AutoSploit: Automated mass exploitation of remote hosts using Shodan and Metasploit
A “cyber security enthusiast” that goes by VectorSEC on Twitter has published AutoSploit, a Python-based tool that takes advantage of Shodan and Metasploit modules to automate mass exploitation of remote hosts.
“Targets are collected automatically as well by employing the Shodan.io API. The program allows the user to enter their platform specific search query such as; Apache,IIS, etc, upon which a list of candidates will be retrieved,” the tool’s creator explained.
“After this operation has been completed the ‘Exploit’ component of the program will go about the business of attempting to exploit these targets by running a series of Metasploit modules against them. Which Metasploit modules will be employed in this manner is determined by programmatically comparing the name of the module to the initial search query. The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions.”
Users of the tool can add more modules by merely editing the used modules.txt file.
Mixed reactions
The public release of the code has elicited mixed reactions from the information security community.
Most of those who lamented the move noted that the tool is a boon for script kiddies, and some said it might be even considered malware.
The fact that AutoSploit seems to be designed to target systems across the internet you likely don't control or have permission to attack puts it much closer to malware category for me. https://t.co/L16boqpUgv
— Craig Williams (@security_craig) January 31, 2018
It is true that every tool can be used for good and bad purposes, but AutoSploit is much more likely to be used for the latter.
Others pointed out that the idea behind the tool and the tool itself is so simple that any script kiddy could have written it, and chances are that some variant of this script has been created and is being used by many attackers already.
Errata Security CEO Rob Graham, says that the release of AutoSploit is a good thing for cybersecurity.
“Anything that makes a script-kiddy’s job easier means such systems are hacked then fixed with little actual damage, making them less vulnerable to well-funded cybercriminals and nation-states,” he opined.
Others still argued that AutoSploit doesn’t make any more people a target. “It just makes those targets an order of magnitude more likely to be popped because of the accessibility and ease of use of this tool.
But whatever your opinion is on this issue, the fact of the matter is that the code is now public, and already in the hands of many – there is no going back.
With that in mind, some have decided to help users not become a victim of AutoSploit (or anyone else who uses Shodan to pinpoint vulnerable servers):
While everyone is freaking out I hacked together antiautosploit to stop autosploit from sploiting you (This just blocks Shodan from scanning you). https://t.co/YgkfrTuBvw
— Jerry Gamblin (@JGamblin) February 1, 2018
The AntiAutoSploit tool obviously has its limitations and is a poor substitute for fixing the actual vulnerabilities/implementing patches regularly, but could be of some help as script kiddies (and possibly other attackers) rush to take advantage of AutoSploit.