Sniper – Automatic Exploiter
We developed Sniper to bridge the gap between results that common vulnerability scanners produce (e.g. Nessus, Qualys, OpenVAS) and the attack methods real threat actors use. While vulnerability scanners generate a high volume of potential issues, which also include a lot of noise and false positives, real attackers commonly focus on a few highly effective and targeted intrusion techniques.
Sniper is a custom tool that implements a set of modules for exploiting the most critical vulnerabilities in high-profile software that the majority of companies in the world use. The tool mimics the exploits and attack techniques found in real world scenarios to determine the truly vulnerable systems.
After a successful exploitation, Sniper automatically runs post-exploitation modules which extract interesting data from the target system as solid proof of intrusion. We call this data artefacts. Here are some artefact examples:
- Current user (e.g.
- System information
- List of local users
- List of running processes
- Network configuration
- Network neighbors
- Network connections
Security teams and specialists can use all this data to continue their pentesting work into the network (manually, by the pentester) and for vulnerability validation.
When Sniper succeeds in exploiting a vulnerability, system administrators must act straight away, as the risk is real and attackers can exploit it at any given moment. This tool helps you become very effective at filtering out the noise that vulnerability scanners create, eliminating false positives, and helping you focus on the vulnerabilities that matter.
This is the complete list of modules and capabilities currently available in Sniper:
|Software type||Vendor||Product||CVE||Vuln date||Codename|
|Monitoring System||VisualTools||DVR||CVE-2021-42071||Oct 2021||-|
|Web Server||Apache||Server||CVE-2021-41773||Oct 2021||-|
|Web Server||Apache||Server||CVE-2021-42013||Oct 2021||-|
|Azure Cloud||Microsoft||Open Management Interface (OMI)||CVE-2021-38647||Sep 2021||OMIGOD|
|Email server||Microsoft||Exchange Server||CVE-2021-34473||Aug 2021||ProxyShell|
|Collaboration Software||Atlassian||Confluence||CVE-2021-26084||Aug 2021||-|
|Virtualization||VMware||vCenter Server||CVE-2021-21985||May 2021||-|
|Collaboration Software||GitLab||Server||CVE-2021-22205||Apr 2021||-|
|VPN Gateway||F5||BIG IP||CVE-2021-22986||Mar 2021||-|
|Email server||Microsoft||Exchange Server||CVE-2021-26855||Mar 2021||ProxyLogon|
|Web Server||Sebastian Hildebrandt||System Information Library for Node.JS||CVE-2021-21315||Feb 2021||-|
|Virtualization||VMware||vCenter Server||CVE-2021-21972||Feb 2021||-|
|Web server||Node||Red||CVE-2021-3223||Jan 2021||-|
|Web Framework||Apache||Struts||CVE-2020-17530||Dec 2020||-|
|Firewall||Sophos||SG UTM||CVE-2020-25223||Sep 2020||-|
|VPN Gateway||Cisco||ASA||CVE-2020-3452||Jul 2020||-|
|VPN Gateway||F5||BIG IP||CVE-2020-5902||Jun 2020||-|
|Web server||Apache||Tomcat||CVE-2020-1938||Feb 2020||Ghostcat|
|VPN Gateway||Pulse||Connect Secure||CVE-2019-11510||May 2019||-|
|VPN Gateway||Fortinet||FortiGateway SSL VPN||CVE-2018-13379||May 2019||-|
|Web Framework||Apache||Struts||CVE-2017-9791||Jul 2017||S2-048|
|Utility||GNU Project||Bash||CVE-2014-6271||Sep 2014||Shellshock|
Artefacts are data from the target system which Sniper automatically extracts after one of the exploits succeeds. Their purpose is to provide solid proof that the target is vulnerable and to help in further manual exploitation, if necessary.
The artefacts are extracted by running predefined shell commands on the target, depending on its operating system. For instance, to extract the current user on a Linux system, the extractor will run the command
whoami whereas on Windows it will run the command
This is the list of artefacts that Sniper is able to extract:
|Current user||The name of the current system user that the exploit code is running as (e.g. root, Administrator or www-data).|
|System information||Information about the operating system like OS type, version, kernel, processor architecture, memory size, etc.|
|List of local users||A listing of the users currently configured on the operating system (e.g. from /etc/passwd)|
|List of running processes||A listing of the operating system processes that are currently running.|
|Network configuration||The settings of the network interfaces of the target machine (e.g. IP address, network mask, default gateway, etc.)|
|Network neighbors||A list of devices existent in the same local network as the target (layer 2).|
|Network connections||The list of open ports and established TCP connections of the target with other systems in the network.|
|Target||Specifies the system that will be scanned. Target can be an IP address, hostname or an URL.|
|Ports to scan||These are the ports that Sniper will try to automatically fingerprint and attack. Can be specified as common ports, range or list.|
How it works
Sniper runs a number of predefined steps for each target:
1. Scanning for open ports
This is the first phase the attack, which checks if the TCP ports specified as input are open or not. The result of this phase is a list of open ports, together with the protocol, type of service and its version.
2. Fingerprinting web services
Next, Sniper iterates through each port that runs a HTTP/S service and tries to determine what type of web application is running, whether it is a standard app (e.g. Outlook Web Access, VMWare web interface, etc.) and which technology sits behind it. This information is needed to select the appropriate exploit to run against it.
3. Looking for compatible exploits
Based on the fingerprint data about the target system, Sniper then filters a list of possible compatible exploits that match it.
4. Checking if the target is vulnerable
At this stage, the tool runs the check routine for each compatible exploit that determines whether the target is exploitable – without extracting any data.
5. Exploiting and extracting all artefacts
If the previous step succeeds and the target is exploitable, Sniper automatically proceeds to extract all the artefacts and show them in the output report.
6. Cleaning up
Most exploit modules do not create any files or processes on the target system so no cleanup is necessary. However, when they do, Sniper makes sure that they are deleted, so the system is left unaltered and clean.