Automated Pentest Recon Scanner – Sn1per

Last Release: 01/09/2021     Last Commit: 06/28/2022

Introduction

Sn1per is an automated scanner that you can use during a penetration test to perform vulnerability scanning. There are two Sn1per versions available:

  • Community Edition, and
  • Professional Edition.

Sn1per: Automated Pentest Recon Scanner

Sn1per Community Edition is an automated pentest recon scanner that can be used during a pentest to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security’s premium reporting add-on, available for:

  • Professional Penetration Testers
  • Bug Bounty Researchers
  • Corporate Security teams

Features (Community) – Sn1per automatically:

  • collects basic recon (i.e. whois, ping, DNS, etc.)
  • launches Google hacking queries against a target domain
  • enumerates open ports via NMap port scanning
  • brute forces sub-domains, gathers DNS info and checks for zone transfers
  • checks for sub-domain hijacking
  • runs targeted NMap scripts against open ports
  • runs targeted Metasploit scan and exploit modules
  • scans all web applications for common vulnerabilities
  • brute forces ALL open services
  • tests for anonymous FTP access
  • runs WPScan, Arachni and Nikto for all web services
  • enumerates NFS shares
  • tests for anonymous LDAP access
  • enumerates SSL/TLS ciphers, protocols and vulnerabilities
  • enumerates SNMP community strings, services and users
  • lists SMB users and shares, checks for NULL sessions and exploits MS08-067
  • exploits vulnerable JBoss, Java RMI and Tomcat servers
  • tests for open X11 servers
  • auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
  • performs high level enumeration of multiple hosts and subnets
  • integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
  • gathers screenshots of all web sites
  • creates individual workspaces to store all scan output

Auto-pwn:

  • Apache Struts CVE-2018-11776 RCE exploit
  • Android Insecure ADB RCE auto exploit
  • Apache Tomcat CVE-2017-12617 RCE exploit
  • Oracle WebLogic WLS-WSAT Component Deserialisation RCE CVE-2017-10271 exploit
  • Drupal Drupalgeddon2 RCE CVE-2018-7600
  • GPON Router RCE CVE-2018-10561
  • Apache Struts 2 RCE CVE-2017-5638
  • Apache Struts 2 RCE CVE-2017-9805
  • Shellshock GNU Bash RCE CVE-2014-6271
  • Apache Jakarta RCE CVE-2017-5638
  • HeartBleed OpenSSL Detection CVE-2014-0160
  • Default Apache Tomcat Creds CVE-2009-3843
  • MS Windows SMB RCE MS08-067
  • Webmin File Disclosure CVE-2006-3392
  • Anonymous FTP Access
  • PHPMyAdmin Backdoor RCE
  • PHPMyAdmin Auth Bypass
  • JBoss Java De-Serialization RCEs

Sn1per Professional Features:

  • Professional reporting interface
  • Visual Recon: Slideshow for all gathered screenshots (you can flip through all collected screenshots)
  • Enumeration: Searchable and sortable DNS, IP and open port database
  • Detailed Host View: Categorized host reports (open ports, fingerprint, WAF, headers, Web files)
  • Quick links: To online recon tools and Google hacking queries (20+ online pentest tools and 15+ Google hacking queries)
  • Personalized notes field for each host

Sn1per Install

Clone it from the GitHub repo:

$ git clone https://github.com/1N3/Sn1per

Then change into the Sn1per directory and make the install.sh script executable:

$ cd Sn1per
$ chmod +x install.sh

Now you can install Sn1per by executing the following:

$ ./install.sh

Docker Install

Check here for the sn1per docker install.

Usage example:

$ docker pull menzo/sn1per-docker
$ docker run --rm -ti menzo/sn1per-docker sniper menzo.io

Usage

Pass -h to sniper to list all available modes:

[*] NORMAL MODE
sniper -t|--target <TARGET>

[*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE
sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce

[*] STEALTH MODE + OSINT + RECON
sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon

[*] DISCOVER MODE
sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>

[*] FLYOVER MODE
sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>

[*] AIRSTRIKE MODE
sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike

[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>

[*] SCAN ONLY SPECIFIC PORT
sniper -t|--target <TARGET> -m port -p|--port <portnum>

[*] FULLPORTONLY SCAN MODE
sniper -t|--target <TARGET> -fp|--fullportonly

[*] PORT SCAN MODE
sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>

[*] WEB MODE - PORT 80 + 443 ONLY!
sniper -t|--target <TARGET> -m|--mode web

[*] HTTP WEB PORT HTTP MODE
sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>

[*] HTTPS WEB PORT HTTPS MODE
sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>

[*] ENABLE BRUTEFORCE
sniper -t|--target <TARGET> -b|--bruteforce

[*] ENABLE LOOT IMPORTING INTO METASPLOIT
sniper -t|--target <TARGET>

[*] LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimport

[*] SCAN STATUS
sniper --status

[*] UPDATE SNIPER
sniper -u|--update

Modes:

  • NORMAL: Performs basic scan of targets and open ports using both active and passive checks for optimal performance.
  • STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
  • FLYOVER: Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).
  • AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full path of the file that contains all hosts and IPs to be scanned, and run:
    •  ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
  • NUKE: Launch full audit of multiple hosts specified in text file of choice.
    • Usage example: ./sniper /pentest/loot/targets.txt nuke.
  • DISCOVER: Parses all hosts on a subnet/CIDR (i.e. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
  • PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
  • FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
  • WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
  • WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
  • WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
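
The file-driven modes above (AIRSTRIKE, NUKE) act on every line of targets.txt, so the list is worth checking against the engagement scope before any scan starts. The following is an added example, not part of Sn1per or of the original page: it refuses entries outside an authorized scope and only then builds the command line from flags shown in the usage listing. The scope ranges, domain, sample targets and function names are constructed assumptions.

```python
import ipaddress

# Constructed engagement scope (assumption): replace with the signed-off ranges.
SCOPE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
SCOPE_DOMAINS = ["example.test"]
FILE_MODES = {"airstrike", "nuke"}  # file-driven modes named on this page


def in_scope(entry):
    """True if an IP, CIDR or hostname lies entirely inside the scope."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Not an address: treat as hostname, match the domain or a subdomain.
        host = entry.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in SCOPE_DOMAINS)
    return any(net.version == s.version and net.subnet_of(s) for s in SCOPE_NETS)


def split_targets(lines):
    """Return (allowed, rejected); blank lines and # comments are skipped."""
    allowed, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        (allowed if in_scope(entry) else rejected).append(entry)
    return allowed, rejected


def sniper_argv(targets_path, mode, workspace=None):
    """Build the command line using only flags from the usage listing."""
    if mode not in FILE_MODES:
        raise ValueError(f"mode {mode!r} does not take a target file")
    argv = ["sniper", "-f", targets_path, "-m", mode]
    return argv + ["-w", workspace] if workspace else argv


# Constructed sample of a targets.txt, including entries that must be refused.
SAMPLE = ["10.20.5.7", "10.20.8.0/24", "10.0.0.0/8  # wider than scope",
          "app.example.test", "example.test.evil.invalid", "", "# note"]

if __name__ == "__main__":
    ok, bad = split_targets(SAMPLE)
    print("in scope:", ok)
    print("refused :", bad)
    if not bad:  # any out-of-scope entry blocks the run
        print(" ".join(sniper_argv("/full/path/to/targets.txt", "nuke", "demo")))
```

A CIDR wider than the authorized range is refused as a whole rather than trimmed, so the operator has to correct the list explicitly.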