Computers, Programming, Technology, Music, Literature

Getting hackazon up and running on Wamp on Nov 2016

leave a comment »



Of all the vulnerable applications from the OWASP’s vulnerable web applications directory, Hackazon is up to date with the latest technology stack and customizable vulnerabilities. It’s is a great choice to learn and teach ethically hacking today’s web applications. As of today, although the project on GitHub reports an update nine months ago, the application still uses recent web technologies to that we can learn hacking like it is 2016. This article helps you set up hackazon on a windows machine.


Things to be downloaded before we get started:

1. Hackazon User guide

Download from

Direct Download Link


2. Wamp server


Here’s the story

I had a Wamp installed on Nov 2014 and I tried using the same Wamp server for hackazon deployment. After following the instructions on the user guide, and going to a browser, hitting the install page came up, and after you put the credentials for the MySQL user hackazon, and hit the Next Step button, the page would load the same page over and over again. So basically I was stuck at the first step of the wizard where you supply the administrator credentials. [Bug #5 filed at “Installation – unclickable buttons "next step" ”]

I tried everything in the Hackazon User Guide (here after referred to as the user guide) on a Kali linux machine, set up went smooth, just as described in the User Guide and the site was up and running in no time. It was happiness to see the second step of the installation page where you provide the MySQL database credentials.

Though I cant technically confirm if the older version of Wamp was the cause of bug # 5. My guess was may be to reinstall the Wamp to a recent version on a window machine and try the same steps as the user guide. And it indeed, helped me get over the bug # 5.

For Windows, the User Guide describes installation on Wamp 2.some version. However the current stable version available for release is Wamp 3.0.6 at the time of this writing. So something in MySQL changed, some things in Apache changed and hopefully this post will help you fill the gaps between the Hackazon User guide and the recent changes to the Wamp.


1. Download Wamp server


Please ensure your computer has the recent version of VC++ Runtime. If you want to install the VC++ runtime to the recent version, either have it done via Windows Update, or download it from the Microsoft website as recommended by the Wamp servers download page (as in the screenshot above). It is so important for Wamp to function properly that they have even updated their installation agreements during the installation wizard to reflect the installation and update of VC++ runtime. I had to download VC++ runtime for Visual Studio 2015 here at

Ok. Install Wamp. Pretty straight forward installation, go with the defaults.

This is the current Wamp installation on my computer right now.


2. Download Hackazon source code

Head over to the hackazon source code download page at github and download a zip of the hackazon source code.


Have them zip file contents extracted to c:\home\hackazon


3. Rename db.sample.php to dp.php

Head over to C:\home\hackazon\assets\config and rename the file db.sample.php to db.php


4. Create hackazon db and username in MySQL console

Open ‘MySQL console’ from the Wamp server system tray.


Press Enter on the ‘Enter password’ prompt if you did not create a MySQL root account password, which is the default during installation. Or if you had created a password for your MySQL installation, authenticate.


Enter the below query to create a database named hackazon.

create database hackazon;


Enter the below query to create a user named ‘hackazon’ and give it a password. In the screenshot below and in the query below, admin123!  is the password, feel free to choose your favorite.

The password you provide here is important as you would need it on the first step of the Hackazon Installation wizard.

GRANT ALL ON hackazon.* TO hackazon@’localhost’ IDENTIFIED BY ’admin123!’;


After this step, if you are curious, only if you are, head over to phpMyAdmin (from the Wamp Server system tray), login with your root server credentials, to see a database named hackazon, and a user named hackazon. Or just imagine, if the above two queries worked fine, a user name and a database named hackazon would have been created.


Do a restart by selecting Restart All Services from the Wamp server system tray menu.


5. Configuring or Verifying Apache’s default port

Open apache’s httpd.conf file. From Wamp Server System tray  -  Apache  – httpd.conf


Search for the word Listen, and ensure Apache listens on port 80. I tried changing it from the default settings and tried to configure Apache to run on 7070 port, and hackazon kept giving me 400 Invalid Referrer error message, I couldn’t find out why. So I reversed back to the default settings.

Tip: Let’s try to configure Apache on the default port 80.

If you have Skype or IIS, running on port 80, change them, at least for now to give hackazon a preference to run on apache’s port 80.


Also, search for ServerName and verify if Server localhost also says port 80. I honestly do not know what this for, read the description and figure out. For now, all we are trying to do is configure apache to run on port 80.


6. Configuring the hackazon website set up

Open apache’s httpd-vhosts.conf file. From Wamp Server System tray  – Apache  – httpd-vhosts.conf


Copy paste the below contents of the httpd-vhosts.conf file in to your httpd-vhosts.conf file.

# Virtual Hosts

<VirtualHost *:80>
ServerName localhost
DocumentRoot c:/wamp64/www
<Directory "c:/wamp64/www/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
Allow from all


<VirtualHost *:80>
DocumentRoot "c:/home/hackazon/web"
<Directory "c:/home/hackazon/web/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
Allow from all



Save the file. The vhost settings provided above is good enough to even access from another machine on the LAN.

7. Edit Windows hosts file to bind to loopback address

C:\Windows\System32\drivers\etc open hosts file with administrative privileges and add the below entries

8. Restart DNS service from wamp server tools (right click wamp server from system tray)


After Restarting DNS, Restart All Services from wamp server from system tray.

This is all is required to start hackazon installation wizard. For the first time you hit, you will automatically be redirected to the installation wizard.

9. Final tinkering

If you just go with this set up and continue with the Installation Wizard, on step 4 – the final step of the installation wizard will give you an error message as below:

Error 42S02: SQLSTATE[42S02]: Base table or view not found: 1146 Table ‘hackazon.tbl_product_options_values’ doesn’t exist”.

