AutoSploit

Not hate mail.

Open Ekultek opened this issue 6 years ago • 54 comments

You realize you just opened Pandora’s box on every able body in the world right? I love it, keep it up man.

Ekultek avatar Feb 02 '18 23:02 Ekultek

Lol thanks. Version 2 is going to be a team effort. Feel free to contribute if you'd like :+1:

NullArray avatar Feb 02 '18 23:02 NullArray

Lol I’ll see what I can do, question about it though. Can you set proxies for the searches, haven’t had a chance to actually look at it yet.

Ekultek avatar Feb 02 '18 23:02 Ekultek

The way in which the hosts are gathered is through Shodan. Using shodan.io to find internet connected devices is not illegal so i don't know why you would want to proxy the connection to the search engine.

NullArray avatar Feb 02 '18 23:02 NullArray

Fair enough, thank you.

Ekultek avatar Feb 02 '18 23:02 Ekultek

FWIW after reading the reply here I located a passage in a book where Shodan's founder notes it's "not an anonymous service" and expresses approval of law enforcement action; one of the authors has worked extensively in government. This code is not illegal in itself and I'm not for such activity but SOCKS5 and/or Tor support would not be that hard.

Also congrats on earning the attention of the White House. :)

ageis avatar Feb 03 '18 22:02 ageis

Thank you for looking that information up @ageis and yeah lol, i was pretty surprised someone from the White House was even commenting on this. AutoSploit really went viral.

Also, @Ekultek i think it should work fine through proxychains yeah. Haven't personally tested it, and it might be possible to add proxy support natively, if that's not a bit overkill.

NullArray avatar Feb 05 '18 08:02 NullArray

AutoSploit is also mentioned over here - Digi.no is a Norwegian tech publishing news site. They raise concern that more users would be able to perform attacks. Great work, would be fun to test drive it. Keep up the good work.

kimocoder avatar Feb 05 '18 13:02 kimocoder

People are ridiculous. How about instead of bashing the creator of it, they say thanks for showing us where we have issues I'm gonna help you develop this thing into a security experts fucking nightmare because they deserve it.

Ekultek avatar Feb 05 '18 18:02 Ekultek

You also made it on securitybuzz, congratulations man, you're famous

Ekultek avatar Feb 05 '18 18:02 Ekultek

Lol, i suppose i am. Not quite sure whether this is a good or a bad thing yet.

NullArray avatar Feb 05 '18 22:02 NullArray

Gotta respect this man for seeing the real problem:

On the other hand, Chris Roberts, chief security architect at Acalvio states:

“The kids are not more dangerous. They already were dangerous. We’ve simply given them a newer, simpler, shinier way to exploit everything that’s broken. Maybe we should fix the ROOT problem”.

Ekultek avatar Feb 08 '18 00:02 Ekultek

Interestingly Rapid7 had something to say about this as well. I thought their assessment was reasonable.

On Random Shell Generators by Rapid7

Also, i like that they updated the article to include the fact that i intend to have functionality to load a single host or custom list in the new version. The reason why i am adding it is to make the tool more precise and enhance its utility no matter the engagement. Shodan lookup will remain as an option as well though.

NullArray avatar Feb 08 '18 05:02 NullArray

@NullArray Rapid7 is usually pretty good at these kinds of things. I have massive respect for their teams and their company.

Ekultek avatar Feb 08 '18 16:02 Ekultek

It’s really easy to use tor, check my Mjolnir repo ( it’s a DoS tool :p)

navanchauhan avatar Feb 09 '18 03:02 navanchauhan

Hey @Ekultek got a way of contacting you via IM? Or something similar, i'd like to discuss some things with you. Perhaps add you as a collaborator with push/write access to the AutoSploit repo as well. Since you have been contributing so much. I'd love to get in touch, if you'd be interested.

NullArray avatar Feb 16 '18 18:02 NullArray

@NullArray yo, just got home, yeah do you have discord?

Ekultek avatar Feb 16 '18 18:02 Ekultek

Nah i don't have discord but if you have a way for me to send you a private message i will send you my XMPP addy so we can speak directly.

NullArray avatar Feb 16 '18 21:02 NullArray

[email protected]

send an email there and i'll direct you to my secure email

Ekultek avatar Feb 16 '18 21:02 Ekultek

For sure, i'll hit you up in a bit.

NullArray avatar Feb 17 '18 15:02 NullArray

@NullArray alright man, talk to ya soon.

Ekultek avatar Feb 17 '18 17:02 Ekultek

@Ekultek I've sent you a message and i am looking forward to your reply. :+1:

NullArray avatar Feb 19 '18 09:02 NullArray

@NullArray I received it and replied from my secure email.

Ekultek avatar Feb 19 '18 12:02 Ekultek

At this point you could open up a Discord server to chat with contributors

NatoBoram avatar Feb 23 '18 04:02 NatoBoram

@NatoBoram I’m not against that at all.

Ekultek avatar Feb 23 '18 05:02 Ekultek

@NatoBoram discord server setup here's the invite https://discord.gg/9BeeZQk

Ekultek avatar Feb 27 '18 23:02 Ekultek

Hey, i've been away for a while, so i am out of the loop. Will catch up around Monday when i have some time on my hands.

