New click-to-hack tool: One script to exploit them all and in the darkness TCP bind them
Auto-pwn code glues device search engine Shodan to Metasploit weapons cache
Python code has emerged that automatically searches for vulnerable devices online using Shodan.io – and then uses Metasploit's database of exploits to potentially hijack the computers and gadgets.
You set this script running, it crawls the internet looking for machines that are possibly vulnerable to attack – typically due to unpatched security bugs – and automatically takes over them for you. No super-l33t skills required.
We're surprised it took this long.
The software, posted publicly on GitHub this week by someone calling themselves Vector, is called AutoSploit. It makes mass hacking exceedingly easy. After collecting targets via the Shodan search engine – an API key is required – the Python 2.7 script attempts to run Metasploit modules against them.
Metasploit is an open-source penetration testing tool: it is a database of snippets of code that exploit security flaws in software and other products to extract information from systems, or open a remote control panel to the devices so they can be commanded from afar. Shodan allows you to search for public-internet-facing computers, servers, industrial equipment, webcams, and other devices, revealing their open ports and potentially exploitable services.
"The available Metasploit modules have been selected to facilitate remote code execution and to attempt to gain reverse TCP Shells and/or Meterpreter sessions," the GitHub-hosted repository explains.
Because automated attacks of this sort could bring legal trouble, the repo also includes a warning that running the code from a machine easily traceable to you "might not be the best idea from an OPSEC standpoint."
Other security industry types contend this isn't the best idea in general.
"There is no need to release this," said Richard Bejtlich, founder of Tao Security, via Twitter. "The tie to Shodan puts it over the edge. There is no legitimate reason to put mass exploitation of public systems within the reach of script kiddies. Just because you can do something doesn't make it wise to do so. This will end in tears."
At the same time, there may be some value in explicitly connecting the dots between vulnerability scanning and vulnerability exploitation. The exercise makes it clear that automation defeats security through obscurity.
Vector, reached via Twitter, told The Register that the code has been received fairly well in the security community.
"I have seen comments critical of the tool for sure as well, but what they say can be said for every other attack tool that implements automation to some end," Vector said.
"As with anything, it can be used for good or bad," the security researcher added. "The responsibility is with the person using it. I am not going to play gatekeeper to information. I believe information should be free and I am a fan of open source in general." ®