Archive for Rogue sysadmin

Roll your own remote RickRoll

Last week I posted about a program I wrote to RickRoll someone at will by controlling their computer over the network. Basically, you tell their computer to play "Never Gonna Give You Up" whenever you want. I call it Remote RickRoll, and I'm making it available to download today, including prebuilt binaries and source code.

Remote RickRoll UI

In the victim's list of Windows services:

Remote RickRoll service

In the victim's application log:

Remote RickRoll in the application log

The README file contains complete instructions for preparing your victim's computer without physical access to it.

Remote RickRoll runs as a Windows service, so you will need administrative rights on the victim's machine to make it work. The victim's machine needs to be running Windows and have the .NET Framework 2.0 installed (although that can also be installed remotely without their knowledge). You'll find that Sysinternals PsExec comes in handy.

The source code is C# and it's a Visual Studio 2005 solution. But the zip file includes binaries, so you don't need to compile anything to use it. It's GPL, so if you want to modify it, knock yourself out.

I've used this on two people so far, to great effect. That said, messing with people's computers without their knowledge can turn ugly, so be smart.

I'd like to hear about your questions/comments/success stories/failures/modifications, so please comment below if you're inclined.

Thanks and enjoy!



Upgraded my router with dd-wrt

This weekend I finally did something I've been meaning to do for a while - I installed the dd-wrt firmware on my Linksys WRT54G wireless router. dd-wrt is based on the original firmware from Linksys, but it adds a ton of new features.

Since installing it three days ago, I've done various things that I couldn't have done before:

  • Static DHCP leases for my machines, so they always get the same IP address. This also makes the router act as a DNS server for free.
  • SSH access to the router
  • WPA2 wireless security
  • Increased the transmission power of the router's wireless signal
  • Set up NTP to keep the router's time current
  • Set up IPv6 on my home network using 6to4. The router will automatically assign IPv6 addresses to all clients.
  • Mounted a Samba share on the router

I love doing this kind of thing. dd-wrt is a fantastic piece of work, and has increased the value of my router a great deal.

The most satisfying bit was the IPv6 setup.  I find it kind of nifty that simply having a single IPv4 address entitles me to several quintillion contiguous IPv6 addresses. You know, just in case.



Restoring obelix's boot drive

Since the boot drive on my home server, obelix, died, I've been trying to get at its data. Most of the important data had been on a separate drive, mounted as /home, so nothing critical was lost, but I still wanted to recover some of the config files and such that I'd spent years setting up.

I knew that it wouldn't be easy - the first sign of trouble with the server, after all, was when it hung during boot with the message "Remounting root partition read/write."  Sure enough, when I pulled out the drive and put it in another machine, it couldn't be mounted, not even read-only.

First thing I did was to run fsck on the malfunctioning reiserfs partition. After a while, it exited, telling me that the drive had bad blocks. Great.

So I ran badblocks and got a list of five block numbers, and then fsck.reiserfs --fix-fixable, passing it the list of bad blocks, to see if it could work around them. It choked on one, telling me I'd have to run fsck.reiserfs --rebuild-tree on the partition. When I did, it died at the same point - I wouldn't be able to repair the filesystem while it was still on the malfunctioning drive. I'd need to dump it out to a file on a good drive. Unfortunately, I didn't have anything handy that could hold the entire partition, so I took the bad drive to work with me.

Once there, I hooked the drive back up and dumped it to a file on a network share (thanks for the space, John). As fsck.reiserfs recommended, I used dd_rescue, which can nicely handle bad blocks by zeroing them out on the destination. It completed successfully, finding several bad blocks and dealing with them gracefully. Then I ran fsck.reiserfs --rebuild-tree on the dumped file. It also completed successfully this time, so I held my breath and mounted the dumped file with mount -t reiserfs -o ro,loop, and, thankfully, it worked. I'm now copying everything I need onto a good drive.

Even though it wasn't that important, I'm glad it worked out. I've never had to recover a bad drive before, so now that I've had the chance, I'll know more about what to do when the time comes again.



Farewell, obelix

In the evening on Monday, December 31, my venerable home Linux server, obelix, went down for the last time.  His boot drive developed a bad block and could no longer be mounted.  Efforts are still underway to recover the data from the drive, but on Tuesday, I made the decision to decommission obelix for good.

obelix was a Dell Dimension L667R with a Pentium III and 384 megabytes of RAM.  I've had him for about seven years.  I bought him (refurbished!) on a whim, somewhere in the distant past.  He was extremely versatile; he acted as web, file, and database server, as well as providing services to our network as a Samba domain controller and an LDAP, DHCP, and DNS server.  In his early years, he was also my primary workstation, running countless window managers, desktop applications, and games over the years.  Due to his having a FireWire card installed, I used him to capture DV from my video camera to edit on another machine.  He spent most of his lifetime as a Gentoo Linux box, no doubt logging thousands of hours of software compilation.

Until recently, he served my websites over my home connection, although since I recently began hosting with Dreamhost, he no longer performed this function.  This was a major factor in my decision not to stand him back up after the disk failure.  Although he had still been providing network, file, and database services, I knew that I would no longer need a dedicated server at home once the websites had been moved to external hosting.  So I moved his large data disk to another computer and dismantled the Samba domain, which was more or less unnecessary to begin with.  His primary function as a database server was to host my Amarok music collection database, which was easily rebuilt after he went down.

I will miss having obelix around, though; I named him after my favorite Asterix character, I've had him longer than I've known my own children, and I knew him backwards and forwards.  Tinkering with Gentoo, Apache, MySQL, OpenLDAP, and Samba on obelix was how I began to truly solidify my knowledge of Linux system administration; using obelix absolutely helped get me where I am today.

It's somehow fitting that he should go out on the last day of 2007; it's been quite a year.  There's been a lot of anxiety, some deaths, a birth, some sickness, some health, some successes, some failures, a new job, many highs, many lows.  It hasn't been the easiest year to live through in a lot of ways.  In no way is the loss of obelix anywhere near a significant event in the face of what's happened this year, but it does sort of reinforce the feelings I have about 2008 - cautiously hoping for a clean slate.  The new year always brings new things and does away with some of the old.  Whether that's for good or ill, we'll just have to wait and see.



Im in ur printrz

When I read about INSERT COIN, the Perl script that changes the ready messages on HP network printers, I was overjoyed. It seems to be a perfect way to wreak mild havoc without really harming anything. I showed it to my buddy John this morning; it's right up his alley, too (for an idea of what John's alley is like, check this out).

Of course, he's a Windows guy (although not a Windows 95 guy). And INSERT COIN is a Perl script, and he doesn't have ActivePerl installed, because when you have cmd, you have everything you need!

So I decided to get him a standalone version of INSERT COIN that will run on his box. I decided to try to port the thing to D. Mainly because I have a short attention span, and I recently read an article about D.

I'm a scripting guy, only recently having delved into statically-typed-but-still-use-a-runtime languages like Java and C#, and hardly at all into lower levels of programming. C and C++ scare me a bit, frankly, but D seems a little more accessible. And by accessible, I mean that it seems like it would be harder to make a total ass of yourself as a newbie. Image is everything.

So I ported INSERT COIN to D. And I have to say it was a very enjoyable experience. Here's the source and the Windows binary (compiled with MinGW). Now John can happily tweak the printers anytime he likes.



Living the dream

Today I registered a new domain - mogrify.org - and began the process of migrating my websites to my new host, Dreamhost. The now-venerable mogrify.homelinux.org, as you may have noticed, redirects to the shiny new code.mogrify.org. I'll be moving other things across in the coming days and fixing problems whenever I notice them.

I've been wanting to host offsite for some time, since I'm currently running three separate sites on a single, beige Pentium III Dell box in my study. This is not exactly the most robust of setups, and there have been issues with power and network outages.

I expect to love Dreamhost for the same reason I love hosting at home - because I genuinely enjoy administering Linux systems, and Dreamhost gives you a lot of control - shell access, .htaccess files, log files, email accounts, etc., as well as a whole ton of other options.

So, the dream is becoming a reality.



Want to use Linux at work? Do it yourself…

At home, I use Linux. But at work, I have to use Windows. They don't support Linux desktops, and that's not all: our network has a lot of Microsoft services running that don't play nice with Linux. Still, I've managed to set up a Linux box at work; and slowly, I've managed to get enough things working that I only rarely need to go back to Windows to get something done. Details of what I've worked out are below.

The main goal here is to see what's possible without any assistance from the IT department whatsoever, since that's how most people would be doing this. Fair warning, though: if you violate your company's IT policy or break something you can't fix, you're going to be in a sad, lonely place.

First, some background on what I'm looking to do. I'm a web developer. I have access to several servers where I work - some Windows, some Linux. I need to be able to administer them, and I need to be able to modify files on them. I need to be able to access our Exchange server - mail, contacts, calendar. I need to be able to access our Intranet, which uses NTLM (a.k.a. Integrated Windows Authentication). And there are certain pieces of proprietary software that I have to use. As I said, I haven't gotten everything to work, but I've put together a pretty good setup that solves most of these problems.

Linux on the desktop

The first step is to install Linux onto a workstation. The first option is simply to wipe the workstation's hard drive. Non-destructive partitioning is also possible, and you might be able to put a new drive into the machine and dual-boot. Or bring in your own Linux box to use at work. Any of these may get you into trouble with your IT department, and they may not even be possible if the machine's BIOS is password-protected or there is some means of preventing unauthorized PCs from connecting to the network.

I took option one - nuking a workstation's hard drive. My IT folks can restore a standard drive image, so this seemed like a minimally invasive way to go. So I kissed it goodbye and installed Ubuntu (although I eventually ended up using Kubuntu instead, because of Kontact. But more on that later).

Once I had a running Linux box, I started hooking up the network stuff.

I had to abandon the idea of logging into the Linux box with my Windows domain credentials. It requires that the machine be added to the domain, which requires a domain administrator. I created a local account on the machine to use.

Network shares

Thanks to the excellence of Samba, geeks everywhere can access Windows shares flawlessly. Or, almost. Initially, I used Gnome to connect to the various Windows shares I need, and everything was fine. But I began to notice an annoying problem - when opening a file on a Windows share in GEdit, it would tell me that it couldn't access the file. Only after trying again would it open the file. Apparently this is a bug in gnome-vfs. But it was sufficiently troubling that I went looking for a better way to access files on network shares.

I settled on autofs. Autofs will automatically mount a list of, well, anything, somewhere on the filesystem. It has a nifty 'ghost' feature that makes the shares visible, but does not mount them until they're accessed. I listed out my network shares, and now they're all available under /mnt/auto whenever I want them.

The details:

sudo apt-get install autofs smbfs

In /etc/auto.master:

/mnt/auto /etc/auto.misc --timeout=3600 --ghost

In /etc/auto.misc:

share -fstype=cifs,rw,credentials=/path/to/smb.auth,uid=user,gid=grp,file_mode=0644,dir_mode=0755 ://server/share
hidden -fstype=cifs,rw,credentials=/path/to/smb.auth,uid=user,gid=grp,file_mode=0644,dir_mode=0755 ://server/hidden\\$

In /path/to/smb.auth (make sure this file is chmod 600):

username=domainuser
password=domainpassword

Autofs will automatically create the directories /mnt/auto/share and /mnt/auto/hidden. When you (or your applications) access these directories, they'll be mounted and the file ownership and permissions will be set as specified.

The only drawback: it doesn't appear to be possible to mount directories within a share directly. You have to mount the root of the share.
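Added here as an illustration, not part of the original post: a small Python audit that parses auto.misc-style map lines like the ones above and checks the mode of every credentials= file they reference, since anything looser than 0600 hands the domain password to every local user. The sample map text is constructed, and the mode_of parameter is a hypothetical injection point so the check can run against real files or against fake modes.

```python
"""Audit autofs CIFS maps: parse each entry, then confirm that every
credentials= file referenced by the map is locked down to mode 0600."""
import os
import stat

# Constructed sample of an /etc/auto.misc file, modelled on the entries above.
SAMPLE_MAP = r"""
# autofs map format: key  -options  location
share  -fstype=cifs,rw,credentials=/path/to/smb.auth,uid=user,gid=grp,file_mode=0644,dir_mode=0755 ://server/share
hidden -fstype=cifs,rw,credentials=/path/to/smb.auth,uid=user,gid=grp,file_mode=0644,dir_mode=0755 ://server/hidden\\$
"""


def parse_map(text):
    """Return [(key, options, location)] for each non-comment map line.

    options is a dict: flag options map to True ('rw' -> True),
    valued options keep their string value ('fstype' -> 'cifs')."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[1].startswith("-"):
            key, opt_str, location = fields[0], fields[1][1:], fields[2]
        elif len(fields) == 2:  # no options column at all
            key, opt_str, location = fields[0], "", fields[1]
        else:
            raise ValueError("malformed map line: %r" % raw)
        options = {}
        for opt in filter(None, opt_str.split(",")):
            name, sep, value = opt.partition("=")
            options[name] = value if sep else True
        entries.append((key, options, location))
    return entries


def mode_findings(mode):
    """Findings for a credentials file permission mode such as 0o644."""
    findings = []
    if mode & 0o077:
        findings.append("mode %04o is readable by group/other; chmod 600" % mode)
    if mode & 0o111:
        findings.append("mode %04o is executable; a credentials file should not be" % mode)
    return findings


def audit_map(text, mode_of=None):
    """Map each credentials path referenced by the map to its findings.

    mode_of(path) -> permission bits; defaults to a real os.stat so the
    audit runs against the live filesystem, but is injectable for tests."""
    if mode_of is None:
        mode_of = lambda p: stat.S_IMODE(os.stat(p).st_mode)
    report = {}
    for key, options, location in parse_map(text):
        cred = options.get("credentials")
        if not cred:
            if options.get("fstype") == "cifs":
                report[key] = ["cifs mount %s has no credentials= file" % location]
            continue
        try:
            report[cred] = mode_findings(mode_of(cred))
        except OSError as exc:
            report[cred] = ["cannot stat: %s" % exc]
    return report


if __name__ == "__main__":
    for path, findings in audit_map(SAMPLE_MAP).items():
        print(path, "OK" if not findings else "; ".join(findings))
```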

NTLM

Our Intranet uses NTLM for authentication to provide personalized features. Good thing Firefox supports it. One authentication box and you're set until the browser closes.

Exchange Server

We use Exchange Server 2000 and Outlook 2000 where I work. The obvious choice of client for working with Exchange servers in Linux is Evolution, which has had Exchange interoperability for some time now. Unfortunately, I've never gotten the Exchange connector to work. It's possible that our server has WebDAV disabled, or that the authentication box that pops up when I visit my Outlook webmail is getting in the way. At any rate, I had to drop Evolution and look for something else.

I'm able to access the Exchange server via IMAP and retrieve my mail that way. Not perfect, but it works. The calendar (especially meeting request handling) and the user directory are more problematic.

First, the calendar. I first tried Thunderbird with the Lightning extension. It worked reasonably well, but I noticed that it appeared to be getting the time zone of my meetings wrong. When I accepted meeting invitations, the appointments would be scheduled several hours away from when they were actually supposed to occur.

Next, I tried Kontact, which turned out to work very well. For mail, I use IMAP to connect to the server. Kontact can also work directly with Exchange calendars - when I added a new calendar, Exchange was one of the options (though it says it is experimental). Happily, I saw that it added all of my current appointments, complete with notes, other participants, reminders, etc. Creating and editing events worked fine. Meeting requests received by mail have response links, and the meetings are scheduled on the calendar as you'd expect. The only problems I've encountered so far have been performance-related; there are long pauses while communicating with the server, and Kontact has very occasionally become unresponsive.

For the user directory, I was able to get Kontact to connect to our backup domain controller via LDAP. It works well, except there is a hard limit of 1000 records, and Kontact doesn't seem to be able to retrieve more than that. As a result, there are some employees who do not appear in Kontact's local version of the directory. We don't have much more than 1000 employees, so it's not a huge problem.

I should say that I'm a little privileged there. As a normal user, I wouldn't be able to access Active Directory and retrieve records via LDAP in our shop. I happen to have a user account with more abilities that is used by the web-based employee directory that I wrote. However, I believe that most domain controllers will allow a domain user to list records. Could be wrong though.

With mail, appointments, and contacts all managed by Kontact, the integration is quite good - as I've said, meeting requests are handled well, and contacts are conveniently suggested as you compose a new message. It's a very usable setup.

Remote desktop

Obviously, administering a Linux server from Linux via SSH is no problem. Windows servers are easy too, thanks to krdc and rdesktop. Both of these clients make it easy to log in to Windows boxes and do what you need to do.

Printing

We use HP network printers here, which can be accessed directly via TCP/IP on port 9100. They work flawlessly.

Limitations

The only reason I can't drop Windows entirely at this point is because of proprietary software that I still need to use.

As a web developer, I have to use Internet Explorer. It makes me cringe, but I have no choice - when 70% of our visitors still use it, it means I have to test everything in IE before it goes out. I've tried IEs4Linux (IE on Wine), but it was almost unusable - I couldn't type addresses in at all, though I could navigate with the mouse. Not good enough for rigorous testing.

Also, we use Dreamweaver to maintain site templates. Dreamweaver doesn't run on Wine because of its license enforcement component, so I still have to go back to Windows to modify templates. Soon we will be migrating to an open source content management system with a web interface, so I'll be able to drop Dreamweaver for good.

And finally, I need to use either Enterprise Manager or SQL Server Express to work with SQL Server databases. I haven't found anything that runs on Linux and still does everything I need, so it's back to Windows for those tasks. We'll be moving to Oracle gradually, which isn't my first choice but has a better Linux presence since its tools are written in Java.

And that's how I carved out a little Linux niche in my Windows shop.

Update: smbfs is required for mounting Windows shares using autofs.



Impenetrable

How do you get into a Windows box when:

  1. all user accounts are locked out,
  2. the Administrator password is unknown,
  3. the box has no working CD drive, and
  4. you're too cheap to buy any extra hardware to boot from?

The answer, of course, is to spend all weekend learning how network booting works. I had the pleasure (yes, pleasure, for I am weird like that) of this experience. I Googled much, and tried many things that didn't pan out. I read many guides to PXE booting, TFTP, and such things.

I found the Offline NT Password and Registry Editor, which provides a handy boot disk. After getting it to boot with PXELINUX, I found that it would refuse to mount a "dirty" NTFS partition as writable. Even though it forced Windows to run a disk check, it still didn't clean up the drive, so there was no way for it to get in and change the Administrator password.

I remembered reading about NTFS-3g, the recently released NTFS filesystem driver for Linux, and how it was far more stable than older attempts to deal with NTFS volumes. It's included in Knoppix now, so I firmly resolved to figure out how to boot Knoppix over the network.

By this time I had a fully working network boot setup (which involves a combination of DHCP server, a TFTP server, and the PXELINUX bootloader). Knoppix also requires an NFS server thrown into the mix - although the NT password boot disk is entirely contained in RAM, Knoppix is normally not, so there needs to be a network location where it can find its goodies. Luckily, I found an excellent guide over at BabyTux, which is why I won't write a full one here. After a little tweaking of the Knoppix boot options, I was watching Knoppix's familiar colorful boot sequence.

On to the matter at hand - resetting the Administrator password to allow access to the machine. With Knoppix's support for NTFS-3g, I was able to mount the NTFS partition as writable (although it complained that it was dirty). I downloaded the source code for the NT password utility, but it wouldn't build - for one, Knoppix doesn't ship with OpenSSL headers, and there are also some deprecated techniques in the code that were causing GCC 4 to give up. I don't know much about C, but I did find a diff that someone had posted for this problem. I built the utility on another box, dropped it in Knoppix's NFS share, and ran it. It worked.

So, the utility successfully changed the Administrator password and unmounted the volume. The fact that the partition was mounted dirty didn't seem to bother Windows - it booted, chkdsk'd, and rebooted. A quick F8 during boot and I was able to log in as Administrator. And the rest is history.



33 seconds of RAM

Today I listened to my computer's memory. Here's a sample. Kind of interesting, actually; I expected it to be all static, but some patterns do actually emerge. All in all, I think it sounds pretty much like what it is.

You can try this, too. Here's how:
sudo cat /dev/mem > /dev/audio

To record it:
sudo cat /dev/mem | oggenc -rq 1 -o mem.ogg -

oggenc assumes the raw data is 44.1 kHz at 16 bits per sample, so, if I calculate correctly, each second of audio represents 689K of RAM.

Update: IBM DeveloperWorks has an article on monitoring your system with audio. The idea is that you use the numeric values from a monitoring program like vmstat or top to synthesize musical tones using MIDI. When the CPU, memory, or I/O activity on the system increases, you can hear certain tones increase in intensity. I'm picturing a sysadmin sitting in the data center with all the machines humming along, occasionally going to investigate the occasional outburst of strings or horns…



Opera 9/SOCKS hack

Been trying out Opera 9 - great browser. Probably not as versatile as Firefox when you factor in the extensions, but it's fast, sexy, and highly polished. Where it particularly shines over Firefox is in the memory footprint - I've been using both browsers all day, and Firefox is right up around 173MB, with Opera sitting at a cool 47MB - and that's with the mail window open. Unscientific, yes. But you can feel it - with lots of tabs open in Firefox, the computer's not as responsive. So I'd like to use Opera more.

But it's lacking a killer feature for me - SOCKS support. When I get to work every morning, I open an SSH session to my home server. It sets up a dynamic tunnel that Firefox can use as a SOCKS proxy. And that ensures that I'll never be asked about "excessive Internet usage" - all they'd see would be a bunch of nonsense being sent over a nonstandard port. Not that I'm doing anything wrong; I just feel better not being monitored.

But anyway, this won't work with Opera, because it doesn't support SOCKS proxies. And that's kind of sad - or was, until I figured out a workaround. I installed tinyproxy (I like tiny), but it could just as well be Squid or Privoxy or some other HTTP proxy. It's set up on my home server. To prevent outside connections, I changed the "Listen" and "Allow" directives to "127.0.0.1". And I set up another tunnel in SSH - not dynamic, just a local tunnel from my work desktop to the home server on tinyproxy's port. And then I told Opera to use localhost as the HTTP proxy server.

Still, it'd be cool if Opera came out with SOCKS support - it'd probably be useful to some corporate IT departments in addition to the usual gang of tinfoil-hat types. A big problem with a setup like this is that DNS requests get leaked - they aren't passed through the proxy, so if those are monitored, it's still possible to guess what content you're viewing. With native SOCKS support, it would be possible to pass ALL network traffic through the proxy - HTTPS, DNS, email, etc.

The other option is something like FreeCap, which hooks into the Windows network stack to redirect connections through the SOCKS server. I haven't tried this one yet, but I've tried the non-free SocksCap and found that it made things pretty unstable. Maybe I'll give it a try…

Update, July 6: FreeCap works really well, much better than SocksCap. Score one for open source. So there's no need to do all the crazy server-admin stuff with tinyproxy. Unless you want to ;)


