Re: [Bug]? -iR <num_hosts> on windows XP generates duplicate targets

[jah <jah () zadkiel plus com>]

On 24/04/2008 04:56, Fyodor wrote:
> It may be OK that windows RAND_MAX is 32K (15 bits), because we only
> use 16 bits per call anyway:
>
>   for(i=0; i < sizeof(bytebuf) / sizeof(short); i++) {
>       iptr = (short *) ((char *)bytebuf + i * sizeof(short));
>       *iptr = rand();
>       }
>
> Maybe we should only be doing one byte at a time, since the high bit
> of every 2nd byte we generate may always be zero on Windows.  Anyone
> want to test this and make a patch?  The patch could check RAND_MAX
> and use that to decide the number of bytes to user per call.
It certainly is the case that the second byte returned by a call to
rand() never has a value of more than 127!!  Quite shocking.
I've made an attempt at the change you suggested Fyodor and attached the
patch.
Here's some test results with the patch applied:

$ for i in 100 200 400 600 800 1200 1600 3200 6400 10000 100000 500000 ; do
COUNT=`nmap -n -sL -iR $i | egrep '^Host' | sort -u |wc -l`; echo $i
$COUNT; done
100 100
200 200
400 400
600 600
800 800
1200 1200
1600 1600
3200 3199
6400 6400
10000 9999
100000 99901
500000 495727

One thought that occurred to me is whether it might be a more economical
use of our random numbers if, instead of throwing away 4 bytes each time
a reserved IP address is generated, we drop the first byte, shift the
remaining three along and fetch a single byte to complete a new IP
address.  I'm not sure whether this would have any positive or negative
effects on either the randomness or in performance.  It might be worth
looking into though?

Regards,

jah

--- nbase_rnd.c.orig    Mon Mar  3 15:21:50 2008
+++ nbase_rnd.c Thu Apr 24 23:15:11 2008
@@ -103,6 +103,7 @@
 #include "nbase.h"
 #include <string.h>
 #include <stdio.h>
+#include <stdlib.h>
 #if HAVE_SYS_TIME_H
 #include <sys/time.h>
 #endif
@@ -117,6 +118,7 @@
   FILE *fp = NULL;
   unsigned int i;
   short *iptr;
+  short step;
   
   if (numbytes < 0 || numbytes > 0xFFFF) return -1;
   
@@ -142,12 +144,14 @@
        gettimeofday(&tv, NULL);
        srand((tv.tv_sec ^ tv.tv_usec) ^ getpid());
       }
-      
-      for(i=0; i < sizeof(bytebuf) / sizeof(short); i++) {
-       iptr = (short *) ((char *)bytebuf + i * sizeof(short));
+      if (RAND_MAX >= 0xFFFF) {
+        step = sizeof(short);
+      } else step = 1;
+      for(i=0; i < sizeof(bytebuf) / step; i++) {
+       iptr = (short *) ((char *)bytebuf + i * step);
        *iptr = rand();
       }
-      bytesleft = (sizeof(bytebuf) / sizeof(short)) * sizeof(short);
+      bytesleft = (sizeof(bytebuf) / step) * step;
       /*    ^^^^^^^^^^^^^^^not as meaningless as it looks  */
     } else fclose(fp);
   }


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org