There is also a bug filed for it. [Bug #9 Database problem]


After digging and digging and executing the contents of the db.sql file at C:\home\hackazon\database manually at phpMyAdmin Sql console, it occurred that the default value given for the timestamp data type is not supported by MySQL anymore or you would need to turn off date zero validation for the query execution.


To fix, add the below line at the very top of the db.sql file in C:\home\hackazon\database and save the file.



Now, for one last time, Restart All Services from the Wamp server system tray.

10. Navigating through the Hackazon installation wizard

Open a browser and hit


You will be redirected to

Provide the admin123! password, that is the one we typed in the MySQL console. Hit Next Step.



Provide the same password under the Password field, and hit Next Step




Leave the defaults, hit Next Step


Leave the defaults, hit Install

In a couple of seconds, you should be automatically redirected to


Basically, that’s it. The hackazon user guide has more information on how to use the vulnerabilities configuration and other things that are specific to the hackazon application itself.


Just to do a walk through, hit, provide user name as admin and password as the password we entered in the MySql console admin123!

Navigate to Vulnerability Config, and choose account from the drop down. Or simply hit the url –


to see an error page as below:


To fix, click Wamp Server system tray icon  -  PHP   -   php.ini


Go to the very end of the php.ini file and comment out the zend_extension line by adding a semi colon ; in the front.

Save the file. Restart All Services.



If you want to access from another computer (let’s say ‘X’) on the same Local Area Network (LAN), Open drivers/etc/hosts file on computer X and add the ip address of the to point to

For every computer on the LAN, modify their windows hosts file to point to the Wamp servers ip address.

That’s how I set up hackazon and got it working. Do you have similar experiences?

Written by gmaran23

February 21, 2017 at 11:40 pm

Creating a virtual machine in Schuberg Phillis Cosmic Client / Apache Cloudstack for the first time

leave a comment »


Let’s say you want to create a virtual machine with Apache Cloudstack or an IAAS provider like SchubergPhilis that has a Apache Cloud Stack based client called Cosmic Client. Follow the instructions below:

I am not going to explain in words, but the pictures below, point you to places you need to click and edit. If any of the settings below don’t work, chances are that you might have chosen an incorrect VPC, Tier, offering, feel free to reach our to your cloud provider for assistance.


1. Let’s start by adding a VPC, that is a Virtual Private Cloud.


2. Give it a Name, Choose a Zone, Super CIDR (the subnet range within the Virtual Private Cloud), and a VPC offering as advised by your cloud provider.



3. Once the VPC is created, click on Create network to Add new tier.
Give it a Name, Choose a network offering, provide the gateway address, a subnet mask.



4. Once the Tier is created, Click on the Virtual Machines, to add a new VM.


5. Next screen, click on Add Instance


6. Select a zone. Choose either ISO or Template. Choose ISO, if you would like to use an ISO image as bootable media and install the Operating System yourself. Choose Template, if you would like to choose from preinstalled Operating System VM templates.

We are going to choose ISO for this example.


7. Choose an ISO image.


8. Choose the amount of RAM, CPU from the available offerings.


9. Choose the required HDD size.




11. Give an IP address for this machine




13. Give a hostname and hit Launch VM


14. Once the VM is created, Click the View Console icon to access the running VM


15. Your VM is ready, you can start installing and perform the required work.



In case you get any Network Errors during the creation of VPC, or Tiers, ask your IAAS Cloud provider for assistance.

Written by gmaran23

February 21, 2017 at 4:37 pm

Troubleshooting Remote VPN and Internet access at the same time

leave a comment »



Issue: When connected to Remote Access VPN, internet cannot be reached because of IP routing conflicts

Solution: Enable Split Tunneling for the VPN connection, and add routing for the IP addresses on the device


On a Windows 10, When Remote VPN is connected, internet disconnects. Let’s say, is an IP address on the VPN. In the screenshot below, when internet is connected, pings, however doesn’t ping. Expected behavior because we are not connected to VPN yet.



When Remote VPN connectivity is established, the internet goes off, and the VPN machine starts pinging.


So, that’s the issue.


Step 1:

Disconnect the VPN.

Open Windows Powershell, and type in the command to enable Split Tunneling for the VPN connection.

Set-VpnConnection  -Name “TheVPNConnectionName” –SplitTunneling $True –PassThru



If VPN connectivity is attempted now, after the Split Tunneling change, notice the internet works, however VPN machine cannot be reached.



Step 2:

Add a persistent route for the destination.

We need four things to add a permanent route:

  1. The destination IP address [Eg:]
  2. Subnet mask [Eg:]
  3. Destination gateway [Eg:]
  4. VPN network interface id (route print command, and identify the Interface ID of the VPN connection)

[Eg: In the example below, the Interface Number for the VPN connection is 69]



Open a command prompt with Elevated Privileges, and type in the below command to add a permanent route to the destination IP address. For more IP addresses, repeat the command by changing the destination IP address.


route add –p MASK IF 69


Now, internet connectivity works as expected. If there is a request for IP address which is on the VPN, then the route would go through the VPN interface.


That’s it.

Written by gmaran23

February 21, 2017 at 3:32 pm

The love and trust affair

leave a comment »


December 1, 01.15 AM IST

I can’t express how much I love you these days
I wish it was it was only the sex, we had to haste
The moment I gave you a place in my heart
Every time we fought it ripped me to shrapnels apart

I don’t like anger, neither do you?
But I can’t control, the way I am, can you?
You don’t understand how much I love you
You have deep trust paranoia, sad but true

I threw away things that I ever cared for
You misunderstand me, you tell me to fuck off
Be careful next time what you say
Words that hurt, put me in ceaseless dismay

Hell, I can’t fucking count the number of stars
As my body, you left me with so many scars
You asked me to write a poem for you the times we met
Here I am, pouring down my feelings, I am now a whiskey’s pet

You think I am drunk, you think you can blame me
Well, I am slam dunk, you still can’t assume me
I am a man of duty, pride and honor
In love’s court, I plead not guilty your honor!

