While looking for what's happening at this years Defcon that I'll be attending, I stumbled across a blog entry from 360 Security talking about SeamlessRDP. After seeing how easy it is to setup and use, I don't know why I haven't heard more about it. But that's probably because I've never really looked into running Windows apps in Ubuntu.

What is SeamlessRDP

SeamlessRDP is an extension for remote desktop/terminal servers that allows a single application to be remoted into instead of the entire computer. In my scenario, I have an Ubuntu system and I run a virtual Windows XP in the background. I install SeamlessRDP onto the Windows VM and I can now run individual applications without messing around with the VM itself.

The company Cendio created SeamlessRDP when they were trying to get their own products to work with rdesktop. They realized that it could be of use to other in the community and released it under GPL.

How to

It's extremely easy to setup:

1. On the remote desktop server, download SeamlessRDP binary file.
2. Extract it to an easy to use location like C:\seamlessrdp
3. On the client, make sure you have at least version 1.5 of rdesktop installed (Hardy is all set). Download it from here if you need
4. Now you're ready to use it - here's an example of running Word 2007: rdesktop -A -s "c:\seamlessrdp\seamlessrdpshell.exe c:\program files\microsoft office\office12\winword.exe" 192.168.1.5:3389 -u administrator -p password
   Running Internet Explorer: rdesktop -A -s "c:\seamlessrdpshell.exe c:\program files\internet explorer\iexplore.exe" 192.168.1.5:3389 -u administrator -p password

I admit, I haven't done any research into other products or alternatives that may work better, so let me know if you find anything

External Links

http://www.cendio.com/seamlessrdp/ - Cendio's page about seamless RDP
http://www.rdesktop.org/ - rdesktop.org for the client
http://blog.ncircle.com/ - where I originally found the post

This weekend, my company threw their annual trip to the mountains which included a team building scavenger hunt through the small town community, a boat trip to the lake, and some after hour pranks. One such prank involved a picture being taken of my friend in an unfortunate position while he was sleeping downstairs. He had left his laptop on the table and we agreed that it would be perfect to surprise him by changing the desktop background of his computer to the photo we took that night. At 4am I wasn't interested in live CD's or slaving hard drives but luckily I was able to boot into his Ubuntu partition in minutes with root access.

And why am I telling you this? Because the reason I was able to access it so easily was because Grub was not password protected and I booted it into rescue mode which gave me root access to his entire hard drive. Although I thought it was hilarious, it was a good reminder to always lock it down. So this is how to password protect some or all of the entries in Grub.

Password Protect Grub Entries

This shows you how to password protect individual Grub entries

1. Generate your Grub password with the following command
> grub-md5-crypt Password: Retype password: $1$Yozqb$OIKAYGPKQJfi2U9y/yDG30
2. Copy the last string because this is what you'll use inside the Grub configuration file
3. Using your editor of choice, edit /boot/grub/menu.lst
4. Find the part that shows the different boot options at the bottom of the page where you'll see something like this:
title Ubuntu 8.04.1, kernel 2.6.22-14-generic root (hd0,0) kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro quiet splash initrd /boot/initrd.img-2.6.22-14-generic quiet title Ubuntu 8.04.1, kernel 2.6.22-14-generic (recovery mode) root (hd0,0) kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single initrd /boot/initrd.img-2.6.22-14-generic
There are some options which are not an issue to boot but the recovery mode ones would be
5. Edit the section for the recovery mode so that it looks like this
title Ubuntu 8.04.1, kernel 2.6.22-14-generic root (hd0,0) kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro quiet splash initrd /boot/initrd.img-2.6.22-14-generic quiet title Ubuntu 8.04.1, kernel 2.6.22-14-generic (recovery mode) root (hd0,0) kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single initrd /boot/initrd.img-2.6.22-14-generic password --md5 $1$Yozqb$OIKAYGPKQJfi2U9y/yDG30
This will force a password if a user attempts to boot into recovery mode but automatically boot into the default installation without one.
6. Save the menu.lst file and reboot to see if you were successful

Password Protect Editing Grub Entries

This is how to password protect all of Grub so that you cannot run your own commands. This is a big one because an attacker could edit the Grub entries to do something like print out your /etc/password file

1. Edit the menu.lst file
2. Find the section below and remove the '#' and replace the hash with your Grub hash you created earlier
# e.g. password topsecret password $1$Yozqb$OIKAYGPKQJfi2U9y/yDG30 # password topsecret

3. Go through each entry that you want to lock out from editing by adding the word "lock" right after the title

Load Alternative Menu On Password

This is a way of loading a separate boot menu when the user presses 'P' and enters a password.

