, right click the scope and choose Activate.



In this video I will walk you through configuring the DHCP role and split scope.

Wi-fi Protected Setup (WPS) Vulnerability Exploited

In the last few days I’ve been following this vulnerability with interest, and boy- it’s been fun!

What is WPS?

Wi-Fi Protected Setup (WPS) was designed to ease the task of joining clients to a wireless network. The user simply types an 8-digit numeric PIN, which transparently gives the client the WPA/WPA2 PSK and allows it to join the wireless network. So far so good.

So what is the exploit and how big a deal is it?

Currently WPA/WPA2 exploits are long-winded and typically involve testing the PSK against large dictionaries, which takes a huge amount of computing resources and time. On top of that, more often than not they’re unsuccessful.

Stefan Viehböck discovered a vulnerability in WPS which allows its PIN to be discovered much more quickly than brute forcing the PSK, which in turn exposes the WPA/WPA2 PSK. The exploit is explained in detail in a document here, but here’s a quick breakdown of why it’s so fast.

There are 8 digits in the PIN, the 8th being a checksum of digits 1-7. With 7 digits left it gets interesting: during a WPS negotiation attempt, the access point acknowledges when the first 4 digits of the PIN are correct. So we try up to 10^4 keys for the first half, then 10^3 keys for the second half plus the checksum. That is around 11,000 keys/PINs in total, but because the exploit searches each half of the key space separately, on average only around half that number are tried before the right one is found. That small number means the key space can be tested in a relatively short time, typically somewhere between 4 and 10 hours.

WPS is enabled on a lot of Wi-Fi access points by default, especially on Wi-Fi-equipped modem routers issued by ISPs. Some routers will actively block multiple attempts or slow down requests; a spreadsheet of tried and tested devices can be found here.
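The key-space arithmetic from the two paragraphs above, as an added Python example that is not part of the original post: the WPS checksum rule (taken from the WPS specification), the 10^4 + 10^3 split, and how far the lockout or throttling that some routers apply stretches an exhaustive run. The attempt rate and lockout figures are constructed illustrations, not measurements.

```python
# Added example, not code from the original post: the arithmetic behind the
# WPS PIN weakness described above, and how much an AP-side lockout stretches
# an exhaustive run. The checksum rule is the one in the WPS specification;
# the attempt rate and lockout figures used below are constructed illustrations.

def wps_checksum(first_seven: str) -> int:
    """8th (checksum) digit for the first seven PIN digits: positions 1,3,5,7
    weigh 3, the rest 1, and the checksum makes the weighted sum a multiple of 10."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    acc = sum(3 * int(ch) if i % 2 == 0 else int(ch)
              for i, ch in enumerate(first_seven))
    return (10 - acc % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])

def naive_keyspace() -> int:
    """Valid PINs if the whole PIN had to be guessed at once (8th digit implied)."""
    return 10 ** 7

def split_keyspace() -> int:
    """Worst case when the AP confirms the first half on its own: 10^4 guesses
    for digits 1-4, then 10^3 for digits 5-7 (digit 8 is derived)."""
    return 10 ** 4 + 10 ** 3

def expected_attempts() -> float:
    """Each half is found, on average, midway through its own space."""
    return 10 ** 4 / 2 + 10 ** 3 / 2

def hours_to_exhaust(seconds_per_attempt: float, lockout_after: int = 0,
                     lockout_seconds: float = 0.0) -> float:
    """Hours to try the whole split key space at a given attempt rate. If the AP
    locks WPS for lockout_seconds after every lockout_after failed attempts (the
    throttling some routers apply), that waiting time is added."""
    attempts = split_keyspace()
    total = attempts * seconds_per_attempt
    if lockout_after > 0:
        total += (attempts // lockout_after) * lockout_seconds
    return total / 3600

if __name__ == "__main__":
    # Constructed figures: one attempt every 2 s, then a 60 s lockout after 3 failures.
    print(naive_keyspace() // split_keyspace())       # 909 times fewer guesses
    print(round(hours_to_exhaust(2.0), 1))            # 6.1 hours unthrottled
    print(round(hours_to_exhaust(2.0, 3, 60.0), 1))   # 67.2 hours with lockout
```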

The obvious solution is to disable WPS, if you can, but on a larger scale newer firmware will need to be deployed to completely mitigate the flaw. That’s something that will take time, and something that’s hard to communicate with the general public, so I foresee a lot of WPS-enabled APs in circulation for some time.

How to perform the exploit

There are a couple of valuable tools that can use the exploit that are available for pentesting your current AP infrastructure; it’s especially worth doing so if you’re unable to turn WPS off. The tools are very easy to use, and please note I don’t advocate performing this on anything but your own environment.

Linux distro of choice (Backtrack 5R1)
Supported Wireless Card (Realtek RTL8187L)
Reaver ( or (, I’ve focused on Reaver.

tar -xvf reaver-1.3.tar.gz
cd reaver-1.3/src
make install

##Make sure your wireless card is detected
##Put the wireless card into monitor mode
airmon-ng start wlan0
##Show Wireless networks with strength and more importantly the BSSID needed for Reaver
airodump-ng mon0

reaver -i mon0 -b BSSID 

…and off it goes. There are currently some bugs that are being ironed out and as mentioned earlier some APs will throttle or simply lock out multiple requests.

As you can quite clearly see this is extremely easy to perform and potentially exposes a large security flaw in any WPA/WPA2-protected network with WPS enabled. I’ve run Reaver against two of my spare APs and it’s been successful both times with a completion time of around 6 hours. The tools can be used for pentesting with this exploit, but in the wrong hands they provide a ridiculously easy method for anyone to gain unauthorised access if your AP infrastructure is vulnerable. If WPS-enabled Wi-Fi networks you administer are vulnerable, take steps to protect them.

Draytek 2830 – Finishing Up

Sky LLU Broadband

I can confirm the Draytek 2830 works with Sky’s LLU service. Sky’s DSLAM and routers use the Broadcom chipset whereas the Draytek runs an Infineon chipset; I’m finding sync speed is pretty much identical to the standard Sky router and have seen no stability issues. Sky don’t allow you access to your username and password, which I find pretty ridiculous, and I have personally heard of a few cases where the provided router has failed and they’ve had to wait x weeks for a replacement instead of popping out and buying a new router, inconvenient to say the least. There are methods of gaining these details but they do break Sky’s terms & conditions. Here are the settings I used with success:


Bandwidth Limiting

There are two main methods for limiting bandwidth: you can limit per SSID or per IP (range). Per SSID limits the entire SSID to a particular speed, whereas limiting per IP lets you choose between shared or per-IP limits, which seems the more sensible option. Both methods work as described and are great in a guest wireless situation.

Wireless Rate Control

Per IP
IP Control Bandwidth

Final Comments

The feature list of this router is pretty impressive. I was also able to connect a printer via the USB port to share, set up a VPN for remote support, and various other helpful bits and pieces you won’t normally find without spending a little more. At £220 or so and with its feature set I can see it fitting well into a small office environment.

Draytek 2830 – Reboot Loop

I was asked to set up some guest wireless access on a low budget and, after looking at and pricing up various solutions, I decided that the Draytek 2830 fit the bill. In fact I’d been hearing nothing but good things about the 2820 and 2830 range for a little while, so I was keen to have a play.

Out of the box things were fairly straightforward; I managed to get a basic config down and everything was going well… that was until I power cycled the router. The ACT, USB, CSM and DSL lights would light up for 20 seconds or so, then they’d all flash off for a second or two and this cycle would repeat itself. Neither the WLAN nor the LAN came up, so I dug into the sparse troubleshooting section of the manual.

If you turn the router on whilst pressing in the factory reset button it should reset to the default config whilst the ACT, USB and CSM lights flash; unfortunately this wasn’t the case for me. The LAN port came up and I could ping the router, but I wasn’t able to access the web GUI/SSH, and after 30 seconds or so the router would reboot and get stuck in the same cycle.

Whilst in this ‘mode’ (flashing reset lights) you can also TFTP a new firmware to the device, which thankfully resolved the issue.

How to resolve the reboot cycle

Download the Firmware Upgrade Utility and latest firmware from here; there will be two versions. The .ALL is the firmware only and should maintain the config, and the .RST includes the firmware and a clean config.

Hold the Factory Reset button in whilst turning the router on; the ACT, USB and CSM lights will flash.

Load up the Firmware Upgrade Utility, enter as the router IP, and select either the .RST or .ALL file. I tried the .RST at first and it seemed to complete the process but didn’t resolve the issue, so I ended up using the .ALL. If the attempt times out, make sure you have no other active connections on the machine and/or bump up the timeout accordingly (I ended up bumping it to 10 seconds). I did not have to enter a password.

Draytek Firmware Upgrade Utility

After the firmware has transferred across and the router has restarted you should be able to access from with the standard username and password of admin/admin.

You can export the configuration file by going to System Maintenance -> Configuration Backup -> Backup, so if you’re reading this and have a 2820/2830 I’d recommend going ahead and taking a backup.

I’ll finish the configuration off tomorrow and write up anything else I find, bar this initial hiccup I’ve been pretty impressed.

Nslookup – Common Usage Examples

NSLOOKUP is a basic command line utility for DNS queries; it’s built into Windows and should be a tool you’re familiar with. Here are some real world examples which I deem common queries.

Query A and PTR records

This is as straightforward as you can get: NSLOOKUP FQDN or NSLOOKUP x.x.x.x

Nslookup Query

Query A and PTR records from another Name-server

You can query name-servers other than the one your client is configured with by adding the NS IP onto the end of the query; for example, to use an OpenDNS NS ( you’d type:



NSLOOKUP x.x.x.x

Nslookup Query Alt NS

You may notice the non-authoritative answer; this simply means the name-server queried does not hold the entire zone for the domain (in other words it doesn’t have every single record)… more on that later.

Query other types of records

You can query pretty much any other type of record (see the full list here: with the set type= or querytype= command. The single line command would be:

nslookup -querytype=mx

The interactive mode command would be:

set type=mx

You can query another NS by appending it onto the end like the previous examples. If you have multiple records to look up you might decide to head into interactive mode (see below). In interactive mode you can change the queried NS by using server

NSlookup Query type

Nslookup Full mode

Remember I mentioned non-authoritative answers earlier? Below, I’ve queried for the name servers for the and then queried them directly.

Nslookup Auth NS

You can do a lot more with nslookup; for example, ‘set debug’ will give you verbose information on a record, including things like TTL. Here’s the output:

NSlookup set debug

I hope this gives you the basics and some good real world examples…