Past is past, and the past is done, can’t be undone
You can’t recover what’s been said and done
Either we live in the dark, worrying about shattered dreams
Or start a new life spark, with new joyful schemes

I sorry I can’t be like your father or him
I am me! It’s our ego, we both need to trim
At least I have the to courtesy to accept my mistakes
If you confide in me, I don’t have to say you manipulate

Where there is anger, there is intense love
Its fear you monger, allow me to exalt you above
Remember, you used to ask me, "Who am I to you?!"
You realize now, how desperately I am the one who needs you?!

No matter what happens, we are family, we never leave the house
We stick together through our bitterly woes, my spouse
They say two same poles repel each other
We two similar souls, I wonder, can we propel together?

I know, I should learn to treat you better
I am learning, trying hard, and I never regretted
Seems like true care and affection are hard to come by
I happen to think, in my mind they are naturally imbibed

I don’t boast, I am the best you will ever get
I wanna be your dawn to dusk from the sun rise to set
What about my dreams of having kids with you?
You wanna give up, Damn, I thought you thought so too.

Hey baby, don’t you worry, what are you afraid of?
When you have our love to be proud of?!
It’s our life, we gotta live for ourselves
But at first, You gotta start believing in thyself

If I lived for people that will say whatever they say?!
Fuck the society, every fucking dog has its fucking day
You suffer people bitch; you live well, people still bitch
Think, do we have to be their bitch, you bitch?

Baby, I cry when your face strikes my mind
Like it rains, when lightning strikes, so the sky whined
You probably got the same feelings like I do
I object, your claims that you love me more than I do

End of day, it boils down to whether you marry me or not
What will I do, if I don’t tie you the knot?
I gotta ask your parents, how they made you so hot
Especially in bed, when you bring all your naught

You weren’t brought up like me, I will do my best
But, when I am off the edge, you gotta learn to adjust
My mom, your mom, my father, your father
They don’t matter to me anymore as they are farther

I am tired of people around you bleeding you dry
When you run out of money, guess what? They sigh
All our dreams comes don’t come true like in a story book
In real life, you gotta little bit broaden your outlook

I get angry cause it’s about your wellbeing I care
Don’t you question my love and trust, don’t you dare!
I recon I have to be an even kinder man
Or what’s the difference between me and a garbage can?

It’s the love we need to cherish
Not the arguments that will let us perish
None of my words here are meant to piss you
You don’t trust me? hah! I still miss you

It’s surprising that I let another girl become my priority
Sometimes I feel I loaned myself some hypocrisy
Like I don’t follow what I preach
Then I realize, it’s my code, I breached

My love is pure like the orgasm we have, you know it
Thank you for loving me back, to you I owe it
I can’t hold on to my leash when you are naked
Our sexual hormones we unleash, we become sacred

We always fight about our possessiveness, and forgiveness
But now you starting to question my trust, my highness?
I am sitting here thinking about the taint spew on my trust
Labelling me to be stingy and causing unrest

You think its money after all to me that’s important
Let alone my compassion, let it lay dormant
You think I don’t trust you for the loan money
It’s funny, retrospect, is that all you understand me, my honey?

Who should you give money or not? Wishing well for you is my fault?!
When you finger it as my shortcoming and start an assault
My actions may be frenzy, do you fail to see my intentions?
I don’t give up, though I am fed up of these tensions!

The day we give up, our family dies
Worse than a corpse fed by maggot flies
It’s our relationship, we respect
If we are true, ain’t no room for suspect

There is nothing wrong in saving for oneself and being selfish
Though I don’t mean we become scavenger fetish
It’s time we start saving for our marriage
And correct the abortion and all the papaya miscarriage

You like a flower that is soft to even fondly touch
Am I a gardener, not qualified to owe you as such?
I don’t want you be my next failed episode
Hence I write you and dedicate my profound ode

Tit for tat, ain’t gonna make our bonding work
I bash, many times I know I too can be too curt
Will I ever get another partner like you miss?
I still beg you pardon I promise

I know I hurt you too, that’s why I said I am a hypocrite
I want to apologize too, and express my plight
I pretty much had to say what I had in mind
In time you will comprehend the true meaning of my rhyme



Written by gmaran23

December 1, 2016 at 1:16 am

Posted in literature, love, poems, quotes, rage

Tagged with , , , ,

Test from writer

leave a comment »


Written by gmaran23

November 21, 2016 at 12:03 am

Posted in Uncategorized

that delicious lamb meat

leave a comment »

That roasted lamb’s a delicacy
It’s parents would have made it with love
Well, they made love, hence the meat

And that exotic sauce on ’em for your taste buds
The chef should have made it with love
Well, he made love, hence the sauce


Written by gmaran23

October 6, 2016 at 5:56 pm

Powerful and contextual sentences for the Constellations activity

leave a comment »


During the Coaching Agile Teams training by Michael Hammond, and Michael Spayd, we explored ways of using the Tribes, Constellations, and Explorers activity at different situations. Today I tried the tribes and constellations activity with a team with the below questions to get started with, to get a sense of the team’s dynamics before I started coaching the team.

