When using a Linux desktop, I often run into situations where I need Windows Office applications. While I am a fan of the Wine project, it does not support all the features that I need (for example: OneNote syncing with SharePoint/OneDrive).

As a result, using a Windows Virtual Machine is often unavoidable. The ideal situation is, however, that the virtualized Windows applications are integrated as much as possible within the Linux desktop environment. Recently I have been experimenting with the available options in this area.

⁽¹⁾ I am listing explicitly Workstation 11 here. The unity feature was removed from VMWare Workstation for Linux per version 12.
⁽²⁾ For the Virtual Machine + RDP solution I ran a Windows Server 2016 VM and used xfreerdp in my Linux host. The amount of glitches was quite high and every time your suspend/unsuspend your host system the xfreerdp needs to reconnect to your VM.
⁽³⁾ Office in wine is not feature complete; for example OneNote does not have SharePoint/OneDrive sync.

With regards to performance:
Initially I thought that the VirtualBox approach would be faster than the VM+RDP due to the networking overhead. In reality, the responsiveness on a large screen (UHD resolution) was better with the VM+RDP than the native VirtualBox display. I haven’t compared the CPU loads, but I did get the impression that the VM+RDP is more expensive in CPU load.

Of all the options, the VM+RDP comes the closest to Linux integrated with a Windows desktop, if you can handle the glitches and increased CPU load. There currently is no perfect solution.

P.S.: this post does not cover the other way around: Windows 10 + WSL + X-server.

Say that you’re doing a pentest/RT with one end of a device connected to 4G dongle and the other end connected to the target network via ethernet. In such cases you want the box to fetch updates via 4G and only use the ethernet for the security test. Split DNS tunneling is a solution. However, sometimes you may already have a process bound to port 53/udp that you don’t want to kill (e.g. a C&C server such as CS / MSF). Unfortunately /etc/resolv.conf does not allow you to specify a port on Linux (as far as I’m aware).

The following settings allow you to run dnsmasq on a different port but still work for a local resolver.

Dnsmasq step:

## vim /etc/dnsmasq.conf:

# Set the alternative port
port=5353

# Ignore /etc/resolv.conf
no-resolv

# Upstream DNS for normal traffic
server=192.168.1.1

# Upstream DNS to resolve domain names for the security test
server=/clientnetwork.local/10.0.0.1

Local DNS resolver step:

## vim /etc/resolv.conf:

# Dummy nameserver. Will not be actually queried
nameserver 192.0.2.3

Iptables step:

# Redirect the DNS queries towards the dummy server
# to go to the local dnsmasq instead
iptables -t nat -I OUTPUT --dst 192.0.2.3 \
-p udp --dport 53 -j DNAT --to 127.0.0.1:5353

Say that you are working with two laptops side by side. You may not like the automatic screensaver kicking in on a laptop while you are momentarily working on the other, in particular if it requires a password to unlock. This may be especially true at certain locations that are trusted (e.g. home).

The following PowerShell script for Windows can be used for suspending the screensaver when you are connected to a specific Wi-Fi network.

$wsh = New-Object -ComObject WScript.Shell
# Idea to use WSH comes from: https://stackoverflow.com/questions/9794893/powershell-toggle-num-lock-on-and-off

while ($true) {
  $wifi = get-netconnectionprofile | Out-String -Stream | Select-String -Pattern ""
  if ($wifi) {
    $wsh.SendKeys('+')
  }
  Start-Sleep -Seconds 60
}

I bought an ASRock C2750D4I motherboard for my NAS in October 2014. In March 2017, my board was struck by a firmware bug that involves the BMC flash storage being worn out too quickly because of a bug in the watchdog. This is a well-known issue.

Since my board died after more than two years, I was worried whether I could still get it RMA’ed. The shop where I bought the board stated I only had two years warranty.

Luckily, the folks at ASRock were very helpful. I discovered that (also) in The Netherlands you have three years warranty on the C2750D4I.

I received a replacement board from ASRock quickly. As of now, half a year later, the new board is still operating perfectly. I can only say that my RMA experience with ASRock has been positive.

Update 2022: my board died again, this time because of the C2000 bug. ASRock was very considerate in sending me a new board, this many years after I bought it.

The MITRE ATT&CK framework is a great tool for blue teams.

As an exercise, I tried mapping the Stuxnet attack onto the ATT&CK framework. As a source, I used the excellent Symantec Stuxnet paper.

CC-BY-SA.

• I tried cramming it all into one slide, sorry for that. Defense evasion is indeed that big.
• There are multiple ways to do the mapping. There could also be mistakes (caveat emptor). I welcome any bugfixes.
• The credential access row is empty, since from what I read it used the user’s credential token not their actual passwords. The exfiltration row is empty because the paper shows that this instance was primarily meant for infecting the SCADA systems. Of course, the malware was able (via its C&C connection) to have exfiltration modules, but these were not discussed.

PDF version: ATT&CK – Stuxnet.