NullArray avatar Mar 10 '18 23:03 NullArray

@NullArray HE LIVES!

Ekultek avatar Mar 10 '18 23:03 Ekultek

So since this is basically the general 'off-topic' discussion thread with regards to this project, i just wanted to let people know that if they need to contact me through any other media than Github please feel free to DM me on twitter at https://twitter.com/Real__Vector

Alternatively i respond to PMs over at GreySec Security Forums

Oh and since i had a corrupted filesystem on one of the boxes i use, i haven't been around on the discord server either, since i happened to use that box for discord. Haven't gotten around to fixing it yet so i figured i would post some alternatives.

NullArray avatar Mar 23 '18 15:03 NullArray

Look at what I started, a general discussion. You’re welcome world

Ekultek avatar Mar 24 '18 22:03 Ekultek

A general discussion with regards to the project of course. Feel free to change the label if you can think of a more suitable one. Just figured i would label the conversation here as off topic and non-technical for the most part.

NullArray avatar Mar 30 '18 06:03 NullArray

This thread has been dead for far too long. Someone talk

Ekultek avatar Apr 01 '18 00:04 Ekultek

Well, I have read the thread, guys, and it seems that this tool is very powerful. And I like it because I am a script kiddie, can I use it to sneak into my ex's computer? haha

N1kRolexx avatar Apr 04 '18 13:04 N1kRolexx

@N1kRolexx I mean if that's what you want to do. It's not that it's powerful, it's that it brings to light a whole new playbook

Ekultek avatar Apr 04 '18 14:04 Ekultek

@Ekultek Yep, I know. Just a joke, I'm not that interested in my ex :) Anyway the tool is very powerful, it can gather a huge amount of hosts, then you load your exploit pack and here it goes. Thousands (maybe) of exploited devices. However I'm not interested in this :) I'm interested in bypassing https. Do you know maybe some ways of making this possible?

N1kRolexx avatar Apr 04 '18 14:04 N1kRolexx

Merged for V2.1 release guys.

NullArray avatar Apr 04 '18 15:04 NullArray

@N1kRolexx Use port 80 instead of port 443. HTTPS bypassed.

Ekultek avatar Apr 04 '18 16:04 Ekultek

@Ekultek Ahah, nice joke)))) (no)

N1kRolexx avatar Apr 04 '18 17:04 N1kRolexx

@N1kRolexx I’m serious, find a website that allows connections to port 80, redirect to HTTP use Burp. If you’re talking about deciphering the SSL itself, you’ll need the certificate key

Ekultek avatar Apr 04 '18 18:04 Ekultek

I was just thinking how awesome it is that through collaboration with multiple devs and contributions small or big, AutoSploit has really evolved into something amazing. I love the fact that this has become an Open Source endeavor in the truest sense of the word, and i would like to thank everyone who has been involved with the project thus far.

You guys are great (n_n")

NullArray avatar Apr 12 '18 01:04 NullArray

Haha, you’re the best man

Ekultek avatar Apr 12 '18 01:04 Ekultek

Almost at 3000 stars exactly! Pretty good milestone. :)

NullArray avatar Apr 25 '18 16:04 NullArray

Lol, yeah man, you did good with this one

Ekultek avatar Apr 25 '18 16:04 Ekultek

I hear AutoSploit got mentioned at Thotcon, if you're reading this Thotcon attendees, hi!

NullArray avatar May 05 '18 18:05 NullArray

Bullshit?

Ekultek avatar May 05 '18 19:05 Ekultek

No for real, someone that was in attendance reached out to me :+1:

NullArray avatar May 07 '18 10:05 NullArray

Made a drastic change to the system call for starting services see https://github.com/NullArray/AutoSploit/commit/b998ad8b26ed10b8bd8b095241a808b111ffa574

Ekultek avatar Jun 08 '18 14:06 Ekultek

@Ekultek Opened a Pandora's box with a Metasploit wrapper? Oh, I don't think so

wintrmvte avatar Aug 25 '18 13:08 wintrmvte

@TheSecondSun it’s a little more advanced than a Metasploit wrapper. I can see how people could get confused though. Have you even actually used it?

Ekultek avatar Aug 25 '18 13:08 Ekultek

@Ekultek Not really, thus I definitely will give it a try in my homelab :) But in my opinion, this tool is a bit too noisy and aids only with blind exploitation against blackbox environments exposed in the web. Correct me if I am wrong

wintrmvte avatar Aug 27 '18 17:08 wintrmvte

@TheSecondSun i use it as a pentest automation tool when I have other things to do, it has the ability to pass your own IP addresses into it and use those instead of blind exploitation.

Ekultek avatar Aug 27 '18 17:08 Ekultek

@Ekultek does it also implement scanning capabilities?

wintrmvte avatar Aug 29 '18 07:08 wintrmvte

@TheSecondSun it’s specifically geared towards exploitation. There has been talk about implementing a full pentest framework

Ekultek avatar Aug 29 '18 12:08 Ekultek

Hello everyone, I'll be working on all the bug fixes tomorrow. So there should be a fix here soon

Ekultek avatar Aug 30 '19 22:08 Ekultek

@Duplicitious as in run one exploit against a host?

Ekultek avatar Sep 03 '19 20:09 Ekultek