1. Make a duplicate of menu.lst named menu-admin.lst. This will be the alternative menu
2. Edit the menu-admin.lst file so that you only have the entries you want. This is the only menu that will show so you may want to duplicate some of the original ones too.
title Ubuntu 8.04.1, kernel 2.6.24-19-generic (recovery mode) root (hd0,0) kernel /boot/vmlinuz-2.6.24-19-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single initrd /boot/initrd.img-2.6.24-19-generic title Ubuntu 8.04.1, kernel 2.6.24-18-generic (recovery mode) root (hd0,0) kernel /boot/vmlinuz-2.6.24-18-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single initrd /boot/initrd.img-2.6.24-18-generic

Disclaimer

This is NOT by any means, a very good security measure. It's just a way to stop a lazy attacker or your little brother. The rule still applies that if you have physical access to the box, you can do what whatever you want. If you want to be serious about protecting a system from physical attacks, you'll need to look at encrypting the entire hard drive.

External Links

http://www.gnu.org/software/grub/manual/grub.html#Security

My company uses LogMeIn [www.logmein.com] for remote support for some of their clients. One of the problems for me was that the company doesn't support Linux, officially. I've talked to support twice, one saying that they are working on Linux support and the other saying they don't and there are no plans to.

The problem: If you have the wrong version of Java installed and you go to remote control a remote system using LogMeIn, every time you click on an area of the screen it refreshes the entire page. Every mouse movement reloads the page to update what it think you just did. Also keyboard input is not visible until you actually click.

The solution:I don't have a perfect solution, but this will "almost always" work at least for Ubuntu systems and I've tested it on Gusty and Hardy. The key is installing the specific version of Java that LogMeIn supports along with the appropriate Firefox plugins. It took a lot of trial and error but I finally found the perfect combination of java versions and plugins.

The following is the output from a dkpg --get-selections | grep "java" on my system:

java-common install libhsqldb-java install libjaxp1.3-java install libjline-java install libservlet2.3-java install libservlet2.4-java install libxalan2-java install libxerces2-java install openoffice.org-java-common install sun-java5-bin install sun-java5-fonts install sun-java5-jre install sun-java5-plugin install Download file java.cfg

So, looking at my other entry about re-installing software from a dpkg output, all you need to do is copy the above information and run the following command:

sudo dpkg --set-selections < java.cfg sudo dselect

This will install all of the above packages and hopefully get LogMeIn to work for you. Note: I haven't tested to see whether some of these library packages are extra so use at your own risk.

Let me know if you have any input on other versions of Linux. Email

External Links

www.logmein.com - A good tool oriented at providing remote support with a concentration on security

I wanted to create a VM that has the exact same programs installed as my host operating system. I'm using Ubuntu which makes it very easy to do.

So here's how you do it: export all of the packages that are installed, import all the packages, and install.

Export

dpkg --get-selections > installed.log

Import

dpkg --set-selections < installed.log dselect install

Make sure you have the appropriate permissions or else make sure you run as "sudo" user.

External Links

http://www.cyberciti.biz/tips/linux-get-list-installed-software-reinstallation-restore.html - The original blog post I found this information.

My company gave me one of their Verizon Wireless PC5740 EVDO PCMCIA cards with a Windows CD to install VZAccess. My boss explained, "Just install the VZAccess software from the CD, put in the card and you should be all set!" At the time, I hadn't let him in on the fact that I reformatted the hard drive on the company's Lenovo Thinkpad and installed Ubuntu Linux. I still have Windows XP Pro installed as a virtual machine but I have yet to figure out how to install the Verizon card onto the virtual machine.

So I installed it on Linux. I'm going to give an overview, as I understand it, of what needs to be done to get it working. Unfortunately some of this information is specific to my hardware and OS versoin so you'll have to check some of the links at the bottom for information on other configurations.

From what I've seen, it's basically the same except with some linux versions, you need to patch the kernel in order to fix a bug that causes disconnects after a few minutes.

The Environment

Here is what I was working with:

o Lenovo ThinkPad T43 1875 N2U o Ubuntu Feisty 7.04 o Verizon Wireless PC5740

Overview

Apparently like most EVDO cards, the PC5740 shows up as a USB PCMCIA host adapter to which a serial modem is attached. So here's an overview of what we're doing:

1. Activate the card [in Windows]
2. Install the drivers for the host controller
3. Install the drivers for the serial modem
4. Create the ppp configuration and chat script to use the modem
5. Test the connection
6. Add ppp0 to the list of interfaces

Activation

Unfortunately, I had to install the card on a Windows machine to activate the card. There really wasn't any way around this that I've found yet. Activate the card using the VZAccess software supplied with the card. It's pretty straight forward so I won't explain it.

