Rand brute - ONsec-Lab/Rand-attacks GitHub Wiki
What is this?
The script rand-brute.php is a PoC tool for brute-forcing the PHP seed used by the mt_rand() function.
It is useful for recovering an entire string generated by consecutive mt_rand() calls when only its first bytes are known.
You can generate random test strings by calling randString(strlen).
Then put the first 5 bytes of your string (5 bytes or longer) in the $str variable (line 7) and try to recover the remaining bytes.
Example
- randString(16) returns "sKH2nNHa3cSGxPEA"
- set $str="sKH2nNHa"; on line 7 of the code and try to determine the remaining bytes ("3cSGxPEA")
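Why a known prefix is enough, and what to generate tokens with instead, shown as an added example that is not code from rand-brute.php. The alphabet, the buildString() helper and the seed value are assumptions made for illustration (the tool's own randString() may use a different character set); random_int() requires PHP 7 or later.

```php
<?php
// Added illustration; not part of rand-brute.php. ALPHABET and buildString()
// are assumptions, the tool's own randString() may use a different charset.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Build a string by calling $nextInt(min, max) once per character.
function buildString(callable $nextInt, int $len): string
{
    $out = '';
    $max = strlen(ALPHABET) - 1;
    for ($i = 0; $i < $len; $i++) {
        $out .= substr(ALPHABET, $nextInt(0, $max), 1);
    }
    return $out;
}

$seed = 123456789; // constructed sample seed

// 1. One 16-character token drawn from a seeded mt_rand() stream.
mt_srand($seed);
$token = buildString('mt_rand', 16);

// 2. Re-seed with the same value and draw the token in two halves.
mt_srand($seed);
$prefix = buildString('mt_rand', 8);
$rest   = buildString('mt_rand', 8);

// The halves reproduce the token: the seed fixes every later character, so
// the 32-bit seed is the only secret behind the unseen part of the string.
echo "mt_rand token : $token\n";
echo "replayed      : $prefix$rest\n";
echo "identical     : ", var_export($token === $prefix . $rest, true), "\n";

// 3. Mitigation: random_int() draws from the OS CSPRNG and ignores mt_srand(),
//    so re-seeding does not make its output repeat.
mt_srand($seed);
$a = buildString('random_int', 16);
mt_srand($seed);
$b = buildString('random_int', 16);
echo "random_int    : $a / $b\n";
```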
Run tool
First, determine how many processes are optimal for your system.
To do that, run cat /proc/cpuinfo
and count the CPU entries (e.g. 4 for an i7 in a 2012 MacBook Air).
Then run one brute worker per cpuinfo entry:
php -f rand-brute.php 1 4 &
php -f rand-brute.php 2 4 &
php -f rand-brute.php 3 4 &
php -f rand-brute.php 4 4 &
- First argument is process number (from 1 to N)
- Second argument is total count of processes (N)