Poll: Should Hacking Tools Be Released As Open Source Software?
You do not have permission to vote in this poll.
Yes
83.33%
5 83.33%
No
16.67%
1 16.67%
Idk
0%
0 0%
Total 6 vote(s) 100%
* You voted for this item. [Show Results]

Is releasing hacking tools a bad idea?
#1
This question has been asked on twitter quite a bit. Should you release hacking tools to the public as open source projects? On one side people say that you're arming cybercriminals, APTs, and script kiddies with effective weapons. Why would you release offensive tools knowing you'll be fighting against them in just a short time? I haven't heard much for the other side. A lot of big names in infosec support the "don't release tools" side. I've already made up my mind on the issue (and some of you could probably guess my position) but I am open to having my mind changed. I want to hear what you guys think. Vote on the poll and reply to the thread.
Reply
#2
To an extent.

First it's important to understand the duality.
If open-source security tools aren't released publicly and in an open-sourced manner to show software developers how attacks can potentially be carried out against a piece of code, then developers will simply overlook learning how to write secure code since they don't know what's considered insecure and why.

So, in a sense, open-source software enforces security as a tool for developers to learn how to mitigate the most common attacks and that's probably the best argument we have for the sharing of open-source applications and exploits.
And yes, 0days exist, so someone might argue that open-source tools shouldn't be shared because even learning from them won't stop a 0day.

But to quickly address that, 0days typically aren't open-source anyway until they get patched/leaked, so that's a bit of a strawman.



But, as counterpoint, since it's certainly not fair to entirely bias myself to one side of a two-sided argument...

Consider what sqlmap did to the webdev community.
Absolute hellscape given its power, and the severity of SQLi is pretty massive. Yeah, the DB shouldn't store data that's too sensitive like plaintext credit card info, so that's on the developer of the site.

But still, it's the main driving factor behind tons of SQLi attacks, and even if stuff like credit card info isn't dumped, stuff like hashed passwords (typically something insecure, over the last two years more migration to bcrypt) and emails, which can later be used for spamming (or trying to blackmail maybe if they get the password dehashed.

I use sqlmap as an example specifically because it's insanely powerful. Lots of scripts and tools you find online just scan for something, then using whatever data it finds, plugs it into exploit-db, then spits out what the server might be vulnerable against (take wpscan for instance.) But in sqlmap's case, it's incredibly feature-rich in defining injectable parameters, does full blind injections, tries conditional injections, tries different SQL syntaxes based on the DB backend running on the machine, tries different encoding schemes, header data, basically anything you could possibly ask for in a sqli script.

If things like sqlmap (or the even skiddier but also more useless SQLdumper) were closed-source or somewhat unavailable to the general public, not only would we encounter less cyber attacks than we currently do, and we'd also have WAY less skids online. Don't get me wrong, the same number of people would still be coming to sites like these and asking stupid questions, but unless they were actually dedicated to the craft, they wouldn't get far enough to skid around too hard.



Consider another counterpoint, for the hell of it.

What about fuzzers? Nightmare, AFL++, etc. If you're going to get literally ANY value out of using something like that for regular binaries or source code, you're going to actually know something about development, probably to the same degree that you'd need to know how to write the exploit anyway. Of course, code sample always help from people trying to exploit something before you, but at the end of the day, it's still up to you to put something together for your specific use-case.

But sqlmap is a fuzzer, isn't it?



So, my opinion?

Yeah, but only to some extent. It's a pretty subjective boundary.

sqlmap is great. It deserves to exist, alongside all sorts of other tools. But when it can do something to the extent of doing literally ALL of the work for you in both vulnerability scanning AND exploitation, then you've got yourself a problem.

AFL++ is also great. It does all the really hard vuln scanning for you, yeah, but still, writing your exploit is still up to you to figure out and will most likely involve some pretty niche topics.

Now consider a company like Tenable and their flagship product: Nessus Scanner.
Nessus is insanely powerful in finding vulnerabilities and even claims to find 0days.
The difference is that:
1. Nessus is closed-source (SaaS)
2. Nessus is paid (and extremely expensive -- way out of the budget of your average skid.)
(Yes I know they have a free version. You're better off just using Nikto it's such fucking ass.)

Now, I want you to consider the fact that detection rates are going up on unsigned code or applications. Like, just for making your hello world in an unconventional way, you're going to probably just get 4 or 5 detections for using a B64 string somewhere in there. But throw a code certificate on there and you've got yourself a whole fucking greencard that lets you more or less do whatever you want (and ask for admin permissions from the user without hesitation.)