Install Drivers

The OHCI is an open standard for allowing an operating system communicate a USB device. In this case, we're going to be installing the ohci-hcd module on Ubuntu with the following command:

modprobe ohci-hcd

Now we can plug in the card and install the usb serial modem drivers. These drivers require the exact model of the modem so before we install it, we will connect the card and and see what happens:

mmanning@tovalds:~$ cat /proc/bus/usb/devices > devices INSERT THE CARD mmanning@torvalds:~$ diff /proc/bus/usb/devices devices | grep Vendor vendor="0000" prodid="0000" rev=" 2.06" vendor="0000" prodid="0000" rev=" 2.06" vendor="106c" prodid="3701" rev="0.00

You'll see that the last line will show you that you have a vendor of "106c" and a product ID of "3701." This is the information we'll be supplying the usbserial module when we install it like so:

modprobe usbserial vendor="0x106c" prodid="3701"

If you are like me, there will be an error saying:

FATAL: Error inserting usbserial (/lib/modules/2.6.20-16-generic/kernel/drivers/usb/serial/usbserial.ko): Unknown symbol in module, or unknown parameter (see dmesg)

But, itgnoring that you'll have a new device install that will show up under /dev/ttyACM0

PPP Configuration

PPP is the peer to peer tool to connect to an ISP over a dial up connection. In this case, we're going to configure it to use the USB serial modem to make a connection. First we need to create a new configuration profile under /etc/ppp/peers/ named 1xevdo and here is what goes in it:

ttyACM0 115200 debug noauth defaultroute usepeerdns connect-delay 10000 user (Your phone number. No spaces or dashes)@vzw3g.com show-password crtscts lock lcp-echo-failure 4 lcp-echo-interval 65535 connect '/usr/sbin/chat -v -t3 -f /etc/ppp/peers/1xevdo_chat'

If you look at the last line of that script you'll see a reference to a call script named 1xevdo_chat. Well here it is. Put that under /etc/ppp/peers and like it says, name it 1xevdo_chat.

# AT$QCMIPGETP "login" name used for MobileIP, which usually matches your MIN. # AT+GSN ESN in hex # AT+GMR firmware revision and build date. # AT+CSQ first number indicates the signal strength above -109 dBm (in # 2 dBm increments). A value of 7 or higher (-95 dBm) can be # considered adequate. 31 is the max. (Possible values in # Audiovox PC5740 are 0, 7, 15, 23, 31.) # AT+CDV=*22899 Update PRL. at+cdv=*22899 | OK | Lost carrier. ABORT 'NO CARRIER' ABORT ERROR ABORT 'NO DIALTONE' ABORT BUSY ABORT 'NO ANSWER' '' 'ATTEV1&F;&D2;&C1;&C2S0;=0S7=60' 'OK-ATTEV1&F;&D2;&C1;&C2S0;=0S7=60-OK-ATTEV1&F;&D2;&C1;&C2S0;=0S7=60-OK' 'AT+CSQ;D#777' TIMEOUT 70 'CONNECT-AT+CSQ;D#777-CONNECT'

Testing

So you've installed the device and created a PPP configuration to use it to connect to your ISP. Now it's time to test the configuration.

pppd call 1xevdo tail -f /var/log/messages

With any luck, you should get something like this:

mark@TORVALDS:~$ pppd call 1xevdo mark@TORVALDS:~$ tail -f /var/log/messages Jul 25 17:53:15 TORVALDS chat[28292]: send (ATDT#777^M) Jul 25 17:53:15 TORVALDS chat[28292]: expect (CONNECT) Jul 25 17:53:15 TORVALDS chat[28292]: ^M< Jul 25 17:53:17 TORVALDS chat[28292]: ATDT#777^M^M Jul 25 17:53:17 TORVALDS chat[28292]: CONNECT Jul 25 17:53:17 TORVALDS chat[28292]: -- got it Jul 25 17:53:17 TORVALDS chat[28292]: send (\d) Jul 25 17:53:18 TORVALDS pppd[28289]: Serial connection established. Jul 25 17:53:18 TORVALDS pppd[28289]: Using interface ppp0 Jul 25 17:53:18 TORVALDS pppd[28289]: Connect: ppp0 <--> /dev/ttyACM0 Jul 25 17:53:28 TORVALDS kernel: [515759.664000] bridge-ppp0: interface ppp0 is not a valid Ethernet interface Jul 25 17:53:28 TORVALDS pppd[28289]: local IP address 70.198.2.2 Jul 25 17:53:28 TORVALDS pppd[28289]: remote IP address 66.174.2.2 Jul 25 17:53:28 TORVALDS pppd[28289]: primary DNS address 66.174.2.2 Jul 25 17:53:28 TORVALDS pppd[28289]: secondary DNS address 66.174.92.14

The last part where it pulls an IP will take longer than the initial connection just like a normal internet connection.

Added the ppp0 to the list of interfaces

If you want to be able to issue the ifup ppp0 and ifdown ppp0 commands, just add the following lines to /etc/network/interfaces

iface ppp0 inet ppp provider 1xevdo

Conclusions

That's how I was able to setup the card. BUT, if you have anything but a Lenovo T43 running Ubuntu 7.04, you may run into problems. Check out the links below because they were very helpful to me in the first place.

External Links

Ken Kinder - wrote a great howto that goes deeper into the subject.

OHCI on Wikipedia - good overview about what OCHI is and why you need it

Linux PPP HowTo - everyting you could want to know about ppp