
Sniper – Automatic Exploiter

Automatically exploit known CVEs with Sniper to validate their real impact. Its post-exploitation modules also extract interesting data from the target host as solid evidence of compromise.



Reporting

Sample Sniper – Automatic Exploiter report

Here is a sample report from our Sniper – Automatic Exploiter that gives you a taste of how our tools save you time and reduce repetitive manual work.

  • Shows the full list of activities the tool performs to achieve successful exploitation

  • Includes all data extracted from the target machine (artefacts)

  • Serves as solid proof for vulnerability validation

  • Provides details you can use for further manual exploitation


How to use the pentesting tool

Use Cases for Sniper – Automatic Exploiter

Sniper automatically exploits known, widespread vulnerabilities in high-profile software. The tool gains remote command execution on the vulnerable targets and automatically runs post-exploitation modules to extract interesting data (artefacts) as solid proof for vulnerability validation.

  • Gaining Initial Access

    As a pentester or red teamer, your objective is to simulate realistic attacks and gain access to the machines in the target network. Sniper speeds up this exploitation phase by automatically obtaining the initial foothold. Furthermore, the post-exploitation modules automatically gather information from the compromised system for lateral movement and recon.

  • Vulnerability Validation

    Sniper is an excellent vulnerability validation tool. Use it to check if vulnerabilities reported by scanners like Nessus, OpenVAS, or Qualys are exploitable (or not). When Sniper successfully exploits a vulnerability, it confirms the risk is real. It also means system administrators must act immediately to remediate the issue, as attackers are actively exploiting it in the wild.

  • Controlled Exploitation

    As opposed to Metasploit, Sniper does not give unrestricted shell access to the target system. Instead, it does full automatic exploitation by itself. This is a safer approach which eliminates the possible human errors during the attack phase and ensures that the target system is left in a good and clean state after exploitation.

Better vulnerability discovery. Faster pentest reporting.

Get instant access to custom vulnerability scanners and automation features that simplify the pentesting process and produce valuable results. The platform helps you cover all the stages of an engagement, from information gathering to website scanning, network scanning, exploitation and reporting.


Technical details

We developed Sniper to bridge the gap between results that common vulnerability scanners produce (e.g. Nessus, Qualys, OpenVAS) and the attack methods real threat actors use. While vulnerability scanners generate a high volume of potential issues, which also include a lot of noise and false positives, real attackers commonly focus on a few highly effective and targeted intrusion techniques.

Sniper is a custom tool that implements a set of modules for exploiting the most critical vulnerabilities in high-profile software that the majority of companies in the world use. The tool mimics the exploits and attack techniques found in real world scenarios to determine the truly vulnerable systems.

After a successful exploitation, Sniper automatically runs post-exploitation modules which extract interesting data from the target system as solid proof of intrusion. We call this data artefacts. Here are some artefact examples:

  • Current user (e.g. nt authority/system)
  • System information
  • List of local users
  • List of running processes
  • Network configuration
  • Network neighbors
  • Network connections

Security teams and specialists can use all this data to continue their pentesting work into the network (manually, by the pentester) and for vulnerability validation.

When Sniper succeeds in exploiting a vulnerability, system administrators must act straight away, as the risk is real and attackers can exploit it at any given moment. This tool helps you become very effective at filtering out the noise that vulnerability scanners create, eliminating false positives, and helping you focus on the vulnerabilities that matter. Here's how many of them we detect compared to other security platforms.

Exploit Modules

This is the complete list of modules and capabilities currently available in Sniper:

| Software type | Vendor / Product | CVE | Vuln date | Codename | Capability | CVSSv3 score |
|---|---|---|---|---|---|---|
| Collaboration Software | Atlassian Confluence | | Jun 2022 | - | RCE | - |
| Firewall | ZyXEL Networks ZyXEL Firewall | | May 2022 | - | RCE | 9.8 |
| VPN Gateway | F5 BIG IP | | May 2022 | - | RCE | 9.8 |
| API Management | WSO2 Platform | | Apr 2022 | - | RCE | 9.8 |
| Web Framework | Apache Struts | | Apr 2022 | S2-062 | RCE | 9.8 |
| Web framework | Pivotal Software Spring Framework | | Mar 2022 | - | RCE | 9.8 |
| Open source CMS | DotCMS DotCMS | | Mar 2022 | - | RCE | - |
| Library | Pivotal Software Spring Cloud Gateway | | Mar 2022 | - | RCE | 10 |
| Data store | Redis Redis | | Feb 2022 | - | RCE | 10 |
| eCommerce | Adobe Magento | | Feb 2022 | - | RCE | 9.8 |
| Monitoring solution | Zabbix Zabbix | | Jan 2022 | - | RCE | 9.8 |
| Hypervisor | ManageEngine Desktop Central | | Dec 2021 | - | RCE | 9.8 |
| Webserver | Apache Tomcat | | Dec 2021 | Log4Shell | RCE | 10 |
| Logging library | Apache Log4j | | Dec 2021 | Log4Shell | RCE | 10 |
| Web Framework | Apache Struts | | Dec 2021 | Log4Shell | RCE | 10 |
| Hypervisor | ManageEngine ServiceDesk, SupportCenter | | Nov 2021 | - | RCE | 9.8 |
| Monitoring solution | Grafana Labs | | Nov 2021 | - | File Read | 7.5 |
| Webserver | Apache Server | | Oct 2021 | - | RCE | 9.8 |
| Webserver | Apache Server | | Oct 2021 | - | File Read | 7.5 |
| Webserver | Apache Server | | Oct 2021 | - | RCE | 7.5 |
| Webserver | Apache Server | | Oct 2021 | - | File Read | 9.8 |
| Password Management | ManageEngine ADSelfService Plus | | Sep 2021 | - | RCE | 9.8 |
| Azure Cloud | Microsoft Open Management Interface (OMI) | | Sep 2021 | OMIGOD | RCE | 9.8 |
| Email Server | Microsoft Exchange Server | | Aug 2021 | ProxyShell | RCE | 9.8 |
| Collaboration Software | Atlassian Confluence | | Aug 2021 | - | RCE | 9.8 |
| Monitoring System | VisualTools DVR | | Jul 2021 | - | RCE | 9.8 |
| Virtualization | VMware vCenter Server | | May 2021 | - | RCE | 9.8 |
| Virtualization | VMware Workspace One | | Apr 2021 | - | RCE | 9.8 |
| Collaboration Software | GitLab Server | | Apr 2021 | - | RCE | 10 |
| Planning System | Apache OFBiz | | Mar 2021 | - | RCE | 9.8 |
| VPN Gateway | F5 BIG IP | | Mar 2021 | - | RCE | 9.8 |
| Email Server | Microsoft Exchange Server | | Mar 2021 | ProxyLogon | RCE | 9.8 |
| Webserver | Sebastian Hildebrandt System Information Library for Node.JS | | Feb 2021 | - | RCE | 4.6 |
| Virtualization | VMware vCenter Server | | Feb 2021 | - | RCE | 9.8 |
| Webserver | Node Red | | Jan 2021 | - | File Read | 7.5 |
| Web Framework | Laravel Laravel | | Jan 2021 | - | RCE | 9.8 |
| Web Framework | Apache Struts | | Dec 2020 | - | RCE | 9.8 |
| Web server | Oracle Weblogic | | Oct 2020 | - | RCE | 7.2 |
| Networking product | Netgear Router | | Oct 2020 | - | RCE | 6.5 |
| Firewall | Sophos SG UTM | | Sep 2020 | - | RCE | 9.8 |
| Web Framework | Apache Struts | | Aug 2020 | - | RCE | 9.8 |
| Firewall | Citrix ADC/Gateway | | Jul 2020 | - | File Read | 6.5 |
| Firewall | Citrix ADC/Gateway | | Jul 2020 | - | RCE | 6.5 |
| VPN Gateway | Cisco ASA | | Jul 2020 | - | File Read | 7.5 |
| VPN Gateway | F5 BIG IP | | Jun 2020 | - | RCE | 9.8 |
| Webserver | Apache Tomcat | | Feb 2020 | Ghostcat | File Read | 9.8 |
| Logging library | Apache Log4j | | Dec 2019 | - | RCE | 9.8 |
| Firewall | Citrix ADC | | Dec 2019 | - | RCE | 9.8 |
| Email service | Exim Exim | | Jul 2019 | - | RCE | 9.8 |
| VPN Gateway | Fortinet FortiGateway SSL VPN | | May 2019 | - | File Read | 9.8 |
| VPN Gateway | Pulse Connect Secure | | May 2019 | - | File Read | 10 |
| Web Server | Adobe Coldfusion | | Sep 2018 | - | RCE | 9.8 |
| Web Framework | Apache Struts | | Aug 2018 | - | RCE | 8.1 |
| Web server | Oracle Weblogic | | Jul 2018 | - | RCE | 9.8 |
| CMS | Drupal Drupal | | Mar 2018 | Drupalgeddon2 | RCE | 9.8 |
| Webserver | Apache Tomcat | | Oct 2017 | - | RCE | 8.1 |
| Web Framework | Apache Struts | | Sep 2017 | - | RCE | 9.8 |
| Web Framework | Apache Struts | | Jul 2017 | S2-048 | RCE | 9.8 |
| Utility | GNU Project Bash | | Sep 2014 | Shellshock | RCE | 9.8 |

Artefacts

Artefacts are data from the target system which Sniper automatically extracts after one of the exploits succeeds. Their purpose is to provide solid proof that the target is vulnerable and to help in further manual exploitation, if necessary.

The artefacts are extracted by running predefined shell commands on the target, depending on its operating system. For instance, to extract the current user on a Linux system, the extractor will run the command whoami whereas on Windows it will run the command net user.

This is the list of artefacts that Sniper is able to extract:

| Artefact | Description |
|---|---|
| Current user | The name of the current system user that the exploit code is running as (e.g. root, Administrator or www-data). |
| System information | Information about the operating system like OS type, version, kernel, processor architecture, memory size, etc. |
| List of local users | A listing of the users currently configured on the operating system (e.g. from /etc/passwd) |
| List of running processes | A listing of the operating system processes that are currently running. |
| Network configuration | The settings of the network interfaces of the target machine (e.g. IP address, network mask, default gateway, etc.) |
| Network neighbors | A list of devices existent in the same local network as the target (layer 2). |
| Network connections | The list of open ports and established TCP connections of the target with other systems in the network. |
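
Seen from the monitoring side, the extraction step described above shows up as a short burst of discovery commands spawned by a service process. The following is an added example, not part of the original page and not Sniper's code: it flags such bursts in process-creation events. The command-to-artefact mapping (beyond whoami and net user), the service process names, the thresholds and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed prefix -> artefact map; the page names only whoami and net user.
ARTEFACT_CMDS = {
    "whoami": "current user", "id": "current user",
    "uname": "system information", "systeminfo": "system information",
    "cat /etc/passwd": "local users", "net user": "local users",
    "ps": "running processes", "tasklist": "running processes",
    "ip addr": "network configuration", "ipconfig": "network configuration",
    "arp": "network neighbors", "netstat": "network connections",
}
# Assumed names of network-facing service processes that rarely spawn shells.
SERVICE_PARENTS = {"java", "httpd", "nginx", "w3wp.exe"}

def classify(cmdline):
    """Return the artefact category a command line collects, or None."""
    cmd = cmdline.strip().lower()
    for prefix, artefact in ARTEFACT_CMDS.items():
        if cmd == prefix or cmd.startswith(prefix + " "):
            return artefact
    return None

def detect_bursts(events, window=timedelta(seconds=60), min_artefacts=4):
    """Map (host, parent) to artefact categories collected within one window."""
    recent, hits = {}, {}
    for stamp, host, parent, cmd in sorted(events):
        ts, artefact = datetime.fromisoformat(stamp), classify(cmd)
        if artefact is None or parent.lower() not in SERVICE_PARENTS:
            continue
        key = (host, parent)
        obs = recent.setdefault(key, [])
        obs.append((ts, artefact))
        obs[:] = [(t, a) for t, a in obs if ts - t <= window]  # slide window
        seen = {a for _, a in obs}
        if len(seen) >= min_artefacts and len(seen) > len(hits.get(key, [])):
            hits[key] = sorted(seen)
    return hits

# Constructed process-creation events: (ISO time, host, parent, command line).
SAMPLE_EVENTS = [
    ("2022-06-03T10:00:01", "wiki01", "java", "whoami"),
    ("2022-06-03T10:00:02", "wiki01", "java", "uname -a"),
    ("2022-06-03T10:00:02", "wiki01", "java", "cat /etc/passwd"),
    ("2022-06-03T10:00:03", "wiki01", "java", "ps aux"),
    ("2022-06-03T10:00:04", "wiki01", "java", "netstat -tan"),
    ("2022-06-03T10:05:00", "db01", "bash", "whoami"),  # admin shell: ignored
    ("2022-06-03T11:00:00", "web02", "w3wp.exe", "whoami"),  # too sparse
    ("2022-06-03T11:30:00", "web02", "w3wp.exe", "ipconfig /all"),
]
print(detect_bursts(SAMPLE_EVENTS))
```

Only the wiki01 burst is reported; the interactive shell on db01 and the two widely spaced commands on web02 stay below the threshold.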

Parameters

| Parameter | Description |
|---|---|
| Target | Specifies the system that will be scanned. Target can be an IP address, hostname or a URL. |
| Ports to scan | These are the ports that Sniper will try to automatically fingerprint and attack. Can be specified as common ports, range or list. |

How it works

Sniper runs a number of predefined steps for each target:

1. Scanning for open ports

This is the first phase of the attack, which checks if the TCP ports specified as input are open or not. The result of this phase is a list of open ports, together with the protocol, type of service and its version.

2. Fingerprinting web services

Next, Sniper iterates through each port that runs an HTTP/S service and tries to determine what type of web application is running, whether it is a standard app (e.g. Outlook Web Access, VMware web interface, etc.) and which technology sits behind it. This information is needed to select the appropriate exploit to run against it.

3. Looking for compatible exploits

Based on the fingerprint data about the target system, Sniper then filters a list of possible compatible exploits that match it.

4. Checking if the target is vulnerable

At this stage, the tool runs the check routine for each compatible exploit that determines whether the target is exploitable – without extracting any data.

5. Exploiting and extracting all artefacts

If the previous step succeeds and the target is exploitable, Sniper automatically proceeds to extract all the artefacts and show them in the output report.

6. Cleaning up

Most exploit modules do not create any files or processes on the target system so no cleanup is necessary. However, when they do, Sniper makes sure that they are deleted, so the system is left unaltered and clean.