Overview
Sniper is an automated exploitation tool that identifies and exploits known vulnerabilities in widely-deployed software. After a successful exploit, it automatically extracts artifacts (system information, users, network data) as evidence of compromise.
Sniper is an exploitation tool: it actively attempts to exploit vulnerabilities to gain remote command execution. It does not add data to your Attack Surface or generate findings. Instead, it produces detailed reports with extracted artifacts as evidence.
Supported targets
| Target type | Examples |
|---|---|
| IP address | 192.168.1.1, 10.0.0.5 |
| Hostname | server.example.com, mail.corp.local |
Attack modes
Unauthenticated mode
Sniper scans for open ports, fingerprints services, and attempts to exploit known vulnerabilities to gain access.
Authenticated mode
Sniper uses provided credentials to establish a legitimate session and extracts artifacts without exploitation. Useful for post-authentication reconnaissance.
| Protocol | Authentication | Use case |
|---|---|---|
| SSH | Username/password or private key | Linux/Unix systems |
| WinRM | Username/password (NTLM or Basic) | Windows systems |
| SMB | Username/password with optional domain | Windows file shares |
| MySQL | Username/password with database name | Database servers |
Parameters
Port selection
| Option | TCP ports | Description |
|---|---|---|
| Top 100 ports | ~112 | Quick scan (default) |
| Top 1000 ports | ~1,009 | Standard assessment |
| Top 5000 ports | ~5,003 | Extended coverage |
| Full port range | 65,535 | All ports (slow) |
| Port range | Variable | Specify start and end port (e.g., 1-1024) |
| Port list | Variable | Comma-separated list (e.g., 22,80,443,3389) |
See Port lists for the exact ports covered by each preset.
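The two free-form options above ("Port range" such as 1-1024 and "Port list" such as 22,80,443,3389) are easy to get wrong when building a scan configuration programmatically. The following is an added example, not Sniper's own code, that validates and expands both forms into a sorted, de-duplicated set of TCP ports within 1-65535; it also accepts ranges inside a list (e.g., 22,80,8000-8010), which goes slightly beyond the two forms in the table. The named presets are not expanded here because their exact port lists are not on this page.

```python
"""Validate and expand the port range / port list formats from the table."""
from __future__ import annotations

MIN_PORT, MAX_PORT = 1, 65535


def _parse_single(token: str) -> int:
    """Parse one port number, rejecting non-numeric or out-of-range values."""
    if not token.isdigit():
        raise ValueError(f"port must be numeric: {token!r}")
    port = int(token)
    if not MIN_PORT <= port <= MAX_PORT:
        raise ValueError(f"port out of range {MIN_PORT}-{MAX_PORT}: {port}")
    return port


def _parse_range(item: str) -> tuple[int, ...]:
    """'1-1024' -> (1, 2, ..., 1024); both ends required, start <= end."""
    start_s, sep, end_s = item.partition("-")
    if sep != "-" or not start_s or not end_s:
        raise ValueError(f"range must look like START-END: {item!r}")
    start, end = _parse_single(start_s), _parse_single(end_s)
    if start > end:
        raise ValueError(f"range start {start} exceeds end {end}")
    return tuple(range(start, end + 1))


def parse_port_selection(spec: str) -> tuple[int, ...]:
    """Expand a range ('1-1024') or a comma-separated list ('22,80,443,3389').

    List items may themselves be ranges (an extension of the table's two forms).
    Duplicates are dropped and the result is sorted, so '443,80,80' -> (80, 443).
    """
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            ports.update(_parse_range(item))
        else:
            ports.add(_parse_single(item))  # '' (empty entry) fails here
    return tuple(sorted(ports))


def selection_error(spec: str) -> str | None:
    """Return a human-readable reason the selection is invalid, or None if valid."""
    try:
        parse_port_selection(spec)
    except ValueError as exc:
        return str(exc)
    return None
```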
Scan options
| Option | Description |
|---|---|
| Check alive | Verify the host is reachable before scanning |
| Safe exploits only | Exclude exploits that may crash the target (e.g., EternalBlue) |
| Extensive modules | Include modules that run longer due to fuzzing (e.g., CVE-2022-42889 Text4Shell) |
CVE targeting
You can target specific CVEs (up to 10) to focus the scan on particular vulnerabilities. The CVEs must be part of Sniper’s exploit module database.
Extractors
Choose which artifacts to extract after successful exploitation:
| Extractor | Description |
|---|---|
| Basic system information | Current user, computer name, IP, architecture, domain, hotfixes |
| Local users | Users configured on the operating system |
| Processes | Currently running processes |
| Screenshot | Desktop screenshot (Windows only, if user logged in) |
| Filesystem | Listing of interesting files and folders |
| Network data | Network interfaces, neighbors, connections, services |
| Interesting files | Files extracted via Local File Inclusion modules |
| Secrets | Information extracted via custom capability modules |
How it works
Sniper executes a predefined attack workflow:
1. Port scanning
Scans the specified TCP ports to identify open services. Results include port number, state, service name, and version.
2. Web fingerprinting
For HTTP/HTTPS services, Sniper identifies the web application type (e.g., Outlook Web Access, VMware, Jenkins) and underlying technologies.
3. Exploit matching
Based on the fingerprint data, Sniper filters its database to find compatible exploit modules.
4. Vulnerability checking
Runs non-destructive checks to determine if the target is actually exploitable.
5. Exploitation and extraction
If vulnerable, Sniper exploits the vulnerability to gain remote command execution, then runs extractors to collect artifacts.
6. Cleanup
Removes any files or processes created during exploitation to leave the system unaltered.
Exploit modules
Sniper includes custom exploit modules developed for critical vulnerabilities in widely-used software. These modules target:
- Web servers and applications: Apache, IIS, Exchange, SharePoint, Confluence, etc.
- Network services: SSH, SMB, RDP, databases
- Known CVEs: Actively maintained database of exploitable vulnerabilities
Sniper performs active exploitation. Only use against systems you have explicit authorization to test.
Artifacts
Artifacts are data extracted from the target system after successful exploitation. They provide solid proof that the target is vulnerable and help with further manual testing.
| Artifact | Description |
|---|---|
| Current user | The user context the exploit runs as (e.g., root, SYSTEM) |
| System information | OS type, version, kernel, architecture, memory |
| Local users | List of configured system users |
| Running processes | Active processes with PIDs and owners |
| Network configuration | IP addresses, network masks, gateways |
| Network neighbors | Devices in the same local network (layer 2) |
| Network connections | Open ports and established TCP connections |
Use “Safe exploits only” when testing production systems to avoid potential service disruption.
Follow-up actions
After successful exploitation:
- Prioritize remediation: Exploitable vulnerabilities require immediate attention
- Expand testing: Use extracted network data for lateral movement assessment
- Run Network Scanner: Find additional infrastructure issues
- Document evidence: Use artifacts for penetration test reports