back to article New click-to-hack tool: One script to exploit them all and in the darkness TCP bind them

Python code has emerged that automatically searches for vulnerable devices online using Shodan.io – and then uses Metasploit's database of exploits to potentially hijack the computers and gadgets. You set this script running, it crawls the internet looking for machines that are possibly vulnerable to attack – typically due to …

Silver badge

"Just because you can do something etc"

Also, don't hire elvish contractors to evaluate whether your IT systems are secure, because they will say both yes and no.

12
0
Silver badge
Coat

"Oh You Never Would Believe...

...where those Keebler hackers come from."

Mine is the hoodie with the Fudge-Striped Array drives in the pockets.

8
0
Silver badge

Re: "Just because you can do something etc"

Actually, intuitionistic/constructivist logic should be used instead.

"Is it secure?" will be left unanswered until a concrete exploit is on the table, upon which the answer becomes "no".

10
0

This post has been deleted by its author

Silver badge

This will be out there, no matter the admonishments

Kid sploiters will find all and won't read the TOS.

Batten your hatches instead of suggesting that nice people don't do these things.

8
0
Silver badge

Script kiddies will use it

And they will get caught.

And then we'll have another teen fighting an extradition to Gitmo.

6
0
Bronze badge

Re: Script kiddies will use it

There will always be the type ready and willing to chuck themselves under the bus. Then there will be the type who combine this type of automated drive by attack from the safety of someone else's compromised box

13
0
Silver badge

Re: Script kiddies will use it

And then we'll have another teen fighting an extradition to Gitmo.

Yes, it must be quite disconcerting for those with Aspergers, and their families, to watch as yet another low skilled hacker retrospectively discovers they have the condition, which will suddenly clear up five minutes after the trial ends.

If I provided evidence that some medical condition, lets call it Smallus Equipmentus, inadvertently led me to speed whenever I went near a car, and there was no cure for Smallus Equipmentus, then either society forever runs the risks associated with my speeding, or it bans me from driving until cured (effectively then, for life).

If we changed extradition law such that the reliance on an incurable condition as part of your defence would automatically result in a permenant ban from using a computer, in the case of hacking charges, a lot of these wannabe's would have to think twice before engaging in the hacking that will saddle our legal system with massive costs.

5
12
Gold badge
Unhappy

"We're surprised it took this long."

TBH....

Me too.

OTOH this is the open world.

If I were a Black hat I'd develop this for my personal toolkit to increase my "productivity." You'd not know I had it unless you got hold of personal development environment. You'd only be aware of it by the number of hits on the .io database and (possibly) the activity of a metasploit run if I'd hosted it on a (compromised) cloud account.

Think of it as the Black hat equivalent of constructing your own light saber.

So my suspicion* would be top grade Black hats have tools like this but they are smart enough to fly below the radar by keeping them to themselves.

*Just a deduction. I don't know any Black hats. I don't know how to talk to any and I don't know how to find them.

18
0

"As with anything, it can be used for good or bad," the security researcher added. "The responsibility is with the person using it. I am not going to play gatekeeper to information. I believe information should be free and I am a fan of open source in general."

It is important to have an open mind, but not so open that your brains fall out.

11
0
Anonymous Coward

If exploits exist then what better way to have them removed

Like with Intel waiting months after being told of vulnerabilities before admitting the fault but not stopping sales of the effected hardware, vendors often wait too long before fixing problems.

Once a vendor is told a problem exists then every victim who suffers after that point is down to the vendor and people should be able to sue to any losses.

If every known hole is closed then it will take time for any new exploits to filter down to someone who is going to make them public domain like this dev has. More than enough time for the vendors to plug the holes in their sinking ships.

As the saying goes "if we don't make giant mutant firebreathing camels first then someone else will and we will be caught with our pants down"

8
1
Silver badge

Re: If exploits exist then what better way to have them removed

> Once a vendor is told a problem exists then every victim who suffers after that point is down to the

> vendor and people should be able to sue to any losses.

No. The vast majority of systems that get pwned are due to known exploits for which a vendor patch exists. The fault for these lies with the stupid moron user / IT dept that did not install that patch.

5
0
Megaphone

What is this Shodan.io database? Can it be searched to see if a particular corp/enduser shows up, meaning...?

2
0
Silver badge

A quick Google and Bob's your uncle: https://en.wikipedia.org/wiki/Shodan_(website)

4
0

The time has come

I've been in hardware and software design for over 30 years; I cut my teeth on an IBM 1130 and I haven't looked back since.

I am glad these tools come out - the tools that make fuzzing easier make me a better engineer. If an IT pro is worried about how this will impact his/her company then grow the fuck up.

You either pay your staff to make secuity their full time job, or your companies stock drops. It is so easy to let yourself in the back door or even the front door in todays infrastructure, automated sploits should be the least of your worries.

