The tools used by security researchers, penetration testers, and "red teams" often spark controversy because they package together, and automate, attacks to a degree that make some uncomfortable—and often, those tools end up getting folded into the kits of those with less noble pursuits. AutoSploit, a new tool released by a "cyber security enthusiast" has done more than spark controversy, however, by combining two well-known tools into an automatic hunting and hacking machine—in much the same way people already could with an hour or two of copy-pasting scripts together.
Malicious parties have weaponized scanning utilities, network commands, and security tools with various forms of automation before. By "stress testing" tools such as "Low-orbit Ion Cannon" (LOIC), High Orbit Ion Cannon (written in RealBasic!), and the Lizard Squad’s stresser site powered by hacked Wi-Fi routers, they took exploits known well to security pros and turned them into political and economic weapons. The Mirai botnet did the same with Internet of Things devices, building a self-spreading attack tool based on well-documented vulnerabilities in connected devices.
AutoSploit is slightly more sophisticated but only because it leverages two popular, well-supported security tools. "As the name might suggest," its author wrote on the tool's GitHub page, "AutoSploit attempts to automate the exploitation of remote hosts." To do that, the Python script uses command line interfaces and text files to extract data from the Shodan database, which is a search engine that taps into scan data on millions of Internet-connected systems. AutoSploit then runs shell commands to execute the Metasploit penetration testing framework.
I just released AutoSploit on #Github. #Python based mass #exploit#tool. Gathers targets via #Shodan and automatically invokes selected #Metasploit modules to facilitate #RCE.https://t.co/BNw6JvTVH9#OffSec#InfoSec#Programming#Securitypic.twitter.com/hvc3vrNCEJ
— VectorSEC (@Real__Vector) January 30, 2018
In addition to running individual Metasploit modules tailored to the type of target, the script can also launch automated "Hail Mary" attacks—throwing every module available to the Metasploit framework at each target. So, basically, AutoSploit is a mass attack tool with limited targeting capabilities.
The release of the tool on GitHub triggered an outcry from security doomsayers who were concerned that tapping into Shodan would give the tool the ability to mass-exploit thousands of vulnerable Internet of Things (IoT) devices like the Mirai botnet did last year. Richard Bejtlich of TaoSecurity decried the tool on Twitter, saying, "There is no need to release this. The tie to Shodan puts it over the edge. There is no legitimate reason to put mass exploitation of public systems within the reach of script kiddies."
In another conversation thread on Twitter, Security researcher Amit Serper agreed. "Exploits that I discovered and disclosed are now used to operate gigantic botnets. Giving script kiddies the ability to own hundreds of thousands of devices is a BAD idea."
However, the burst of moral outrage over this particular bit of code—just over 400 lines of Python spent mostly on pushing command strings to Shodan's API or to Metasploit's command-line interface—seems a little out of place for a number of reasons—including the fact that its code does nothing that a couple of much shorter, simpler scripts could do better.
To some degree, this outcry is a repeat of the controversy that Metasploit and Shodan generated on their own a decade ago. At that time, when H.D. Moore released the Metasploit framework, some people thought it went too far. And back in 2009, TaoSecurity's Bejtlich said that Shodan was "several steps along the Intrusion as a Service (IaaS) path" and predicted it would disappear.
That controversy has mostly faded. Metasploit is now professionally supported by the security software company Rapid7 and has been used by security professionals and law enforcement (as well as by others with less noble intentions). And Shodan now offers paid access for high volumes of queries through programming interface keys—while some openly offer tools to check the quality of Shodan keys scraped from the Web. ("You can find people's API keys all over the 'Net, yo.")
Even if AutoSploit attempts to stitch these tools into something more formidable (which, based on our review of the code, it does not do very well), it isn’t doing anything that hasn't been possible for nearly a decade. Dan Tentler, founder of Phobos Group, said that he thought all of the fear and outrage over AutoSploit was misplaced. "I did talks on how to pipe Shodan into the Hail Mary feature of Cobalt Strike close to 10 years ago," he said. "At the time, it fell on deaf ears. People didn't seem to care."
If anything, AutoSploit demonstrates how accessible to "cyber enthusiasts" of all stripes existing tools are—and they've become that way because of the demands of the organizations that use the tools internally. "We will continue to see this problem emerge as we continue to dumb down security and make it super easy for people who don't 'computer' to understand," said Tentler.
AutoSploit is an extremely blunt tool. Because of the way it automates both Shodan and Metasploit, the ability to be somewhat picky about the targets that are selected is severely limited. Whatever search string is run against Shodan will have to match up with text in the name or path of the Metasploit modules that correspond to it—meaning there's going to have to be a lot of upfront work to make this tool work against anything other than the usual Web and MySQL targets.
AutoSploit offers the bare minimum guidance on entering a query:
Please provide your platform specific search query I.E. 'IIS' will return a list of IPs belonging to IIS servers
Of course, entering "IIS" will also get you more than five million results, so this might take a while. For each result, the script will write out the Internet Protocol address of the system to a file called "hosts.txt".
And that's it for the Shodan interface. The next part is pumping that data into Metasploit. Using the text that was used for the Shodan search, the script finds the lines in a text file called modules.txt (which needs to be customized based on the contents of the module library) and dumps them into a sorted list. Alternatively, the user can just try to run all of them with that "Hail Mary" option.
Before the script can run any exploit, it has to make sure the Metasploit framework and its required components—including the PostgreSQL database—are running. It does so by running a few shell commands and presents these as "Hueristics" [sic]:
print "n[" + t.red("!") + "]Warning. Hueristics indicate Postgresql Service is offline"
If everything works, the script will then kick off Metasploit attacks against all the hosts in the previously written text file. This may take a while—and if performed from home, it could result in a visit from law enforcement.
"If anybody is concerned about this," researcher Kevin Beaumont said, "your threat model collapses at kids being bored running Python scripts."