Skip to content
Loading...

Sniper - Automatic Exploiter

Automatically exploit known CVEs with Sniper to validate their real impact. Its post-exploitation modules also extract interesting data from the target host as solid evidence of compromise.

Latest exploits in Sniper:

Software type Vendor Product CVE Vuln date Codename Capability
Web Server Apache Server CVE-2021-42013 Oct 2021 - RCE/File Read
Web Server Apache Server CVE-2021-41773 Oct 2021 - RCE/File Read
Azure Cloud Microsoft Open Management Interface (OMI) CVE-2021-38647 Sep 2021 OMIGOD RCE
Collaboration Software Atlassian Confluence CVE-2021-26084 Aug 2021 - RCE
Email server Microsoft Exchange Server CVE-2021-34473 Aug 2021 ProxyShell RCE
Virtualization VMware vCenter Server CVE-2021-21985 May 2021 - RCE
Email server Microsoft Exchange Server CVE-2021-26855 Mar 2021 ProxyLogon RCE
VPN Gateway F5 BIG IP CVE-2021-22986 Mar 2021 - RCE
Virtualization VMware vCenter Server CVE-2021-21972 Feb 2021 - RCE
Web server Sebastian Hildebrandt System Information Library for Node.JS CVE-2021-21315 Feb 2021 - RCE
> See all 18 exploits

Sample Report | Use Cases | Technical Details

Need to see the full results?

Unlock the full power and feature of our Sniper - Automatic Exploiter! Compare pricing plans and discover more tools and features.

Sample Report

Here is a Sniper - Automatic Exploiter sample report:

  • Shows the full list of activities the tool performs to achieve successful exploitation
  • Includes all data extracted from the target machine (artefacts)
  • Serves as solid proof for vulnerability validation
  • Provides details you can use for further manual exploitation

Download Sample Report

Sample report

Sniper - Automatic Exploiter - Use Cases

Sniper automatically exploits known, widespread vulnerabilities in high-profile software. The tool gains remote command execution on the vulnerable targets and automatically runs post-exploitation modules to extract interesting data (artefacts) as solid proof for vulnerability validation.

Gaining Initial Access

As a pentester or read teamer, your objective is to simulate realistic attacks and gain access to the machines in the target network. Sniper speeds-up this exploitation phase by automatically obtaining the initial foothold. Furthermore, the post-exploitation modules automatically gather information from the compromised system for lateral movement and recon.

Vulnerability Validation

Sniper is an excellent vulnerability validation tool. Use it to check if vulnerabilities reported by scanners like Nessus, OpenVAS, or Qualys are exploitable (or not). When Sniper successfully exploits a vulnerability, it confirms the risk is real. It also means system administrators must act immediately to remediate the issue, as attackers are actively exploiting it in the wild.

Controlled Exploitation

As opposed to Metasploit, Sniper does not give unrestricted shell access to the target system. Instead, it does full automatic exploitation by itself. This is a safer approach which eliminates the possible human errors during the attack phase and ensures that the target system is left in a good and clean state after exploitation.

Technical Details


About

We developed Sniper to bridge the gap between results that common vulnerability scanners produce (e.g. Nessus, Qualys, OpenVAS) and the attack methods real threat actors use. While vulnerability scanners generate a high volume of potential issues, which also include a lot of noise and false positives, real attackers commonly focus on a few highly effective and targeted intrusion techniques.

Sniper is a custom tool that implements a set of modules for exploiting the most critical vulnerabilities in high-profile software that the majority of companies in the world use. The tool mimics the exploits and attack techniques found in real world scenarios to determine the truly vulnerable systems.

After a successful exploitation, Sniper automatically runs post-exploitation modules which extract interesting data from the target system as solid proof of intrusion. We call this data artefacts. Here are some artefact examples:
  • Current user (ex. nt authority/system)
  • System information
  • List of local users
  • List of running processes
  • Network configuration
  • Network neighbors
  • Network connections
Security teams and specialists can use all this data to continue their pentesting work into the network (manually, by the pentester) and for vulnerability validation.

When Sniper succeeds in exploiting a vulnerability, system administrators must act straight away, as the risk is real and attackers can exploit it at any given moment. This tool helps you become very effective at filtering out the noise that vulnerability scanners create, eliminating false positives, and helping you focus on the vulnerabilities that matter.


