Wednesday, December 24, 2003

U SCAN (Unless U are an idiot)
I really didn't want to go shopping today. At all. But I had to go to the grocery. As you might guess, it was a fucking nightmare. All the lanes were open, and the manager of the store was literally running around trying to make things run smoother. He had my pity. But they were just not keeping up. Lines were backing into the aisles, and the line to the U-Scans was heading into loops.

They really need a sign on these machines. Something to the effect of "if you have trouble working simple machinery, go stand in the other line (dumbass)". I watched some woman squint her eyes and bare her teeth (that DUH look) as she scanned something twice without putting it in the bag. Meanwhile, the machine is yelling at her in that calm female voice, "put the last scanned item back in the bag". After repeating it about 3 times, the machine gives up and says, "please wait for cashier assistance". I think I also heard it mutter, "you fucktard" under its breath.

On the other side of U-Scan land, I watched this guy put a $20 into the machine, which it rejected. He shoved it back in, it came back out. So on the third try he held his finger over the slot and kept it from being rejected! SMART MOVE!!! That'll teach it! Oh wait, it JAMMED??!? Why? Call the technician! This line will be getting longer in a moment.



As I was escaping the store, I bumped into a guy who took one look at the solid mass of people and simply said "holy shit!". And I replied, "yeah, good luck". He turned around, following me back out of the store and said "Fuck this! I'm going to Speedway!". Not a bad idea really, that's what I should have done.

Oh yeah, Merry Christmas.

Monday, December 22, 2003

Been a while!
I apologize to those of you who have been checking in and hoping to find something interesting to read. I have been a lazy bastard. Seems I been climbing into bed at night, and I just haven't had the urge to 'blog out my day' like I had. So here is what has kept me so busy.

I celebrated a birthday! Yay for me. It's a birthday party! Ray is now 28 years old. One step closer to 30. I got some fun stuff for my birthday. Some clothes, socks, you know. But I also got a pencam to do some blog shots. It works great ... but my iBook hates it. I plug it into the USB port, and it just blinks. Lo and behold, neither of the webcam/digi-cam driver efforts cover this model. What a bummer. I have gathered the specs and sent them to the "IOExperts" who hopefully will be able to aid me in making it work. In the meantime it works fine on my PC. If I am really desperate, I can run Windows with Virtual PC on my Mac, and then run the camera utilities on that! It's slow as shit, but it actually works.

Two days ago we went thrifting. We had a couple bucks to blow, but we didn't want to try and attack the mall crowds this close to Christmas. So we hit the thrift stores. About 5 in all, along with some "discount store" that has popped up next to an old thrift store we rarely visit. It was a little like odd lots. Some prices were low, while others seemed a bit unreasonable. They had quite a bit of refurbished electronics ... but they were asking too much. And you have to run fast from those "No Returns" signs. Eeek.

I was impressed with the aisle of plastic though. Everything was under a dollar. Neat. That's a lot of discounted tupperware!



I was also pretty excited to find Randy Savage Slim Jim collector tins! They were about 1 inch off from being the perfect cantenna measurements. Too bad. It would have looked nice on my dashboard. Still, $1 for a Randy tin ain't too shabby. Oh, and he had his arm around some whore named "George". Nice touch!



I was disappointed with the thrift store junk. I like a good deal on old shit when I can find it. But there were no good deals. A few shops had nothing but clothing (bad clothing too), while others had piles of good junk, that was way overpriced.



There were dozens of monitors at one shop. All of them priced around $30. It's also fun when you pick up an old 486 and find a price tag for $69.99. What the hell? My guess is that the hicks working the price-guns have no idea how to judge the value of electronics. And I guess that they can't take a hint when nothing sells.

After picking up the kids (they stayed with their aunt all day) we made a quick pass through Taco Bell. I don't know that it was a good idea with all of us on the verge of being sick, but I think we all managed to keep our food down.



And speaking of being sick. Blah! My stomach feels like it's full of rocks. This flu just won't leave me be.

This morning we let the kids open their Christmas gifts. We have all been trapped in the house, bored to death. And later this week we will be running house to house for all the various family Christmas get-togethers. So Santa came early.

Santa brought me "The Art Of Deception" by Kevin Mitnick. I have been longing to read it, so on its first day in my hands I have already read the first 4 chapters. Not a bad book. Each chapter so far reveals some interesting stories which are meant to guide you into becoming a better social engineer. Gooood stuff.

I have also been reading some Cisco study materials. I got my hands on a few eBooks, and also a big rar archive off of the eDonkey network. After about 5 days of waiting for it to finish, I was pleased with what was in it. Not only did I get both Cisco Press books (821 and 811 exams), I also got all four Cisco Academy courses. The Academy stuff is Flash-based content and HTML. It's self-study reading, with a lot of visual aids, exams, and other things to keep it entertaining. I was happy! I also found the Sybex 801 book, which prepares you to take the one big CCNA exam. Great book! It's a much better read than the Cisco Press stuff.

Now I must go. I need to go to the store between my visits to the restroom. God damn this flu.

Friday, December 12, 2003

IP THIEF
Seems like it's been a while since I blogged. Truth is, I did about two days worth on my laptop and then didn't copy it off before replacing the hard drive. You wouldn't believe what a pain in the ass that was. But Audrey has gone from 3.2GB to 18.6GB. I had suspected that little drive was going bad. When I pulled it out, it rattled. Are they supposed to rattle?

Well now I am getting ready to start a night class. Hooray. Been a tough day really. I thought I would play on lunch in the McDonalds parking lot like I had been. But when I got there I found that my bandwidth was SUCKING. I needed to download a few things. A few packages to make ethereal work, the newest version of KisMac for wardriving, and maybe a few songs to listen to on the way home.

I was getting an average of 1.2k per second on my downloads. What the hell? I thought maybe my signal was weak. So I re-parked the car a few times. No difference. Seeing how I didn't have Ethereal, it would be tough to see what the hell was happening. So I ran tcpdump. Sure enough, someone was stealing all the bandwidth for gnutella traffic. Ass monkey.

I decided I would let him know what I thought about him.

Ray-Haques-Computer:/sw/bin root# smbclient -IM 216.206.239.145 "You should turn off some of your filesharing bullshit. You are saturating this network. Have some respect."


Then I got pissed and drove off into town in search of better bandwidth. I found a pretty nice AP serving up a signal strength of 32! Nice! It seemed to be a tunneled network of some kind though, and the AP was ignoring me. I thought "hell, now is my chance to change my MAC address". I was sure that this AP was using MAC filtering as a means of security (no WEP). Imagine my disappointment when I was told "not permitted" when changing it. I would later learn that I can change the MAC address of my built in Ethernet, but not the WiFi card. That's gay.

After some frustration, and a dirty look from a redneck on her porch who was probably calling the local police on my loitering ass, I was headed back to McDonalds. Still, all the bandwidth was being consumed and I was pissed.

Here is how I achieved vengeance.

  1. Run tcpdump to get the IP address of the evil bandwidth hog.
  2. Assume that IP address as an alias to my own network card (ifconfig alias)
  3. Ping the gateway/router.
  4. Laugh, and enjoy all the bandwidth


It's not nice at all. But what I basically did is tell the router that the bandwidth whore's IP address had moved onto a new MAC address (my own). The router then started sending his packets to me. Realizing what had happened, his computer reported an IP conflict to the user, and then went back to the router asking for a re-association through the ARP process. Naturally, he didn't stand a chance. I was playing a much more aggressive game in this tug-o-war battle.

Watching the packets dumping by in terminal I could see all of his downloads were timing out, and bombing, until I was seeing very little traffic headed his way. My downloads shot up to 34k. Not bad.
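The takeover described above has a clear signature on the wire: one IP address is suddenly answered by a second MAC, and then bounces between the two as the real host fights back. The Python below is an added example, not code from the post; it reads tcpdump ARP lines in the same format the post's captures use and alerts when an IP-to-MAC binding changes or flaps. The capture it runs on is constructed (documentation-range addresses, made-up MACs).

```python
import re
from collections import defaultdict

# tcpdump prints an ARP reply as "<timestamp> arp reply <ip-or-host> is-at <mac>",
# the same form that appears in the captures on this page. Hostnames are accepted
# as well as dotted IPs because tcpdump resolves names unless run with -n.
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+arp reply (?P<ip>\S+) is-at "
    r"(?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})",
    re.IGNORECASE,
)


def parse_arp_reply(line):
    """Return (timestamp, ip, mac) for an ARP reply line, or None for anything else.

    who-has lines are skipped on purpose: without tcpdump -e they carry no sender
    MAC, so only replies let us learn an IP-to-MAC binding.
    """
    m = ARP_REPLY.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("mac").lower()


def monitor(lines):
    """Track IP-to-MAC bindings and alert when a binding changes.

    Returns (bindings, alerts). Each alert records the IP, the old and new MAC and
    a kind: "changed" the first time an IP moves to a MAC never seen for it, or
    "flapping" when it bounces back to a MAC it has used before, which is what the
    tug-of-war between the real host and the impersonator looks like on the wire.
    """
    bindings = {}
    seen = defaultdict(list)  # ip -> every MAC it has ever been bound to, in order
    alerts = []
    for line in lines:
        parsed = parse_arp_reply(line)
        if parsed is None:
            continue
        ts, ip, mac = parsed
        prev = bindings.get(ip)
        if prev is None or prev == mac:
            bindings[ip] = mac
            if mac not in seen[ip]:
                seen[ip].append(mac)
            continue
        kind = "flapping" if mac in seen[ip] else "changed"
        if kind == "changed":
            seen[ip].append(mac)
        bindings[ip] = mac
        alerts.append({"ts": ts, "ip": ip, "old": prev, "new": mac, "kind": kind})
    return bindings, alerts


# Constructed sample capture: 192.0.2.1 is the gateway, 192.0.2.45 is a host whose
# address a second station starts claiming with its own MAC, after which the two
# trade the address back and forth.
SAMPLE_CAPTURE = """\
12:00:01.000001 arp who-has 192.0.2.1 tell 192.0.2.45
12:00:01.000900 arp reply 192.0.2.1 is-at 00:11:22:33:44:01
12:00:02.000100 arp reply 192.0.2.45 is-at 00:aa:bb:cc:dd:45
12:00:05.000100 arp reply 192.0.2.45 is-at 00:30:65:00:00:99
12:00:06.000100 arp reply 192.0.2.45 is-at 00:aa:bb:cc:dd:45
12:00:07.000100 arp reply 192.0.2.45 is-at 00:30:65:00:00:99
12:00:09.000100 arp reply 192.0.2.1 is-at 00:11:22:33:44:01
"""


def analyze_sample():
    """Run the monitor over the constructed capture."""
    return monitor(SAMPLE_CAPTURE.splitlines())


if __name__ == "__main__":
    bindings, alerts = analyze_sample()
    for a in alerts:
        print(f"{a['ts']} {a['kind']:8} {a['ip']}: {a['old']} -> {a['new']}")
```

On a live box the same function can be fed `tcpdump -l -n -i en1 arp` line by line; a single "changed" alert for the gateway address is the case worth paging on.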

Thursday, December 04, 2003

Teaching Monkeys Philosophy
Let me quote to you a line from one of my favorite films of all time, A Fish Called Wanda. In it, Kevin Kline plays the best role of his acting career in the character Otto. Otto believes that reading philosophy makes him an intellectual. Which is what he strives for. Jamie Lee Curtis, playing Wanda, sees through this front and knows that he is just a big dumb American who thinks he is cool. In an argument, Wanda calls Otto a 'big dumb ape', and then we cue the lines.

Otto: Apes don't read philosophy!
Wanda: Yes they do Otto, they just don't understand it.

This morning, my mission will be teaching the monkeys how a computer works on the inside. We have a book to shoot through, which should be an 8 hour class done in two four hour sessions. I am doing the whole thing in four, and I am going to skim the material. I wonder if my students would care how a processor actually registers information. Or how physical memory handles binary code. Only about half of these students have really used a computer, that is more or less to play 'soli-tairy' or to 'do e-mail'.

The whole concept of this particular course is ridiculous. I plan on zipping through it, and focusing on what a 'monitor' is versus a 'liquid crystal display'. I would like to leave a nice long lunch in place so that I might explore the network I found this past Tuesday. Yes, I plan on setting up shop in the McDonalds parking lot again. This time, I WILL be getting out on this network. I brought with me a secret weapon ... Ethereal.

Ethereal is a really simple packet analyzer for just about any flavor of *nix that runs X-Windows. What I found is that I needed something called 'Fink' which will allow me to install Ethereal as a package. It was a pain in the butt to get running, and it failed to find Ethereal, or download a current package list. After some searching I came across a utility called Fink Commander. Basically, it's a front end for fink that beats the piss out of the terminal based front end that came with the binaries. From the Commander, I was able to get a current package list, and install not only Fink, but also all the gnome libraries I was missing. I also had to install a dev-compat package of some kind that fixed some broken lib dependencies. Thankfully, a Google search led me to someone's blog that explained the whole process behind the error message I was getting.

Now I have Ethereal running like a champ under the X11 utility for OS X. It's neat. I can't wait to start grabbing those packets. It was such a busy network, it shouldn't be long before I have enough to discover my gateway, and DNS servers to use.

Now, it's class time. Wish me luck with my monkeys.

Big Mac Attack Part II
Today was the day I would invade the McNetwork. Pulling into the McParking McLot and checking the time, I had a good 2.5 hours to blow. I went ahead through the drive through and got a small Coke, so that I could call myself a McCustomer. Then I parked the car, and went to work.

Once again, connecting to the non-WEP network was a breeze, but I was unable to obtain an address from DHCP. I went ahead and started up Ethereal. I am really impressed with the speed and ease of use with Ethereal. Like most packet analyzers, when you start it up you are opening a 'fish net' for packets. Once you have tallied up a handful or more, you can stop the scan (retrieve the net) and see what you picked up.

I was interested in finding two pieces of information. A gateway to send traffic through to the Internet, and a DNS server to resolve host names. After several searches I was finding nothing. Strange thing about networking. I was seeing packets coming from the local network and going to the outside world. I could also see packets coming from the Internet back to local hosts. Never are you getting a hint about the router, or the gateway that took the packets there. This would be a problem. I threw out the net about four times before I was 'shown the way'. When it finally appeared in my scan, it was like Indiana Jones when the light shined into the small temple, exposing the location of the Ark of the Covenant.



If you notice in the photo, the line I have highlighted is the router. It stuck out like a sore thumb because the protocol for this packet was marked as an "arp request". ARP is the process a host uses when it knows the IP address of a destination but needs its MAC address. We only need this information for someone we plan on sending information DIRECTLY to, without the use of another router. Generally, you need to know the MAC of your router or gateway, and you ask for that information on the network. I happened to catch it. It was either luck, or patience. Once you have the MAC, you will not ask for it again for probably 10 minutes or more.

Now I had to add the gateway like this.

audreyii:/Users/rayhaque root# route add default 216.206.239.188


To test my gateway to the outside world, I pinged the DNS servers I use at work. I got a reply which was good. I also needed a DNS to use, since I hadn't discovered the local DNS being used on this network. Here is how we add a DNS server really quickly for immediate use.

audreyii:/Users/rayhaque root# echo "nameserver 65.24.0.167" > /etc/resolv.conf


Now I have Internet, to test I connect to #thebroken on irc.gloop.net. The gang's all there! I also open up my Instant Messenger and say howdy.

Then I am back out with Ethereal capturing more packets and having a look at this network. Two users on this network are abusing the hell out of it with Kazaa and Gnutella traffic. As you can imagine, it was hell digging through all that crap to get to the interesting stuff. Pretty quickly, I start coming across AIM info. Every time someone's AIM buddy hops online, their 'presence' is sent to one of my two active users and I am picking it all up in my packet logs.

Here is a received message. Something about going to sleep later. Whatever.



Why stop with reading someone else's message. Why not message these people myself? I don't have to tell them how I came to meet them. I just want a new friend. I cannot resist, and I start adding these newfound buddies to my list and messaging them.



I don't know who this guy is, but all of his friends suck. I messaged three of them and I never got a reply back. With all the AIM spam I get, I would probably ignore them too. But damn, I'm lonely here. Who else can I bother? I go back to fishing, picking up LOTS of Kazaa and Gnutella crap. But then I see this.



Oh man. This jerkwad is using Kazaa to download Charlie Brown's Christmas MP3s. He is probably the type of filetrader that has porno with movie titles on it. So you download the latest hit film, and it's two bald German guys screwing each other.

A couple of times I pick up on some users who are checking their e-mail. But most of them have empty mailboxes, so I never get any messages to read through.



I thought it might be fun to message one of these people and ask "Hey, have you read your email today?", and when they say "yes" I could reply "well I read your e-mail too!".

Somehow I wasted well over two hours capturing packets and looking at them. I had a few conversations along the way on IRC and on my messengers. But damn did I waste some serious time. And boy was that fun.

I should do this EVERY Tuesday and Thursday that I am in this damn town.

Tuesday, December 02, 2003

Deep Forest
If you have never heard the musical stylings of the group Deep Forest, you should really give them a listen. I recommend the first two albums. These two guys travel deep into remote areas of the world, and record singing and chanting from villagers. Then they bring it back home into a studio and lay it over a drum machine beat. The end result is a very ambient and spiritual melody. You can close your eyes and imagine you are in a soft quiet wooded forest.

But I'm just not feeling it this morning. You can shove those woods up your ass. I am trapped in the middle of nowhere once again in a youth detention center without Internet access. My view of the woods is obscured by barbed wire, and meshed windows. The only sounds I hear are of the heating equipment just outside of this room, and of juvenile correction officers yelling at youth in the hallways.

What the hell am I doing here? My only comfort is in knowing that my resume is out there in postal mail, making its way to what I hope becomes my next employer. I even dreamed about it.

In my dream, I was introduced to my new office. It had a nice window through which the sun came in and lit up my empty, but spacious suite (with a door). In all likelihood, my office will be a cubicle in a farm of other cubicles. But this is my dream, so shut up. I am then shown an old computer that was left behind, and I am welcome to use it. It's a Blue and White Macintosh G3. Slightly outdated (I'm realistic in my dreams now) but very usable. My display is a flat panel too. Nice touch. As I make my way to my desk I notice the carpet is in need of vacuuming. Should I clean it? I just started here. I probably hadn't even met anyone. Should I get out the vacuum? Sometimes when you are dreaming you get carried away with the technical details.

I was probably awakened by my son, who decided he would get up at 4:00AM to get ready for school, which wouldn't be for another 3.5 hours. No one is sure why he insists on getting up before the roosters.

Now I am checking the time and thinking "shouldn't I be getting ready for class?". I have one student who has shown up. He is telling me that two people won't be here for reasons unexplained. My class tally for the morning should weigh in at two or three. I guess I will go teach now.

This morning's key thought: What the hell will I eat? I forgot my lunch, and I would have to drive about half an hour to get back to even a gas station. About 40 minutes to the nearest Subway. God, please deliver me to new employment.

Big Mac Attack
So I ask around and find out that there is a tiny town (called 'Mohican') just north-east of this forest. I spot it on the map, and head for it on my lunch hour. Audrey is being a slut, and my wireless card keeps coming up 'missing'. After like 5 reboots I get it to work, at which point I have made it into town, and so I swing into a McDonald's parking lot to straighten shit out! As soon as my war-driving utility comes up, 'DING-DING!'. I found two access points. And they are right here at McDonalds! I look around. To my left there is a graveyard. On my right is a small chiropractor's office. And far off in the distance on a hill sits a few large homes.

I don't know whose network I was on, but it was not WEP'd. Unfortunately, I tried to get an address, and I couldn't obtain one through a lease. So ... here is my journal of activity.

Step one, connect to the access point.



Step two, monitor traffic with tcpdump.

Here is me looking for an address, and them ignoring me. Thanks for nothing!

-4:-6:-50.070444 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, length: 300
-4:-6:-50.071727 arp who-has audreyii.local tell 0.0.0.0
-4:-6:-50.088531 audreyii.local > ff02::2: icmp6: router solicitation
-4:-6:-50.373447 arp who-has audreyii.local tell 0.0.0.0
-4:-6:-50.375797 arp reply audreyii.local is-at 00:30:65:05:57:a1
-4:-6:-50.676804 arp who-has audreyii.local tell 0.0.0.0
-4:-6:-50.679154 arp reply audreyii.local is-at 00:30:65:05:57:a1
-4:-6:-49.079821 arp who-has audreyii.local tell 0.0.0.0
-4:-6:-49.085764 arp reply audreyii.local is-at 00:30:65:05:57:a1
-4:-6:-49.382469 arp who-has audreyii.local tell audreyii.local
-4:-6:-49.512818 audreyii.local > ff02::2: icmp6: router solicitation
-4:-6:-49.688122 arp who-has audreyii.local tell audreyii.local
-4:-6:-49.919839 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, length: 300


But are there people on this network? I see a couple of addresses, and it's people surfing Kazaa and Gnutella.

-4:-7:-11.768330 81.64.117.21.gnutella-svc > 216.206.239.145.26700: P 6196:6239(43) ack 1135 win 33304 (DF)

-4:-7:-11.407034 24.132.10.126.kazaa > 216.206.239.132.qadmifevent: . ack 5425 win 17520 (DF)


Jerkies! I want to play too! I guess I will make up an address.

Step 3 - Make up an address on this network.

audreyii:/Users/rayhaque root# ifconfig en1 216.206.239.140 255.255.255.0


Step 3 1/2 - Test connectivity!


audreyii:/Users/rayhaque root# ping 216.206.239.145
PING 216.206.239.145 (216.206.239.145): 56 data bytes
64 bytes from 216.206.239.145: icmp_seq=0 ttl=254 time=8.198 ms
64 bytes from 216.206.239.145: icmp_seq=1 ttl=254 time=13.366 ms


I need a gateway!! Don't know where I will get that from. I guess I monitor a while longer.

I find interesting stuff.

-3:-53:-45.162631 64.12.24.172.aol > 216.206.239.132.tclprodebugger: P 50934078:50934132(54) ack 3062354438 win 16384 (DF)


Dude, all my friends are on AOL!

What's this here?


-3:-51:-59.001017 216.206.239.140 > 224.0.0.2: igmp leave 224.0.0.251
-3:-51:-59.002131 216.206.239.140 > 224.0.0.251: igmp v2 report 224.0.0.251
-3:-51:-59.032699 216.206.239.140 > 224.0.0.2: igmp leave 224.0.0.251
-3:-51:-59.033963 216.206.239.140 > 224.0.0.251: igmp v2 report 224.0.0.251
-3:-51:-59.042814 216.206.239.140 > 224.0.0.2: igmp leave 224.0.0.251
-3:-51:-59.043752 216.206.239.140 > 224.0.0.251: igmp v2 report 224.0.0.251
-3:-51:-59.583053 216.206.239.140.mdns > 224.0.0.251.mdns: 0 [6q] [2n] PTR (Class 32769)? _register._mdns._udp.local.[|domain]
-3:-51:-59.833230 216.206.239.140.mdns > 224.0.0.251.mdns: 0 [2q] [2n][|domain]


This guy looks like a router!! Oh wait ... that guy is me. It looks as if Audrey here keeps sending out routing updates in attempts to learn about neighbors. Too bad they all ignore me and pretend not to be my friend.

Maybe I can find some DNS servers to use? If they are outside of this network, I am screwed, because I still have not found the gateway to get traffic out through.


audreyii:/Users/rayhaque root# tcpdump -i en1 | grep dns
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, capture size 96 bytes
-3:-41:-28.028391 216.206.239.140.49188 > 224.0.0.251.mdns: 53105+ PTR? 135.81.254.169.in-addr.arpa. (45)
-3:-41:-28.028878 216.206.239.140.49188 > 224.0.0.251.mdns: 53105+ PTR? 135.81.254.169.in-addr.arpa. (45)
-3:-41:-28.030732 216.206.239.140.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/0 (Class 32769) PTR[|domain]


224? That's not a valid host address. That's a class D (multicast) address. My grep trick didn't work. Perhaps I should use tcpdump the way I am supposed to ... that is, specify a port to search under (53 for DNS). That proves unsuccessful too.

I will open my search up again and monitor all traffic. Most is gnutella traffic to the 145 host. He is probably downloading some serious pr0n.


-3:-26:-55.474190 216.206.239.230.domain > 3.0.21.18.streetperfect: 1*- 1/0/0 A[|domain]
-3:-26:-53.417247 216.206.239.230.domain > 216.206.239.133.65464: 18090 NXDomain* 0/1/0 (138)
-3:-26:-53.433757 216.207.226.3.domain > 216.206.239.133.65465: 18090* 2/0/0[|domain]
-3:-26:-45.794876 216.206.239.230.domain > 3.0.21.20.1046: 1478*- 1/0/0 (59)
-3:-25:-51.399881 216.206.239.230.domain > 3.0.21.20.1046: 1479 1/0/0 (59)
-3:-25:-50.393049 216.206.239.230.domain > 216.206.239.133.65466: 24224 NXDomain* 0/1/0 (138)


Who the heck is this 3.0.21.20 guy, and what is he doing on this network? This is some puzzling traffic.


-3:-22:-43.077715 216.206.239.230.domain > 3.0.21.18.passwrd-policy: 1 1/0/0 (59)


Another schmoe from this 3.0. network. Doing something with a password policy? Tcpdump may be confused. It's probably just making assumptions based on the /etc/services file.

Oh crap! I'm going to be late getting back for this damn evening class. I will have to try to get out on this network again Thursday when I come back here in Mohican country. Be on the lookout for the Big Mac Attack Part II!

Monday, December 01, 2003

thebroken is busted
I come in to work this morning, park Audrey on an empty desk and get my messenger going, then log into IRC. Then after some coffee I decide it's high time I check the threads on thebroken forums. I log in, I start looking at threads ... then I realize I am seeing day-old stuff. So I reset my browser (dump the cache, etc) and go to log back in ... but ... it's dead. I get some SQL error. Woops. Wonder what happened there?



With Kevin on vacation, it could be a week or so before this gets repaired. But oh well. It will give everyone some time off, namely me!

Last night I did it. I finished my resume. I went through my cover letter, dressed it up real nice. Then I began printing. This expensive 100 percent cotton paper I bought is crap. Half the sheets had some random cotton fibers stuck in them that were dark in color. But it did have the nice watermark on it, letting everyone know "I wasted money to print this". It's a sign of utter class. The envelope I put it into was also the nice 100 percent cotton kind. Now I wait. Please God, bring me a new job for Christmas.

Meanwhile back at the office I am laying out my schedule for the week. Today ... nothing. I can play all day (and I have). Tomorrow, I go to Mohican again. Out in the middle of nowhere. No Internet. No nothing. It's a forest. Wednesday I go to Applecreek OH. This town consists of about two long roads. At least they have Internet access. But still ... it's a drive. Thursday, back to Mohican. Love it. Friday I get to come back to the office and sit some more.

I dread this week. I could really go for some aspirin. I don't know why I even bothered to show up. It's silly that I have to come in here and sit at a desk all day so that I can get paid for showing up. Even more ridiculous that my hours of driving do not count as 'work time'. Again, get me out of here. If I get an unrecognised incoming call on my cell phone this week, I am dropping what I am doing to answer it. Operator, I need an exit.