  • I feel good when someone tells me what to do
  • I feel comfortable when someone teaches me
  • I am afraid of failures, it hurts
  • I am afraid of failures, it hurts, but it brings the best out of me
  • I am committed to my team, not to my tasks
  • I do not like feedback from others
  • I sometimes encourage feedback from others
  • I voluntarity believe in asking feedback from others for my improvement
  • I do not like cofessing my mistakes to my team because it makes me feel insecure
  • I like confessing mistakes to my team because I am trying to elicit help
  • I like to create best customer experience and I do not know how to do it
  • I like to create best customer experience and I know exactly what needs to be done
  • I have feedback for some team members but I am afraid to tell them because they once did not receive the feedback well
  • I gave feedback for some team members but I do not know if they are working on it
  • Sometimes I do not know if we are transparent at all
  • Sometimes I do now know if we are transparent enough

Written by gmaran23

October 20, 2015 at 7:23 pm

Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August 08 2015

leave a comment »

Written by gmaran23

August 10, 2015 at 7:14 pm

SSIS – An Effortless Two Step Approach to Protect Sensitive Information in Xml Configuration Files

leave a comment »


I wanted to grab some text regarding DPAPI and RSA Encryption providers for my talk Beefing up Security in ASP.NET Part 2. But I couldn’t find it handy, I had to download a pdf version of this below SSISCipherBoy support guide. Posting here for easy access.


SSIS – An Effortless Two Step Approach to Protect Sensitive Information in Xml Configuration Files


I. Introduction

II. Competitive approaches

III. Prerequisites

IV. Preparing your package for configuration

V. Step 1 – Using SSISCipherBoy.exe – Select and encrypt configuration entries

VI. Step 2 – Using SSISCipherBoy.exe – Prepare the package to decrypt information

VII. Deploying package with encrypted configuration to server – Using SSISCipherBoy.exe – Export/Import RSA key pair

VIII. Common errors and debugging options

IX. What now?

X. Glossary

a. Using SSISCipherBoy.exe – Processing multiple packages sharing same config

b. Using SSISCipherBoy.exe – Dump SSISCipherUtil.dll to GAC / local directory

c. Manually installing SSISCipherUtil.dll to GAC

d. Manually create a ScriptTask to decrypt information

e. What does the automatic Package Processor do?

f. How does the cipher algorithm work?

XI. References and further reading


Writing a tool or an article becomes best when it is a communal effort. While I conceived and developed the library and tool, I want to acknowledge a few people who contributed in various ways.

Balabhadra Pavan Kumar, Dheeraj Dhamija, Balakrishna Allidi for constantly proving feedback, improvement aspects, and for reviewing sections of the support guide.

Manohara Mahadevappa for putting up with me during early development cycles and suggesting a bit of user friendly features.

Narasimha A Prakash, Sriram Seshan for being good enough to support me whenever I approached them.

I. Introduction

One of the ways of saving configuration entries for SSIS packages is an Xml configuration file, probably because they are simple editable text files, portable, and so on. When developing ASP.Net or Windows applications, most of us are cautious enough to encrypt the sensitive information that is saved in their configuration files. Reasons? May be it is thought that ASP.Net applications may reside on a web server that is exposed to outside world and hence they might be susceptible to attacks of sorts, and when that happens, we would not want to expose sensitive information in plain text, so we encrypt them. And the .Net framework provides it as an out-of-the-box functionality. In the most common scenarios that we have known, SSIS packages run as scheduled jobs inside a server that is located far inside the corporate firewall with ports closed, just sitting there in a good hope that ‘I am not vulnerable to attacks, so I can just be here with an xml configuration file that has connections strings, besides others things, in plain text’. As protection comes with security applied in various layers, the kind of attitude to rely on good hope and on firewall may just not be enough. In the wake of recent attacks in high profile organizations, if by any miracle, someone infiltrates and steals the data, we don’t want to expose further information in plain text. Do we? The risk could even come from a new developer that accidentally performs some unwanted activities on data (by using the information in the xml configuration file saved as plain text) that is meant to be protected from accidental damage, both foreign and domestic. That is the motivation to write this library and executable to help us encrypt information in our SSIS xml configuration files and hence this article. The entire process is done in two simple steps. If you are an experienced developer, read the prerequisites section and proceed directly to section V and VI.

II. Competitive approaches

That said, there are best practices that you can adhere to, like protecting the configuration using Access Control Lists that are tied to your Active Directory efforts, storing configurations in a SQL server database somewhere. Below are two blog entries that talk about our present options.

  1. SSIS: Storing passwords
  2. SSIS: Encrypted Configurations
  3. BI xPress Secure Configuration Manager

While there are pros and cons for approaches, they might not suit your need due to restrictions of company’s policies. And most developers prefer to encrypt and decrypt using a custom script task. While this is a viable option, it is a lot of effort to write a separate encryption module and unit test it, and not all developers are expert programmers that care about strong cryptography and key management. Most of the times the symmetric key used for encryption/decryption is hardcoded in the script task and the package itself is protected by a password. The encryption algorithm that the proposed library (referred to as SSISCipherUtil.dll from now on) uses state-of-the-art methods of encrypting information that hands over the cryptographic key management to the Windows operating system itself. As a matter of fact the ASP.Net out of the box functionality supports encrypting configuration information using DPAPI and RSA. SSISCipherUtil.dll comes with those two options. DPAPI associates cryptographic key with the windows user accounts and RSA uses key containers. That’s just a one liner. More at msdn – DPAPI, RSA.

When you have an encrypted configuration that you would like to be ported across multiple servers, use RSA, export the key pair from one server as xml, import it another server, then destroy the key pair xml file. If the package just sits on one server use RSA or DPAPI.

