Hummingbird Asynchronous Scanning Engine
Page last updated: Thu Aug 11 15:25:47 PDT 2005
thehandofgod:~/Projects/hummingbird% ./hummingbird -v
Hummingbird asynchronous scanning engine version 1.8 (Mike Schiffman )
libraries used:
libnet version 1.1.3-RC-01
libpcap version 0.8.3
libxml2 version 2.6.19
modules loaded:
dns_chaos version 1.0
tcp_port version 1.1
icmp_echo version 1.0
arp_whohas version 1.0
[rounder:mike/Projects/hummingbird] root# ./hummingbird -ien1 -stcp_port test_server_list.txt
Hummingbird asynchronous scanning engine
loading tcp_port scan module
parsed configuration file
listener initialized, output file will be written to hb.8250
injector initialized
listener thread spun
injector thread spun
injector: [00053]
injector: completed, waiting 2 seconds for responses
all clear
[rounder:mike/Projects/hummingbird] root# tail -10 hb.8250
----------------------------------------------
running time: 2 seconds
----------------------------------------------
ports open: 21
ports closed: 7
----------------------------------------------
total probes sent: 53
total responses received: 28 (52.83% of probes sent)
total timeouts or drops: 25 (47.17% of probes sent)
----------------------------------------------
Hummingbird is a module-based asynchronous scanning engine. It is a generic
platform useful for scanning large sets of target devices in very short periods
of time. So we can get better acquainted, let's qualify some of those terms:
- Scan: to construct and send packets or frames across a network and decode and
record the responses (or lack thereof)
- Large sets: Targets on the order of several hundred to several hundred thousand
devices
- Target devices: IPv4, IPv6 or Ethernet devices
- Short periods of time: Packet injection and capturing are split into different
threads of execution, enabling completely asynchronous execution (the above
example took two seconds to scan 53 hosts because hummingbird had to wait for
the responses before exiting -- if it didn't wait, the program would send its
packets and exit long before all of the responses had a chance to
trickle in. Trust me, this scales much better for large target sets)
Main Logic Flow
Hummingbird consists of two main components, an injector and a listener. The
program starts in the main driver which operates according to the following
basic logic:
- Process command line and configuration file options
- Determine scanning module to be loaded
- Create and initialize listener control context
- Create and initialize injector control context
- Spin listener thread
- Spin injector thread
- Wait for injector to complete
- Terminate listener
- Report results to user
- Exit
Scanning Modules
A scanning module is comprised of eight functions:
- The configuration file parsing function
Parses the relevant section in the configuration file to process and load
options into either the listener or injector contexts. This has to be
module specific since each module can have different user-defined data
sections with different options.
- The listener user-defined data creation function
- The injector user-defined data creation function
- The listener user-defined data initialization function
- The injector user-defined data initialization function
Create and initialize the user-defined data structures. For any given scanner, there
will be some information that needs to be specific to the scan, either
statistical results that the listener will need to track, or monotonically
incrementing variables that the injector will need to update. This
information is initialized here. The pcap filter, which is dependent on the
scan type, is stored here as well.
- The builder function
Builds the packet or frames. It is called on every iteration by the
injector.
- The decoder function
Decodes the responses from the listener.
- The logfile reporting function
Reads the results of the statistics from both contexts and appends this
information to the end of the logfile.
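The main logic flow and the builder and decoder roles described above, as an added C example that is not Hummingbird's own code: an injector thread and a listener thread run independently, and the driver waits a grace period before terminating the listener. Assumptions: a pipe stands in for the network (no libnet or libpcap), every third target is silent, and all names (hb_stats, inj_ctx, lis_ctx, tcp_build, tcp_decode, run_scan) are hypothetical.

```c
#include <poll.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <unistd.h>
struct hb_stats { int sent, n_open, n_closed; };   /* all names here are hypothetical */
struct inj_ctx { int (*build)(int); int fd, n, sent; };
struct lis_ctx { void (*decode)(int, struct lis_ctx *); int fd, n_open, n_closed; atomic_int stop; };
static int tcp_build(int target) { return target; }   /* constructed probe: the target index */
static void tcp_decode(int r, struct lis_ctx *l) { if (r % 2) l->n_closed++; else l->n_open++; }
static void *injector(void *p) {
    struct inj_ctx *c = p;
    for (int t = 0; t < c->n; t++, c->sent++) {
        int probe = c->build(t);                 /* builder: called on every iteration */
        /* Simulated network (assumption): every third target stays silent. */
        if (t % 3 != 0 && write(c->fd, &probe, sizeof probe) < 0) break;
    }
    return NULL;
}

static void *listener(void *p) {
    struct lis_ctx *c = p;
    struct pollfd pfd = { .fd = c->fd, .events = POLLIN };
    for (int resp;;) {
        if (poll(&pfd, 1, 20) > 0) {             /* a response is waiting */
            if (read(c->fd, &resp, sizeof resp) != sizeof resp) break;
            c->decode(resp, c);                  /* decoder: listener side */
        } else if (atomic_load(&c->stop)) break; /* idle and told to terminate */
    }
    return NULL;
}

struct hb_stats run_scan(int ntargets, int grace_ms) {   /* the main logic flow */
    int fds[2]; pthread_t lt, it;
    if (pipe(fds) != 0) return (struct hb_stats){ -1, 0, 0 };
    struct lis_ctx l = { tcp_decode, fds[0], 0, 0, 0 };      /* listener context */
    struct inj_ctx i = { tcp_build, fds[1], ntargets, 0 };   /* injector context */
    if (pthread_create(&lt, NULL, listener, &l) == 0) {      /* listener spun first */
        if (pthread_create(&it, NULL, injector, &i) == 0) pthread_join(it, NULL);
        poll(NULL, 0, grace_ms);                 /* grace period for late responses */
        atomic_store(&l.stop, 1);                /* terminate listener */
        pthread_join(lt, NULL);
    }
    close(fds[0]); close(fds[1]);
    return (struct hb_stats){ i.sent, l.n_open, l.n_closed };
}
int main(void) {
    struct hb_stats s = run_scan(53, 100);
    return printf("sent %d open %d closed %d\n", s.sent, s.n_open, s.n_closed) < 0;
}
```

The listener exits only when it is both idle and told to stop, so responses already queued when the grace period ends are still counted. On older toolchains, build with cc -pthread.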
Built on top of libnet (use libnet-1.1.3-RC-01.tar.gz or newer), libpcap and libxml2.
Download
Not yet.