Sniper – Automatic Exploiter

Demo: how to use Sniper for automated vulnerability exploitation

Here’s how Sniper works, including a full results walkthrough:

Sniper Auto-exploiter tutorial – how to use this automated vulnerability exploitation tool

* Sniper Auto-Exploiter is only available with one of our paid plans.

Sniper is the automated vulnerability exploitation tool that helps you validate the real impact of critical, widespread CVEs or deploy client-side attacks in ethical hacking engagements.

Use it to simulate both remote (external and authenticated) and client-side attacks in a safe, controlled sequence. Results include solid proof of compromise, along with a visualization of the target’s network configuration, highlighted exploit paths, and more in-depth data.

Sign up to unlock the full power of Sniper and detect Log4Shell, OMIGOD, ProxyShell, and more high-risk CVEs from our up-to-date list of vulnerabilities!

Discover all 153 exploits →

Reporting

Sample Sniper Auto-Exploiter results

Every Sniper scan produces rich results that include all the exploitation and post-exploitation steps the tool safely – and automatically – carries out, along with extracted artefacts. In your Pentest-Tools.com dashboard, you’ll find Sniper results that incorporate:

  • Console - the full console output of every exploitation and post-exploitation step the Sniper Automatic Exploiter scan carried out

  • Exploitation summary - an overview of the conclusive proof of compromise

  • System - the local users defined at operating system level

  • Processes - the processes running on the target OS, with their owners, any antivirus solution identified among them, and the full path of each executable

  • Disk drives - interesting files that Sniper extracts from the filesystem and which you can use as proof of concept

  • Network - the target's network configuration, including adjacent hosts from nearby network subnets, available as console output and as a visual network graph

Almost every detail in your dashboard is also available in a downloadable PDF report like the one below.

Sniper Result Sample

Better vulnerability discovery. Faster pentest reporting.

Get instant access to custom vulnerability scanners and automation features that simplify the pentesting process and produce valuable results. The platform helps you cover all the stages of an engagement, from information gathering to website scanning, network scanning, exploitation and reporting.

Pentest-Tools.com offers faster pentest reporting and better vulnerability discovery.

How to use this automated exploitation tool

How offensive security pros use Sniper – Automatic Exploiter

Sniper automatically does exploitation and post-exploitation of known, widespread vulnerabilities in high-profile software. Notorious examples include Log4Shell, ProxyShell, ProxyLogon, Ghostcat, and many other critical CVEs that never got named.

Sniper can also generate a crafted malicious file to use in client-side attacks during your engagements.

In just a few minutes, this powerful tool gains RCE (remote command execution) on vulnerable targets. It also runs post-exploitation modules automatically and extracts interesting data (artefacts) as solid proof for vulnerability validation.

  • Fast Vulnerability Validation

    Sniper is an effective and time-saving vulnerability validation tool. Use it to check whether vulnerabilities reported by scanners like Nessus, OpenVAS, or Qualys are actually exploitable. When Sniper successfully exploits a vulnerability, it confirms the risk is real and that a working exploit exists for it, which makes remediation urgent.

  • Safe, Controlled Exploitation

    Unlike Metasploit, Sniper doesn't give you unrestricted shell access to the target system. Instead, it runs the full exploitation sequence by itself, with every step listed in the results. This is a safer approach that reduces the chance of human error during the attack phase, and it leaves the target system in a clean state after exploitation.

  • Automatic Initial Access

    Pentesters and red teamers use Sniper to simulate realistic attacks and gain access to machines in the target network much faster. Our software exploitation tool speeds up this phase by automatically obtaining the initial foothold. The post-exploitation modules then gather information from the compromised system for reconnaissance and lateral movement.

  • Network Topology Visualization

    The visual summary in Sniper results provides an overview of your target host. It automatically creates a diagram of all incoming and outgoing connections between your target and other network hosts, the exploit paths Sniper used to compromise the machine, and a list of adjacent hosts. Use it to demonstrate real risk to decision-makers.

  • Methodic Attack Surface Reduction

    When a high-risk vulnerability like Log4Shell hits, a top exploitation tool makes you more methodical and effective. Sniper helps you identify and prove how adversaries use critical CVEs to gain access and/or control of the target. Using the results it produces, you can validate which entry points in your attack surface to prioritize for urgent patching or remediation.

  • Pivoting & Lateral Movement

    With the context from the console results and the network graph, Sniper helps red teamers move faster and single out the targets to pivot to next. Blue teamers can use the same data to identify unknown connections that may reveal backdoors or data exfiltration attempts.

Compare pricing plans to use Sniper Auto-Exploiter and 20+ pentesting tools and features

Showcase evidence of the complete attack chain

The Sniper tool within Pentest-Tools.com helped me in two major ways.

First, it provides me with a way to increase (automatically) the severity of major vulnerabilities found during the Vulnerability Assessments by showing the possibility of exploitation.

Second, you can showcase evidence of the complete attack chain to end consumers of your work (management, developers, and so on), basically demonstrating how to achieve a Remote Code Execution from zero knowledge up to compromise.

How Sniper Auto-Exploiter works

Sniper has two major exploitation mechanisms: remote and client-side.

Here is the automatic sequence of predefined steps that our application exploitation tool runs during a remote unauthenticated attack scenario.

Remote attacks

Good to know: Sniper Automatic Exploiter also features an authenticated attack option. We dive into its specs while walking you through the technical details.

1. Scans for open ports

   In the first stage of the attack, Sniper checks whether the TCP ports specified as input are open. This phase produces a list of open ports, together with their protocol, type of service, and its version.

2. Fingerprints web services

   Next, Sniper iterates through each port that runs an HTTP/S service and tries to determine what type of web application is running, whether it is a standard app (e.g. Outlook Web Access, the VMware web interface, etc.), and which technology sits behind it. This information is required to select the appropriate exploit to run against it.

   Good to know: Sniper also incorporates exploits that target other protocols besides HTTP/HTTPS, including SMTP, Redis, AJP, SMB, and more.

3. Looks for compatible exploits

   Based on the fingerprint data about the target system, Sniper filters a list of potentially compatible exploits that match it, across protocols.

4. Checks if the target is vulnerable

   At this stage, the tool runs the check routine of each compatible exploit, which determines whether the target is exploitable without extracting any data.

5. Exploits and extracts all artefacts

   If the previous step succeeds and the target is exploitable, Sniper automatically proceeds to extract all the artefacts and shows them in the results.

6. Cleans up

   Most exploit modules do not create any files or processes on the target system, so no cleanup is necessary. When they do, Sniper makes sure they are deleted, so the system is left unaltered and clean.
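The gating logic behind steps 3 to 6, as an added example in Python (illustration only, not Sniper's implementation): a module is considered only when its protocol and product match the fingerprint, its check decides exploitability from version data without pulling anything off the target, and any file the exploit drops is tracked and removed even when the exploit fails. The single module is a Ghostcat (CVE-2020-1938) matcher whose vulnerable ranges are the real Apache Tomcat fix versions (7.0.100, 8.5.51, 9.0.31); the fingerprints, the stand-in exploit functions and the marker file they create are constructed for the example.

```python
"""Check-before-exploit pipeline: fingerprint -> compatible modules ->
non-destructive check -> gated exploit -> guaranteed cleanup.
Added illustration, not Sniper's own code.  The one module is a Ghostcat
(CVE-2020-1938) matcher; its vulnerable ranges (Tomcat < 7.0.100,
< 8.5.51, < 9.0.31) are the real Apache fix versions.  The fingerprints,
the stand-in exploit functions and the file they drop are constructed."""
import os
import re
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    port: int
    protocol: str      # "http", "ajp", "smb", ...
    product: str       # e.g. "Apache Tomcat"
    version: str       # e.g. "9.0.30"


def parse_version(v):
    """'9.0.30' -> (9, 0, 30); non-numeric suffixes are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


@dataclass
class ExploitModule:
    name: str
    protocol: str
    product: str
    vulnerable_ranges: list   # [(lower_inclusive, upper_exclusive), ...] per branch

    def matches(self, fp):
        """Step 3: protocol and product must match before the module is considered."""
        return fp.protocol == self.protocol and fp.product == self.product

    def check(self, fp):
        """Step 4: decide exploitability from the fingerprint alone; nothing is extracted."""
        v = parse_version(fp.version)
        return any(parse_version(lo) <= v < parse_version(hi)
                   for lo, hi in self.vulnerable_ranges)


GHOSTCAT = ExploitModule(
    name="CVE-2020-1938 Ghostcat", protocol="ajp", product="Apache Tomcat",
    vulnerable_ranges=[("7.0.0", "7.0.100"), ("8.5.0", "8.5.51"), ("9.0.0", "9.0.31")],
)
MODULES = [GHOSTCAT]


def select_modules(fingerprints, modules=MODULES):
    return [(fp, m) for fp in fingerprints for m in modules if m.matches(fp)]


class CleanupTracker:
    """Step 6: every file an exploit drops is registered here and removed
    when the block exits, whether the exploit succeeded or raised."""
    def __init__(self):
        self.created = []

    def register(self, path):
        self.created.append(path)

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        for p in self.created:
            if os.path.exists(p):
                os.remove(p)
        return False          # never swallow the exploit's exception here


def run_pipeline(fingerprints, exploit_fn, modules=MODULES):
    """Steps 3-6. exploit_fn(fp, tracker) stands in for the real exploit and
    must register any file it creates. Returns {"module@port": outcome}."""
    outcomes = {}
    for fp, mod in select_modules(fingerprints, modules):
        key = f"{mod.name}@{fp.port}"
        if not mod.check(fp):
            outcomes[key] = {"status": "not vulnerable"}
            continue
        tracker = CleanupTracker()
        with tracker:
            try:
                result = {"status": "exploited", **exploit_fn(fp, tracker)}
            except Exception as e:           # report failures instead of hiding them
                result = {"status": "failed", "error": str(e)}
        result["cleanup_ok"] = not any(os.path.exists(p) for p in tracker.created)
        outcomes[key] = result
    return outcomes


def demo_exploit(fp, tracker):
    """Stand-in exploit: drops a marker file (as a real module might) and registers it."""
    fd, path = tempfile.mkstemp(prefix="sniper-demo-")
    os.close(fd)
    tracker.register(path)
    return {"target": f"{fp.product} {fp.version}", "artefact_file": path}


def failing_exploit(fp, tracker):
    """Stand-in exploit that drops its file and then fails, to show cleanup still runs."""
    demo_exploit(fp, tracker)
    raise RuntimeError("payload rejected")


# Constructed fingerprints: one vulnerable Tomcat, one patched, one unrelated service.
SAMPLE = [
    Fingerprint(8009, "ajp", "Apache Tomcat", "9.0.30"),
    Fingerprint(8010, "ajp", "Apache Tomcat", "9.0.31"),
    Fingerprint(443, "http", "Outlook Web Access", "15.2"),
]

if __name__ == "__main__":
    for key, outcome in run_pipeline(SAMPLE, demo_exploit).items():
        print(key, outcome)
    print(run_pipeline(SAMPLE[:1], failing_exploit))
```

The point to notice is the order: `check()` never touches the target beyond what fingerprinting already learned, and the exploit only runs once it returns true, inside a tracker whose `__exit__` removes every registered file whether the exploit returned or raised.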

Passive, client-side attacks

1. User generates a handler

   In the first stage of the attack, the user generates a handler that will be associated with the client-side attack scenario.

2. Generated handler ready for use

   Next, the user can download the malicious file, or copy the URL where the file is located, and send the file to their targets.

3. Asynchronous scan

   When the victim opens the file, a connection to our command and control server is established. Sniper then automatically proceeds to extract all the artefacts and displays them in the results.

4. Cleans up

   Sniper makes sure that all created files are deleted, so the system is left unaltered and clean.

How to simulate client-side attacks in pentests with Sniper Auto-Exploiter

Sniper – Automatic Exploiter

Technical details

We initially developed Sniper to bridge the gap between results that common vulnerability scanners produce (e.g. Nessus, Qualys, OpenVAS) and the attack methods real threat actors use. While vulnerability scanners generate a high volume of potential issues, which also include a lot of noise and false positives, real attackers frequently focus on a few, highly effective, and targeted intrusion techniques.

Adversaries have plenty of opportunities to do this by using the constant stream of high-risk, high-impact vulnerabilities. To help offensive security specialists cope, we enhanced Sniper with capabilities designed to help them react with precision and speed in time-sensitive situations.

Sniper is a custom vulnerability exploitation tool that simulates exploits and attack techniques – which adversaries use in real world scenarios – to determine which systems are truly vulnerable. It offers both remote (unauthenticated and authenticated scan options) and client-side attacks, with the ability to extract data from the target as an adversary with access to login credentials.

After successful exploitation, Sniper automatically runs post-exploitation modules that extract interesting data from the target system as solid proof of successful intrusion. We call this data artefacts and the list includes:

  • Current user (e.g. nt authority\system)
  • Current directory (e.g. C:\Program Files\Apache Software Foundation\Tomcat 9.0)
  • System information (e.g. operating system, equipment type and version, software type and version, running applications, architecture, hotfixes, etc.)
  • List of local users with privileges on the target machine, together with password hashes, if the current user has a privileged account
  • List of running processes, including full paths for each executable
  • Visual summary of the network configuration that offers rich and actionable context
  • Network neighbors (live hosts) from the same local area network as the target host
  • Network connections with their communication protocols
  • Network services with open TCP ports.

Security teams and independent specialists can use all this data to continue their pentesting work with manual methods for reconnaissance, lateral movement, and pivoting to sensitive and important targets. The automatically generated network graph is particularly useful to navigate complex infrastructures, as it eliminates the need to spend time correlating information.

When Sniper succeeds in exploiting a vulnerability, it validates the risk is real and attackers can exploit it at any given moment, indicating that system administrators must act straight away.

Using Sniper as your vulnerability exploitation tool helps you become very effective at filtering out the noise that vulnerability scanners create, eliminating false positives, and helping you focus on the vulnerabilities that matter. Here's how many of them we detect compared to other security platforms like Detectify or Invicti.

Exploit modules

Below you can see a shortlist of modules that Sniper currently uses to automatically exploit known critical vulnerabilities in high-profile software and get you proof of compromise.

Pentest-Tools.com Vulnerabilities

Name | Detectable with | Detection added | Exploitable with Sniper | Flagged as in CISA KEV
Palo Alto Networks Expedition - Remote Code Execution | Network Scanner | Nov 26, 2024 | Yes | Yes
Palo Alto Networks Expedition - Remote Code Execution | Network Scanner | Oct 15, 2024 | Yes | -
GiveWP Donation Plugin - Remote Code Execution | Network Scanner | Sep 17, 2024 | Yes | -
Cisco Small Business RV Series - Remote Code Execution | Network Scanner | Sep 17, 2024 | Yes | -
Progress Telerik Report Server - Remote Code Execution | Network Scanner | Sep 10, 2024 | Yes | Yes
Apache OFBiz - Remote Code Execution | Network Scanner | Sep 3, 2024 | Yes | Yes
Zyxel - Remote Code Execution | Network Scanner | Sep 3, 2024 | Yes | -
GeoServer - Remote Code Execution | Network Scanner | Aug 27, 2024 | Yes | Yes
SolarWinds Serv-U - Arbitrary File Read | Network Scanner | Jul 20, 2024 | Yes | Yes
Magento - XML External Entity Injection | Network Scanner | Jul 16, 2024 | Yes | -

The complete database of vulnerability detections and exploitable vulnerabilities is available for browsing on Pentest-Tools.com.

As you can see, many of these CVEs are also part of CISA’s Known Exploited Vulnerabilities Catalog, which indicates they are under active attack. Our dedicated security research team focuses on integrating exploitation and post-exploitation capabilities for new CVEs as they emerge, as we are fully aware of the time-sensitive nature of these vulnerabilities.

We constantly update this list with new critical CVEs, and you can find out the moment they're live:

Artefacts for vulnerability validation

Artefacts are data from the target system which Sniper automatically extracts after one of the exploits succeeds. They provide solid proof that the target is vulnerable and support security specialists with further manual exploitation, if necessary.

Sniper Auto-Exploiter extracts artefacts by running predefined shell commands on the target, chosen according to its operating system. For instance, the current user comes from whoami (which exists on both Linux and Windows), while the list of local users is read from /etc/passwd on Linux and obtained with the net user command on Windows.

This is the list of artefacts that Sniper extracts:

Artefact - Description

Current user - The name of the system user the exploit code is running as (e.g. root, Administrator or www-data).
Current directory - The directory the exploit code is running in (e.g. /var/atlassian/confluence or C:\Program Files\Apache Software Foundation\Tomcat 9.0).
System information - Information about the operating system, such as OS type, version, kernel, processor architecture, memory size, hotfixes, etc.
List of local users - A listing of the users configured on the operating system (e.g. from the /etc/passwd file or from the net user command), along with their password hashes if the session user has administrative privileges.
List of running processes - A listing of the operating system processes currently running on the target system.
Network configuration - The settings of the target machine's network interfaces (e.g. IP address, network mask, default gateway, etc.).
Network neighbors - A list of live hosts on the same local network as the target (layer 2).
Network connections - The list of open ports and established TCP connections from the target to other systems in the network.
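How a collector of this kind picks the command per OS and turns the raw output into the structured artefacts listed above, as an added Python example (illustration only, not Sniper's code). The command table is an assumption about what such a collector would run, and every output it consumes here is a constructed sample fed through a fake runner, so it runs offline. The `whoami` / `net user` distinction matters: the first names the current user on both platforms, the second lists local accounts.

```python
"""Artefact collection as the table above describes it: choose the command
for the target OS, run it, parse the output into structured data.
Added illustration, not Sniper's own code.  The command table is an
assumption about what a collector would run; the outputs below are
constructed samples, so everything runs offline through a fake runner."""

# One artefact, one command per OS.  `whoami` exists on both platforms;
# `net user` lists local accounts and does NOT name the current user.
COMMANDS = {
    "linux": {
        "current_user": "whoami",
        "current_dir": "pwd",
        "local_users": "cat /etc/passwd",
        "processes": "ps -eo pid,user,args",
        "network_config": "ip -o -4 addr",
    },
    "windows": {
        "current_user": "whoami",
        "current_dir": "cd",
        "local_users": "net user",
        "processes": "tasklist /v",
        "network_config": "ipconfig /all",
    },
}


def parse_passwd(text):
    """/etc/passwd -> accounts; `login` flags those with a real shell,
    the ones worth looking at for lateral movement."""
    users = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or line.startswith("#"):
            continue
        shell = parts[6]
        users.append({"name": parts[0], "uid": int(parts[2]), "shell": shell,
                      "login": not shell.endswith(("nologin", "/false"))})
    return users


def parse_net_user(text):
    """`net user` prints account names in up to three columns after a dashed
    rule and ends with 'The command completed successfully.'."""
    names, inside = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            inside = True
            continue
        if line.startswith("The command completed"):
            break
        if inside and line.strip():
            names.extend(line.split())
    return [{"name": n} for n in names]


def parse_ps(text):
    """'PID USER ARGS' listing -> processes with owner and full command line."""
    procs = []
    for line in text.splitlines()[1:]:             # skip the header row
        pid, user, args = line.split(None, 2)
        procs.append({"pid": int(pid), "user": user, "cmd": args})
    return procs


PARSERS = {
    "local_users": {"linux": parse_passwd, "windows": parse_net_user},
    "processes": {"linux": parse_ps},
}


def collect_artefacts(os_name, run):
    """run(cmd) returns the command's stdout.  Artefacts with a parser are
    returned structured, the rest as raw output."""
    out = {}
    for artefact, cmd in COMMANDS[os_name].items():
        raw = run(cmd).strip()
        parser = PARSERS.get(artefact, {}).get(os_name)
        out[artefact] = parser(raw) if parser else raw
    return out


# Constructed outputs standing in for two compromised hosts.
FAKE_LINUX = {
    "whoami": "www-data\n",
    "pwd": "/var/atlassian/confluence\n",
    "cat /etc/passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                        "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
                        "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
                        "deploy:x:1001:1001::/home/deploy:/bin/bash\n"),
    "ps -eo pid,user,args": ("PID USER ARGS\n"
                             "1 root /sbin/init\n"
                             "842 www-data /usr/bin/java -jar confluence.jar\n"),
    "ip -o -4 addr": "2: eth0    inet 10.0.12.7/24 brd 10.0.12.255 scope global eth0\n",
}
FAKE_WINDOWS = {
    "whoami": "nt authority\\system\n",
    "cd": "C:\\Program Files\\Apache Software Foundation\\Tomcat 9.0\n",
    "net user": ("\nUser accounts for \\\\WEB01\n\n"
                 "-------------------------------------------------------------------------------\n"
                 "Administrator            DefaultAccount           Guest\n"
                 "svc_tomcat               WDAGUtilityAccount\n"
                 "The command completed successfully.\n"),
    "tasklist /v": "Image Name   PID Session Name\ntomcat9.exe  1204 Services\n",
    "ipconfig /all": "Ethernet adapter Ethernet0:\n   IPv4 Address. . . : 10.0.12.8\n",
}

if __name__ == "__main__":
    for host, fake in (("linux", FAKE_LINUX), ("windows", FAKE_WINDOWS)):
        print(host, collect_artefacts(host, fake.__getitem__))
```

Against a real host, `run` would be whatever channel the exploit gave you (a command-execution primitive, or an SSH/WinRM session in the authenticated case); the parsers stay the same.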

Sniper network graph - explore the visual summary

Understanding the network architecture behind the exploited host is an essential step for both offensive and defensive information security specialists. So we built this capability into Sniper Auto-Exploiter with the visual summary section in the tool results.

The visual summary feature in Sniper results helps you instantly visualize the network configuration of your target host. Explore the automatically generated network graph to see:

  • All TCP connections (inbound or outbound) between your target and other hosts on the network (routers, workstations, etc.), with their system information
  • Interfaces configured on the exploited host
  • The exploit path(s) Sniper used to safely compromise the machine
  • Communication protocols for each connection (SSH, HTTPS, HTTP, ms-wbt-server, etc.)
  • A list of adjacent hosts from nearby network subnets
  • ARP table entries and host groups, especially helpful when multiple hosts communicate on the same port with the exploited target.
Sniper Network Graph – Automatic vulnerability exploitation with network visualization capabilities

The Sniper network graph pulls data from the artefacts it extracts and automatically correlates the network information when the tool gains RCE on a target. With this feature, Sniper removes time-consuming manual work, gives you the big-picture context of your target, and frees up your schedule for more stimulating work.

With the elements of your target’s network topology already arranged for you, you can identify top targets to pivot to much faster as a red teamer. If you’re on the blue team, Sniper’s network graph helps you discover all unknown connections originating from your target and to it. With this information, you can audit these connections to determine if the system has been exploited before and if it has a backdoor connection to malicious endpoints.

This visual representation of the target’s network architecture makes it easy to understand how systems are connected, even for complex infrastructures. It also highlights the impact of a vulnerability, offering persuasive proof for peers in security and IT, but also to decision-makers in other business units.

For example, the Sniper network graph helps you see if multiple targets communicate on the same port with the exploited target, essentially opening them up to malicious exploitation.
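The correlation the graph section describes, as an added Python example (illustration only, not Sniper's code): the exploited host's TCP connection table and its layer-2 neighbour list are turned into directed edges, peers are grouped by the exposed port they talk to, and hosts known only from the ARP table are kept separate from those with a live connection. The `netstat` output, the neighbour list and the `EXPLOITED_HOST` address are constructed; the Graphviz DOT output is one way to draw the result.

```python
"""Turning two artefacts (the exploited host's TCP connection table and its
layer-2 neighbour list) into the data a visual summary is drawn from.
Added illustration, not Sniper's own code.  The netstat output, the
neighbour list and EXPLOITED_HOST are constructed sample data."""
from collections import defaultdict

EXPLOITED_HOST = "10.0.12.7"
PORT_NAMES = {22: "ssh", 80: "http", 443: "https", 3306: "mysql",
              3389: "ms-wbt-server", 8009: "ajp13"}


def parse_netstat(text):
    """Linux `netstat -tan` style rows -> (listening ports, established
    connections as (local_ip, local_port, remote_ip, remote_port))."""
    listening, conns = set(), []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue                                  # header / non-TCP rows
        lip, lport = f[3].rsplit(":", 1)
        rip, rport = f[4].rsplit(":", 1)
        if f[5] == "LISTEN":
            listening.add(int(lport))
        elif f[5] == "ESTABLISHED":
            conns.append((lip, int(lport), rip, int(rport)))
    return listening, conns


def build_graph(netstat_text, neighbour_ips, exploit_path):
    """Classify each connection as inbound (the peer hit one of our listening
    ports) or outbound, group inbound peers by port, and separate the
    neighbours that are only known from the layer-2 table."""
    listening, conns = parse_netstat(netstat_text)
    edges, by_port = [], defaultdict(set)
    for lip, lport, rip, rport in conns:
        inbound = lport in listening      # assumes ephemeral ports never collide with listeners
        port = lport if inbound else rport
        edges.append({"peer": rip, "direction": "inbound" if inbound else "outbound",
                      "port": port, "service": PORT_NAMES.get(port, str(port))})
        if inbound:
            by_port[port].add(rip)
    connected = {e["peer"] for e in edges}
    return {
        "host": EXPLOITED_HOST,
        "listening": sorted(listening),
        "edges": edges,
        # several hosts using the same exposed port: candidates for the same exploit path
        "host_groups": {p: sorted(h) for p, h in by_port.items() if len(h) > 1},
        "adjacent_only": sorted(set(neighbour_ips) - connected),
        "exploit_path": exploit_path,
    }


def to_dot(graph):
    """Graphviz DOT rendering; inbound edges point at the exploited host."""
    lines = ["digraph sniper {",
             f'  "{graph["host"]}" [shape=box, label="{graph["host"]}\\n{graph["exploit_path"]}"];']
    for e in graph["edges"]:
        src, dst = ((e["peer"], graph["host"]) if e["direction"] == "inbound"
                    else (graph["host"], e["peer"]))
        lines.append(f'  "{src}" -> "{dst}" [label="{e["service"]}/{e["port"]}"];')
    for ip in graph["adjacent_only"]:
        lines.append(f'  "{ip}" -> "{graph["host"]}" [style=dotted, label="arp"];')
    lines.append("}")
    return "\n".join(lines)


# Constructed `netstat -tan` output and ARP/neighbour table of the exploited host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.12.7:8009          10.0.12.20:51422        ESTABLISHED
tcp        0      0 10.0.12.7:8009          10.0.12.21:40110        ESTABLISHED
tcp        0      0 10.0.12.7:44120         10.0.12.50:3306         ESTABLISHED
tcp        0      0 10.0.12.7:22            10.0.40.9:60233         ESTABLISHED
"""
SAMPLE_NEIGHBOURS = ["10.0.12.1", "10.0.12.20", "10.0.12.21", "10.0.12.50", "10.0.12.99"]

if __name__ == "__main__":
    g = build_graph(SAMPLE_NETSTAT, SAMPLE_NEIGHBOURS, "8009/ajp13 CVE-2020-1938")
    print(to_dot(g))
```

In the sample, 10.0.12.20 and 10.0.12.21 both talk to the exposed AJP port and end up in one host group, 10.0.12.50 is an outbound MySQL dependency, 10.0.40.9 reaches SSH from another subnet, and 10.0.12.1 and 10.0.12.99 are only adjacent (seen via ARP, no TCP session).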

Sniper visual summary

You can use Sniper to see the network topology after a successful automatic exploit and even after an authenticated scan, no matter the depth of your expertise in the field of networking. If you need this visual representation for any other system, you can also run Sniper against targets that aren’t vulnerable.

Sniper Auto-Exploiter currently supports SSH, WinRM, SMB, and MySQL scanning, and we continue to add options for our Pentest-Tools.com customers.


Scanning parameters for remote attacks

When you choose a paid plan and log into your Pentest-Tools.com account, you can select and combine the following scanning parameters for safe vulnerability exploitation with Sniper:

Parameter - Description

Target - Specifies the system that will be scanned. The target can be an IP address, a hostname or a URL.
Attack type - Selecting the unauthenticated scan option instructs Sniper to simulate an unauthenticated attack against the target and try to exploit any vulnerability it finds; artefacts are extracted after successful exploitation. During an authenticated scan, Sniper instead authenticates to the target service with the credentials you provide and extracts the artefacts as that authenticated user.
Ports to scan - Available only for unauthenticated scans. These are the ports Sniper will try to automatically fingerprint and attack. They can be specified as common ports, a range, or a list.
Protocol - Available only for authenticated scans. This is the protocol used for authentication. Available options: SSH, WinRM, and SMB.
Port - Available only for authenticated scans. This is the port used for authentication.
Username & password - Available only for authenticated scans. These are the credentials used for authentication.
SSH private key - Available only for authenticated scans when the SSH protocol is selected. This is the SSH private key used for authentication.
WinRM authentication type - Available only for authenticated scans when the WinRM protocol is selected. This is the authentication type (NTLM / Basic) used for authentication.
SMB authentication type - Available only for authenticated scans when the SMB protocol is selected. This is the authentication type (Local / Domain) used for authentication.
Check if host is alive before scanning - Enables the host-alive check before searching for open ports in the discovery phase.

Information provided for client-side attacks

Column - Description

Label - The identifier of the handler, which also serves as the document's name.
Targets - How many victims opened the document and, when expanded, details about each victim (i.e. IP address).
Type - The type of document that was created. Currently, the supported options are .doc, .docm, .xls, and .xlsm.
Status - The days remaining until the handler expires and the status of each scan.
Start Time - Appears when the victim opens the document and the Sniper scan starts.

What to do after running Sniper Auto-Exploiter

Besides Sniper Auto-Exploiter, you have a full arsenal of reconnaissance, vulnerability scanning, and offensive tools on Pentest-Tools.com to carry out a thorough and effective security assessment.

You can chain findings from the Network Vulnerability Scanner, which only detects a vulnerability, with Sniper Auto-Exploiter: the "Exploit with Sniper" button on a finding takes you straight to the tool to gain proof of compromise.

For example, if the Network Vulnerability Scanner finds that a target is vulnerable to the ProxyShell exploit chain, you can use the "Exploit with Sniper" button to go to the Sniper tool and quickly validate whether it truly is vulnerable. At the same time, you gather important information about the system through the list of artefacts.

To save even more precious time, try out our ready-to-use scan templates which group multiple tools in one bundle, so you can launch them all at once. Scan templates are also customizable or you can build your own and reuse them to fine-tune engagements and do your best work.

With your Sniper results handy, you can start digging deeper and pursue the most interesting targets in it while also getting inspiration for lateral movement and ways to abuse business logic in your pentest engagements.

Get solid proof and accurate results

The most helpful thing about Sniper is to know I can quickly validate critical vulnerabilities for customers and show them how malicious actors can exploit it. Reliable proof-of-concepts help the client understand the risks of vulnerabilities found and urge remediation.

Another aspect I enjoy is the ease of use and how I can perform limited tests (without altering the production) and get solid proof and accurate results. It saves tons of time and the burden of manually exploiting vulnerabilities.

Tools to use after running the Sniper: Auto-Exploiter

Changelog

Latest updates

  • Prove these Palo Alto vulns with Sniper

    Not one month passes without adding new proof of exploitation to our proprietary offensive tool —  Sniper: Auto-Exploiter. 

    The tool can now exploit the Authentication Bypass and Privilege Escalation vulnerabilities in the PAN-OS management web interface:

    • CVE-2024-0012 (CVSSv3 9.8, authentication bypass) and CVE-2024-9474 (privilege escalation) - chained together, they allow a remote attacker to bypass authentication, run commands as root on the firewall, and from there compromise your internal network.

    Prove exploitation easily and integrate this update into your offensive workflows.

  • New proof of exploitation for this RCE with Sniper

    Our proprietary offensive tool, Sniper: Auto Exploiter, has a wide range of available exploits — but we want to make it even more up to date.


    Use Sniper to extract the proof of exploitation for a critical Palo Alto Networks Expedition RCE (CVE-2024-9463, CVSSv3 9.8) that can allow an unauthenticated attacker to inject an OS Command using special characters and fully compromise your server.

  • 7 new CVEs to check out with your Pentest-Tools.com toolkit!

    Detect these 2 high-risk CVEs with our powerful Network Vulnerability Scanner:

    • CVE-2024-5932 (CVSSv3 10) - this GiveWP Donation Plugin RCE can allow unauthenticated attackers to inject a PHP Object, gain full access, and compromise your server.

    • CVE-2023-43770 (CVSSv3 6.1) - this RoundCube Cross-Site Scripting vulnerability can lead to data theft, session hijacking, or defacement of the affected application.

    Get proof of exploitation for these 5 critical CVEs with our proprietary offensive tool, Sniper - Auto-Exploiter:

    • CVE-2024-29973 (CVSSv3 9.8) - RCE in Zyxel. Validate that an unauthenticated attacker can execute arbitrary commands on the device by exploiting improperly sanitized inputs in the "setCookie" endpoint.

    • CVE-2024-38856 (CVSSv3 9.8) - RCE in Apache OFBiz. Validate this RCE through an especially crafted HTTP POST request that allows an attacker to fully compromise your server. 

    • CVE-2024-4358 (CVSSv3 9.8) - Prove how an attacker can fully compromise your server with this RCE in Progress Telerik Report Server through an insecure XML deserialization.

    • CVE-2022-20705 (CVSSv3 9.8) and CVE-2022-20707 - Validate these Cisco Small Business RV Series RCE and Authentication Bypass vulnerabilities.

    • CVE-2024-5932 (CVSSv3 9.8) - assess the business risk of this GiveWP Donation Plugin RCE. 

  • Exploit selected CVEs with Sniper

    We're giving you even more control over our most powerful offensive security tool - Sniper Auto-Exploiter.

    You can now automatically get proof of exploitation for specific CVEs.

    Plus, our team developed new custom exploits for these critical CVEs:

    • CVE-2024-36401 (CVSSv3 9.8) - this GeoServer RCE can fully compromise your server and allow unauthenticated attackers to pivot to your internal network. 

    • CVE-2024-28995 (CVSSv3 7.5) - prove this Arbitrary File Read vulnerability found in SolarWinds Serv-U is exploitable.

    Don’t forget that, whenever we add new exploits in Sniper, it means our Network Scanner can also detect those CVEs for you.

    Want to see it in action? Here’s a practical demo on how Sniper works:

  • Prove these 7 new critical CVEs are exploitable with Sniper

    Use our most powerful offensive tool, Sniper Auto-Exploiter, to exploit the following 7 newly added critical CVEs:   

    • CVE-2020-3250 (CVSSv3 9.8) - this directory traversal vulnerability in the REST API of Cisco UCS Director allows an unauthenticated remote attacker to obtain sensitive information.

    • CVE-2020-3243 (CVSSv3 9.8) - exploit this RCE in Cisco UCS Director and prove how an unauthenticated remote attacker can bypass auth and execute arbitrary actions with admin privileges.

    • CVE-2019-1935 (CVSSv3 9.8) - this RCE in Cisco UCS Director enables an unauthenticated remote attacker to use the SCP User account (scpuser) to log in to the CLI.

    • CVE-2012-1823 (CVSSv3 9.8) - known as the PHP CGI Argument Injection, this RCE allows a remote attacker to fully compromise the server. 

    • CVE-2024-4577 (CVSSv3 9.8)  - another critical argument injection flaw in PHP that can fully compromise the server. Yikes! 

    • CVE-2020-2950 (CVSSv3 9.8) - prove how a remote attacker can fully compromise a server using this RCE in Oracle Business Intelligence

    • CVE-2024-34102 (CVSSv3 9.8) - this XML External Entity Injection in Magento can result in arbitrary code execution and allow an unauthenticated remote attacker to compromise the server.

  • Custom Sniper exploits for RCE and file disclosure vulns

    After this month’s updates, Sniper Auto-Exploiter, our most powerful offensive security tool, can gain unauthenticated RCE on the target and extract multiple artefacts as evidence for the following CVEs:

    • CVE-2024-23108 (CVSSv3 9.8) - RCE in Fortinet FortiSIEM. This exploit helps you validate that a remote, unauthenticated attacker can leverage this vulnerability to fully compromise the server and steal confidential information, install ransomware, or pivot to the internal network.

    • CVE-2024-24919 (CVSSv3 8.6) - Information Disclosure in Check Point CloudGuard Network Security. This Arbitrary File Read through a Path Traversal vulnerability can give an unauthenticated attacker remote access to any file on the target’s filesystem. 

    • CVE-2020-29390 (CVSSv3 9.8) - RCE in Zeroshell. Incorrect handling of the User parameter, which doesn't correctly sanitize user-controlled input, causes this vulnerability. An attacker can use a special character to achieve RCE on the target, as the user that is running the webserver process.

FAQ

Sniper Auto-Exploiter FAQs