Thus, it may be likely that in the future, unsigned code may only be allowed to run in a VM or something, and people would need to apply from Microsoft/Apple (or some other partner) and actually register themselves as a developer before they can write applications to share (of course developing for personal use is fine, but you can only run your compiled code in some kind of VM since it isn't signed, so open-source isn't completely impeded)

Now, that's an extreme scenario, but we really are seeing a push for more signed code, and if pushed too far, might completely kill off the field of computer science lmfao.

Anyway, back to my points, and my conclusion.

If tools like sqlmap that were so insanely powerful were paywalled (or if the user had to register for a license properly, and cracks were actually 'cracked down' on lol) then we wouldn't see as much skidding. We also wouldn't see as many cyber attacks because it would be much easier to see what tool was used to carry out an attack, then tie the IP to a user, and find someone who had a license to that tool in their general area, and ultimately get a warrant.



Now, I need to clarify.

Christ, I don't fucking support a world like that.
Let me tool if I want to. Let me code if I want to, and let me share my damn code if I want to. And finally, if someone does something naughty and blames it on my code, tell them to fuck off and legally protect me from the fucker with my code if I want to.

And of course, let me learn from other code samples.

But, at the end of the day, there's tons of incredible tools out there that, if they were paywalled, could probably earn the developers a shitload of money on top of the salary from wherever they're working at now. I use sqlmap as an example, but honestly it can apply to a variety of things. What about QuasarRAT (1.4 released 2 weeks ago btw) that takes over a user's (windows) system entirely? Or PSEmpire, for a fileless solution that does basically the same thing? Or the whole PRISM-AP framework that can get you all the data you want from everyone at your local coffee shop (or your neighbor since it's social distancing season)?

Stuff like this makes things a bit --too easy-- and as a result, become a really hot topic for all the skids.
But reduce availability of tools that suffer from these circumstances, and you should notice a pretty big drop in attacks.
I mean hell -- If you only provide source, 90% of them won't figure out how to compile it or fix it so that it compiles on their machine, so that'll also mitigate most of the problem. Not even open-source being the problem, it's that too much is done to help people get into the field, and as a result, the field as a whole both suffers from the negative reputation, but also stays in employment because now they have a bunch of new threats to deal with.



Double-edged sword.
I say keep em, but powerful stuff that doesn't need to be compiled (i.e. run a script or download the binary) shouldn't be so readily available.
Reply
#3
Quality OSS tools help the industry, individuals and take some wind out of the sails of Blackhat Enterprises. What i mean by that is that if tooling of high quality would not be readily available as OSS, BH Enterprises would have another market to sell their wares in.

If i write an OffSec framework that makes hacking into high value targets a breeze, consider the following. For one, it will kickstart innovation with regards to defensive tooling and techniques. We all know how a lot of big businesses fail to take security seriously. Say it's a creditcard company, now, i'm not a socialist but i don't lose any sleep over big banks losing money. However the customers of this hypothetical CC company are the ones that will be most affected by say a databreach, where a boatload of CC gets stolen.

If we can make companies like the one in my example and real life ones take security more seriously by releasing tooling that could potentially affect their bottom line and/or reputation in a serious manner, then that is a win in my book.

If organizations take their security seriously it will benefit the end users/clients of those organizations.


Another thing i think is important is making tooling and research available for people trying to get into the field. I can't tell you how much i've learned just by reading the source code from projects i thought were interesting.
Not only that, if i feel like i want to release a tool i think i should be able to do that. Even if it's a very powerful tool that can be potentially damaging. What people do with my tools is not my responsibility, we have laws for cyber crime. And i shouldn't have to police my users, let the police, police the users if they want to and the users are doing stuff that was illegal to begin with.

Some of you may not like this analogy but i think it's applicable. If i were a gunsmith and made guns for a living all i am doing is creating tools. How they are used is up to the people using them. Back to cyber...

A notable exception is tools i build for personal or professional use, whether it's a type of malware or vuln scanner. I won't Open Source tools that i employ in active engagements generally speaking.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Security/Hacking Ebook Collection Insider 134 222,421 07-18-2020, 08:20 AM
Last Post: Vice
  Vigilante Hacking - Heroes or Menaces DeepLogic 12 6,257 07-14-2020, 04:34 PM
Last Post: poppopret
  Can you name a few open source tools for offline password cracking? ShadowRaider 2 2,181 06-30-2020, 01:54 AM
Last Post: poppopret
  Is learning Games Hacking useful? Bass_R33v3s 8 4,106 06-16-2020, 12:58 AM
Last Post: Bass_R33v3s