# Porch Pirate
![](https://i.imgur.com/CWW5b0D.png)
Porch Pirate started as a tool to quickly uncover Postman secrets, and has slowly begun to evolve into a multi-purpose reconaissance / OSINT framework for Postman. While existing tools are great proof of concepts, they only attempt to identify very specific keywords as "secrets", and in very limited locations, with no consideration to recon beyond secrets. We realized we required capabilities that were "secret-agnostic", and had enough flexibility to capture false-positives that still provided offensive value.
Porch Pirate enumerates and presents sensitive results (global secrets, unique headers, endpoints, query parameters, authorization, etc), from publicly accessible Postman entities, such as:
- Workspaces
- Collections
- Requests
- Users
- Teams
## Installation
```bash
python3 -m pip install porch-pirate
```
## Using the client
![](https://i.imgur.com/t2PJ2jF.png)
The Porch Pirate client can be used to nearly fully conduct reviews on public Postman entities in a quick and simple fashion. There are intended workflows and particular keywords to be used that can typically maximize results. These methodologies can be located on our blog: **Plundering Postman with Porch Pirate**.
Porch Pirate supports the following arguments to be performed on collections, workspaces, or users.
- `--globals`
- `--collections`
- `--requests`
- `--urls`
- `--dump`
- `--raw`
- `--curl`
#### Simple Search
```bash
porch-pirate -s "coca-cola.com"
```
#### Get Workspace Globals
By default, Porch Pirate will display globals from all active and inactive environments if they are defined in the workspace. Provide a `-w` argument with the workspace ID (found by performing a simple search, or automatic search dump) to extract the workspace's globals, along with other information.
```bash
porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8
```
#### Dump Workspace
When an interesting result has been found with a simple search, we can provide the workspace ID to the `-w` argument with the `--dump` command to begin extracting information from the workspace and its collections.
```bash
porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --dump
```
#### Automatic Search and Globals Extraction
Porch Pirate can be supplied a simple search term, following the `--globals` argument. Porch Pirate will dump all relevant workspaces tied to the results discovered in the simple search, but only if there are globals defined. This is particularly useful for quickly identifying potentially interesting workspaces to dig into further.
```bash
porch-pirate -s "shopify" --globals
```
#### Automatic Search Dump
Porch Pirate can be supplied a simple search term, following the `--dump` argument. Porch Pirate will dump all relevant workspaces and collections tied to the results discovered in the simple search. This is particularly useful for quickly sifting through potentially interesting results.
```bash
porch-pirate -s "coca-cola.com" --dump
```
#### Extract URLs from Workspace
A particularly useful way to use Porch Pirate is to extract all URLs from a workspace and export them to another tool for fuzzing.
```bash
porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --urls
```
#### Automatic URL Extraction
Porch Pirate will recursively extract all URLs from workspaces and their collections related to a simple search term.
```bash
porch-pirate -s "coca-cola.com" --urls
```
#### Show Collections in a Workspace
```bash
porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --collections
```
#### Show Workspace Requests
```bash
porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --requests
```
#### Show raw JSON
```bash
porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --raw
```
#### Show Entity Information
```bash
porch-pirate -w WORKSPACE_ID
```
```bash
porch-pirate -c COLLECTION_ID
```
```bash
porch-pirate -r REQUEST_ID
```
```bash
porch-pirate -u USERNAME/TEAMNAME
```
#### Convert Request to Curl
Porch Pirate can build curl requests when provided with a request ID for easier testing.
