Happy Day for Script Kiddies – This New Mass-Exploit Tool Automatically Finds and Hacks Vulnerable Devices
A new tool has been released by a security researcher that automatically finds and hacks vulnerable devices connected to the internet. While there have always been tools and programs available that enable newbies to start hacking into networks and devices, this new tool named AutoSpoilt makes the process a little more efficient, simple and quick.
I just released AutoSploit on #Github. #Python based mass #exploit #tool. Gathers targets via #Shodan and automatically invokes selected #Metasploit modules to facilitate #RCE.https://t.co/BNw6JvTVH9#OffSec #InfoSec #Programming #Security pic.twitter.com/hvc3vrNCEJ
— VectorSEC (@Real__Vector) January 30, 2018
The tool released today combines Shodan and Metasploit to discover vulnerable targets and then to automatically exploit their vulnerabilities, making it easier for amateurs to hack vulnerable smart devices. "As the name might suggest AutoSploit attempts to automate the exploitation of remote hosts," the tool's developer wrote on Github under the pseudonym of Vector. "The program allows the user to enter their platform specific search query such as; Apache, IIS, etc, upon which a list of candidates will be retrieved."
“I have added functionality to run all available modules against the targets in a 'Hail Mary' type of attack as well."
While the hacking tool reduces the barrier of skill required to hack vulnerable devices, tools similar to this have remained available in the public space for years now. However, a process that does both the functions of discovering vulnerable devices and then attacking those programmatically worries many. "There is no need to release this," Richard Bejtlich, a security expert tweeted. "The tie to Shodan puts it over the edge."
There is no legitimate reason to put mass exploitation of public systems within the reach of script kiddies. Just because you can do something doesn't make it wise to do so. This will end in tears.
However, the developer doesn't agree along with a few others in the industry. "I have seen the comments as well, and I mean, the same critique can be applied to anyone releasing offensive tools as open source," Vector told Motherboard. "Personally I believe information should be free and I am a fan of open source, so why not?"
"If anybody is concerned about this, your threat model collapses at kids being bored running python scripts," security expert, Kevin Beaumont, warned in a tweet. "Automated break ins to lateral movement to internal cryptoware and ransomware to $$$ is coming."