III. Prerequisites

1. Windows XP or later workstations, Windows Server 2003 or later server operating systems.

2. SSISCipherUtil.dll requires .Net framework 2.0 or later – is the library that helps in encryption/decryption during package setup and at package runtime.

3. SSISCipherBoy.exe requires .Net framework 3.5 or later – is the tool that helps you encrypt/decrypt a configuration entry at design time.

4. Auto code generation functionality of SSISCipherBoy.exe of requires a computer with Business Intelligence Development Studio (BIDS) installation.

5. Requires Administrator Privileges. Run as administrator option if UAC is switched on.

6. Supports only String encryption/decryption. No other data types are allowed.

7. Supports only Package.Variables and Package.Connections collections.

8. Supported Package ProtectionLevel values are DontSaveSensitive, EncryptAllWithPassword, EncryptSensitiveWithPassword. EncryptAllWithUserKey, EncryptSensitiveWithUserKey are supported only when the user account that modifies the package is used to run the package, in the same machine.

Below is the screenshot of the main window of SSISCipherboy.exe. Let’s explore the features one by one in later sections.


Fig. 3.1

IV. Preparing your package for configuration

If you here reading this article, I assume that you are an experienced developer that has configured and managed SSIS packages before. However, for the sake of completeness below are msdn references that explain saving SSIS configurations in xml files:

  1. Package Configurations
  2. Understanding Integration Services Package Configurations

Most important thing, if you don’t uncheck the Enable package configurations in SSIS Package Configurations Organize and if there is a configuration set up for the package, then the config files passed to the package using the /config option of dtexec.exe will not be effective. This might seem counter intuitive but that’s how SQL Server 2008 Integration Services works.

In the following steps, we will be running an unmodified package named AdvWrksLocalLoad2.dtsx with its original configuration AdvWrksLocalLoad2.dtsConfig, then run the modified package AdvWrksLocalLoad2-Mod.dtsx with an encrypted configuration AdvWrksLocalLoad2.dtsConfig, and then run the latter on a Windows 2008 R2 server (just like a production environment).

V. Step 1 – Using SSISCipherBoy.exe – Select and encrypt configuration entries

Now, without further delay, let’s pick a package and let’s encrypt its configuration entries. All the samples along with the tools are zipped and attached to this article. If someone’s interested in looking through the source code of SSISCipherBoy.exe and SSISCipherUtil.dll or enhancing its functionally or aesthetically, please contact me, I’d be pleased to share them.

Below is a list of files that we will be working with for demonstration.


Fig. 5.1

AdvWrksLocalLoad2.dtsx in Business Intelligence Development Studio is a package that does a few things, and the task the package performs is irrelevant here because we are concentrating on encrypting its configuration values in the xml configuration file. AdvWrksLocalLoad2.dtsx is protected with the password test [ProtectionLevel=EncryptAllWithPassword and PackagePassword=test].


Fig. 5.2

AdvWrksLocalLoad2.dtsConfig is the configuration file for AdvWrksLocalLoad2.dtsx that appears like below in Internet Explorer. As you could see the connection strings are mere plain text.


Fig. 5.3

Let’s encrypt them. Run SSISCipherBoy.exe as administrator. This program requires administrator privileges. On Windows systems with User Access Control (UAC) switched on, running as administrator is a mandatory requirement. Otherwise the program will not load properly; you will have to go to Task Manager to end it.


Fig. 5.4

When you run this program on a computer for the first time, it will install SSISCipherUtil.dll to the computer’s Global Assembly Cache (GAC).


Fig 5.5

Hit, OK to that warning, and proceed with the success message. Once the program is opened, let’s drag and drop the configuration file named AdvWrksLocalLoad2.dtsConfig. Use the Browse button to locate a configuration file if drag and drop does not work. The configuration file will be loaded in a tree view.


Fig. 5.6

Encrypting the values is as simple as selecting them and hitting the Encrypt button. However, if you pay attention to the third item, there is a User ID=EncrDemoUser, however, there is no Password provided for it in the configuration file. When you are exporting connections strings that contain a password, then SSIS Package Configurations Organizer does not export the Password property in the configuration file. It knows that a Password is sensitive information and it does not export the Password for ConnectionString. However, you could add it at your own risk – Just what we have been doing all along.

Before we do anything to this configuration file, lets test run it once.

dtexec.exe /file "C:\Maran\Project stuff\SSISCipherUtil\SSISCipher1.2.0.0\Demo\AdvWrksLocalLoad2.dtsx" /config "C:\Maran\Project stuff\SSISCipherUtil\SSISCipher1.2.0.0\Demo\AdvWrksLocalLoad2.dtsConfig" /DE test


Fig 5.7

The package runs just fine. Let’s get back to SSISCipherBoy.exe, right click on the item missing the Password property and click Edit Value to add a Password and hit the Save button.


Fig. 5.8

Nothing is saved to the original .dtsConfig file until you press the Commit changes to the config file button. Commit changes button gets enabled after the Encrypt/Decrypt buttons are clicked.

Once done, we have got two choices of encryption algorithm. To keep things simple: entries encrypted with DPAPI can only be decrypted on the computer on which it is encrypted on, however entries encrypted with RSA can be decrypted on any computer running windows if we export and import the key container used for encryption. So, if we encrypt a configuration entry on our development machine, in order to use the same configuration file across other environments, you will have to export and import the RSA key pair on the target machines using this tool SSISCipherUtil.exe. More about the algorithms are discussed in the Glossary section X-f.

Lets pick the entries that are sensitive, click the Lock/Unlock Selection button, provide a Key Container Name as myrsakey1 (you are free to provide any relevant name for the key container) and hit the Encrypt button. Wait for the success message, and now all the selected entries will be encrypted for you.