Exploit modules

This is the complete list of modules and capabilities currently available in Sniper:
Software type Vendor Product CVE Vuln date Codename Capability
Web Server Apache Server CVE-2021-42013 Oct 2021 - RCE/File Read
Web Server Apache Server CVE-2021-41773 Oct 2021 - RCE/File Read
Azure Cloud Microsoft Open Management Interface (OMI) CVE-2021-38647 Sep 2021 OMIGOD RCE
Collaboration Software Atlassian Confluence CVE-2021-26084 Aug 2021 - RCE
Email server Microsoft Exchange Server CVE-2021-34473 Aug 2021 ProxyShell RCE
Virtualization VMware vCenter Server CVE-2021-21985 May 2021 - RCE
Email server Microsoft Exchange Server CVE-2021-26855 Mar 2021 ProxyLogon RCE
VPN Gateway F5 BIG IP CVE-2021-22986 Mar 2021 - RCE
Virtualization VMware vCenter Server CVE-2021-21972 Feb 2021 - RCE
Web Server Sebastian Hildebrandt System Information Library for Node.JS CVE-2021-21315 Feb 2021 - RCE
Web Framework Apache Struts CVE-2020-17530 Dec 2020 - RCE
Firewall Sophos SG UTM CVE-2020-25223 Sep 2020 - RCE
VPN Gateway Cisco ASA CVE-2020-3452 Jul 2020 - File Read
Firewall Citrix ADC/Gateway CVE-2020-8193 Jul 2020 - File read
Firewall Citrix ADC/Gateway CVE-2020-8194 Jul 2020 - RCE
VPN Gateway F5 BIG IP CVE-2020-5902 Jun 2020 - RCE
VPN Gateway Fortinet FortiGateway SSL VPN CVE-2018-13379 Jun 2019 - File read
VPN Gateway Pulse Connect Secure CVE-2019-11510 May 2019 - File read


Artefacts

Artefacts are data from the target system which Sniper automatically extracts after one of the exploits succeeds. Their purpose is to provide solid proof that the target is vulnerable and to help in further manual exploitation, if necessary.

The artefacts are extracted by running predefined shell commands on the target, depending on its operating system. For instance, to extract the current user on a Linux system, the extractor will run the command whoami whereas on Windows it will run the command net user.

This is the list of artefacts that Sniper is able to extract:
Artefact Description
Current user The name of the current system user that the exploit code is running as (e.g. root, Administrator or www-data)
System information Information about the operating system like OS type, version, kernel, processor architecture, memory size, etc.
List of local users A listing of the users currently configured on the operating system (ex. from /etc/passwd)
List of running processes A listing of the operating system processes that are currently running.
Network configuration The settings of the network interfaces of the target machine (e.g. IP address, network mask, default gateway, etc)
Network neighbors A list of devices existent in the same local network as the target (layer 2).
Network connections The list of open ports and established TCP connections of the target with other systems in the network.


Parameters

Parameter Description
Target Specifies the system that will be scanned. Target can be an IP address, hostname or an URL.
Ports to scan These are the ports that Sniper will try to automatically fingerprint and attack. Can be specified as common ports, range or list.


How it works

Sniper runs a number of predefined steps for each target:

1. Scanning for open ports

This is the first phase the attack, which checks if the TCP ports specified as input are open or not. The result of this phase is a list of open ports, together with the protocol, type of service and its version.

2. Fingerprinting web services

Next, Sniper iterates through each port that runs a HTTP/S service and tries to determine what type of web application is running, whether it is a standard app (e.g. Outlook Web Access, VMWare web interface, etc) and which technology sits behind it. This information is needed to select the appropriate exploit to run against it.

3. Looking for compatible exploits

Based on the fingerprint data about the target system, Sniper then filters a list of possible compatible exploits that match it.

4. Checking if the target is vulnerable

At this stage, the tool runs the check routine for each compatible exploit that determines whether the target is exploitable – without extracting any data.

5. Exploiting and extracting all artefacts

If the previous step succeeds and the target is exploitable, Sniper automatically proceeds to extract all the artefacts and show them in the output report.

6. Cleaning up

Most exploit modules do not create any files or processes on the target system so no cleanup is necessary. However, when they do, Sniper makes sure that they are deleted, so the system is left unaltered and clean.