PunkSPIDER: An Open Source, Scalable Distributed Fuzzing Project Targeting the Entire Internet

Alejandro Caceres

Thu, 2nd May 2013


Questions and answers

Max, Concise Courses:
How is PunkSPIDER different to SHODAN? What is the main difference?

Alejandro Caceres:
Yeah, that’s a great question. We have been compared to SHODAN before so that’s why it is a good question. SHODAN itself, what it is doing is, it’s going out there and checking for open ports as well as grabbing banner information from those ports. What that means is that it is basically going down to the Operating System service level where you would be able to check for example what version of web server is being used or what version of FTP is being used on a machine. It doesn’t actually get to the application layer at all. For ‘web things’ it will tell you what version of web server is being used and some basic information on the web server, but it won’t tell you about the actual web site itself which is what we [PunkSPIDER] focus on.


Max, Concise Courses:
How would you like the PunkSPIDER project to develop? Perhaps becoming an ‘industry standard for pentesters?’

Alejandro Caceres:
The way that I would really like to see it develop is as a completely community-focused project. We do have some stuff that is useful for pentesters in that they might be able to find quick vulnerabilities on domains that they are pentesting, but really I think the main focus is on the community. What we would really like to do is develop as many tools as possible to make it very simple to get PunkSPIDER data. So, for example, the Google Plugin project that I mentioned, that is exactly the direction we are trying to go in. We want to give the user something with which they will be able to see if a site is vulnerable by doing the least amount of work possible. We think that if we make it just absolutely easy for everyone in the community, everybody will use it and everybody will be more informed on website security.


Max, Concise Courses:
You mentioned that PunkSPIDER respects a robots file, would an .htaccess file placed on a server block PunkSCAN?

Alejandro Caceres:
It will if you deny a particular ‘user-agent.’ We actually haven’t published much about this, but we don’t fudge our user agent at all. Basically we just keep it as ‘punkscan-1-3-0’. That is going to stay current even if we upgrade the version. It just makes it easier to manage. If anyone wants to block PunkSCAN then they absolutely can.


Max, Concise Courses:
At Concise Courses we have an interest in SCADA – can the program be tweaked to hit and scan known SCADA vulnerabilities?

Alejandro Caceres:
Not unless they have a web application as the interface, but no, it definitely doesn’t just concentrate on SCADA; that is actually more for SHODAN.


Max, Concise Courses:
There was a recent massive WordPress attack looking for admin default passwords and using brute force. Could PunkSPIDER have been used for that purpose – i.e. scanning for weak default passwords? The reason I ask is because it would help people firm up WordPress.

Alejandro Caceres:
That’s a great question. We currently don’t have that check in PunkSCAN, which is again what powers PunkSPIDER, and that is one of those that we purposely shied away from; even though that is one of the most devastating ones, right! Just the obvious ‘guess the default passwords, and get admin access’. But the reason we stay away from that is mostly because we want to avoid legal trouble; in that sense we could get into trouble by someone saying, ‘you’re getting unauthorized access to this site.’ We will probably stay away from that unless something pretty major changes in the law.


Max, Concise Courses:
Could you explain the PunkSPIDER scoring system?

Alejandro Caceres:
Sure, actually that is a new feature. The scoring system is actually really basic; there is no big secret to it. Blind SQL Injection and SQL Injection are given a vulnerability score of ‘2’ and cross site scripting is given a vulnerability score of ‘1’. So it’s very simple. What we like to tell users, and this is in our documentation, is that anything with a vulnerability score of ‘1’ be very wary of, be careful of using it. Anything with a vulnerability score of over ‘1’, absolutely stay away from it. That is the ‘rule of thumb’, and we will probably stick to that as we add extra vulnerabilities that PunkSPIDER can scan for.


Max, Concise Courses:
Are you aware of any companies that are using PunkSPIDER or using it to generate business?

Alejandro Caceres:
We don’t know of any. If anybody is, then we are fine with that. Our licensing scheme for PunkSCAN, which is the engine that powers PunkSPIDER, is completely open source – we are under the Apache license, so if anybody does want to use it for commercial purposes we do allow that. If they want to use our data using our API instance, that is fine with us; ‘the more the merrier,’ we are just trying to help!


Max, Concise Courses:
There are going to be many people watching this that are going to be like: A, what you are doing, and B, loving your energy, because you clearly love what you are doing, which is amazing, and will be inspired by what you – the question is, how did you get together with your team? How did this all happen, what was the process, and is there any advice that you can share with your peers, in essence, that want to develop something themselves and put a team together as well?

Alejandro Caceres:
Really, how this project started was just in my ‘off-time.’ I really wanted to do this and I enjoy learning new technologies. It originally just started with ‘just me’, and eventually I found that I wasn’t really sleeping enough and was working overnight, and I really wanted to get the next feature done, and I went out to freelancer.com to find a freelancer that might be able to help me out, and I got extremely lucky! I found a guy who is an incredible developer in Argentina and didn’t just want to charge me a bunch of money to get something done; instead he was absolutely, totally into it. He ended up being one of the best developers I have ever worked with. It was just basically me and him coding and doing it during our ‘off-time’. So in terms of advice: be really into what you are doing. It’s easy to get into the cycle of, ‘I’d really like to create a tool and for it to be popular and attention for a particular reason, and maybe I want to get my company out there,’ but maybe the best advice is do something that excites you to the point where you don’t even want to sleep properly at night!