Hacking, like any form of security, is a numbers game. Attackers, even very capable ones, are limited in the number of targets they can hit by the resources at their disposal. A larger team can seek out more targets and probe them for vulnerabilities, but there are only so many hours in the day to compile lists of potential systems to p0wn, find the right exploit to break into a system, and make off with the goods.
Now a new hacking program, AutoSploit, which was released last week on GitHub by a security researcher and hacker who uses the Twitter nom de guerre VectorSEC, is making it easier to upend this balance between resources and capacity.
AutoSploit is an apt name for this new tool, which essentially automates the majority of the hacking process. VectorSEC has combined two existing tools: Shodan.io, which works like Google for searching out connected devices, and the penetration testing tool Metasploit to create something interesting to some, dangerous to others. Essentially, the program uses the Shodan API for finding potential targets. As VectorSEC explains on his GitHub page, "The program allows the user to enter their platform specific search query such as Apache, IIS, etc, upon which a list of candidates will be retrieved."
Apache, for example, is a very commonly used open source project, which GitHub shows to have over 9 million commits. With a project that large, many of its libraries are likely to have vulnerable versions that could be exploited, which is where VectorSEC uses Metasploit. Instead of looking up which versions of Apache (or any other project that the hacker wants to target) have known vulnerabilities, AutoSploit uses a "Hail Mary" method, throwing every available exploit at the system until it either determines that there are no holes in the security or it hits paydirt. The bad news: because this entire process is automated, it could be used by low-level hackers for great gain. It is safe to say that the thousands of organizations using popular Apache projects such as Struts and Tomcat could find themselves in a world of hurt if their systems are not patched.
So far the response to AutoSploit has been a mix of outrage, fear, some applause, and more than a few shrugs. Many have voiced concern that the tool could change the battlefield of security from a game of bows and arrows to one of carpet bombing, calling VectorSEC wildly irresponsible for putting a cyber weapon of this sort out for public consumption. Although these two tools have been around for some time, it is the combination of them in a single package that has folks worried. Others, like security expert Dan Tentler, point out that by taking two tools that can cause trouble on their own and then combining them in an automated process, VectorSEC has dumbed down the field of hacking.
The idea of people using tools developed by others to carry out hacks is hardly new. Black markets for exploit kits have been around for years, populated by criminals who lack the technical understanding to write the malware themselves. However, by posting his tool on GitHub as open source under a GNU license for all to play with, VectorSEC has made this kind of tooling available on a whole new scale.
Those who view AutoSploit as a positive measure contend that by making exploitation so easy and available to the masses of script kiddies, it could encourage organizations to really implement solutions that can keep them safe not only from this exploit kit but from more-experienced hacker teams as well.
In the meantime, others in the open source community have stepped up to prevent some of the worst potential damage from AutoSploit. Security expert Jerry Gamblin posted to GitHub his own bit of code that he says will block Shodan from being able to scan your systems. However, it is questionable whether this response will be widely used, considering the software industry's generally poor record at implementing critical patches even when they are announced by the project maintainers themselves.