1. Sniper

Sniper

About this tool

Sniper automatically exploits known, widespread vulnerabilities in high-profile software. The tool gains remote command execution on the vulnerable targets and automatically runs post-exploitation modules to extract interesting data (artefacts) as solid proof for vulnerability validation.

We developed Sniper to bridge the gap between results that common vulnerability scanners produce (e.g. Nessus, Qualys, OpenVAS) and the attack methods real threat actors use. While vulnerability scanners generate a high volume of potential issues, which also include a lot of noise and false positives, real attackers commonly focus on a few highly effective and targeted intrusion techniques.

Sniper is a custom tool that implements a set of modules for exploiting the most critical vulnerabilities in high-profile software that the majority of companies in the world use. The tool mimics the exploits and attack techniques found in real world scenarios to determine the truly vulnerable systems.

After a successful exploitation, Sniper automatically runs post-exploitation modules which extract interesting data from the target system as solid proof of intrusion. We call this data artefacts. Here are some artefact examples:

  • Current user (ex. nt authority/system)

  • System information

  • List of local users

  • List of running processes

  • Network configuration

  • Network neighbors

  • Network connections

Security teams and specialists can use all this data to continue their pentesting work into the network (manually, by the pentester) and for vulnerability validation.

When Sniper succeeds in exploiting a vulnerability, system administrators must act straight away, as the risk is real and attackers can exploit it at any given moment. This tool helps you become very effective at filtering out the noise that vulnerability scanners create, eliminating false positives, and helping you focus on the vulnerabilities that matter.

Exploit modules

This is the complete list of modules and capabilities currently available in Sniper:

Artefacts

Artefacts are data from the target system which Sniper automatically extracts after one of the exploits succeeds. Their purpose is to provide solid proof that the target is vulnerable and to help in further manual exploitation, if necessary.

The artefacts are extracted by running predefined shell commands on the target, depending on its operating system. For instance, to extract the current user on a Linux system, the extractor will run the command whoami whereas on Windows it will run the command net user.

This is the list of artefacts that Sniper is able to extract:

  • Current user: The name of the current system user that the exploit code is running as (e.g. root, Administrator or www-data)

  • System information: Information about the operating system like OS type, version, kernel, processor architecture, memory size, etc.

  • List of local users: A listing of the users currently configured on the operating system (ex. from /etc/passwd)

  • List of running processes: A listing of the operating system processes that are currently running.

  • Network configuration: The settings of the network interfaces of the target machine (e.g. IP address, network mask, default gateway, etc)

  • Network neighbors: A list of devices existent in the same local network as the target (layer 2).

  • Network connections: The list of open ports and established TCP connections of the target with other systems in the network.

Parameters

  • Target: Specifies the system that will be scanned. Target can be an IP address, hostname or an URL.

  • Attack type: Specifies whether to use Sniper in unauthenticated mode or in authenticated mode.

    • unauthenticated - Sniper loads all the exploit modules and tries to gain an exploit session through which it will run the extractors to obtain artefacts.

    • authenticated - Sniper will require valid authentication credentials for any of the supported protocols in order to establish a legitimate connection through which will only run the extractors.

  • Ports to scan: These are the ports that Sniper will try to automatically fingerprint and attack. Can be specified as common ports, range or list.

  • Extractors: Choose the artefacts you want to be extracted from the target:

    • Basic system information - information about the current user, current working directory, computer name, IP address, architecture, domain, language, hot-fixes.

    • Local users - a listing of the users currently configured on the operating system (ex. from /etc/passwd)

    • Processes - a listing of the operating system processes that are currently running.

    • Screenshot - a screenshot taken on Windows hosts, if an active user is logged on the target system.

    • File system - a listing of interesting files and folders extracted from the target.

    • Network data (network graph, configuration, neighbours, services) - an interactive network graph, settings of the network interfaces, a list of devices existent in the same local network as the target (layer 2), a list of open ports and established TCP connections of the target with other systems in the network.

    • Interesting files - a listing of interesting files and folders extracted from the target. (for Local File Inclusion modules)

    • Secrets - a listing of interesting information extracted from the target. (for custom capability modules)

  • Safe exploits only: Specifies whether to load or not the unsafe exploits for scanning. An exploit is deemed unsafe if it can crash the target system (e.g. Blue Screen of Death on Windows machines).

  • Currently available unsafe exploits:

  • Scan options: Additional scan options

    • Check alive - Checks if the host is alive before scanning for open ports.

    • Extensive modules - Includes modules that run for an extended period of time due to fuzzing on multiple endpoints and query parameters (CVE-2022-42889).

How it works

Sniper runs a number of predefined steps for each target:

1. Scanning for open ports

This is the first phase the attack, which checks if the TCP ports specified as input are open or not. The result of this phase is a list of open ports, together with the protocol, type of service and its version.

2. Fingerprinting web services

Next, Sniper iterates through each port that runs a HTTP/S service and tries to determine what type of web application is running, whether it is a standard app (e.g. Outlook Web Access, VMWare web interface, etc) and which technology sits behind it. This information is needed to select the appropriate exploit to run against it.

3. Looking for compatible exploits

Based on the fingerprint data about the target system, Sniper then filters a list of possible compatible exploits that match it.

4. Checking if the target is vulnerable

At this stage, the tool runs the check routine for each compatible exploit that determines whether the target is exploitable - without extracting any data.

5. Exploiting and extracting all artefacts

If the previous step succeeds and the target is exploitable, Sniper automatically proceeds to extract all the artefacts and show them in the output report.

6. Cleaning up

Most exploit modules do not create any files or processes on the target system so no cleanup is necessary. However, when they do, Sniper makes sure that they are deleted, so the system is left unaltered and clean.