Fig. 5.9

Hit Commit changes to the config file button to save the encrypted data back to the file system.


Fig. 5.10

You may, try clicking the Lock/Unlock Selection button and try Encrypt/Decrypt/Edit Value and other operations; however until the time you click Commit changes to the config file, the changes that appear in the tree view will not be saved to the file system.

That’s it! You sensitive values are now encrypted. Next step is to prepare your package to decrypt the package at runtime. Don’t close the tool already; we will have to use it to generate decryption code.


Fig. 5.11

VI. Step 2 – Using SSISCipherBoy.exe – Prepare the package to ready to decrypt information

In our example, the package AdvWrksLocalLoad2.dtsx uses the configuration file AdvWrksLocalLoad2.dtsConfig. That is the configuration file that we encrypted in the preceding step. The dts runtime in no way knows that the configuration file is encrypted; neither there is a way we could tell it in a command line option. If you have DelayValidation=false (which is the default) in the package, then as soon as it encounters an invalid connection string (a connection string that does not have a name value pair like Initial Catalog, Server, User ID..), it throws exception saying that the validation failed and quits the execution of the job. Let’s see how to make a package ready to decrypt information during runtime.

As the AdvWrksLocalLoad2.dtsConfig is open in SSISCipherBoy.exe, check all the encrypted nodes, hit Lock/Unlock Selection and hit Generate decryption code button. This action displays a tip, hitting OK; brings you to the DecryptorCode window.


Fig. 6.1


Fig. 6.2

You are left with two options here.

#1. Manually create a ScriptTask to decrypt information

You can copy the decryption code from the right pane, create a ScriptTask before all other tasks in the target package and replace the scriptmain.cs code with the decryptor code and set the DelayValidation=true. If DelayValidation=false, then an error will be thrown because of invalid connection strings even before any of the tasks are executed. More about manually adding ScriptTask, at Glossary X-d.

#2. Make the package ready for decryption automatically

Drag and Drop a package in to the Package processor, click the Start Processing Below Packages button, and let the tool do the rest of the job for you. If Drag and Drop does not work double click on the package processor area to browse and pick a package. More about how it works, at Glossary X-e.

I am going to demonstrate option #2 here and if you are interested in option #1, refer to Glossary X-d.

With the Decryptorcode window open, add AdvWrksLocalLoad2.dtsx to the package processor and hit Start Processing Below Packages button. Hit OK to the big warning message. If the package is password protected, you will be prompted to enter a password. Enter the password as test and hit Done.

To process multiple package sharing same configuration file that was encrypted, refer to Glossary X-a.


Fig. 6.3


Fig. 6.4


Fig. 6.5

Accept the success message and close the tool. Let’s run the modified package with the encrypted configuration file. The modified package will be saved with a –Mod suffix.

dtexec.exe /file "C:\Maran\Project stuff\SSISCipherUtil\SSISCipher1.2.0.0\Demo\AdvWrksLocalLoad2-Mod.dtsx" /config "C:\Maran\Project stuff\SSISCipherUtil\SSISCipher1.2.0.0\Demo\AdvWrksLocalLoad2.dtsConfig" /DE test

The package runs as expected. It prints some base64 encoded strings to the command window, which can be neglected.


Fig. 6.6

That’s about it. Now lets try deploying the modfied package AdvWrksLocalLoad2-Mod.dtsx and the config file AdvWrksLocalLoad2.dtsConfig to a Windows 2008 R2 server and test run it.

VII. Deploying package with encrypted configuration to server – Using SSISCipherBoy.exe – Export/Import RSA key pair

As mentioned before, we can use the same encrypted configuration file on any other Windows workstations or servers.

  • You would need SSISCipherUtil.dll installed to the Global Assembly Cache (GAC) on the server. GAC is located at C:\Windows\assembly. You can drag and drop the SSISCipherUtil.dll to that folder. Or let the tool do that for you. If you could remember, when the SSISCipherBoy.exe runs for the first time on a computer, it aumatically installs SSISCipherUtil.dll to the GAC. Easiest option, let’s to that. Refer to the glossary X-b and X-c on how to install an assembly (dll) to GAC.
  • Importing the RSA key pair (that was used to encrypt the configuration) to the the server.

You can even use this tool to encryt and modify packages directly on an staging or production server, if you have done necessary testing in the development environments. The point is, if you want to use the same encrypted configuration file across all machines, then you would need to export/import the key container on all other machines.

I have logged on to a Windows server and copied the modified package – AdvWrksLocalLoad2-Mod.dtsx – and its config file – AdvWrksLocalLoad2.dtsConfig – to a location, SSISCipherBoy.exe on to my desktop. (You can place it anywhere though) (DTPOutput1.txt and Query.txt are files used by the package)


Fig. 7.1

1. Right click SSISCipherBoy.exe and select Run as administrator. Accept the User Access Control prompts, if any. SSISCipherUtil.dll will be automatically installed to the GAC, and the program loads fine.


Fig. 7.2

2. From our workstation, or from the development machine where we encrypted the configuration, let’s export the RSA key container named myrsakey1 and import it to the server. Open SSIScipherBoy.exe on your workstation or development machine (make sure to Run as administrator), provide the key container name that we used for encryption myrsakey1 and hit Export Rsa key pair. Save the file as myrsakey1.xml. And copy it to the server.


Fig. 7.3

Copy the myrsakey1.xml file to the server and use the Import Rsa key pair to import it. You should provide the same name myrsakey1 in the Key Container Name text box.


Fig. 7.4

After, successful import of RSA key pair, Destroy the file myrsakey1.xml and SSISCipherUtil.exe from the server.