With state sponsored espionage the norm these days, that Fortune 500 companies continue to farm out work to the lowest bidder if at all, I am the person that you shouldn't detest, but be glad that I exist.

Your choice - talk to me now, or see me later.

12
2
Silver badge

Re: The time has come

You sound like such a charming fellow.

1
6
Anonymous Coward

Re: The time has come

You sound familiar..Didn't you used to work for Equifax?

1
0
Silver badge
Thumb Up

Re: The time has come

Amen to all of that, YetAnotherJoeBlow.

Know what you are doing and why you are doing it far better than anyone/anything else, and you are priceless and that makes you a valuable asset to be garnered/milked/protected/bought and brought inside systems rather than be left outside to continue to decimate them.

7
1
Silver badge

This is nothing new , or we wouldnt have had the term "Script kiddie" since the eighties

8
0
Silver badge

This is nothing new , or we wouldnt have had the term "Script kiddie" since the eighties

True, this is just a case of leaving a more efficient chainsaw out near the reach of chubby reeces pieces stained fingers, when they already had hold of a circular saws and other nasties.

3
0
Anonymous Coward

"As with anything, it can be used for good or bad"

It's pretty hard to invent a "good" use for this, although perhaps I'm lacking imagination. You can make that argument for Shodan and Metasploit in isolation as they can be used by ethical pen testers in a focused way, but tying them together to allow indiscriminate pwnage by the completely unskilled is hard to justify.

Although as others have pointed out, it's not hard to do this kind of scripting and within reach of even marginally skilled bad guys. I imagine if you have an exploitable system indexed in Shodan, you're pretty much toast anyway.

3
0
Silver badge

It's pretty hard to invent a "good" use for this, although perhaps I'm lacking imagination.

Automating security updates to vulnerable kit?

2
0
Anonymous Coward

"Automating security updates to vulnerable kit?"

This script doesn't do that. Other tools do...

0
0
Silver badge
FAIL

I believe information should be free said "Vector"

Hmm, not too keen on liberating his own information I see, it's just other people's information that needs to be freed....

4
0
Silver badge

"Python 2.7"

How unfashionable.

1
0
Anonymous Coward

if those naughty TLAs hadn´t found all those bugs in the first place ....

or if they hadn´t hoarded them all up because this really is just a major case of ¨what goes around, comes around¨ or ¨not everything that should stay in Vegas, will stay in Vegas ...¨ or ¨wouldn´t it be grand if all software was formally proven to be bug-free ...¨

2
0

Shodan is evil

Shodan has long been, if not created for the sole purpose of exploiting others.

#1 use of it, hacking web cams, #2 looking for exploitable PCs and servers, now maybe loading crypto miners.

I have had nasty conversations with Shodan from them port scanning us every day for a year. They denied it, and said they scan things at most once a month - Unless they are hired to scan - anyone can hire them to scan anyone - I hope they all get cancer and die slowly.

0
4

Anyone who scans me...

...will have their subnet automatically and permanently blocked at the firewall, Shodan included.

1
1
Anonymous Coward

Re: Anyone who scans me...

"...will have their subnet automatically and permanently blocked at the firewall, Shodan included."

That should work well, if they're scanning you from Azure or AWS

2
0
Anonymous Coward

Defending Shodan

In Shodan's defence; one can either choose to blithely carry on, or one can use such services to identify and close holes.

The one thing you can depend upon is human fallibility when it comes to the design of complex systems. Mistakes will be made; particularly so where systems evolve. Checking back for them is just plain common sense.

The old advice to airgap systems has conclusively been proven as a non-starter. Shodan and Metasploit serve a useful service for those charged with defense. Eliminate the bloody obvious, and what's left will generally only be identified by the highly skilled and determined. Last I checked; the latter two categories are damn near impossible to block.

With minor tweaks the autosploit script is a useful, and in hindsight, bloody obvious tool in it's own right.

And yes, it's a script kiddies dream too. :-)

2
0
Gold badge
Unhappy

It's true you can't keep a *really* determined attacker out, but $deity can you stop the

f**kwitted stupid s**t from happening.

And I'd suggest a lot of the time it is the f**kwitted s**t that happens.

And as the Internet_of_Trouble grows more of it will accumulate with more core builds by code monkeys despite best practice reference builds being available.

Let's be real. Patching is always going to be a thing. It's a process, not an event. Get used to it and plan to do it. The test environment and the automation you will need to acquire can (and should) pay for itself in the various other tests you can run on new hardware for security, usability and compatibility. This is Systems Administration for adults, not running round like a headless chicken.

Tell your PHBs "Either we look for the holes in our security now, or let the Black hats find them first and f**k us (and by "us" I mean your bosses) up at their convenience." Because that's about the situation.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018