New click-to-hack tool: One script to exploit them all and in the darkness TCP bind them
Python code has emerged that automatically searches for vulnerable devices online using Shodan.io – and then uses Metasploit’s database of exploits to potentially hijack the computers and gadgets.
We’re surprised it took this long.
The software, posted publicly on GitHub this week by someone calling themselves Vector, is called AutoSploit. As its name suggests, it makes mass hacking exceedingly easy. After collecting targets via the Shodan search engine – an API key is required – the Python 2.7 script attempts to run Metasploit modules against them.
Metasploit is an open-source penetration testing framework: it bundles a library of exploit modules that trigger known security flaws in software and devices, together with payloads that extract information from the compromised system or open a remote shell so it can be commanded from afar. Shodan continuously scans the public internet and lets you search the results for computers, servers, industrial equipment, webcams, and other devices, revealing their open ports, service banners, and therefore potentially exploitable software versions.
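The first half of the pipeline described above, collecting targets from Shodan search hits, is the same step a defender can run against their own address space to see what an automated tool would see. The following is an added example written for this page, not code from the AutoSploit repository: it parses a constructed, Shodan-shaped search response (the `matches`, `ip_str`, `port`, `transport`, `product`, `version` and `data` keys are those of Shodan's host search API; the addresses are RFC 5737 documentation ranges, not real hosts), restricts the hits to netblocks you own, and summarises the exposed services. It does the inventory only and performs no network access or exploitation.

```python
"""Turn Shodan-style search hits into a scoped inventory of exposed services.

Added example for this page (not the AutoSploit project's own code). The
SAMPLE_RESPONSE below is constructed to match the shape of Shodan's
/shodan/host/search JSON; a real run would fetch it with an API key.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample, RFC 5737 documentation addresses only.
SAMPLE_RESPONSE = {
    "total": 4,
    "matches": [
        {"ip_str": "192.0.2.10", "port": 22, "transport": "tcp",
         "product": "OpenSSH", "version": "7.4", "org": "Example Corp",
         "data": "SSH-2.0-OpenSSH_7.4\r\n"},
        {"ip_str": "192.0.2.11", "port": 80, "transport": "tcp",
         "product": "Apache httpd", "version": "2.4.6", "org": "Example Corp",
         "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.6\r\n"},
        {"ip_str": "198.51.100.7", "port": 9200, "transport": "tcp",
         "product": "Elasticsearch", "org": "Other Org",
         "data": '{"version":{"number":"1.7.2"}}'},
        {"ip_str": "192.0.2.12", "port": 161, "transport": "udp",
         "org": "Example Corp", "data": "SNMPv1 public"},
    ],
}


@dataclass(frozen=True)
class Target:
    ip: str
    port: int
    transport: str
    product: str  # "unknown" when Shodan attached no product name to the banner
    version: str  # "" when absent


def parse_matches(response):
    """Flatten the 'matches' list into Target records, skipping unusable hits."""
    targets = []
    for m in response.get("matches", []):
        ip, port = m.get("ip_str"), m.get("port")
        if not ip or not isinstance(port, int):
            continue  # no address or port: nothing to act on
        targets.append(Target(ip, port, m.get("transport", "tcp"),
                              m.get("product") or "unknown",
                              m.get("version") or ""))
    return targets


def in_scope(targets, netblocks):
    """Keep only targets whose address falls inside the given CIDR blocks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in netblocks]
    return [t for t in targets
            if any(ipaddress.ip_address(t.ip) in n for n in nets)]


def group_by_service(targets):
    """Count exposed endpoints per product so the list can be reviewed."""
    counts = defaultdict(int)
    for t in targets:
        counts[t.product] += 1
    return dict(counts)


if __name__ == "__main__":
    mine = in_scope(parse_matches(SAMPLE_RESPONSE), ["192.0.2.0/24"])
    for t in mine:
        print(f"{t.ip}:{t.port}/{t.transport}  {t.product} {t.version}".rstrip())
    print(group_by_service(mine))
```

The scoping step is the point: an attacker runs the same query with no netblock filter, so anything that shows up here for your ranges is reachable by every script that automates the Shodan-to-exploit hand-off, whether or not anyone has ever targeted you specifically.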
At your fingertips … The Autosploit tool
“The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions,” the GitHub repository explains.
Because automated attacks of this sort could bring legal trouble, the repo also includes a warning that running the code from a machine easily traceable to you “might not be the best idea from an OPSEC standpoint.”
Other security industry types contend this isn’t the best idea in general.
S’kiddies
“There is no need to release this,” said Richard Bejtlich, founder of Tao Security, via Twitter. “The tie to Shodan puts it over the edge. There is no legitimate reason to put mass exploitation of public systems within the reach of script kiddies. Just because you can do something doesn’t make it wise to do so. This will end in tears.”
At the same time, there may be some value in explicitly connecting the dots between vulnerability scanning and vulnerability exploitation. The exercise makes it clear that automation defeats security through obscurity: an unpatched service exposed to the internet will be found and attacked whether or not anyone is looking for that particular organisation.
Vector, reached via Twitter, told The Register that the code has been received fairly well in the security community.
“I have seen comments critical of the tool for sure as well, but what they say can be said for every other attack tool that implements automation to some end,” Vector said.
“As with anything, it can be used for good or bad,” the security researcher added. “The responsibility is with the person using it. I am not going to play gatekeeper to information. I believe information should be free and I am a fan of open source in general.” ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/31/auto_hacking_tool/