
# Sniper: Auto-Exploiter

> Automatically exploit known vulnerabilities and extract evidence from compromised systems

## Overview

Sniper is an automated exploitation tool that identifies and exploits known vulnerabilities in widely-deployed software. After a successful exploit, it automatically extracts artifacts (system information, users, network data) as evidence of compromise.

Sniper is an **exploitation tool**: it actively attempts to exploit vulnerabilities to gain remote command execution. It does not add data to your [Attack Surface](/capabilities/attack-surface) or generate [findings](/core/findings/findings). Instead, it produces detailed reports with extracted artifacts as evidence.

## Supported targets

| Target type    | Examples                                |
| -------------- | --------------------------------------- |
| **IP address** | `192.168.1.1`, `10.0.0.5`               |
| **Hostname**   | `server.example.com`, `mail.corp.local` |

## Attack modes

### Unauthenticated mode

Sniper scans for open ports, fingerprints services, and attempts to exploit known vulnerabilities to gain access.

### Authenticated mode

Sniper uses provided credentials to establish a legitimate session and extracts artifacts without exploitation. Useful for post-authentication reconnaissance.

| Protocol  | Authentication                         | Use case            |
| --------- | -------------------------------------- | ------------------- |
| **SSH**   | Username/password or private key       | Linux/Unix systems  |
| **WinRM** | Username/password (NTLM or Basic)      | Windows systems     |
| **SMB**   | Username/password with optional domain | Windows file shares |
| **MySQL** | Username/password with database name   | Database servers    |

## Parameters

### Port selection

| Option              | TCP ports | Description                                 |
| ------------------- | --------- | ------------------------------------------- |
| **Top 100 ports**   | ~112      | Quick scan (default)                        |
| **Top 1000 ports**  | ~1,009    | Standard assessment                         |
| **Top 5000 ports**  | ~5,003    | Extended coverage                           |
| **Full port range** | 65,535    | All ports (slow)                            |
| **Port range**      | Variable  | Specify start and end port (e.g., 1-1024)   |
| **Port list**       | Variable  | Comma-separated list (e.g., 22,80,443,3389) |

See [Port lists](/core/scans/portlists) for the exact ports covered by each preset.

### Scan options

| Option                 | Description                                                    |
| ---------------------- | -------------------------------------------------------------- |
| **Check alive**        | Verify the host is reachable before scanning                   |
| **Safe exploits only** | Exclude exploits that may crash the target (e.g., EternalBlue) |

### CVE targeting

You can target specific CVEs (up to 10) to focus the scan on particular vulnerabilities. The CVEs must be part of Sniper's exploit module database.
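As an added example (not Sniper's own code), the Python below encodes the parameter rules from the Port selection, Scan options and CVE targeting sections: a port range such as `1-1024` or a list such as `22,80,443,3389`, the ten-CVE cap, the requirement that each CVE exists in the exploit module database, and the "Safe exploits only" exclusion. The `MODULE_DB` contents and its `safe` flag are constructed assumptions with placeholder ids.

```python
import re

MAX_PORT = 65535
MAX_CVES = 10  # cap stated in the CVE targeting section
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed stand-in for Sniper's exploit module database. The ids are
# obvious placeholders, not real CVEs; "safe" marks modules that will not
# crash the target (the "Safe exploits only" option keeps only those).
MODULE_DB = {
    "CVE-0000-0001": {"safe": True},
    "CVE-0000-0002": {"safe": False},
}


def parse_ports(spec: str) -> list[int]:
    """Parse a port range ("1-1024") or a comma-separated list
    ("22,80,443,3389"). Returns sorted unique ports, or raises
    ValueError describing the first problem found."""
    spec = spec.strip()
    if re.fullmatch(r"\d+-\d+", spec):
        start, end = (int(p) for p in spec.split("-"))
        if not 1 <= start <= end <= MAX_PORT:
            raise ValueError(f"invalid port range {spec!r}")
        return list(range(start, end + 1))
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item.isdigit() or not 1 <= int(item) <= MAX_PORT:
            raise ValueError(f"invalid port {item!r} in port list")
        ports.add(int(item))
    return sorted(ports)


def select_cves(requested: list[str], safe_only: bool = False) -> dict:
    """Apply the CVE-targeting rules: at most MAX_CVES ids, each well-formed
    and present in MODULE_DB; with safe_only, drop modules that may crash."""
    if len(requested) > MAX_CVES:
        raise ValueError(f"at most {MAX_CVES} CVEs may be targeted")
    result = {"selected": [], "unknown": [], "excluded_unsafe": []}
    for raw in requested:
        cve = raw.strip().upper()
        module = MODULE_DB.get(cve) if CVE_ID.match(cve) else None
        if module is None:
            result["unknown"].append(cve)
        elif safe_only and not module["safe"]:
            result["excluded_unsafe"].append(cve)
        else:
            result["selected"].append(cve)
    return result
```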

### Extractors

Choose which artifacts to extract after successful exploitation:

| Extractor                    | Description                                                     |
| ---------------------------- | --------------------------------------------------------------- |
| **Basic system information** | Current user, computer name, IP, architecture, domain, hotfixes |
| **Local users**              | Users configured on the operating system                        |
| **Processes**                | Currently running processes                                     |
| **Screenshot**               | Desktop screenshot (Windows only, if user logged in)            |
| **Filesystem**               | Listing of interesting files and folders                        |
| **Network data**             | Network interfaces, neighbors, connections, services            |
| **Interesting files**        | Files extracted via Local File Inclusion modules                |
| **Secrets**                  | Information extracted via custom capability modules             |

## How it works

Sniper executes a predefined attack workflow:

### 1. Port scanning

Scans the specified TCP ports to identify open services. Results include port number, state, service name, and version.

### 2. Web fingerprinting

For HTTP/HTTPS services, Sniper identifies the web application type (e.g., Outlook Web Access, VMware, Jenkins) and underlying technologies.

### 3. Exploit matching

Based on the fingerprint data, Sniper filters its database to find compatible exploit modules.

### 4. Vulnerability checking

Runs non-destructive checks to determine if the target is actually exploitable.

### 5. Exploitation and extraction

If vulnerable, Sniper exploits the vulnerability to gain remote command execution, then runs extractors to collect artifacts.

### 6. Cleanup

Removes any files or processes created during exploitation to leave the system unaltered.

## Exploit modules

Sniper includes custom exploit modules developed for critical vulnerabilities in widely-used software. These modules target:

* **Web servers and applications**: Apache, IIS, Exchange, SharePoint, Confluence, etc.
* **Network services**: SSH, SMB, RDP, databases
* **Known CVEs**: Actively maintained database of exploitable vulnerabilities

<Warning>
  Sniper performs active exploitation. Only use against systems you have explicit authorization to test.
</Warning>

## Artifacts

Artifacts are data extracted from the target system after successful exploitation. They provide solid proof that the target is vulnerable and help with further manual testing.

| Artifact                  | Description                                               |
| ------------------------- | --------------------------------------------------------- |
| **Current user**          | The user context the exploit runs as (e.g., root, SYSTEM) |
| **System information**    | OS type, version, kernel, architecture, memory            |
| **Local users**           | List of configured system users                           |
| **Running processes**     | Active processes with PIDs and owners                     |
| **Network configuration** | IP addresses, network masks, gateways                     |
| **Network neighbors**     | Devices in the same local network (layer 2)               |
| **Network connections**   | Open ports and established TCP connections                |

<Tip>
  Use "Safe exploits only" when testing production systems to avoid potential service disruption.
</Tip>

## Follow-up actions

After successful exploitation:

* **Prioritize remediation**: Exploitable vulnerabilities require immediate attention
* **Expand testing**: Use extracted network data for lateral movement assessment
* **Run [Network Scanner](/tools/network-scanner)**: Find additional infrastructure issues
* **Document evidence**: Use artifacts for penetration test reports
