Exploit Helpers

Sniper – Automatic Exploiter

Automatically exploit known CVEs with Sniper to validate their real impact. Its post-exploitation modules also extract interesting data from the target host as solid evidence of compromise.

Sign up to unlock the full power and features of our Sniper – Automatic Exploiter!
Scan type
  • Light scan

  • Full scan

Reporting

Sample Report

Here is a Sniper – Automatic Exploiter sample report that gives you a taste of how our tools save you time and reduce repetitive manual work.

  • Shows the full list of activities the tool performs to achieve successful exploitation

  • Includes all data extracted from the target machine (artefacts)

  • Serves as solid proof for vulnerability validation

  • Provides details you can use for further manual exploitation

Sniper Report Sample

How to use the pentesting tool

Use Cases for Sniper – Automatic Exploiter

Sniper automatically exploits known, widespread vulnerabilities in high-profile software. The tool gains remote command execution on the vulnerable targets and automatically runs post-exploitation modules to extract interesting data (artefacts) as solid proof for vulnerability validation.

  • Gaining Initial Access

    As a pentester or read teamer, your objective is to simulate realistic attacks and gain access to the machines in the target network. Sniper speeds-up this exploitation phase by automatically obtaining the initial foothold. Furthermore, the post-exploitation modules automatically gather information from the compromised system for lateral movement and recon.

  • Vulnerability Validation

    Sniper is an excellent vulnerability validation tool. Use it to check if vulnerabilities reported by scanners like Nessus, OpenVAS, or Qualys are exploitable (or not). When Sniper successfully exploits a vulnerability, it confirms the risk is real. It also means system administrators must act immediately to remediate the issue, as attackers are actively exploiting it in the wild.

  • Controlled Exploitation

    As opposed to Metasploit, Sniper does not give unrestricted shell access to the target system. Instead, it does full automatic exploitation by itself. This is a safer approach which eliminates the possible human errors during the attack phase and ensures that the target system is left in a good and clean state after exploitation.

Better vulnerability discovery. Faster pentest reporting.

Get instant access to custom vulnerability scanners and automation features that simplify the pentesting process and produce valuable results. The platform helps you cover all the stages of an engagement, from information gathering to website scanning, network scanning, exploitation and reporting.

Pentest-Tools.com Sniper Sample Report

Sniper – Automatic Exploiter

Technical Details

We developed Sniper to bridge the gap between results that common vulnerability scanners produce (e.g. Nessus, Qualys, OpenVAS) and the attack methods real threat actors use. While vulnerability scanners generate a high volume of potential issues, which also include a lot of noise and false positives, real attackers commonly focus on a few highly effective and targeted intrusion techniques.

Sniper is a custom tool that implements a set of modules for exploiting the most critical vulnerabilities in high-profile software that the majority of companies in the world use. The tool mimics the exploits and attack techniques found in real world scenarios to determine the truly vulnerable systems.

After a successful exploitation, Sniper automatically runs post-exploitation modules which extract interesting data from the target system as solid proof of intrusion. We call this data artefacts. Here are some artefact examples:

  • Current user (e.g. nt authority/system)
  • System information
  • List of local users
  • List of running processes
  • Network configuration
  • Network neighbors
  • Network connections

Security teams and specialists can use all this data to continue their pentesting work into the network (manually, by the pentester) and for vulnerability validation.

When Sniper succeeds in exploiting a vulnerability, system administrators must act straight away, as the risk is real and attackers can exploit it at any given moment. This tool helps you become very effective at filtering out the noise that vulnerability scanners create, eliminating false positives, and helping you focus on the vulnerabilities that matter.

