Tuesday, December 02, 2003

Deep Forest
If you have never heard the musical stylings of the group Deep Forest, you should really give them a listen. I recommend the first two albums. These two guys travel deep into remote areas of the world, and record singing and chanting from villagers. Then they bring it back home into a studio and lay it over a drum machine beat. The end result is a very ambient and spiritual melody. You can close your eyes and imagine you are in a soft, quiet wooded forest.

But I'm just not feeling it this morning. You can shove those woods up your ass. I am trapped in the middle of nowhere once again in a youth detention center without Internet access. My view of the woods is obscured by barbed wire and meshed windows. The only sounds I hear are of the heating equipment just outside of this room, and of juvenile correction officers yelling at youth in the hallways.

What the hell am I doing here? My only comfort is in knowing that my resume is out there in postal mail, making its way to what I hope becomes my next employer. I even dreamed about it.

In my dream, I was introduced to my new office. It had a nice window through which the sun came in and lit up my empty, but spacious suite (with a door). In all likelihood, my office will be a cubicle in a farm of other cubicles. But this is my dream, so shut up. I am then shown an old computer that was left behind, and I am welcome to use it. It's a Blue and White Macintosh G3. Slightly outdated (I'm realistic in my dreams now) but very usable. My display is a flat panel too. Nice touch. As I make my way to my desk I notice the carpet is in need of vacuuming. Should I clean it? I just started here. I probably hadn't even met anyone. Should I get out the vacuum? Sometimes when you are dreaming you get carried away with the technical details.

I was probably awakened by my son, who decided he would get up at 4:00AM to get ready for school, which wouldn't be for another 3.5 hours. No one is sure why he insists on getting up before the roosters.

Now I am checking the time and thinking "Shouldn't I be getting ready for class?" I have one student who has shown up. He is telling me that two people won't be here for reasons unexplained. My class tally for the morning should weigh in at two or three. I guess I will go teach now.

This morning's key thought: What the hell will I eat? I forgot my lunch, and I would have to drive about half an hour to get back to even a gas station. About 40 minutes to the nearest Subway. God, please deliver me to new employment.

Big Mac Attack
So I ask around and find out that there is a tiny town (called 'Mohican') just north-east of this forest. I spot it on the map, and head for it on my lunch hour. Audrey is being a slut, and my wireless card keeps coming up 'missing'. After like 5 reboots I get it to work, at which point I have made it into town, and so I swing into a McDonald's parking lot to straighten shit out! As soon as my war-driving utility comes up: 'DING-DING!' I found two access points. And they are right here at McDonald's! I look around. To my left there is a graveyard. On my right is a small chiropractor's office. And far off in the distance on a hill sit a few large homes.

I don't know whose network I was on, but it was not WEP'd. Unfortunately, I tried to get an address, and I couldn't obtain one through a lease. So ... here is my journal of activity.

Step one, connect to the access point.



Step two, monitor traffic with tcpdump.

Here is me looking for an address, and them ignoring me. Thanks for nothing!

-4:-6:-50.070444 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, length: 300
-4:-6:-50.071727 arp who-has audreyii.local tell 0.0.0.0
-4:-6:-50.088531 audreyii.local > ff02::2: icmp6: router solicitation
-4:-6:-50.373447 arp who-has audreyii.local tell 0.0.0.0
-4:-6:-50.375797 arp reply audreyii.local is-at 00:30:65:05:57:a1
-4:-6:-50.676804 arp who-has audreyii.local tell 0.0.0.0
-4:-6:-50.679154 arp reply audreyii.local is-at 00:30:65:05:57:a1
-4:-6:-49.079821 arp who-has audreyii.local tell 0.0.0.0
-4:-6:-49.085764 arp reply audreyii.local is-at 00:30:65:05:57:a1
-4:-6:-49.382469 arp who-has audreyii.local tell audreyii.local
-4:-6:-49.512818 audreyii.local > ff02::2: icmp6: router solicitation
-4:-6:-49.688122 arp who-has audreyii.local tell audreyii.local
-4:-6:-49.919839 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, length: 300


But are there people on this network? I see a couple of addresses, and it's people surfing Kazaa and Gnutella.

-4:-7:-11.768330 81.64.117.21.gnutella-svc > 216.206.239.145.26700: P 6196:6239(43) ack 1135 win 33304 (DF)

-4:-7:-11.407034 24.132.10.126.kazaa > 216.206.239.132.qadmifevent: . ack 5425 win 17520 (DF)


Jerkies! I want to play too! I guess I will make up an address.

Step 3 - Make up an address on this network.

audreyii:/Users/rayhaque root# ifconfig en1 216.206.239.140 255.255.255.0


Step 3 1/2 - Test connectivity!


audreyii:/Users/rayhaque root# ping 216.206.239.145
PING 216.206.239.145 (216.206.239.145): 56 data bytes
64 bytes from 216.206.239.145: icmp_seq=0 ttl=254 time=8.198 ms
64 bytes from 216.206.239.145: icmp_seq=1 ttl=254 time=13.366 ms


I need a gateway!! Don't know where I will get that from. I guess I monitor a while longer.

I find interesting stuff.

-3:-53:-45.162631 64.12.24.172.aol > 216.206.239.132.tclprodebugger: P 50934078:50934132(54) ack 3062354438 win 16384 (DF)


Dude, all my friends are on AOL!

What's this here?


-3:-51:-59.001017 216.206.239.140 > 224.0.0.2: igmp leave 224.0.0.251
-3:-51:-59.002131 216.206.239.140 > 224.0.0.251: igmp v2 report 224.0.0.251
-3:-51:-59.032699 216.206.239.140 > 224.0.0.2: igmp leave 224.0.0.251
-3:-51:-59.033963 216.206.239.140 > 224.0.0.251: igmp v2 report 224.0.0.251
-3:-51:-59.042814 216.206.239.140 > 224.0.0.2: igmp leave 224.0.0.251
-3:-51:-59.043752 216.206.239.140 > 224.0.0.251: igmp v2 report 224.0.0.251
-3:-51:-59.583053 216.206.239.140.mdns > 224.0.0.251.mdns: 0 [6q] [2n] PTR (Class 32769)? _register._mdns._udp.local.[|domain]
-3:-51:-59.833230 216.206.239.140.mdns > 224.0.0.251.mdns: 0 [2q] [2n][|domain]


This guy looks like a router!! Oh wait ... that guy is me. It looks as if Audrey here keeps sending out routing updates in attempts to learn about neighbors. Too bad they all ignore me and pretend not to be my friend.

Maybe I can find some DNS servers to use? If they are outside of this network, I am screwed, because I still have not found the gateway to get traffic out through.


audreyii:/Users/rayhaque root# tcpdump -i en1 | grep dns
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, capture size 96 bytes
-3:-41:-28.028391 216.206.239.140.49188 > 224.0.0.251.mdns: 53105+ PTR? 135.81.254.169.in-addr.arpa. (45)
-3:-41:-28.028878 216.206.239.140.49188 > 224.0.0.251.mdns: 53105+ PTR? 135.81.254.169.in-addr.arpa. (45)
-3:-41:-28.030732 216.206.239.140.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/0 (Class 32769) PTR[|domain]


224? That's not a valid address. That's a class D (multicast) address. My grep trick didn't work. Perhaps I should use tcpdump the way I am supposed to ... that is, specify a port to search under (53 for DNS). That proves unsuccessful too.

I will open my search up again and monitor all traffic. Most is gnutella traffic to the 145 host. He is probably downloading some serious pr0n.


-3:-26:-55.474190 216.206.239.230.domain > 3.0.21.18.streetperfect: 1*- 1/0/0 A[|domain]
-3:-26:-53.417247 216.206.239.230.domain > 216.206.239.133.65464: 18090 NXDomain* 0/1/0 (138)
-3:-26:-53.433757 216.207.226.3.domain > 216.206.239.133.65465: 18090* 2/0/0[|domain]
-3:-26:-45.794876 216.206.239.230.domain > 3.0.21.20.1046: 1478*- 1/0/0 (59)
-3:-25:-51.399881 216.206.239.230.domain > 3.0.21.20.1046: 1479 1/0/0 (59)
-3:-25:-50.393049 216.206.239.230.domain > 216.206.239.133.65466: 24224 NXDomain* 0/1/0 (138)


Who the heck is this 3.0.21.20 guy, and what is he doing on this network? This is some puzzling traffic.


-3:-22:-43.077715 216.206.239.230.domain > 3.0.21.18.passwrd-policy: 1 1/0/0 (59)


Another schmoe from this 3.0. network. Doing something with a password policy? Tcpdump may be confused. It's probably just making assumptions based on the /etc/services file.
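The captures above are a textbook passive recon session: no DHCP lease, so the subnet has to be inferred from who is talking, the gateway from the fact that local hosts exchange unicast traffic with off-net addresses, and the resolvers from which hosts answer *from* port 53. Two things the raw output hides are worth making mechanical. First, tcpdump without `-n` prints port names from /etc/services, so port 53 shows up as `domain` and 5353 as `mdns`; that is why `grep dns` above only ever caught the Mac's own Rendezvous chatter to 224.0.0.251, while the `216.206.239.230.domain > ...` replies later in the capture are a DNS server sitting right on the subnet. Second, a host on this /24 talking to 81.64.117.21 or 216.207.226.3 means a default gateway exists even though its address never appears in a plain capture (you need `tcpdump -e` and the one MAC that pairs with many off-net IPs to pin it down). The script below is an added example, not part of the original post: it parses tcpdump's default text format and pulls those facts out. The sample capture is constructed for the example, in the shape of the lines above but with ordinary timestamps; the addresses in it are the ones the post shows.

```python
"""Passive subnet survey over tcpdump text output (added example, not from the post)."""
import json
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# tcpdump's default line: "<ts> <src>.<sport> > <dst>.<dport>: ..."
# Without -n the ports are service names from /etc/services, so DNS answers
# appear as ".domain" and Rendezvous/Bonjour as ".mdns". ARP, IGMP and ICMPv6
# lines have no "<ip>.<port>" pair and simply do not match.
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>[\w-]+):"
)

# Constructed sample in the post's format (timestamps are made up).
SAMPLE_CAPTURE = """\
12:07:11.768330 81.64.117.21.gnutella-svc > 216.206.239.145.26700: P 6196:6239(43) ack 1135 win 33304 (DF)
12:07:11.407034 24.132.10.126.kazaa > 216.206.239.132.qadmifevent: . ack 5425 win 17520 (DF)
12:26:55.474190 216.206.239.230.domain > 3.0.21.18.streetperfect: 1*- 1/0/0 A[|domain]
12:26:53.417247 216.206.239.230.domain > 216.206.239.133.65464: 18090 NXDomain* 0/1/0 (138)
12:26:53.433757 216.207.226.3.domain > 216.206.239.133.65465: 18090* 2/0/0[|domain]
12:41:28.028391 216.206.239.140.49188 > 224.0.0.251.mdns: 53105+ PTR? 135.81.254.169.in-addr.arpa. (45)
12:51:59.001017 216.206.239.140 > 224.0.0.2: igmp leave 224.0.0.251
"""


def parse_flows(text):
    """Return (src, sport, dst, dport) for each line carrying an IPv4 src/dst pair with ports."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append((m["src"], m["sport"], m["dst"], m["dport"]))
    return flows


def _is_host(addr):
    """True for a real unicast host; drops multicast, 0.0.0.0 and broadcast."""
    a = ip_address(addr)
    return not (a.is_multicast or a.is_unspecified or addr == "255.255.255.255")


def guess_local_net(flows):
    """Most frequent /24 among host addresses. Crude, but it is what you get when DHCP ignores you."""
    counts = Counter()
    for src, _, dst, _ in flows:
        for a in (src, dst):
            if _is_host(a):
                counts[ip_network(f"{a}/24", strict=False)] += 1
    return counts.most_common(1)[0][0]


def survey(text):
    flows = parse_flows(text)
    net = guess_local_net(flows)
    local, dns_local, dns_upstream, talks_out = set(), set(), set(), set()
    for src, sport, dst, dport in flows:
        src_local = _is_host(src) and ip_address(src) in net
        dst_local = _is_host(dst) and ip_address(dst) in net
        for a, is_local in ((src, src_local), (dst, dst_local)):
            if is_local:
                local.add(a)
        # Only answers *from* port 53 identify a resolver; queries to it do not.
        if sport in ("domain", "53"):
            (dns_local if src_local else dns_upstream).add(src)
        # Local host <-> off-net unicast proves a default gateway exists; its MAC
        # is the one that pairs with many off-net IPs in a "tcpdump -e" capture.
        if _is_host(src) and _is_host(dst) and src_local != dst_local:
            talks_out.add(src if src_local else dst)
    return {
        "net": str(net),
        "local_hosts": sorted(local, key=ip_address),
        "dns_servers": sorted(dns_local, key=ip_address),
        "upstream_dns": sorted(dns_upstream, key=ip_address),
        "hosts_with_external_traffic": sorted(talks_out, key=ip_address),
        "gateway_present": bool(talks_out),
    }


if __name__ == "__main__":
    print(json.dumps(survey(SAMPLE_CAPTURE), indent=2))
```

Run against a real capture with `tcpdump -i en1 -l | python3 survey.py` style plumbing (reading stdin instead of `SAMPLE_CAPTURE`), and remember the result is only as good as what happened to be on the air while you listened: a quiet network yields a wrong /24 guess and no resolver at all.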

Oh crap! I'm going to be late getting back for this damn evening class. I will have to try to get out on this network again Thursday when I come back here in Mohican country. Be on the lookout for the Big Mac Attack Part II!
