This announcement created quite a stir in the infosec community last week:
I just released AutoSploit on #Github. #Python based mass #exploit #tool. Gathers targets via #Shodan and automatically invokes selected #Metasploit modules to facilitate #RCE. https://t.co/BNw6JvTVH9 #OffSec #InfoSec #Programming #Security pic.twitter.com/hvc3vrNCEJ
— VectorSEC (@Real__Vector) January 30, 2018
Much of the debate is centered on the concern that any real use of the tool is likely to be illegal and that the tool has no particular security research utility; all the tool serves to do is make it simple for script kids to break into our systems.
Many people have rightly pointed out that this tool isn't enabling anything, in terms of breaking into vulnerable systems, that wasn't already possible. Said another way, we shouldn't see the tool as the problem; we should see the vulnerable devices as the problem. If the tool can affect your devices because they are vulnerable, a) that's not the tool's fault, and b) you're probably already pwnt or are living on borrowed time.
I think there are two big issues that autosploit raises that I haven’t seen discussed (not to say someone hasn’t brought it up before me):
1. Autosploit will likely serve as a framework for future automated exploitation, and using shodan for targeting effectively allows an attacker to efficiently target every vulnerable system accessible from the Internet that hasn't blocked shodan's scanners. This means that we should expect the marginal time to compromise of our vulnerable internet-connected systems to drop precipitously for certain types of vulnerabilities.
2. Largely because of #1 above, most of us should probably fear the second-order impacts of autosploit more than the first-order impacts. By that I mean that even if we are diligent in rapidly patching (or otherwise mitigating) our vulnerable systems, the ability of the baddies to quickly create new botnets that can be used to perpetrate attacks against other internet infrastructure, as we notably saw with Mirai, creates problems that are much harder and more expensive for us to mitigate than simply patching systems. And we, unfortunately, don't get to choose when everyone else patches their systems.
Autosploit-style tools are inevitable, and indeed, as some people have pointed out, the technique is not new. While that is true, autosploit may well accelerate some of the "innovation" (even for as simple a code base as it is), and that is going to drive us defenders to likewise accelerate our innovation. In the long run, tools like autosploit, which drive attack efficiency, will very likely change the way IT and infosec have to operate, both from a first-order defense perspective and a second-order defense perspective.