That’s it! I am going to test run the package using the below command and you will see it working like it did in the development machine.

dtexec.exe /file "G:\Apps\SCOUT\Executables\ExpressNotice\AdvWrksLocalLostTest\AdvWrksLocalLoad2-Mod.dtsx" /config "G:\Apps\SCOUT\Executables\ExpressNotice\AdvWrksLocalLostTest\AdvWrksLocalLoad2.dtsConfig" /DE test


Fig. 7.5

VIII. Common errors and debugging options

  • If you get any CryptographicException during decryption, it is possible that

1. You are using DPAPI and trying to decrypt information on some other computer.

2. You are using RSA but you have not exported and imported the key pair (that was used to encrypt) yet.

3. The encrypted string is modified in some way or other and hence decryption failed.

  • If you get Connection Manager validations/runtime errors, it is possible that

1. Decryption failed

2. ConnectionString does not contain Password property

3. DelayValidation is set to false and you are getting an error because the ConnectionString property is encrypted. Since it is encrypted, it won’t contain strings like User ID, Password, Initial Catalog, Server etc., hence the validation error.

4. EnableConfiguration is set to true (i.e., Enable package configurations check box is checked in the Package Configuration Organizer wizard. And the design time associated configuration file is either missing or not encrypted).

  • To debug, the easiest way is to add a script task at the top of the package, and try accessing the Connection Manager’s ConnectionString property to see if values are getting decrypted properly. For instance, try logging them, or try a MessageBox.Show(). AdvWrksLocalLoad2.dtsx has a ScriptTask in the beginning that just alerts the ConnectionString values for a few connections.


Fig. 8.1

Or even better, add the package to a an Integration Services Project, set a break point on the ScriptTask and look if the values are getting set correctly.

  • If the Package Processor of DecryptorCode window throws any errors, close all Visual Studio instances, and try Start Processing Below Packages button again.
  • Rule of thumb, when running SSISCipherBoy.exe always Run as administrator.

IX. What now?

Hence you protect sensitive information in your SSIS Xml Config files. While the aforementioned methods describe an automated way of achieving encryption decryption, if any of the tasks fail, you could always try the manual lengthy process, or if you are interested in more information, the glossary section should suffice. Report any bugs, enhancement requests, set up assistance at

X. Glossary

a. Using SSISCipherBoy.exe – Processing multiple packages sharing same config

Under the heading “Step 2 – Using SSISCipherBoy.exe – Make the package ready to decrypt information” we saw how to process a package and make it ready for decryption. In that demonstration we added a package named AdvWrksLocalLoad2.dtsx that used a configuration named AdvWrksLocalLoad2.dtsConfig, which is a very common scenario. Another, common scenario is that we have one configuration file that will be shared by many packages. To make the job easier in these situations, the DecryptCode functionality allows you to add multiple packages to the Package Processor and process them all at one shot.

Let’s imagine that the configuration file named AdvWrksLocalLoad2.dtsConfig is used by multiple packages listed in the figure below.


Fig. a.1

In order to process them, Drag and drop all the packages or double click and select all the packages to the Package Processor of DecryptCode window; hit the Start Processing Below Packages button. Supply password if required, hit OK on the success message that appears after processing each package. If Drag and drop does not work double click and add multiple packages.


Fig. a.2

After processing, the processed packages are stored with a -Mod suffix on the same folder which looks like below.


Fig. a.3

b. Using SSISCipherBoy.exe – Dump SSISCipherUtil.dll to GAC / local directory

The encryption and decryption functionality is provided by the SSISCipherUtil.dll. The SSIS package in our example above that was modified to decrypt information at runtime, uses this dll. And the tool SSISCipherBoy.exe uses the same dll for all its primary operations. However, if you wanted to locate the SSISCipherUtil.dll in the file system, the only location you would find it is in the GAC. In case the assembly installation fails when the SSISCipherBoy.exe loads, you would be required to manually install the SSISCipherUtil.dll to GAC. Or when the package processor fails for some reason, you would want to create a Decryptor ScriptTask yourself manually. And when you create that Decryptor ScriptTask, you would need to Add a reference to the SSISCipherUtil.dll in Visual Studio in order to decrypt values at runtime. In order to accomplish any of these aforementioned tasks, you would need SSISCipherUtil.dll on some known file system location.

Run SSISCipherBoy.exe as administrator. Click the Assembly Administration … link at the top right corner.


Fig. b.1


Fig b.2

Use the buttons to perform the required operations.

c. Manually installing SSISCipherUtil.dll to GAC

Many might have observed that when adding a reference to a third party dll in a ScriptTask, we are bound to get AssemblyLoadException or FileNotFoundException if the referenced dll is not installed to the GAC. SSISCipherBoy.exe tries to install SSISCipherUtil.dll to the GAC at startup. If that does not work you can try installing it to the GAC using the Assembly Administration window. Remember that you need Administrator privileges to perform this task. So you run SSISCipherBoy.exe with administrator privileges at all times. If none of them works, the last resort is to emit the SSIScipherUtil.dll to a specific location and then manually install it to the GAC.

Installing to the GAC is simple.

1à Emit the SSISCipherUtil.dll to some file location (like explained in Glossary X-b)

2à Navigate to C:\Windows\assembly and Drag and Drop the SSISCipherUtil.dll to that folder C:\Windows\assembly. That’s it. You may also try to use the GacUtil.exe which is a program specifically meant for this purpose.


Fig. c.1


Fig. c.2

d. Manually create a ScriptTask to decrypt information

The package processor creates a ScriptTask inside a sequence container in the OnPreExecute EventHandler to decrypt information. If the Package Processor fails for some unknown reasons, you can try processing the package again or create a ScriptTask manually to decrypt information.

