Tips for an Information Security Analyst/Pentester career - Ep. 56: Autosploit

There are several online discussions and controversies about a new tool called Autosploit, which promises to widely automate exploitation of vulnerable devices based on the Shodan API and the Metasploit framework.

Some have voiced concerns over possible delinquent use of this tool and have called its author irresponsible.

Prep stage

I deeply dislike political debates and so I decided to form my opinion by testing the tool, available here, myself.

It is essentially a Python script, which requires two Python tools, called shodan and blessings.

Autosploit also requires you to have a Shodan API key.

You can get one by signing up for Shodan.


How it works

Autosploit will check for PostgreSQL and Apache services to get started and will then display a menu with four choices.


I first started gathering hosts by using the Windows keyword. 

Before moving to the exploitation stage, I redirected all traffic through Tor.

When we choose option 4 (Exploit), Autosploit will automatically return all relevant Windows exploits.

There seems to be no way to select an individual exploit at this point. However, any evaluation of this tool can't overlook that it's still at a very early stage of development.

The way it is structured so far, it looks like all available exploits are run one after another, which can be good in terms of automation but not always desirable for an effective pentest.

In the wrong hands, it could surely cause a lot of mayhem and noise.
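Running every matching exploit one after another against a host is what makes such a run noisy, and that noise is detectable. The following is an added example, not part of the original post or of Autosploit: it flags a source that trips several distinct IDS signatures against one destination within a short window. The alert tuples, signature names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IDS alerts: (timestamp, source IP, destination IP, signature).
# Addresses are from documentation ranges; signature names are made up.
SAMPLE_ALERTS = [
    # One source, five different exploit signatures on one host in two minutes.
    ("2018-02-05T10:00:01", "203.0.113.7", "192.0.2.10", "smb-rce-attempt"),
    ("2018-02-05T10:00:20", "203.0.113.7", "192.0.2.10", "rdp-rce-attempt"),
    ("2018-02-05T10:00:44", "203.0.113.7", "192.0.2.10", "iis-overflow-attempt"),
    ("2018-02-05T10:01:10", "203.0.113.7", "192.0.2.10", "ftp-overflow-attempt"),
    ("2018-02-05T10:01:55", "203.0.113.7", "192.0.2.10", "http-traversal-attempt"),
    # Same signature repeated: one noisy check, not a spray of different exploits.
    ("2018-02-05T10:02:00", "198.51.100.23", "192.0.2.10", "smb-rce-attempt"),
    ("2018-02-05T10:02:05", "198.51.100.23", "192.0.2.10", "smb-rce-attempt"),
    ("2018-02-05T10:02:09", "198.51.100.23", "192.0.2.10", "smb-rce-attempt"),
    ("2018-02-05T10:02:15", "198.51.100.23", "192.0.2.10", "smb-rce-attempt"),
    # Four distinct signatures, but spread over hours.
    ("2018-02-05T08:00:00", "198.51.100.50", "192.0.2.20", "smb-rce-attempt"),
    ("2018-02-05T10:00:00", "198.51.100.50", "192.0.2.20", "rdp-rce-attempt"),
    ("2018-02-05T12:00:00", "198.51.100.50", "192.0.2.20", "iis-overflow-attempt"),
    ("2018-02-05T14:00:00", "198.51.100.50", "192.0.2.20", "ftp-overflow-attempt"),
]


def find_exploit_sprays(alerts, window=timedelta(minutes=5), min_signatures=4):
    """Return {(src, dst): signatures} for pairs where one source triggers at
    least min_signatures distinct signatures on one destination inside a
    sliding time window. Both thresholds are assumptions to tune locally."""
    by_pair = defaultdict(list)
    for ts, src, dst, sig in alerts:
        by_pair[(src, dst)].append((datetime.fromisoformat(ts), sig))

    flagged = {}
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            sigs = {sig for _, sig in events[start:end + 1]}
            if len(sigs) >= min_signatures:
                flagged[pair] = sorted(sigs)  # signatures seen when the threshold was hit
                break
    return flagged


if __name__ == "__main__":
    for (src, dst), sigs in find_exploit_sprays(SAMPLE_ALERTS).items():
        print(f"possible automated exploit run: {src} -> {dst}: {', '.join(sigs)}")
```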


Wrap-up

Automation allowed some of the greatest achievements of mankind to be possible.

However, in information security, automation isn't always possible or desirable.

Sure, such a tool in the wrong hands could wreak havoc, but any tool can be used for good or bad and the author isn't necessarily to blame for this.

I'm not personally convinced that this tool, the way it is structured so far, might help with an efficient penetration test.

No two systems are created equal and, without a proper reconnaissance stage, tools like Autosploit can be a total waste of time.

However, rather than the Autosploit author, others should be blamed. 

Corporations and organizations not following best practices, not updating their devices and exposing themselves to a Shodan scan for this reason, have no one to blame but themselves.

We might surely witness an increase in arrests of dumb script kiddies, so I strongly advise you not to do anything stupid you might regret one day.

Given the political witch-hunt climate, all authorities want is to send some hackers to the stake, so please please think twice before ruining your life.
