Autosploit, a new tool that basically couples Shodan and Metasploit, makes it easy for even amateurs to hack vulnerable IoT devices.
“As the name might suggest AutoSploit attempts to automate the exploitation of remote hosts,” its creator, who goes by the handle “Vector,” wrote on Github.
Using the Shodan.io API, the program automatically collects targets and lets users enter platform-specific search queries, for instance, Apache. Based on the search criteria it retrieves a list of candidates.
The tool then runs a set of Metasploit modules – selected by programmatically comparing module names to the search query – against the potential targets in an effort to exploit them. “I have added functionality to run all available modules against the targets in a ‘Hail Mary’ type of attack as well,” Vector wrote, adding that “the available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions.”
The pseudonymous security researcher explained that “workspace, local host and local port for MSF facilitated back connections are configured through the dialog that comes up before the ‘Exploit’ component is started.
“Metasploit reduced the barrier of skill required to hack over a decade ago. Shodan is search engine that can find and identify any and every system connected to the internet,” Chris Morales, head of security analytics at Vectra, explained. “The ability to find and exploit systems isn’t new. The idea that these two highly automated tools are combined to make life even easier for someone to hack systems lowers the bar much more.”
While Autosploit “makes being a script kiddie infinitely easier” by “combining a whole set of automated tools for identifying exposed hosts and then executing exploits,” Morales said that where it likely “will have the most dramatic effect, and what scares me most, is with IoT,” predicting there will be “a rash of new IoT DOS attacks, cryptocurrency mining, and general debauchery.”
Saying it was “good to know we’ve weaponized for the masses now” and that “everyone can now be a script kiddie simply by plugging, playing and attacking,” Chris Roberts, chief security architect at Acalvio, cautioned that “before we hang this out to dry and assassinate the bearer of the tool, let’s take an introspective look at two facts – the tools have been out there for a while AND other folks have built very nice interfaces for all sorts of tools over the years; and the tools ONLY exist because bad products, code, systems and infrastructures are constantly acceptable and justified by everyone.”