It all started with a closet full of old computers. They looked like the laptop version of the zombie apocalypse. We had this crazy notion to vulnerability scan the entire freaking Internet and publish the results for free -- because that's the sort of thing we think up on a Tuesday -- and we came up with the novel approach of using a distributed computing framework to do it. That zombie horde of laptops was our first Hadoop cluster, and that crazy idea went on to become our first open source project, PunkSPIDER.
Hyperion Gray is a small research and development company focused on web security, software development and distributed computing. Full disclosure: We're slightly off. We color outside the lines and put the square peg in the round hole. We like to come up with ideas and solutions that push the boundaries of the web security status quo, because, if you haven't noticed, the status quo isn't going so well, and we'd like to make it better. We don't have to try to be different, it's just how our minds operate. We see the box and we instinctively want to kick and punch our way out of it. Work with us and you'll see. :)
PunkSPIDER is our flagship open source project, so it holds a special place in our dark little hearts. It's a distributed web application vulnerability scanner and search engine unleashed on the entire Internet. It checks sites for basic vulnerabilities and provides the results to the public for free. The concept is simple: a user can go to the PunkSPIDER website and search for any URL to see if it has any basic vulnerabilities (currently our scanner checks for SQL injection, blind SQL injection, cross-site scripting (XSS), path traversal, mail header injection, operating system command injection, and XPath injection). This can be the user's own website or one they use in their day-to-day lives. Either way, they can find out in a few seconds whether the scanner turned up any of those issues on the site and make an informed decision about whether to trust it with their information. This is something that most Internet users aren't empowered to do, but we think they should be.
So how does it work exactly? We'll tell you! PunkSPIDER 2.0 uses a custom-written crawler (version 1.0 used Apache Nutch) to crawl for sites and then indexes them into Solr, where they are queued up to be scanned (aka "fuzzed") for vulnerabilities. Not altogether complicated, but there's a twist! (::gasp::) Every part of this process is distributed across a Hadoop cluster, which lets it crawl and fuzz far more sites than a single machine running a conventional crawler and fuzzer ever could. (Quick shout out to Apache and the Hadoop community for their awesome projects.)
PunkSCAN, which is what we call the fuzzer piece of it, is able to detect vulnerabilities far faster than a conventional single-host scanner because we're spreading the work across a Hadoop cluster in a whole new way. We've scanned several million hosts so far and are working on a version 3 that's going to make Formula 1 look like a street parade.
The PunkSPIDER project was first unveiled at ShmooCon 2013 and received as much positive acclaim from the community as it created controversy. Most people loved it, and we were even successfully crowd-funded on Kickstarter, but some people freaked out a little bit. Sure, at first it's scary to think that we're publishing all this vulnerability information and making it publicly available. But what's scarier than that is the fact that the Internet's Dark Side already knows which sites are weak, while the average users of the web don't. We believe in what we're trying to do here, which is to empower the average Internet user to make informed decisions about which sites they visit, and to encourage web developers to treat security like a commitment to the users of their sites, a hallmark of good design just like any other. And based on the ever-growing volume of traffic to PunkSPIDER, we like to think we're getting somewhere.
So PunkSPIDER itself is pretty easy to use -- it's sufficiently Google-esque and is pretty intuitive -- but we have to admit that it's more geared toward the security community and security researchers. We wanted something that anyone with a browser could use, so we created a Chrome extension and a Firefox add-on that harness the full power of PunkSPIDER seamlessly as you browse. The plugins, which are FREE, automatically query PunkSPIDER's database to see if the site you are currently visiting has any of the seven vulnerability classes we check for. The plugins are designed to be low-profile, with a small spider icon in the top right of your browser bar. If PunkSPIDER has found any vulnerabilities on the site, the spider icon will show a red X to warn you.
If you see a red X, you should proceed cautiously on this site. Avoid giving any personal information to this site and, if you must create an account, don't re-use usernames or passwords from other accounts. If the site you are currently visiting has been checked for vulnerabilities and came up clean, the icon will show a green check mark. Keep in mind that a green check means none of our seven checks fired on the pages we scanned, not that the site is free of every possible flaw. If PunkSPIDER hasn't yet gotten any information on the site you are currently visiting, the spider will show neither a red X nor a green check mark. At any time you can click on the spider icon for additional information.
PunkSCAN is a massively scalable automated web application vulnerability scanner, or fuzzer, and it's the engine behind our PunkSPIDER project. Like pretty much everything we do, it runs over a Hadoop cluster and is able to find vulnerabilities in thousands of sites per day. What's unique about PunkSCAN is that it scales horizontally: the speed at which it conducts web app scans grows as machines are added to the Hadoop cluster. The more machines you add, the more sites you can scan per day.
Unlike most other web app fuzzers, PunkSCAN is built for speed, stability, and massive scans. With a single PunkSCAN instance it is possible to scan thousands of sites per day and to keep the vulnerability data up-to-date without any user intervention. We index the results to two Solr instances, which makes them easily searchable on the PunkSPIDER front-end.
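To make the "crawl, queue, fuzz" pipeline from the "how does it work" paragraph and these two PunkSCAN paragraphs concrete, here is an added example written for this page; it is not PunkSCAN or PunkSPIDER code. It is a fuzzing mapper in the Hadoop-streaming shape: one queued URL per input line, one tab-separated finding per output line, so the same script can be run locally from a pipe or handed to a cluster as the `-mapper`. It probes every query parameter for three of the seven classes the page lists (reflected XSS, error-based SQL injection and path traversal). The payloads, the database error strings, the example URLs and the `fake_fetch` stand-in for HTTP are all our assumptions, constructed so the example runs offline.

```python
"""Added illustration of a Hadoop-streaming style fuzzing mapper.
Not PunkSCAN source: payloads, error strings and the fake transport are
assumptions made for this example."""
import sys
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# One probe per vulnerability class: (payload, predicate over response body).
#  xss : a unique marker; if it comes back unescaped the parameter reflects.
#  sqli: a lone quote; we look for a database error leaking into the page.
#  trav: a relative path; we look for the first line of /etc/passwd.
PROBES = {
    "xss": ("pspdr<\"'>zz", lambda body: "pspdr<\"'>zz" in body),
    "sqli": ("'", lambda body: any(err in body.lower() for err in (
        "you have an error in your sql syntax",
        "unclosed quotation mark",
        "pg_query(): query failed",
        "ora-01756"))),
    "trav": ("../../../../etc/passwd", lambda body: "root:x:0:0:" in body),
}


def inject(url, param, payload):
    """Return url with the value of query parameter `param` replaced by payload."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs = [(k, payload if k == param else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def fuzz_url(url, fetch):
    """Probe each query parameter of url with each payload.
    fetch(url) -> response body is the transport.  Returns [(url, param, class)]."""
    params = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    findings = []
    for param in params:
        for vuln, (payload, matches) in PROBES.items():
            body = fetch(inject(url, param, payload))
            if matches(body):
                findings.append((url, param, vuln))
    return findings


def fake_fetch(url):
    """Constructed stand-in for an HTTP GET against a deliberately weak site:
    `id` is concatenated into SQL, `file` is opened unchecked, `q` is echoed raw."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if "'" in q.get("id", ""):
        return "Warning: You have an error in your SQL syntax near ''' at line 1"
    if "../" in q.get("file", ""):
        return "root:x:0:0:root:/root:/bin/bash\n"
    return "<h1>Search results for: %s</h1>" % q.get("q", "")


def main(stdin=sys.stdin, stdout=sys.stdout, fetch=fake_fetch):
    """Streaming mapper: read URLs, write 'url<TAB>param<TAB>class' per finding."""
    for line in stdin:
        url = line.strip()
        if not url:
            continue
        for found_url, param, vuln in fuzz_url(url, fetch):
            stdout.write("%s\t%s\t%s\n" % (found_url, param, vuln))


if __name__ == "__main__":
    main()
```

Locally, `printf 'http://example.test/search?q=shoes\n' | python3 fuzz_mapper.py` (file name assumed) prints one TSV line; under Hadoop streaming the same file is the `-mapper`, and the reducer only has to push the findings into Solr. Each probe is a fresh request per parameter, so a single URL costs parameters times payloads requests; that per-URL work is what the cluster spreads across nodes, which is why adding machines adds sites per day rather than making any one site scan faster.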
PunkCRACK is our open source MapReduce-based distributed password cracker that runs on a Hadoop cluster, and Mr. Injector is a distributed version of everyone’s favorite automated SQLi tool, SQLMap, that also runs on a Hadoop cluster (sensing a theme here?). We built these as proof-of-concepts for our DEF CON 21 talk on conducting massive attacks with distributed computing.
There are a few great services out there for cracking passwords, but we hadn't really come across an open source tool that provides the ability to (easily) set up a cluster from commodity hardware that leverages the power of distributed computing specifically for cracking. This means you either have to pay for one of the myriad password cracking services or crack passwords like they used to do in the stone age - with a single computer and lots of hours.
So, as we tend to do, we figured we'd try to apply a home-grown distributed computing solution to password cracking, and while we were at it we figured we may as well write Mr. Injector because why not?? Crazy thing -- they actually worked pretty well! At least for PoCs. Now, if you have a bunch of old computers lying around, or have some spare cash to spend on an Amazon EMR cluster, you can spin up your own Mr. Injector and PunkCRACK instances! (Or you could, you know, donate that spare cash to us. Just saying.) You can find the code on BitBucket for PunkCRACK here and for Mr. Injector here. Just remember that these are still in alpha, and we don't have any instructions written up for them, so they're more of a learning tool at this point. That being said, you can still have fun with them -- we do!
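Since the PunkCRACK code comes without instructions, here is an added example, written for this page and not taken from PunkCRACK, of the MapReduce shape a distributed dictionary attack takes. The wordlist is the job input and gets split across mappers; the (small) set of target hashes is broadcast to every mapper; each mapper hashes its slice and emits (hash, plaintext) only on a hit; the reducer merges. It assumes unsalted, hex-encoded SHA-256 digests, uses a constructed toy wordlist and target set, and stands a local process pool in for the Hadoop cluster so it runs on one machine.

```python
"""Added example of a MapReduce-style dictionary attack.  Not PunkCRACK source.
Assumptions: unsalted SHA-256 hex digests, a constructed wordlist, and a local
process pool in place of the Hadoop cluster."""
import hashlib
from concurrent.futures import ProcessPoolExecutor

ALGORITHM = "sha256"  # assumed: how the (hypothetical) target system hashed passwords


def digest(candidate):
    """Hash one candidate the way the assumed target system did."""
    return hashlib.new(ALGORITHM, candidate.encode("utf-8")).hexdigest()


def split_even(seq, n):
    """Partition seq into n near-equal slices: the job's input splits."""
    k, r = divmod(len(seq), n)
    slices, start = [], 0
    for i in range(n):
        end = start + k + (1 if i < r else 0)
        slices.append(seq[start:end])
        start = end
    return slices


def map_slice(job):
    """Mapper: (wordlist slice, frozenset of target digests) -> [(digest, word)].
    One hash per candidate plus an O(1) set lookup.  Misses emit nothing, so
    shuffle traffic scales with hits, not with wordlist size."""
    words, targets = job
    hits = []
    for word in words:
        h = digest(word)
        if h in targets:
            hits.append((h, word))
    return hits


def reduce_hits(mapper_outputs):
    """Reducer: merge emissions from every mapper; first plaintext per digest wins."""
    cracked = {}
    for hits in mapper_outputs:
        for h, word in hits:
            cracked.setdefault(h, word)
    return cracked


def crack(wordlist, target_digests, workers=4, run_mappers=None):
    """Driver: split the input, run the mappers, reduce.
    run_mappers(func, jobs) is the execution backend; None selects a local
    process pool, which stands in for the cluster here."""
    targets = frozenset(target_digests)
    jobs = [(s, targets) for s in split_even(list(wordlist), workers)]
    if run_mappers is None:
        with ProcessPoolExecutor(max_workers=workers) as pool:
            outputs = list(pool.map(map_slice, jobs))
    else:
        outputs = list(run_mappers(map_slice, jobs))
    return reduce_hits(outputs)


# Constructed sample input: a toy wordlist and three targets, one of which
# is not in the list and therefore stays uncracked.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "dragon",
            "123456", "monkey", "correct horse battery staple"]
TARGETS = [digest("hunter2"), digest("123456"), digest("not-in-the-list")]

if __name__ == "__main__":
    for h, word in crack(WORDLIST, TARGETS, workers=3).items():
        print("%s  %s" % (h, word))
```

Broadcasting the target set works while it is small; with millions of targets you would partition the targets by hash prefix instead and send each mapper only its shard. The example also shows why salting matters: with a per-user salt every candidate must be hashed once per salt, so the mapper's work multiplies by the number of targets, and the cheap single-hash-per-word loop above no longer applies.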
As we mentioned, we presented PunkCRACK and Mr. Injector at DEF CON 21. You can watch the video of our talk at our DEF CON section below.
Alejandro Caceres, owner and founder of Hyperion Gray, had the honor of speaking at ShmooCon 2013, where he unveiled the PunkSPIDER project to a great crowd. They provided some great feedback on the project and even laughed at some of Alex's jokes! You can watch the video of the talk below. Wait 'til you find out what the angry Iranian man is all about...
So we were over the moon about getting a talk at ShmooCon, but then Alex got accepted to be on the Closing Plenary panel at ShmooCon 2014, moderated by Bruce Potter himself! ::swoon:: If you weren't able to make it to the con this year, you can watch the closing panel here. Let's just say it was wholly entertaining. Where else but ShmooCon can you get a scan of the entire Internet in record time, a real time screenshot of someone typing "porn" into Google, and a fiery defense of American-made nipple covers all on the same stage?? Oh, and of course there's an interesting discussion on the ethics and legalities around mass scanning the Internet.
Perhaps we should try to play it cool, but we fully admit that presenting at DEF CON 21 was kind of a big deal for us. When we found out that we actually got accepted for **two** talks, we yelled "omg" at the tops of our lungs like teenage girls at a 1D concert. We had the time of our lives and even got to experience a little on-stage spanking that we hadn't quite expected. If you didn't make it to the con, don't worry, you can watch both talks right here!
The Massive Attacks project came about when Alejandro was accused of building a "cyber weapon" with PunkSPIDER and, after giggling to himself a little bit, thought, "Hey, what would a mass scale distributed cyber weapon actually look like?" So he went about creating the PunkCRACK and Mr. Injector tools. He threw his hat in the ring to speak at DEF CON 21 and, holy crap, was accepted. This talk demos these two proof-of-concept tools and discusses the theoretical repercussions of distributed cyber weapons.
This talk was based on our DARPA Cyber Fast Track (CFT) project, which we audaciously named Web 3.0. The project came about when a fellow developer, Teal Rogers of Trinary Software, saw Alejandro's PunkSPIDER project on KickStarter. He contacted Alejandro, they soul-gazed via Skype, and then decided to go after a DARPA CFT together. Since the program has, sadly, come to an end, we were thrilled to have been accepted to the last round of awards AND get accepted to speak at DEF CON about it.
The idea of the Web 3.0 project was to create a powerful yet beautiful, intuitive 3D view of the Internet that shows interconnections between domains while also showing which pages within a domain contain vulnerabilities. The interface is designed to give the user an experience of "flying" through 3D space as they navigate their domains of interest, just like in the movies but for real. We developed a proof of concept model for the CFT, and we're currently devising plans for the future of the Web 3.0 concept.
As we mentioned in the DEF CON section, the Web 3.0 project is a research project funded through the DARPA CFT program. Hyperion Gray and our partner Trinary Software wanted to try to create a 3D map of the Internet that would show the interconnections between domains and pages in a more intuitive, nuanced way. As part of that map, we wanted to include vulnerability information on pages to demonstrate, for example, when a healthy domain might link directly to a very vulnerable domain.
On the back-end, we used Apache Nutch distributed across a Hadoop cluster to perform crawling of domains, and we used a custom-built distributed fuzzer based on our PunkSCAN project to fuzz the domains for basic vulnerabilities. On the front-end, Trinary Software used the Unity game engine to build an amazing, extremely beautiful and responsive 3D landscape that uses a physics-based layout to determine how far apart or close together the domains are displayed. There are multiple levels of detail based on how zoomed in or out you are, and the domains "spawn" out or retract back in seamlessly as you zoom. The user can travel around the landscape in a mechanism that looks and feels like "flying" -- it's really cool, words can't really do it justice. We'll be spinning up a demo site soon so you can play around with it. Stay tuned...
In addition to our open source work, we've teamed up with Concise Courses to offer quick but effective training on a number of security topics. Our first course, developed and taught by our founder Alex, is called "How to Hack and Defend Your Website in Just 3 Hours." It's a quick and dirty intro to web security with hands-on web hacking tutorials. If you're interested you can check out the course contents and read the student reviews. It will be available for purchase from Concise Courses soon so you can take it at home on your own time, preferably while wearing your PJs. Or, if you want to set up a training for your organization, you can arrange that through Concise Courses.
We're a small company focused on innovative research and development in the web security field. Currently we're into finding new and creative ways to apply distributed computing concepts and technologies to the problems of web security, but who knows what we'll think of next. Our backgrounds are as hackers, pen testers, developers, engineers, security researchers and analysts. We spent some time in the information security services world but we just aren't cut out for business suits and trade shows.
So, we decided to start Hyperion Gray as a way to develop and release our open source projects -- a tough business model, we admit, but so far we're loving it. We get to think up crazy ideas and make them happen without anyone telling us we can't, and we still get to tell our parents that we have real jobs -- with business cards and everything!
Our goal is to become the go-to source for disruptive research and development in our field. We don't want to grow into a billion dollar behemoth of the industry or anything; we're small but immensely talented and we like it that way (hey, we already told you that we're slightly off). We want to create and maintain an intellectual space where we can be free to create revolutionary solutions to complex problems, without the distractions of board meetings or stock prices. If you want to love what you do, do what you love, right?
In addition to the folks listed below, we also have a roving group of incredibly talented people whom we call upon as needed. We all wear matching rings and assemble like super heroes. It's awesome.
Alejandro (Alex) began his computer security journey at the ripe young age of 15, causing minor (read: probably not illegal) trouble on AOL. While studying Physics in college, he learned all about how distributed computing could help with massive simulations of scientific problems in heavy ion collisions, and he's been in love with distributed computing ever since. Upon entering the real world, he started working as a "cyber security" analyst, and it was fun for a while. But late at night, when no one was looking, he would play around with distributed computing, and he began applying it to web app hacking, thus effectively combining his two favorite things.
He originally started Hyperion Gray as a venue for releasing his open source stuff, but then it got real -- he won a DARPA grant **and** got accepted for two talks at DEF CON! At the same time! So obviously he decided to leave his day job to focus on Hyperion Gray and make the most of these amazing opportunities. We think he made the right decision.
Amanda began her career as a geopolitical intel analyst (think pirates and terrorists and rebel groups and such), and a few years ago she incidentally fell into the world of infosec and software development. She's glad she did -- it's fun here! After working as a security analyst, program manager, project manager and Security Operations Center lead, she joined Hyperion Gray, where she does pretty much everything but write code, although she will probably do that too some day. Her official title is "Queen Overlord of All Things Business-y" but she is also the project manager, the accountant, the coffee and tea maker, the make-sure-you-eat-something-er, the are-you-sure-you-want-to-do-that-er and the all-around do-whatever-needs-doing-er (like building this website...).
Tomas joined our team very early on and we don't know where we would be if he hadn't (we don't like to think about it...). He has supported us on the PunkSPIDER project since the beginning and was fundamental to getting it off the ground. He is a highly skilled (understatement) Java and Python guru and is also well-versed in distributed computing technologies like Apache Nutch, Solr, HBase, Hadoop and Hive. He's the kind of developer every CEO dreams of, and if you try to take him from us we'll hunt you down.
We can't neglect to mention all of the people who have helped us along the way on our great adventure here. This includes our families who've supported us leaving our stable day jobs to do what we love, the companies who believe in us enough to team up with us, and the security community, which has been an integral part of Hyperion Gray from the get-go. From the developers who've contributed to our projects, to folks like the Recon-ng team who've put our stuff to good use, to the people who supported us on KickStarter, to the journalists who write about us, and the tons of people who've visited our sites, blogged about us, told their friends about us or re-Tweeted us -- THANK YOU for your support! We're so glad that you've come along for the ride. We take your input and feedback to heart and we hope you stick with us as we continue to grow up.
Here are a few articles about us and our projects. If you see any more floating around the web -- or if you write one yourself -- be sure to let us know so we can add it here!
The Register, one of our personal faves, released an article shortly after our ShmooCon debut of PunkSPIDER; you can read the article here.
Here's another article in The Register about our DEF CON talk on massive attacks with distributed computing. Zombie PCs are for crimelord chumps: Fear clusters, says infosec ace.
When PunkSPIDER was released, it understandably met with some controversy. Slashdot published one of our submissions here and things got a bit heated. If you love Internet haters, this article is a great place to see angry comments attacking Hyperion Gray and Alejandro personally! Enjoy!
We got another post on Slashdot about Web 3.0. We love poking the bear just a little bit -- it's fun! DEF CON Hackers Unveil a New Way of Visualizing Web Vulnerabilities.
Here's a guest post on Cloudera's blog about how we leveraged Hadoop for PunkSPIDER. It offers an admittedly biased perspective on the project (uh... because we wrote it).
Here's a blog entry by the popular SecurityMonkey about PunkSPIDER.
If you are with the media and are interested in covering any of our projects or just chatting with us in general, send an email to firstname.lastname@example.org and we'll be happy to talk your ears off.
Yes, we have a blog, but no, we're not bloggers. We mainly use it to communicate about new releases, give you a backstage view of our conference talks, and occasionally muse on things of our interest. Also, having a blog is an official business requirement these days, right?