
Sn1per Community Edition v8.4 Released!

In case you missed it, Sn1per v8.4 was released today 6/8/2020 and features a slew of new improvements and fixes which will further enhance the speed and functionality of Sn1per.

Introducing Project “Sc0pe”

To start with, Sn1per v8.4 features a completely new active and passive vulnerability scanner called “Sc0pe”, which will serve as the backbone of Sn1per’s new vulnerability scan engine. The new framework makes it quick and easy to scan for the latest CVEs and web vulnerabilities, and opens up a slew of possibilities for users to create and share their own exploits and scanners (submit your PRs!). For a full list of scan templates, check here.

Figure: Sn1per Sc0pe Templates

For anyone interested in writing or porting existing exploits over to Sc0pe, the process is super simple. First, you will need to create a new template.sh file under /usr/share/sniper/templates/active/ for active scanners or /usr/share/sniper/templates/passive/ for passive scanners. You can either copy and rename an existing template, or create a new file in the following format:

AUTHOR='@xer0dayz'
VULN_NAME='Apache Solr Detected'
URI='/'
METHOD='GET'
MATCH='Solr Admin'
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'

Passive scanners detect a vulnerability by grep regex matching against a local file (typically loot saved by an earlier stage of the scan) and use the following format:

AUTHOR='@xer0dayz'
VULN_NAME='CORS Policy - Allow-Credentials Enabled'
FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET.txt"
MATCH='Access-Control-Allow-Credentials: true'
SEVERITY='P4 - LOW'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''

One thing to note is that when saving the template.sh file you created, be sure not to use spaces in the filename (i.e. not “CORS Policy – Allow-Credentials Enabled.sh”). Instead, use underscores, like “CORS_Policy_-_Allow-Credentials_Enabled.sh”.

Once your new template is created, all you need to do is run a scan. Active checks run in the ‘normal’, ‘web’, ‘vulnscan’, ‘webporthttp’ and ‘webporthttps’ modes, as well as in any of the mass scan modes (e.g. massweb). All other modes only use the passive scan modules to detect vulnerabilities.
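To make the passive template format concrete, here is an added example (not Sn1per’s own code) of a minimal evaluator that sources a passive template and applies its MATCH/GREP_OPTIONS to the file named by FILENAME, in the spirit of the two template formats above. It assumes SEARCH='positive' means “a grep match is a finding”, and it also assumes a SEARCH='negative' value meaning “no match is a finding” (the post only shows ‘positive’). The headers file and the two extra templates are constructed sample data; the CORS template is the one from the post.

```shell
#!/bin/sh
# Added example, not Sn1per's own code: a minimal evaluator for the passive
# Sc0pe template format. Assumes templates are sourced as shell files,
# SEARCH='positive' means "a grep match is a finding", and SEARCH='negative'
# (an assumption; the post only shows 'positive') means "no match is a finding".

# Evaluate one passive template. Expects LOOT_DIR and TARGET to be set, as
# Sn1per sets them for a scan. Prints a finding and returns 0 when the check
# fires, returns 1 otherwise.
run_passive_template() {
  tpl="$1"
  # Clear every field so a value from a previous template cannot leak in.
  unset AUTHOR VULN_NAME FILENAME MATCH SEVERITY GREP_OPTIONS SEARCH SECONDARY_COMMANDS
  . "$tpl"
  # GREP_OPTIONS and FILENAME are deliberately unquoted: the options must
  # word-split, and FILENAME may hold a glob such as headers-htt*-$TARGET.txt.
  if grep $GREP_OPTIONS -q -- "$MATCH" $FILENAME 2>/dev/null; then
    matched=1
  else
    matched=0
  fi
  if [ "$SEARCH" = "negative" ]; then
    matched=$((1 - matched))
  fi
  if [ "$matched" -eq 1 ]; then
    printf '[%s] %s (%s)\n' "$SEVERITY" "$VULN_NAME" "$AUTHOR"
    return 0
  fi
  return 1
}

# Run every template in a directory and print how many fired.
scan_passive_dir() {
  n=0
  for t in "$1"/*.sh; do
    if run_passive_template "$t"; then n=$((n + 1)); fi
  done
  printf '%d finding(s)\n' "$n"
}

# Build a constructed fixture under $1: a fake loot directory holding one
# saved HTTP response-header file, plus three templates. Sets LOOT_DIR and
# TARGET in the calling shell.
make_demo_fixture() {
  TARGET="example.test"
  LOOT_DIR="$1/loot"
  mkdir -p "$LOOT_DIR/web" "$1/templates/passive"
  # Constructed sample headers, in the place the FILENAME glob expects.
  cat > "$LOOT_DIR/web/headers-https-$TARGET.txt" <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Type: text/html
EOF
  # Template 1: the post's CORS example, copied as-is (positive search).
  cat > "$1/templates/passive/CORS_Policy_-_Allow-Credentials_Enabled.sh" <<'EOF'
AUTHOR='@xer0dayz'
VULN_NAME='CORS Policy - Allow-Credentials Enabled'
FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET.txt"
MATCH='Access-Control-Allow-Credentials: true'
SEVERITY='P4 - LOW'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
EOF
  # Template 2 (constructed): a missing HSTS header, found by a negative search.
  cat > "$1/templates/passive/Missing_Strict-Transport-Security.sh" <<'EOF'
AUTHOR='example'
VULN_NAME='Strict-Transport-Security header missing'
FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET.txt"
MATCH='^Strict-Transport-Security:'
SEVERITY='P4 - LOW'
GREP_OPTIONS='-i'
SEARCH='negative'
SECONDARY_COMMANDS=''
EOF
  # Template 3 (constructed): a positive check whose string is absent, so it
  # must stay silent.
  cat > "$1/templates/passive/X-Frame-Options_Present.sh" <<'EOF'
AUTHOR='example'
VULN_NAME='X-Frame-Options header present'
FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET.txt"
MATCH='^X-Frame-Options:'
SEVERITY='P5 - INFO'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
EOF
}

# Stand-alone demo: the CORS and HSTS templates fire, so two findings.
demo=$(mktemp -d)
make_demo_fixture "$demo"
scan_passive_dir "$demo/templates/passive"
rm -rf "$demo"
```

Because a template is sourced as shell, every field is also shell code: the `unset` before sourcing keeps one template’s fields from bleeding into the next, and the unquoted `$FILENAME` is what lets the `headers-htt*-$TARGET.txt` glob from the post match both the http and https header files.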

Figure: Sn1per Sc0pe vulnerability report

OWASP ZAP Integration

Another major improvement added in v8.4 is the integration with OWASP ZAP. For this to work properly, you will need to have OWASP ZAP running on the same host as Sn1per and listening on port 8081/tcp.

Figure: OWASP ZAP Proxy Configuration

In addition, you will need to enable the ZAP API service and disable the API key.

Figure: OWASP ZAP API Service

The last step is to update your /root/.sniper.conf file and enable the following setting:

ZAP_SCAN="1"

After that, you can run the ‘webscan’ mode (e.g. sniper -t 127.0.0.1 -m webscan -w 127.0.0.1). Once the scan completes, all HTML reports are saved to /usr/share/sniper/loot/workspace/<workspace>/web/zap-report-$TARGET-$DATE.html.
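As an added example (not Sn1per’s code), the following script checks the prerequisites listed above and drives ZAP through the same API the integration relies on: a preflight against the sniper conf and the ZAP version endpoint, then spider, active scan and HTML report. It assumes ZAP is on 127.0.0.1:8081 with the API key disabled (as the post requires), uses ZAP’s documented JSON/OTHER API endpoints, and builds the report path in the layout the post gives; the workspace, target and date values are caller-supplied.

```shell
#!/bin/sh
# Added example, not Sn1per's own code: preflight check plus a minimal driver
# for the ZAP setup the post describes (ZAP on the same host on 8081/tcp, API
# enabled, API key disabled, ZAP_SCAN="1" in the sniper conf).
ZAP_URL="${ZAP_URL:-http://127.0.0.1:8081}"

# Return 0 when the given sniper conf file enables the ZAP integration.
zap_scan_enabled() {
  grep -q '^ZAP_SCAN="1"' "$1"
}

# Report path in the layout the post gives for webscan output.
zap_report_path() {   # $1 workspace, $2 target, $3 date string
  printf '%s\n' "/usr/share/sniper/loot/workspace/$1/web/zap-report-$2-$3.html"
}

# Pull the trailing quoted number out of a one-field reply such as {"status":"100"}.
json_number() {
  sed -n 's/.*"\([0-9][0-9]*\)"[^0-9]*$/\1/p'
}

# GET an API endpoint; extra arguments go to curl (e.g. --data-urlencode).
# With the API key disabled no apikey parameter is sent, which is why the
# listener must stay on 127.0.0.1: anything that can reach it can drive ZAP.
zap_api() {
  ep="$1"; shift
  curl -sf --max-time 30 -G "$@" "$ZAP_URL/$ep"
}

# Poll a spider or ascan job until it reports 100%, giving up after $3 polls.
zap_wait() {   # $1 spider|ascan, $2 scanId, $3 max polls (5 s apart)
  tries=0
  while [ "$tries" -lt "$3" ]; do
    pct=$(zap_api "JSON/$1/view/status/" --data-urlencode "scanId=$2" | json_number)
    [ "${pct:-0}" -ge 100 ] && return 0
    tries=$((tries + 1))
    sleep 5
  done
  echo "timed out waiting for $1 job $2" >&2
  return 1
}

# Spider, then actively scan, then write ZAP's HTML report to $2.
zap_webscan() {   # $1 target URL, $2 output file
  zap_api JSON/core/view/version/ >/dev/null 2>&1 ||
    { echo "ZAP API not reachable at $ZAP_URL (is the API enabled?)" >&2; return 1; }
  sid=$(zap_api JSON/spider/action/scan/ --data-urlencode "url=$1" | json_number)
  [ -n "$sid" ] || { echo "spider did not start for $1" >&2; return 1; }
  zap_wait spider "$sid" 120 || return 1
  aid=$(zap_api JSON/ascan/action/scan/ --data-urlencode "url=$1" | json_number)
  [ -n "$aid" ] || { echo "active scan did not start for $1" >&2; return 1; }
  zap_wait ascan "$aid" 360 || return 1
  zap_api OTHER/core/other/htmlreport/ > "$2"
}

# Usage against a local ZAP (not run here), writing the report where the post
# says webscan puts it:
#   zap_scan_enabled /root/.sniper.conf &&
#     zap_webscan http://127.0.0.1/ "$(zap_report_path 127.0.0.1 127.0.0.1 "$(date +%F)")"
```

The `-f` on curl makes the preflight fail on an HTTP error as well as a refused connection, which is what you see when ZAP is up but its API service is still disabled.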

Sn1per Configuration Templates

Figure: Sn1per Configuration Templates

Another major addition to Sn1per v8.4 is eight new configuration templates, which can be referenced and loaded dynamically to fine-tune each Sn1per scan. In the following example, we run all Metasploit web exploits against the target and skip most of the default modules, giving a quick scan for web vulnerabilities.

Usage: sniper -t 127.0.0.1 -m web -c /usr/share/sniper/conf/webpwn_only -w 127.0.0.1

The possibilities are endless: you can save and reference your own custom configuration templates, or use the default options and templates as a reference. Check here for some examples, and feel free to submit PRs with your own unique templates.

Changelog

  • v8.4 – Added project “Sc0pe” active/passive vulnerability scanner
  • v8.4 – Added 68 new active sc0pe templates
  • v8.4 – Added 14 new passive sc0pe templates
  • v8.4 – Added OWASP ZAP API integration
  • v8.4 – Added 8 new Sn1per configuration templates (see /usr/share/sniper/conf/)
  • v8.4 – Added Gau (https://github.com/lc/gau)
  • v8.4 – Added rapiddns subdomain retrieval
  • v8.4 – Updated web content wordlists
  • v8.4 – Improved efficiency of ‘web’ and ‘recon’ mode scans
  • v8.4 – Disabled legacy Metasploit web exploits (check Sn1per conf to re-enable)
  • v8.4 – Fixed issue with dirsearch asterisk being used incorrectly
  • v8.4 – Fixed issue with airstrike mode not updating the Sn1per Professional v8.0 host list
  • v8.4 – Fixed issue with webtech re.error: invalid group reference 1 at position 130

Updating

To apply the update, run ‘sniper -u’ if Sn1per is already installed to automatically download the latest release. For new users, run: ‘git clone https://github.com/1N3/Sn1per’ and run the install.sh file.

Sn1per Community Edition v7.0 Released!


We’re excited to announce the release of Sn1per Community Edition v7.0. Version 7 features brand new scan modes and command switches to help make life easier and offers more versatility to get the results you’re after.

New Scan Modes:

To start with, we’ve introduced a new “webscan” mode, initiated from the command line via ‘sniper -t <target> -m webscan’, which runs an automated Burpsuite 2.x and Arachni web application spider and full audit for OWASP Top 10 vulnerabilities. This is now separate from the traditional ‘web’ mode, which is now focused more on web recon than on scanning for actual OWASP vulnerabilities.

Slack API Integration:

The next major change you’ll notice is the addition of a new Slack API integration, enabled via the ~/.sniper.conf file by setting “SLACK_NOTIFICATIONS” to “1” and editing the /usr/share/sniper/bin/slack.py script with your Slack API token (https://api.slack.com/custom-integrations/legacy-tokens). This sends notifications of new scan tasks and scan completion to your own private Slack channel.

Scheduled Scans:

In addition to the new scan modes and integrations, we’ve also added the ability to easily schedule Sn1per scans direct from the command line. To initialize scheduled scans, you first need to edit your crontab via the ‘crontab -e’ command as ‘root’ and add the following to your crontab:

# m h dom mon dow command
0 0 * * * find /usr/share/sniper/loot/workspace/ -type f -name "daily.sh" -exec bash {} \;
0 0 * * 0 find /usr/share/sniper/loot/workspace/ -type f -name "weekly.sh" -exec bash {} \;
0 0 1 * * find /usr/share/sniper/loot/workspace/ -type f -name "monthly.sh" -exec bash {} \;

After your crontab is set up properly, you can simply run the ‘sniper -w <workspace_alias> -s daily|weekly|monthly’ command to edit the workspace’s scheduled commands. Just add the full sniper commands you want to run on a schedule (i.e. ‘sniper -t 127.0.0.1 -w 127.0.0.1’) and save. That’s it!
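The cron entries above run, as root, every daily.sh, weekly.sh or monthly.sh found anywhere under the loot tree. As an added example (not part of Sn1per), here is a stricter variant of the same find-and-exec pattern that only executes scripts owned by the invoking user and not writable by group or others, plus a helper that lists schedules that would be skipped so they are not silently ignored. It assumes GNU find (for `-perm /mode`); the workspace tree and the two daily.sh scripts in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of Sn1per: a stricter form of the post's cron entries.
# The originals run every <period>.sh found under the loot tree, as root. This
# version runs only scripts owned by the invoking user and not writable by
# group or others, so a script someone else could have written or changed is
# skipped rather than executed. Assumes GNU find (-perm /mode).
WORKSPACES="${WORKSPACES:-/usr/share/sniper/loot/workspace}"

# Run each trusted <period>.sh under the workspace tree; $1 is daily, weekly
# or monthly, $2 the owner the script must have (defaults to the caller).
run_scheduled() {
  find "$WORKSPACES" -type f -name "$1.sh" -user "${2:-$(id -un)}" ! -perm /022 \
    -exec bash {} \;
}

# List <period>.sh files that exist but would be skipped by run_scheduled.
list_untrusted() {
  find "$WORKSPACES" -type f -name "$1.sh" \
    \( ! -user "${2:-$(id -un)}" -o -perm /022 \) -print
}

# Build a constructed workspace tree under $1 with two daily.sh scripts: one
# with sane permissions and one that is world-writable. Each appends its
# workspace name to $1/ran.log when executed.
make_demo_workspaces() {
  mkdir -p "$1/good.test" "$1/bad.test"
  printf 'echo good.test >> "%s/ran.log"\n' "$1" > "$1/good.test/daily.sh"
  chmod 644 "$1/good.test/daily.sh"
  printf 'echo bad.test >> "%s/ran.log"\n' "$1" > "$1/bad.test/daily.sh"
  chmod 666 "$1/bad.test/daily.sh"
}

# The equivalent crontab line for root's crontab, with the same predicates:
# 0 0 * * * find /usr/share/sniper/loot/workspace/ -type f -name "daily.sh" -user root ! -perm /022 -exec bash {} \;

# Stand-alone demo: only good.test should end up in ran.log, and
# bad.test/daily.sh is reported as untrusted.
WORKSPACES=$(mktemp -d)
make_demo_workspaces "$WORKSPACES"
run_scheduled daily
list_untrusted daily
cat "$WORKSPACES/ran.log"
rm -rf "$WORKSPACES"
```

The weekly and monthly lines take the same two predicates; the only change from the post’s crontab is the `-user root ! -perm /022` filter between `-name` and `-exec`.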

New Exploits:

Sn1per v7.0 also features new exploits and auxiliary modules for Apache Axis web servers which may land a full automatic Meterpreter shell if you’re lucky!

Subnet Retrieval:

We also added automatic subnet retrieval based on the target’s existing IP space and known/registered ASNs. This can help automate reverse IP and virtual host lookups, or simply let you scan a target’s existing/known IP space.

As a quick tip, you can easily scan each subnet using sniper via the ‘sniper -m discover -t <subnet> -w <workspace>’ command 😉

There are many more changes that were added, but these are the main ones. Keep an eye out for the next release of Sn1per Professional, which will leverage the latest improvements in the Community Edition later this month!

Change Log:

  • v7.0 – Added “webscan” mode for automated Burpsuite 2.x and Arachni web application scans only
  • v7.0 – Added Slack API notifications (disabled by default; check ~/.sniper.conf)
  • v7.0 – Added new command switch to add daily, weekly or monthly sniper scheduled scans… check README
  • v7.0 – Added scheduled scan tasks command switch (Needs additional configuration to setup… check README)
  • v7.0 – Added Axis2 authenticated deployer MSF exploit
  • v7.0 – Added Axis2 login brute force module
  • v7.0 – Added subjack tool to check for subdomain hijacking
  • v7.0 – Added sorted IP lists under $LOOT_DIR/ips/ips-all-sorted.txt
  • v7.0 – Added subnet retrieval for all ‘recon’ mode scans under $LOOT_DIR/nmap/subnets-$TARGET.txt
  • v7.0 – Added Webscreenshot.py and disabled cutycapt from default config
  • v7.0 – Added Gobuster (disabled by default; check ~/.sniper.conf)
  • v7.0 – Fixed issue with SubOver not working due to bad path
  • v7.0 – Fixed issue with flyover mode running twice per scan

Update Instructions:

To update to version 7.0, simply run the ‘sniper -u’ command or clone the github repo (git clone https://github.com/1N3/Sn1per) and run the install.sh file.
