AutoSploit: Automated mass exploitation of remote hosts using Shodan and Metasploit

A “cyber security enthusiast” that goes by VectorSEC on Twitter has published AutoSploit, a Python-based tool that takes advantage of Shodan and Metasploit modules to automate mass exploitation of remote hosts.


“Targets are collected automatically as well by employing the API. The program allows the user to enter their platform specific search query such as; Apache,IIS, etc, upon which a list of candidates will be retrieved,” the tool’s creator explained.

“After this operation has been completed the ‘Exploit’ component of the program will go about the business of attempting to exploit these targets by running a series of Metasploit modules against them. Which Metasploit modules will be employed in this manner is determined by programmatically comparing the name of the module to the initial search query. The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions.”

Users of the tool can add more modules by merely editing the used modules.txt file.

Mixed reactions

The public release of the code has elicited mixed reactions from the information security community.

Most of those who lamented the move noted that the tool is a boon for script kiddies, and some said it might be even considered malware.

It is true that every tool can be used for good and bad purposes, but AutoSploit is much more likely to be used for the latter.

Others pointed out that the idea behind the tool and the tool itself is so simple that any script kiddy could have written it, and chances are that some variant of this script has been created and is being used by many attackers already.

Errata Security CEO Rob Graham, says that the release of AutoSploit is a good thing for cybersecurity.

“Anything that makes a script-kiddy’s job easier means such systems are hacked then fixed with little actual damage, making them less vulnerable to well-funded cybercriminals and nation-states,” he opined.

Others still argued that AutoSploit doesn’t make any more people a target. “It just makes those targets an order of magnitude more likely to be popped because of the accessibility and ease of use of this tool.

But whatever your opinion is on this issue, the fact of the matter is that the code is now public, and already in the hands of many – there is no going back.

With that in mind, some have decided to help users not become a victim of AutoSploit (or anyone else who uses Shodan to pinpoint vulnerable servers):

The AntiAutoSploit tool obviously has its limitations and is a poor substitute for fixing the actual vulnerabilities/implementing patches regularly, but could be of some help as script kiddies (and possibly other attackers) rush to take advantage of AutoSploit.