What is a mechanic without his tools? Probably nothing much. Similarly, tools let a penetration tester get through repetitive tasks faster, reaching the objective without spending more hours or more people on it. That is why we rejoice whenever a new tool appears to assist us in our work, especially when it is open source.
Recently, a new tool called “AutoSploit” caused some controversy in the community. It is a Python script of around 400 lines that automates the gathering of host information from the Shodan API and performs exploitation using the Metasploit framework. One of its features lets the user run every exploit in its list against every target host, regardless of what the host is actually running. Some have bashed it, calling it a tool for “script kiddies”, while others gave positive feedback because it opens up self-assessment to people who could not do it before. So what is our take on it?
By lowering the barrier to entry, the tool lets someone with rudimentary cyber security knowledge perform a self-assessment of their own network, provided that network shows up on Shodan. Although the tool produces no formal report, organizations can use it to discover “low-hanging fruit” and patch it as soon as possible. If all it takes to reach a protected or sensitive system is running a script, that system will be compromised in no time by someone else. The tool may therefore be useful to large organizations that want a quick look for exploitable exposures but have limited capability to do it themselves.
For penetration testers, this tool would help clear out the easy targets, allowing them to focus on more interesting or new systems. Penetration testers often have limited time for an engagement, and the scope of the test can make the timeline tight. Compromising on the quality of the work is not an option, as that causes more problems later, so a tool that speeds up certain tasks is welcome.
AutoSploit is also a showcase of how powerful security testing tools become when they are chained together. Shodan and Metasploit on their own have limited capability; without AutoSploit, a human has to carry the results of one into the other to perform vulnerability assessment and penetration testing. The tool can serve as an initial assessment and baseline before more in-depth work is done manually.
On the other hand, there are always “script kiddies” or “cyber security wanna-bes” out there on the Internet looking for the latest script they can run to create havoc and ruin someone’s day. These script kiddies may not understand the impact of the tools they run, and their victims suffer the losses. The exploits can slow down or take down a victim’s network, or at worst expose sensitive information to the public when an exploit alters the state or configuration of the system it lands on.
When the tool gets into the hands of a malicious person, they can launch it against anyone. The compromised devices can then be used as part of a botnet for further attacks.
Organizations that depend on AutoSploit to determine their security posture may be in for a rude shock: a clean bill from AutoSploit does not mean that their environment is secure. AutoSploit runs exploits from Metasploit, which mostly target vulnerabilities in network services and in common or open-source web applications. Custom web applications, and anything else without a Metasploit module, will not be covered, because they do not exist in the Metasploit database. These applications can still be exploited manually when a malicious person finds them.
As for coverage, AutoSploit’s only source is Shodan, which limits discovery to devices Shodan has already indexed. There is very little control over the inputs and no way to specify targets directly, so automatic exploitation of assets not found by Shodan is impossible. How about internal systems? Don’t even ask that question.
How to protect yourself?
There is no immediate threat from the release of this tool. However, one can perform a search on Shodan to determine if any of one’s own assets are listed in its database, for example by searching on one’s own IP ranges with the `net:` filter or on the organization name with the `org:` filter. If an asset is listed, gather the information and get the security team to take a look to confirm whether it poses a risk to the system.
There is a script written by a cyber security practitioner that attempts to use iptables to block Shodan scanners from reaching your system. This might be practical now, but as the tool evolves, Shodan might not be the only scanner that needs blocking. Blocking the scanner also hides the exposure rather than removing it: anyone who scans the address range themselves will still find the service.
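The following is an added example, not code from the original post or from the AutoSploit project, of what “gather the information and get the security team to take a look” can look like in practice. It assumes the shape of a Shodan host record (an `ip_str`, and a `data` list of banners each carrying `port`, `transport`, `product` and `version`) and of a Shodan search result (a `matches` list with an `ip_str` per match). The host record and search matches below are constructed for illustration and use documentation address space; the watch list of ports is a hypothetical starting point, not a Shodan or Metasploit artefact. A live lookup with the `shodan` package is included but only runs when `SHODAN_API_KEY` is set.

```python
"""Triage Shodan output for our own exposed services (added example)."""
import ipaddress
import os

# Hypothetical watch list: services that automated Shodan-to-Metasploit tooling
# can throw modules at without any further reconnaissance. Adjust to taste.
RISKY_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql",
    3306: "mysql", 3389: "rdp", 5900: "vnc", 6379: "redis", 27017: "mongodb",
}

# Constructed sample in the shape of a Shodan host record (not real data).
SAMPLE_HOST = {
    "ip_str": "203.0.113.10",
    "org": "Example Corp",
    "data": [
        {"port": 443, "transport": "tcp", "product": "nginx", "version": "1.14.0"},
        {"port": 23, "transport": "tcp", "product": None},
        {"port": 445, "transport": "tcp", "product": "Samba", "version": "3.6.3"},
        {"port": 8080, "transport": "tcp", "product": "Apache Tomcat", "version": "7.0.52"},
        {"port": 9000, "transport": "tcp", "product": None},
    ],
}

# Constructed sample of the "matches" list a Shodan search returns (not real data).
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.7", "port": 22},
    {"ip_str": "203.0.113.10", "port": 23},
    {"ip_str": "198.51.100.5", "port": 80},
]


def triage(host):
    """Return (ip, findings) for one host record.

    A banner becomes a finding if its port is on the watch list or if Shodan
    could not identify the product at all (an unknown listener deserves a look).
    Identified services off the watch list are treated as informational.
    """
    findings = []
    for banner in host.get("data", []):
        port = banner.get("port")
        product = banner.get("product") or "unidentified"
        version = banner.get("version") or ""
        service = RISKY_PORTS.get(port)
        if service is None and product != "unidentified":
            continue
        findings.append({
            "port": port,
            "transport": banner.get("transport", "tcp"),
            "service": service or "unknown",
            "product": (product + " " + version).strip(),
            "reason": "watch-listed port" if service else "unidentified banner",
        })
    return host.get("ip_str"), findings


def own_hosts(matches, networks):
    """Keep only search matches whose IP falls inside our own address ranges."""
    nets = [ipaddress.ip_network(n) for n in networks]
    seen = set()
    for match in matches:
        ip = ipaddress.ip_address(match["ip_str"])
        if any(ip in net for net in nets):
            seen.add(str(ip))
    return sorted(seen, key=ipaddress.ip_address)


def fetch_host(ip):
    """Live lookup of one host; returns None unless SHODAN_API_KEY is set.

    Uses the real shodan package: Shodan(key).host(ip). A search over an
    address range would be Shodan(key).search("net:203.0.113.0/24")["matches"].
    """
    key = os.environ.get("SHODAN_API_KEY")
    if not key:
        return None
    import shodan  # only needed for the live path
    return shodan.Shodan(key).host(ip)


if __name__ == "__main__":
    # Offline walkthrough on the constructed data; swap in fetch_host()/search
    # results for a real run against your own ranges.
    for ip in own_hosts(SAMPLE_MATCHES, ["203.0.113.0/24"]):
        print("listed on Shodan:", ip)
    ip, findings = triage(SAMPLE_HOST)
    for f in findings:
        print(f"{ip}:{f['port']}/{f['transport']} {f['product']} ({f['reason']})")
```

The output of the triage is the list the security team should receive: which of our addresses Shodan knows about, and for each one the listeners that automated tooling could pick on. A finding is a prompt for a human to confirm the service is meant to be exposed and is patched, not a verdict on its own.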
In our analogy, a mechanic with a spanner can fix a car or injure someone. It all boils down to the intention of the person using the tool. AutoSploit introduces no new vulnerabilities by itself; it makes existing ones easier to reach by chaining Shodan and Metasploit. In its infancy, the tool is limited in functionality and is unlikely to be used by malicious attackers with a specific target in mind. Script kiddies may occasionally create some noise, but that too is unlikely to become a widespread issue. There are better tools and services in the market today that provide a more comprehensive assessment of an organization’s security posture.
The initial response to automated penetration testing tools is always criticism, but time will tell whether this one is used for malicious activity or developed further into a comprehensive tool for cyber security assessment.