Exploit Modules

This is the complete list of modules and capabilities currently available in Sniper:

Software typeVendorProductCVEVuln dateCodename
Monitoring SystemVisualToolsDVRCVE-2021-42071Oct 2021-
Web ServerApacheServerCVE-2021-41773Oct 2021-
Web ServerApacheServerCVE-2021-42013Oct 2021-
Azure CloudMicrosoftOpen Management Interface (OMI)CVE-2021-38647Sep 2021OMIGOD
Email serverMicrosoftExchange ServerCVE-2021-34473Aug 2021ProxyShell
Collaboration SoftwareAtlassianConfluenceCVE-2021-26084Aug 2021-
VirtualizationVMwarevCenter ServerCVE-2021-21985May 2021-
Collaboration SoftwareGitLabServerCVE-2021-22205Apr 2021-
VPN GatewayF5BIG IPCVE-2021-22986Mar 2021-
Email serverMicrosoftExchange ServerCVE-2021-26855Mar 2021ProxyLogon
Web ServerSebastian HildebrandtSystem Information Library for Node.JSCVE-2021-21315Feb 2021-
VirtualizationVMwarevCenter ServerCVE-2021-21972Feb 2021-
Web serverNodeRedCVE-2021-3223Jan 2021-
Web FrameworkApacheStrutsCVE-2020-17530Dec 2020-
FirewallSophosSG UTMCVE-2020-25223Sep 2020-
FirewallCitrixADC/GatewayCVE-2020-8194Jul 2020-
FirewallCitrixADC/GatewayCVE-2020-8193Jul 2020-
VPN GatewayCiscoASACVE-2020-3452Jul 2020-
VPN GatewayF5BIG IPCVE-2020-5902Jun 2020-
Web serverApacheTomcatCVE-2020-1938Feb 2020Ghostcat
FirewallCitrixADCCVE-2019-19781Dec 2019-
VPN GatewayPulseConnect SecureCVE-2019-11510May 2019-
VPN GatewayFortinetFortiGateway SSL VPNCVE-2018-13379May 2019-
Web FrameworkApacheStrutsCVE-2017-9791Jul 2017S2-048
UtilityGNU ProjectBashCVE-2014-6271Sep 2014Shellshock

Artefacts

Artefacts are data from the target system which Sniper automatically extracts after one of the exploits succeeds. Their purpose is to provide solid proof that the target is vulnerable and to help in further manual exploitation, if necessary.

The artefacts are extracted by running predefined shell commands on the target, depending on its operating system. For instance, to extract the current user on a Linux system, the extractor will run the command whoami whereas on Windows it will run the command net user.

This is the list of artefacts that Sniper is able to extract:

ArtefactDescription
Current userThe name of the current system user that the exploit code is running as (e.g. root, Administrator or www-data).
System informationInformation about the operating system like OS type, version, kernel, processor architecture, memory size, etc.
List of local usersA listing of the users currently configured on the operating system (e.g. from /etc/passwd)
List of running processesA listing of the operating system processes that are currently running.
Network configurationThe settings of the network interfaces of the target machine (e.g. IP address, network mask, default gateway, etc.)
Network neighborsA list of devices existent in the same local network as the target (layer 2).
Network connectionsThe list of open ports and established TCP connections of the target with other systems in the network.

Parameters

ParameterDescription
TargetSpecifies the system that will be scanned. Target can be an IP address, hostname or an URL.
Ports to scanThese are the ports that Sniper will try to automatically fingerprint and attack. Can be specified as common ports, range or list.

How it works

Sniper runs a number of predefined steps for each target:

1. Scanning for open ports

This is the first phase the attack, which checks if the TCP ports specified as input are open or not. The result of this phase is a list of open ports, together with the protocol, type of service and its version.

2. Fingerprinting web services

Next, Sniper iterates through each port that runs a HTTP/S service and tries to determine what type of web application is running, whether it is a standard app (e.g. Outlook Web Access, VMWare web interface, etc.) and which technology sits behind it. This information is needed to select the appropriate exploit to run against it.

3. Looking for compatible exploits

Based on the fingerprint data about the target system, Sniper then filters a list of possible compatible exploits that match it.

4. Checking if the target is vulnerable

At this stage, the tool runs the check routine for each compatible exploit that determines whether the target is exploitable – without extracting any data.

5. Exploiting and extracting all artefacts

If the previous step succeeds and the target is exploitable, Sniper automatically proceeds to extract all the artefacts and show them in the output report.

6. Cleaning up

Most exploit modules do not create any files or processes on the target system so no cleanup is necessary. However, when they do, Sniper makes sure that they are deleted, so the system is left unaltered and clean.