Hummingbird Asychronous Scanning Engine

Page last updated: Thu Aug 11 15:25:47 PDT 2005

thehandofgod:~/Projects/hummingbird% ./hummingbird -v
Hummingbird asynchronous scanning engine version 1.8 (Mike Schiffman )
libraries used:
libnet version 1.1.3-RC-01
libpcap version 0.8.3
libxml2 version 2.6.19
modules loaded:
dns_chaos version 1.0
tcp_port version 1.1
icmp_echo version 1.0
arp_whohas version 1.0
[rounder:mike/Projects/hummingbird] root# ./hummingbird -ien1 -stcp_port test_server_list.txt 
Hummingbird asynchronous scanning engine
loading tcp_port scan module
parsed configuration file
listener initialized, output file will be written to hb.8250
injector initialized
listener thread spun
injector thread spun
injector: [00053]
injector: completed, waiting 2 seconds for responses
all clear
[rounder:mike/Projects/hummingbird] root# tail -10 hb.8250
running time:                        2 seconds
ports open:                                 21
ports closed:                                7
total probes sent:                          53
total responses received:                   28 (52.83% of probes sent)
total timeouts or drops:                    25 (47.17% of probes sent)

Hummingbird is a module-based asynchronous scanning engine. It is a generic platform useful for scanning large sets of target devices in very short periods of time. So we can get better acquainted, let's qualify some of those terms:

Main Logic Flow

Hummingbird consists of two main components, an injector and a listener. The program starts in the main driver which operates according to the following basic logic:

  1. Proccess command line and configuration file options
  2. Determine scanning module to be loaded
  3. Create and initialize listener control context
  4. Create and initialize injector control context
  5. Spin listener thread
  6. Spin injector thread
  7. Wait for injector to complete
  8. Terminate listener
  9. Report results to user
  10. Exit

Scanning Modules

A scanning module is comprised of eight functions:

  1. The configuration file parsing function
  2. Parses the relevant section in the configuration file to process and load options into either the listener or injector contexts. This has to be module specific since each module can have different user-defined data sections with different options.
  3. The listener user-defined data creation function
  4. The injector user-defined data creation function
  5. The listener user-defined data initialization function
  6. The injector user-defined data initialization function
  7. Create and Initialize the user-defined data structures. For any given scanner, there will some information that needs to be specific to the scan, either statistical results that the listener will need to track, or monotonicly incrementing variables that the injector will need to update. This information is initialized here. The pcap filter, which is dependent on the scan type is stored here as well.
  8. The builder function
  9. Builds the packet or frames. Is called through every iteration by the injector.
  10. The decoder function
  11. Decodes the responses from the listener.
  12. The logfile reporting function
  13. Reads the results of the statistics from both contexts and appends this information to the end of the logfile.

Built on top of libnet (use libnet-1.1.3-RC-01.tar.gz or newer) and libpcap and libxml2.


Not yet.

Back to Projects