If you follow me on Twitter you know that I've been raving about our new tool punk.sh, a continuation of our punkSPIDER project. Internally I call it "Shodan on crack" as we are collecting far more data than Shodan and our tool is 100% entirely free. Its only downside is that it's in 1.0 whereas Shodan is on like 10.0 or whatever. Anyway, here is how to get the most out of your punk.sh experience.
What punk.sh is
punk.sh is a search engine for internet-scale vulnerability scans. We're currently scanning 100+ ports, using 150+ nmap NSE scans for a variety of things. We're also collecting banners from all 100+ ports in comparison to Shodan that only grabs banners from a handful of ports. If that wasn't enough any domain with ports 80 or 443 (web) ports open we are conducting web application crawls and scans. Vulnerability scans are performed using our custom-built web app scanner called Ferret (we will open source this soon). It is meant to find obvious and simple injection vulnerabilities.
All of that said, some get confused when first landing on punk.sh. They think they type a domain in and it gets scanned. That's not how it works. We are scanning what we want to scan on the back-end and streaming the results to you in real-time (or near real-time). What we have is a search engine not an on-demand scanner. We may add on-demand scanning upon popular request, so make sure to hit me up at @_hyp3ri0n on Twitter if this is something you'd like to see.
What we have scanned
Currently in the queue is a scan of all CommonCrawl domains. If you're not familiar with CommonCrawl, they're a super sweet crawler project that crawls the entire Internet and makes the data publicly available.
Currently we have scanned all of Turkey's TLDs (I know that sounds random, we picked it because it was a reasonable space we could scan in a fair amount of time - a great test) and whatever has been finished of the CommonCrawl corpus. This is billions of domains, so be patient. In other words, on an Internet scale we don't have a TON of data just yet, but just wait, our scanner is fast and new data is coming in every day for you to search.
How to use punk.sh
There are two ways to use punk.sh. First, if you are looking to see if we've scanned a particular domain, type it into the nifty little search bar
Chances are we have not scanned the domain yet (again working on it) and you'll get something like:
That's OK, we'll have scanned it at a later date, so keep checking in.
We may at some point implement a queue for users to add their own sites, but for legal reasons we're not sure about that one yet...
So if we haven't scanned the domain you want wtf are you supposed to do with the tool? Well let me tell you budding punk.sh'ers. The left hand side sports a nifty faceted search. Let's see how to use it. From the base screen of punk.sh you can expand the Advanced Search by clicking the little arrow next to it, let's do that:
Now we have advanced search ready to go, but we're not just going to type stuff in there. It's important to learn the kind of stuff we can type to find fun things of interest. Therefore, a good learning experience is to use the faceted search on the left hand side. Let's find some servers with open FTP ports:
This gives a list of servers scanned that have open telnet ports. Results should now be populated. Let's take a look at one of these daft things:
Notice the open ports have been enumerated and the banners have been grabbed. The appropriate search result has been automatically populated into the advanced search field, guiding you on how to find this or other similar results in a similar fashion.
Also note that all of the fields have autocomplete on them to guide you on your way. Let's find open MS SQL servers! Simply go to the
NSE(*) Name field in the advanced search and type "ms" (without quotes), you'll see it populate with all of the NSE scripts that we have scanned with. Let's go ahead and choose ms-sql-info
You'll see a bunch of results populate with MS SQL open ports. Browse at your leisure or further filter it with the
NSE Value field. Note the
products field works in exactly the same fashion.
I won't go through every example, but this is the basic process for which to find cool stuff on punk.sh
Why yes I'm glad you asked! One of the unique things about punk.sh is that we take mass scanning a bit further and actually report on vulnerabilities found. This is apparent mostly in the "Web" results where we are running our custom scanner called Ferret (open source soon, just putting finishing touches on it). Let's check those out:
All I've done is type the word sqli into the Web field (again this field has autocomplete). Valid values for this field are: xss, sqli, xpathi (xpath injection), trav (directory traversal), bsqli (blind SQL), osci (OS command injection). Expanding a domain using the little arrow then navigating to the Web tab shows you these results:
So this website is reasonably fucked from a web security perspective.
Hopefully this was a helpful primer to using punk.sh, there are many many more features and ways to slice and dice the data. Play around, see what works and what doesn't and complain to me @_hyp3ri0n for anything that isn't clear or isn't functional. We'll be writing full documentation approximately whenever we get to it. Thanks for reading and enjoy punk.sh!