New click-to-hack tool: One script to exploit them all and in the darkness TCP bind them

Auto-pwn code glues device search engine Shodan to Metasploit weapons cache

By Thomas Claburn in San Francisco

Posted in Security, 31st January 2018 19:40 GMT

Python code has emerged that automatically searches for vulnerable devices online using Shodan.io – and then uses Metasploit's database of exploits to potentially hijack the computers and gadgets.

You set this script running, it crawls the internet looking for machines that are possibly vulnerable to attack – typically due to unpatched security bugs – and automatically takes them over for you. No super-l33t skills required.

We're surprised it took this long.

The software, posted publicly on GitHub this week by someone calling themselves Vector, is called AutoSploit. It makes mass hacking exceedingly easy. After collecting targets via the Shodan search engine – an API key is required – the Python 2.7 script attempts to run Metasploit modules against them.

Metasploit is an open-source penetration testing tool: it is a database of snippets of code that exploit security flaws in software and other products to extract information from systems, or open a remote control panel to the devices so they can be commanded from afar. Shodan allows you to search for public-internet-facing computers, servers, industrial equipment, webcams, and other devices, revealing their open ports and potentially exploitable services.

At your fingertips ... The AutoSploit tool

"The available Metasploit modules have been selected to facilitate remote code execution and to attempt to gain reverse TCP Shells and/or Meterpreter sessions," the GitHub-hosted repository explains.

Because automated attacks of this sort could bring legal trouble, the repo also includes a warning that running the code from a machine easily traceable to you "might not be the best idea from an OPSEC standpoint."

Other security industry types contend this isn't the best idea in general.

S'kiddies

"There is no need to release this," said Richard Bejtlich, founder of Tao Security, via Twitter. "The tie to Shodan puts it over the edge. There is no legitimate reason to put mass exploitation of public systems within the reach of script kiddies. Just because you can do something doesn't make it wise to do so. This will end in tears."

At the same time, there may be some value in explicitly connecting the dots between vulnerability scanning and vulnerability exploitation. The exercise makes it clear that automation defeats security through obscurity.

Vector, reached via Twitter, told The Register that the code has been received fairly well in the security community.

"I have seen comments critical of the tool for sure as well, but what they say can be said for every other attack tool that implements automation to some end," Vector said.

"As with anything, it can be used for good or bad," the security researcher added. "The responsibility is with the person using it. I am not going to play gatekeeper to information. I believe information should be free and I am a fan of open source in general." ®
