AutoSploit recently made news as a potential cyber security threat. The concern stems from the view that AutoSploit is an automated version of the Metasploit package found in Kali Linux, an open source Linux distro popular for pen testing.
I was curious to read people’s reactions to AutoSploit – I was wondering why automating features of a Kali Linux distro would be a problem. I didn’t understand the threat of configuring and using 5 tools manually versus configuring the same 5 tools and hitting one button to start the process.
AutoSploit was authored by Real_Vectors, who announced the release on Twitter and made the code available on GitHub. I read the comments and determined there are generally two camps of responses: one is ‘this is terrible!’ and the second is ‘nice tool’.
The nay-sayers surface arguments about empowering the ‘Script Kiddies’ with automated hacking and how unethical it is. Those who view it as a useful tool couldn’t wait to use it in their current workflows.
There’s nothing new here. Automated scripts are nothing new in computer security; the necessary discussion is one of ethics and intended use. Anyone can take a valid tool or service and use it for criminal purposes – be it a car, a gun, a pencil sharpener or a hairdryer. Keeping products and services out of the hands of ill-intended individuals isn’t realistic, especially from an open-source perspective where we want people to have and use the tools others have made. It’s what makes open-source so powerful and useful. Without open-source, we wouldn’t have Kali or Parrot; we’d only have expensive proprietary products.
It’s up to the individual to either use pen tools ethically or to cross the line. An automated process isn’t going to change a person’s character.
There will always be people seeking more efficient ways to perform a task. If networks are protected against individual Metasploit attacks, then automating these attacks shouldn’t matter.