punk.sh - recon

Mass Recon has been around for a little while with the advent of our own tool PunkSPIDER, Shodan, MassScan, ZScan etc. Today we're announcing the beta release of our new tool punk.sh. Let me tell you how it's different.

Mass recon at its massiest

Along with a much faster, better web app scanner (Ferret), we are running several hundred nmap NSE scans against our targets. Our target: the entire Internet. So far we have a few million domains, this will quickly be expanded to several billion in the near future. What scans are we running you ask? For web app scans, they are largely the same scans as in PunkSPIDER, that is:

  • bsqli (blind sql injection)
  • sqli (sql injection)
  • osci (OS command injection)
  • mxi (mail header injection)
  • traversal (path traversal)
  • xss (cross-site scripting)

However, this is old news, we were doing this in PunkSPIDER, and even though we're now doing it a lot faster it's not that exciting. What is exciting (we think) is the nmap scans we've added. It'd be difficult to list all of the nmap options and NSE scripts we've enabled and distributed to run across our cluster, but here is a snippet of the command we are using:

script_arg = "--script \"(safe or malware or discovery or external or version or vuln) and (not -traceroute and not traceroute- and not intrusive and not exploit and not dos)\"" sudo nmap -Pn -O -sC -T3 -sV ' + script_arg + ' -oX ' + nmap_output + ' --open --top-ports=100 -iL ' + nmap_input_host_list

so yeah, lots of stuff :). With that in mind, let's talk a little more about how you can use punk.sh.

Exploring punk.sh

We've tried to make punk.sh search much more powerful than other tools out there (including PunkSPIDER). To get started simply go here. You should see a screen like the following:

If you're just exploring and want to see some results, the left hand navigation pane is your best friend. If you're looking for a site or specific group of sites, use the search bar. For now let's assume you're exploring.

Clicking on each tab will expand it, let's see what happens when we click on the NSE tab:

Gah holy shit that's a lot of options! This is one of just a few reasons punk.sh is still in beta :), we are trying to make it easier to slice and dice the massive amounts of data in the system. Each entry under the NSE tab is a particular nmap NSE script that has been run against all targets. This is several hundred reconnaissance, vulnerability checks and general tomfoolery scripts against each target that we're providing back to you. We have taken precautions to ensure the checks we are running are safe and low-risk. Explore the NSE scripts we are running and find interesting results! Chances are you'll find something new everytime you play with punk.sh.

The other tabs allow you to explore our data in a variety of ways. In order, you can explore by:

  • Web vulnerabilities detected
  • Ports open on the machines
  • NSE script results
  • Services detected on the machine (e.g. specific versions and implementations of FTP, Telnet, SSH, etc.)
  • Products and product versions
  • Countries the domain is registered in

Searching punk.sh

punk.sh has what we call in the data science world: a fuckton of data. While exploring it is fun, we also want you to be able to find what you want. Let's take a look at the advanced search. Expand the advanced search tab and you should get a screen with a bunch of text boxes. Each of these boxes allows you to input a different facet for you to search over.

As an example search let's try to find boxes that are running Microsoft IIS httpd on port 80 and are vulnerable to the particularly nasty CVE 2015-1635 (this is checked for by an nmap NSE script). For your searching pleasure punk.sh autocompletes each box once you type a couple of numbers or letters in, allowing for easier search. Anyway, under port let's put 80, under product lets put Microsoft IIS httpd (you should see an autocomplete option for this once you've typed Microsoft I) and lets make the NSE script name http-vuln-cve2015-1635. So your search boxes will look like this:

and let's check out the first result. Expand its contents, click on the NSE tab for that record and scroll down until you find the relevant NSE script. You've now found a server (or rather a lot of servers) with this vulnerability. The search possibilities are endless.


I usually don't like to compare our stuff to other tools, but this is a good time to mention the "banner" NSE. This allows you to search through all of our banner grabs (we attempt to grab banners from 100 ports) for any types of devices you want, including IoT devices. We basically have made a Shodan on crack, and it's provided to you for free, no ads, no payment, no motherf***** recaptchas. And that's just one of several hundred checks we are doing. Side note: I love Shodan, but I also believe that free information should be readily available to researchers and other end users alike.


punk.sh is still in beta. A big reason for this is that the checks that we're running don't always have intuitive names and finding the data you want can be a bit tricky sometimes. We are working to improve that as we speak. For now know that using punk.sh is not for the feint of heart, it is currently best for security researchers and avid techies looking to explore the Internet and its endless sea of vulnerabilities. For those just dabbling https://punkspider.org is still up and may be a better place for you to start, though the data is getting a bit stale (scans are expensive - which now that I think about it is probably why Shodan isn't free... :)

A couple of things we suggest:

  • Spend some time getting to know the system, trust us, it's worth it. Spend some time with advanced search or just clicking around to see what we have in there.
  • Email us at support@hyperiongray.com or tweet at me on Twitter with any burning questions. I am @DotSlashPunk.

Use Responsibly

As always please use this system responsibly. If we find it misused we will take it down. We are serious about this.

Thanks all for reading.