1à Create a ScriptTask on top of all other tasks in the Control Flow Tab of the Package Designer. Provide a relevant name.

Double click to open, hit the Edit Script button. Wait for the Visual Studio to load the project.


Fig. d.1

Add reference to the SSISCipherUtil.dll. (If you don’t have SSISCipherUtil.dll at you file system yet, use the Assembly Administration … link in SSISCipherBoy.exe and write the dll to some comfortable location – as in Glossary X-b)


Fig. d.2

4à Once the reference is added, replace the entire ScriptMain.cs code with the code from the DecryptorCode window of SSISCipherUtil.exe. Refer to the steps in Step 2 – Using SSISCipherBoy.exe – Make the package ready to decrypt information to copy the decryptor code.

Build the project; close the ScriptTask after successful build. Hit OK on the Script Task Editor. Save the dtsx package.

That completes everything, and now your package is modified to decrypt information at runtime. Let the ScriptTask and the SSISCipherUtil.dll do rest of the work for you.

e. What does the automatic Package Processor do?

When you add an SSIS package to the Package Processor of the DecryptorCode window, it does the following things:

  1. Tries to load the package at the specified location.
  2. If the package is protected with a password using EncryptAllWithPassword or EncryptSensitiveWithPassword, it prompts to enter the Password.
  3. On successful load of the package, it checks to see if there is an OnPreExecute EventHandler attached to this package.
  4. If an OnPreExecute EventHandler is attached to the package, it gets all the Tasks inside the OnPreExecute EventHandler and adds the DecryptionSequence on top of all those tasks.
  5. If an OnPreExecute EventHandler is not created for the package, it simply creates an OnPreExecute EventHandler and adds the DecryptionSequence to it.
  6. Inside the DecryptionSequence, there are two script tasks.
  7. First is a dummy ScriptTask that leads to the second ScriptTask that does the decryption.
  8. The decryption ScriptTask and the dummy ScriptTask are connected by a PrecedenceConstraint that allows the decryption ScriptTask to run only once during the execution of the package.

i.e., The decryption ScriptTask runs only during the OnPreExecute event of the package, when other tasks in the package fires an OnPreExecute event, the decryption ScriptTask is not called. This is done with the below Expression and Constraint check

@[System::SourceID]== @[System::PackageID]

  1. Sets DelayValidate=true for the package.
  2. Sets EnableConfiguration=false for the package. (the equivalent of un-checking Enable Package Configurations in Configuration wizard)


Fig. e.1

f. How does the cipher algorithm work?

SSISCipherUtil.dll supports DPAPI and RSA as we saw earlier. If you have a basic understanding of cryptography, please read forward, otherwise you may want to review the basics of Symmetric key cryptography, asymmetric key cryptography, and hashing. The following paragraphs are meant to give an overview of how DPAPI and RSA are implemented in SSISCipherUtil.dll. They might not depict the exact flow of how DPAPI and RSA work in SSISCipherUtil.dll. The source code is the only way to identify the exact implementation.


DPAPI – known as the Windows Data Protection API associates the cryptographic key used for encryption and decryption with the Windows User account and uses a machine wide key store. An application level entropy value is passed to the DPAPI method, so that only SSISCipherUtil.dll knows how to decrypt values that were encrypted by SSISCipherUtil.dll. The entropy value is an output of the Rfc2898DeriveBytes method that takes SHA-256 hash of some application wide constant values as input and salt.


RSA – an asymmetric cipher algorithm that in the .Net framework, not meant to encrypt inputs that are larger than the key size specified. In SSISCipherUtil.dll, the RSA algorithm is used to generate an exportable/importable public-private key pair stored at the RSA machine level key store. Later the public key components of the key pair are used to derive an entropy value, and the private key components are used to derive an input. The input and the entropy are later hashed with SHA-256 and sent to Rfc2898DeriveBytes. The output of Rfc2898DeriveBytes is used as a master key for RijndaelManaged algorithm which is a symmetric algorithm that works under the covers to encrypt and decrypt when using RSA.

C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys is the location in which the RSA key pairs are stored by Windows. That means, when you export/import an RSA key pair, the key pair with the specified key container name is accessed from this location.

References and Further Reading

1. SSIS: Storing Passwords –

2. SSIS: Encrypted Configurations –

3. BI xPress Secure Configuration Manager –

4. Understanding how SSIS configurations are applied –

5. Integration Services Error and Message Reference –

6. Dynamic Package Generation Samples –

7. Samples for creating SSIS packages programmatically –

8. Programmatically recompiling a ScriptTask –

9. RSA class –

10. Windows Data Protection –

11. CspKeyContainerInfo class –

Written by gmaran23

August 8, 2015 at 8:50 pm

Programmatically encrypting sections in a web.config file

leave a comment »


During the talk “Beefing Up Security in ASP.NET – Part 2 at Dot Net Bangalore 4th meet up Aug 08 2015 “ someone asked how to encrypt web.config programmatically. Here’s an extract from a snippet I have used in the past. The below code should help you with the libraries you need to call, it is not complete, some parts of the code are removed. Copy & Paste may not work Sad smile

public static void EncryptConfigurationSection(string configurationSection)
    Configuration configurationFile = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
    AppSettingsSection section = (AppSettingsSection)configurationFile.GetSection(configurationSection);

    if (!section.SectionInformation.IsProtected)
        section.SectionInformation.ForceSave = true;



Someone also asked if there is a way to specifically encrypt a particular attribute alone. I am afraid that is not possible out of the box. You could look at one of my RSCryptoServiceProvider implementation here to get started

Written by gmaran23

August 8, 2015 at 8:00 pm