Nmap Development mailing list archives
[Bug]? -iR <num_hosts> on windows XP generates duplicate targets
From: jah <jah () zadkiel plus com>
Date: Thu, 24 Apr 2008 01:15:36 +0100
Greets,

I'm having a hard time getting to the bottom of this one...

With nmap -n -sL -iR 500 I find there's an average (mean) of 143 duplicate targets generated (std. deviation approx. 5). nmap -n -sL -iR 1000 -> 348 mean duplicates (std. dev. approx. 11). Around num_hosts = 340 I might see 1 duplicate in 10 passes. Below 300 I haven't seen any. Above 400 is where the duplicates start to get significant.

This occurs on XP SP1, SP2 and SP3 with the official release of 4.60 as well as builds from svn. The SP1 machine I've used is a bare Windows installation with no software other than nmap (and nmap's winpcap). The SP2 machine has VS2005 and VC++ 2005 and 2008 Express Editions. The SP3 machine has VC++ 2005 Express Edition.

I spent some time stepping through the code in VC++ 2005EE to understand what happens with -iR and couldn't find any issue with the way bytebuf[2048] in nbase_rnd.c is filled with calls to rand() (in C:\Program Files\Microsoft Visual Studio 8\VC\crt\src\rand.c). I watched as bytebuf was refilled after 512 calls (2048/4 bytes requested in each call) to get_random_bytes() and verified that the random data was different each time.

I then realised that the issue doesn't occur in the DEBUG configuration - no duplicated IPs. This has to be significant, and I thought it might be due to the MS common runtime, but I'm really not sure given the various machines I've tried it on.

An interesting and perhaps telling observation is that in one particular instance, with 1000 targets, the order of targets generated was:

targets 1-359
followed by targets 360-717, which duplicate the first 358 exactly (same order)
and were followed by targets 718-1000, all unique

...so, two blocks of 358 duplicated targets separated by a single unique one and followed by 283 more unique ones. WTF?

Another observation was that out of a single use of bytebuf (512 IPs) 169 were discarded, leaving 343 non-reserved. This is roughly of the order of duplicates. Roughly.

I wasn't able to get any useful information using depends.exe profiling, with -n -sL -iR <num_hosts> arguments to nmap.

I'd be very interested to know if anyone else can reproduce the issue and any pointers to where I might look next.

Regards,
jah
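One way to quantify the two observations in the report above (the number of duplicate targets, and a block of targets replayed in the same order) is sketched below. This is an added example, not code from the original post or from the Nmap project; it assumes the list-scan output has been saved as text with the addresses appearing in generation order, and the function names and sample data are constructed for illustration.

```python
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_targets(text):
    """Return every IPv4 address in the saved output, in order of appearance."""
    return IPV4.findall(text)

def duplicate_count(targets):
    """Number of targets that repeat an address generated earlier."""
    return len(targets) - len(set(targets))

def longest_repeated_run(targets):
    """Find the longest block that reappears later in the same order.

    Returns (first_start, second_start, length), 0-indexed. A long run at a
    constant lag means the generator replayed its output rather than
    colliding by chance.
    """
    first_seen = {}
    best = (0, 0, 0)
    cur_lag, cur_len = None, 0
    for i, addr in enumerate(targets):
        j = first_seen.setdefault(addr, i)   # index of first occurrence
        lag = i - j
        if lag and lag == cur_lag:           # replay continues at the same offset
            cur_len += 1
        elif lag:                            # duplicate, but a new offset
            cur_lag, cur_len = lag, 1
        else:                                # never seen before: run is broken
            cur_lag, cur_len = None, 0
        if cur_len > best[2]:
            best = (j - cur_len + 1, i - cur_len + 1, cur_len)
    return best

# Constructed sample (documentation address ranges): a block of 5 targets,
# one unique target, the same block replayed, then 3 more unique targets.
BLOCK = [f"192.0.2.{n}" for n in range(1, 6)]
SAMPLE = "\n".join(BLOCK + ["198.51.100.1"] + BLOCK
                   + [f"203.0.113.{n}" for n in range(1, 4)])

if __name__ == "__main__":
    found = extract_targets(SAMPLE)
    first, second, length = longest_repeated_run(found)
    print(f"{len(found)} targets, {duplicate_count(found)} duplicates")
    print(f"longest replayed block: {length} targets, "
          f"positions {first + 1} and {second + 1}")
```

Duplicates that arrive as one long run at a fixed lag point to the random stream itself being replayed, whereas scattered single duplicates are what chance collisions look like.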