Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [Bug]? -iR <num_hosts> on windows XP generates duplicate targets
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 24 Apr 2008 01:54:45 +0000

Hash: SHA1

I have located the error.

main.cc calls srand() properly but later code calls it again.

To generate a random IP address a random u32 is generated
(get_random_u32()) which in turn gets the random bytes via a call to
get_random_bytes() in nbase/nbase_rng.cc.

get_random_bytes attempts to use one of /dev/{a,u,}random to get the
bytes and if opening those fail, falls back onto rand().

The issue is that when the fallback is used, srand() is always re-called
like so:

        /* Seed our random generator */
        gettimeofday(&tv, NULL);
        srand((tv.tv_sec ^ tv.tv_usec) ^ getpid());

The problem here is that the rng is being seeded with time every time it
is called.  Time is pretty biased and will generate a collision which
will create a cycle in the prng (calls to rand()).

The solution to this is to drop the re-seeding code starting at line
184 of nbase/nbase_rng.cc (it is redundant and done in main.cc).

This issue only shows up on OSes that do not offer randomness
from /dev/...


On Wed, 23 Apr 2008 18:14:53 -0700
Fyodor <fyodor () insecure org> wrote:

On Thu, Apr 24, 2008 at 01:15:36AM +0100, jah wrote:

With nmap -n -sL -iR 500 I find there's an average (mean) of 143
duplicate targets generated (std. deviation approx 5).

Wow, I can reproduce the same thing on Windows.  I used this command
under cygwin to count the number of uniq IPs for a given -iR size:

nmap -n -sL -iR NNN | egrep '^Host ' | sort | uniq | wc

Wher 'NNN' is replaced with the number of hosts to try.  Here are the

100 -> 100
200 -> 200
300 -> 300
400 -> 348
500 -> 359
600 -> 352
700 -> 356
800 -> 430
900 -> 528
1000 -> 646

So these are about the same results as you saw.  This is Windows XP
SP2 running on VMWare using our stock 4.60 binary.  I tried the same
command on Linux and much more expected and proper numbers:

1000 -> 1000
10000 -> 10000
100000 -> 100000
500000 -> 499958

Something is broken or poorly implemented in either Windows' rand() or
the way Nmap is using it.

I'd be very interested to know if anyone else can reproduce the
issue and any pointers to where I might look next.

I'm not sure, but please let us know if you figure this out.


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
Version: GnuPG v2.0.7 (GNU/Linux)


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]