AutoSploit Automatically Finds Vulnerable Targets via Shodan and Uses Metasploit Exploits to Compromise Hosts
AutoSploit is a tool designed to automate the use of Metasploit exploits. It was announced on Twitter on Wednesday.
“I just released AutoSploit on #Github. #Python based mass #exploit #tool. Gathers targets via #Shodan and automatically invokes selected #Metasploit modules to facilitate #RCE,” announced Twitter user VectorSEC, Wednesday. Just to be clear, this tool automatically finds vulnerable targets and uses Metasploit exploits to provide remote code execution for the user.
No great skill is necessary: all that is required is AutoSploit (available from GitHub), Python Blessings, Shodan, and Metasploit. Shodan locates the targets, Metasploit provides the exploits, and AutoSploit actions them. Since new exploits are added to Metasploit faster than many companies can apply patches, the immediate concern is whether this new tool will further commoditize cybercrime by facilitating a new army of unskilled wannabe skiddie hackers able to hack computers automatically.
Just how dangerous is this? Opinions are varied. “[AutoSploit] makes being a script kiddie infinitely easier,” comments Chris Morales, head of security analytics at Vectra Networks. “It is combining a whole set of automated tools for identifying exposed hosts and then executing exploits. Where I think this will have the most dramatic effect, and what scares me most, is with IoT. I’m predicting a rash of new IoT DOS, cryptocurrency mining, and general debauchery.”
But he notes that it will simply lead to a compromised host — something security teams have to handle every day. There is still time for incident response. “We cannot rely on prevention and need to be vigilant in finding attackers once they infect systems and before they can cause real damage.”
Chris Roberts, chief security architect at Acalvio, agrees that it will attract the wannabes. “Good to know we’ve weaponized for the masses. Everyone can now be a script kiddie simply by plugging, playing and attacking.” But he points out that attack tools with ‘very nice interfaces’ are not new, and exist only because of the root problem: the bad products, code, systems and infrastructures used by everyone.
“The kids are not more dangerous,” he says. “They already were dangerous. We’ve simply given them a newer, simpler, shinier way to exploit everything that’s broken. Maybe we should fix the ROOT problem.”
“The basic functionalities [of AutoSploit] were already accessible,” says ESET senior research fellow, David Harley, “but AutoSploit lowers the level of knowledge and competence necessary to take advantage of them. So, I guess there could be more skiddies snapping at the heels of companies and individuals whose patching isn’t up to scratch.”
He warns that companies cannot rely on prevention technologies to neutralize AutoSploit. “Security companies watch Metasploit with the intention of remediating where they can, so some (at least) of the modules used will be less effective on well-protected systems. Sadly, not every exploit can be 100% defended against by third-party security software. Not every system out there is well-protected. And it sounds as if AutoSploit will make it easier to find and probe systems that are less likely to be properly patched or defended with security software. Like the Internet-of-unnecessarily-interconnected-things…”
There are others who simply dismiss AutoSploit. Jerry Gamblin, lead security analyst at Carfax, tweeted, “While everyone is freaking out I hacked together antiautosploit to stop autosploit from sploiting you (This just blocks Shodan from scanning you).”
The general consensus from the security industry seems to be that AutoSploit will attract the kiddies but won’t change the current threat landscape — beyond perhaps making existing good practice (patching, incident response) more important and urgent.
“This doesn’t really change anything from the way things are already,” says F-Secure principal researcher Jarno Niemela. “My 11-year-old son learned Metasploit when he was 10 years old, and there is a ton of tradecraft videos in YouTube for anyone who is interested… This tool simply makes something that was already very easy just a bit easier.”
But he also has a word of warning for wannabes attracted by AutoSploit. “The fact that something is really easy, does not make unauthorized computer access any less a crime. And tools like this leave a forensic footprint that is miles wide. Yes, you can compromise poorly protected systems very easily with this tool, but you can also end up in a lot of trouble.”