```bash
porch-pirate -r 11055256-b1529390-18d2-4dce-812f-ee4d33bffd38 --curl
```
#### Use a proxy
```bash
porch-pirate -s coca-cola.com --proxy 127.0.0.1:8080
```
## Using as a library
#### Searching
```python
p = porchpirate()
print(p.search('coca-cola.com'))
```
#### Get Workspace Collections
```python
p = porchpirate()
print(p.collections('4127fdda-08be-4f34-af0e-a8bdc06efaba'))
```
#### Dumping a Workspace
```python
p = porchpirate()
collections = json.loads(p.collections('4127fdda-08be-4f34-af0e-a8bdc06efaba'))
for collection in collections['data']:
requests = collection['requests']
for r in requests:
request_data = p.request(r['id'])
print(request_data)
```
#### Grabbing a Workspace's Globals
```python
p = porchpirate()
print(p.workspace_globals('4127fdda-08be-4f34-af0e-a8bdc06efaba'))
```
## Other Examples
Other library usage examples can be located in the `examples` directory, which contains the following examples:
- `dump_workspace.py`
- `format_search_results.py`
- `format_workspace_collections.py`
- `format_workspace_globals.py`
- `get_collection.py`
- `get_collections.py`
- `get_profile.py`
- `get_request.py`
- `get_statistics.py`
- `get_team.py`
- `get_user.py`
- `get_workspace.py`
- `recursive_globals_from_search.py`
- `request_to_curl.py`
- `search.py`
- `search_by_page.py`
- `workspace_collections.py`
Raw data
{
"_id": null,
"home_page": "https://github.com/mandconsultinggroup/porch-pirate",
"name": "porch-pirate",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "porchpirate porch pirate porch-pirate postman postmaniac postleaks osint recon enumeration secrets loot treasure",
"author": "Mand Consulting Group / Dominik Penner (zer0pwn) / Jake Bolam (@xixasec)",
"author_email": "zer0pwn@riseup.net",
"download_url": "https://files.pythonhosted.org/packages/b1/ae/5420f6243a57800f07236ec2093db26cb206f58be980cc3bc5a0c0d50322/porch-pirate-0.0.1.tar.gz",
"platform": null,
"description": "# Porch Pirate\n\n![](https://i.imgur.com/CWW5b0D.png)\n\nPorch Pirate started as a tool to quickly uncover Postman secrets, and has slowly begun to evolve into a multi-purpose reconaissance / OSINT framework for Postman. While existing tools are great proof of concepts, they only attempt to identify very specific keywords as \"secrets\", and in very limited locations, with no consideration to recon beyond secrets. We realized we required capabilities that were \"secret-agnostic\", and had enough flexibility to capture false-positives that still provided offensive value.\n\n\n\nPorch Pirate enumerates and presents sensitive results (global secrets, unique headers, endpoints, query parameters, authorization, etc), from publicly accessible Postman entities, such as:\n\n- Workspaces\n- Collections\n- Requests\n- Users\n- Teams\n\n## Installation\n\n```bash\npython3 -m pip install porch-pirate\n```\n\n## Using the client\n\n![](https://i.imgur.com/t2PJ2jF.png)\n\nThe Porch Pirate client can be used to nearly fully conduct reviews on public Postman entities in a quick and simple fashion. There are intended workflows and particular keywords to be used that can typically maximize results. These methodologies can be located on our blog: **Plundering Postman with Porch Pirate**.\n\nPorch Pirate supports the following arguments to be performed on collections, workspaces, or users.\n\n- `--globals`\n- `--collections`\n- `--requests`\n- `--urls`\n- `--dump`\n- `--raw`\n- `--curl`\n\n#### Simple Search\n\n```bash\nporch-pirate -s \"coca-cola.com\"\n```\n\n#### Get Workspace Globals\n\nBy default, Porch Pirate will display globals from all active and inactive environments if they are defined in the workspace. Provide a `-w` argument with the workspace ID (found by performing a simple search, or automatic search dump) to extract the workspace's globals, along with other information.\n\n```bash\nporch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8\n```\n\n#### Dump Workspace\n\nWhen an interesting result has been found with a simple search, we can provide the workspace ID to the `-w` argument with the `--dump` command to begin extracting information from the workspace and its collections.\n\n```bash\nporch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --dump\n```\n\n#### Automatic Search and Globals Extraction\n\nPorch Pirate can be supplied a simple search term, following the `--globals` argument. Porch Pirate will dump all relevant workspaces tied to the results discovered in the simple search, but only if there are globals defined. This is particularly useful for quickly identifying potentially interesting workspaces to dig into further.\n\n```bash\nporch-pirate -s \"shopify\" --globals\n```\n\n#### Automatic Search Dump\n\nPorch Pirate can be supplied a simple search term, following the `--dump` argument. Porch Pirate will dump all relevant workspaces and collections tied to the results discovered in the simple search. This is particularly useful for quickly sifting through potentially interesting results.\n\n```bash\nporch-pirate -s \"coca-cola.com\" --dump\n```\n\n#### Extract URLs from Workspace\n\nA particularly useful way to use Porch Pirate is to extract all URLs from a workspace and export them to another tool for fuzzing.\n\n```bash\nporch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --urls\n```\n\n#### Automatic URL Extraction\n\nPorch Pirate will recursively extract all URLs from workspaces and their collections related to a simple search term.\n\n```bash\nporch-pirate -s \"coca-cola.com\" --urls\n```\n\n#### Show Collections in a Workspace\n\n```bash\nporch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --collections\n```\n\n#### Show Workspace Requests\n\n```bash\nporch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --requests\n```\n\n#### Show raw JSON\n\n```bash\nporch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --raw\n```\n\n#### Show Entity Information\n\n```bash\nporch-pirate -w WORKSPACE_ID\n```\n```bash\nporch-pirate -c COLLECTION_ID\n```\n```bash\nporch-pirate -r REQUEST_ID\n```\n```bash\nporch-pirate -u USERNAME/TEAMNAME\n```\n\n#### Convert Request to Curl\n\nPorch Pirate can build curl requests when provided with a request ID for easier testing.\n\n```bash\nporch-pirate -r 11055256-b1529390-18d2-4dce-812f-ee4d33bffd38 --curl\n```\n\n#### Use a proxy\n\n```bash\nporch-pirate -s coca-cola.com --proxy 127.0.0.1:8080\n```\n\n## Using as a library\n\n#### Searching\n\n```python\np = porchpirate()\nprint(p.search('coca-cola.com'))\n```\n\n#### Get Workspace Collections\n\n```python\np = porchpirate()\nprint(p.collections('4127fdda-08be-4f34-af0e-a8bdc06efaba'))\n```\n\n#### Dumping a Workspace\n\n```python\np = porchpirate()\ncollections = json.loads(p.collections('4127fdda-08be-4f34-af0e-a8bdc06efaba'))\nfor collection in collections['data']: \n requests = collection['requests']\n for r in requests:\n request_data = p.request(r['id'])\n print(request_data)\n```\n\n#### Grabbing a Workspace's Globals\n\n```python\np = porchpirate()\nprint(p.workspace_globals('4127fdda-08be-4f34-af0e-a8bdc06efaba'))\n```\n\n## Other Examples\n\nOther library usage examples can be located in the `examples` directory, which contains the following examples:\n\n- `dump_workspace.py`\n- `format_search_results.py`\n- `format_workspace_collections.py`\n- `format_workspace_globals.py`\n- `get_collection.py`\n- `get_collections.py`\n- `get_profile.py`\n- `get_request.py`\n- `get_statistics.py`\n- `get_team.py`\n- `get_user.py`\n- `get_workspace.py`\n- `recursive_globals_from_search.py`\n- `request_to_curl.py`\n- `search.py`\n- `search_by_page.py`\n- `workspace_collections.py`\n",
"bugtrack_url": null,
"license": "",
"summary": "Porch Pirate is the most comprehensive recon / OSINT client and framework for Postman that facilitates the automated discovery and exploitation of API endpoints and secrets committed to workspaces, collections, requests, users and teams. Porch Pirate can be used as a client or be incorporated into your own applications.",
"version": "0.0.1",
"project_urls": {
"Homepage": "https://github.com/mandconsultinggroup/porch-pirate"
},
"split_keywords": [
"porchpirate",
"porch",
"pirate",
"porch-pirate",
"postman",
"postmaniac",
"postleaks",
"osint",
"recon",
"enumeration",
"secrets",
"loot",
"treasure"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "9eefe3f8351c61eec66d60e18054097fbe167be2c168d9ff2869929b2aa26da6",
"md5": "88ddd2b6ccfa2550789f2c5bdeee4b12",
"sha256": "49d893089dfaf7fbb9836f99b1756fe3cae0891141e1c8529a8c38da10cc4faf"
},
"downloads": -1,
"filename": "porch_pirate-0.0.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "88ddd2b6ccfa2550789f2c5bdeee4b12",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 22359,
"upload_time": "2023-11-06T06:48:51",
"upload_time_iso_8601": "2023-11-06T06:48:51.986810Z",
"url": "https://files.pythonhosted.org/packages/9e/ef/e3f8351c61eec66d60e18054097fbe167be2c168d9ff2869929b2aa26da6/porch_pirate-0.0.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "b1ae5420f6243a57800f07236ec2093db26cb206f58be980cc3bc5a0c0d50322",
"md5": "09439b583b70294600e8dd0b63caf8ed",
"sha256": "82ff237758484770260fa06a3f5519781c440495b30eb4c081a27a4dd5ec4623"
},
"downloads": -1,
"filename": "porch-pirate-0.0.1.tar.gz",
"has_sig": false,
"md5_digest": "09439b583b70294600e8dd0b63caf8ed",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 23097,
"upload_time": "2023-11-06T06:48:53",
"upload_time_iso_8601": "2023-11-06T06:48:53.604396Z",
"url": "https://files.pythonhosted.org/packages/b1/ae/5420f6243a57800f07236ec2093db26cb206f58be980cc3bc5a0c0d50322/porch-pirate-0.0.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-11-06 06:48:53",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "mandconsultinggroup",
"github_project": "porch-pirate",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"lcname": "porch-pirate"
}