Sn1per Professional v8.0 – What’s New?

If you’re a new or returning customer, you might be wondering what’s new in Sn1per Professional v8.0. In this post, I’ve highlighted the key features and differences compared to Sn1per Professional v7.0 and below.

Secure Web UI & Dynamic Reporting

One of the biggest changes you’ll notice is a complete transition from static client-side HTML reports to dynamic server-side PHP code. This has several advantages:

  • Improved reporting performance (no need to regenerate reports after each scan).
  • View multiple remote and local Sn1per instances from a secure HTTPS enabled web UI with built-in authentication. This includes utilizing Sn1per on remote VPS instances where you might only have SSH and web access with no X windows GUI environment.
  • Compatibility with Docker on any OS (ie. Mac/Linux/Windows, etc). Simply map port 1337/tcp on your Docker instance to your local IP (ie. docker run -p 1337:1337 -it sn1per /bin/bash) and navigate to the web UI (ie. https://127.0.0.1:1337).

Modular Design & Add-ons

Another big improvement in v8.0 is a new modular design which allows importing of additional features and add-ons without modifying the core code (ie. Sn1per Professional Command Execution Add-on).

Command Execution Add-on

With the Command Execution Add-on, you can now easily manage multiple Sn1per Professional instances from the web interface without ever touching the command line.

  • Initiate Sn1per scans from the web UI.
    • Single & multi target selections.
    • Mode selection.
    • Auxiliary mode selection.
    • Scheduled/recurring scan selection.
  • Manage workspaces from the web UI.
    • Create workspaces.
    • Add hosts.
    • Delete hosts.
    • Delete workspaces.
  • View scan status and command output.
  • Check for Sn1per updates.

New Viewing Options

New split screen or single pane views were added for easy navigation and viewing of workspaces, host reports and command status. This allows you to simultaneously view the workspace report in one panel while you browse each individual host report in the other panel. Alternatively, you can also choose 100% responsive single panel for full screen width viewing.

CSV Exporting

Another big change in v8.0 was the addition of CSV reporting and exports of all inventory (ie. domain, IP, server headers, HTTP status codes & open ports) via the workspace host list. This allows full text searching, sorting and advanced filtering options of all inventory.

Host Filters

New host filters and views were added to show “All Hosts”, “Open Ports” and “Web Hosts”. This makes finding interesting hosts much easier when browsing the host table and improves performance dramatically.

Host Table Sorting

Improved host table allows filtering and sorting for domain/IP, DNS, HTTP headers, HTTP status codes and open ports. Use the filter input to further narrow the search.

Host Jump

The new host jump input field allows you to enter the hostname or IP address of the target to view the detailed host report. This is handy when you need to view the exact target’s report immediately. No need to search, sort or filter!

NMap Vulnerability Reporting

NMap CVE vulnerability reporting was also added to the “Vulnerabilities” section using the “Vulners” CVE scripting engine to report open CVE’s based on service banners detected.

Updates Panel

A new “Updates” panel was added to the workspace navigator to view all add-on modules and updates for Sn1per. This allows seamless notifications and updates for all Sn1per updates and new modules as they get released. This will become increasingly useful as we add more modules or release more updates in the future.

Web Links

Prior to version 8.0, the “Web Files” and “Web URL’s” sections of the report contained text-based output of all links detected. In version 8.0, we changed these to actual web links so you can easily view all hosted content from the detailed host reports. This makes viewing discovered content extremely easy and fluid.

Additional Features

In this post, we’ve outlined the major changes of Sn1per Professional version 8.0, but it’s important to note that we have kept all the existing features and functionality from version 7.0 and below as well. If you are not familiar with all of these features, feel free to check our blog post for more details here.

As always, feel free to reach out to us at [email protected] with any questions!

Sn1per Professional v7.0 Released!

Sn1per Professional v7.0 is now available from the XeroSecurity website!

Features

  • New workspace navigator with sortable/searchable tables and usage stats
  • Added quick links to view scan tasks, unique IP’s, live hosts, like web hosts, subnets and discovered IP’s to top menu
  • New sortable/searchable Bootstrap 4 host list table with pagination, screenshots and full web and network meta data
  • New scan tags added for “Vulnerable”, “Takeover”, “New”, “Shelled”, “Cracked”, “Updated”, “Live”
  • Added collapsible functional sections to main report for more streamlined viewing (ie. Quick Commands, Scan Tasks, Scheduled Scans, OSINT, Takeovers, etc.)
  • New “Quick Commands” section for quick copy/paste Sn1per commands
  • New “Scan Tasks” section to view all Sn1per scan times/dates
  • New “Scheduled Tasks” section to view all Sn1per scheduled scan tasks
  • New “OSINT” section to view OSINT data for the workspace
  • New “Credentials” section to view all successful brute force credentials
  • New “Vulnerabilities” section to view all vulnerabilities from various tools for the entire workspace
  • Improved wide-screen visibility of reports
  • Added quick links to view loot folders and files
  • Added ‘sniper --reimportall’ command to regenerate all detailed host reports in a workspace
  • Improved report generation performance via ‘sniper --reimport’ command for differential report generation
  • 100% responsive web UI resizes to fit any resolution or device.
  • Scan progress bar indicates overall scan status to ensure 100% scan coverage of the entire workspace.
  • Scan dashboard gives high level overview of workspace, including downloadable lists to all domains, scanned targets and unscanned targets. These can be easily referenced and used to scan the entire attack surface using Sn1per.
  • Reports menu includes links to all Sn1per console reports which can be downloaded and viewed from the main report.
  • Sidebar shortcuts added to both the main Sn1per report and all detailed host reports to quickly jump to each section of the report.
  • Slideshow for all gathered screenshots
  • Improved host table allows searching for scan mode tags, IP/DNS, HTTP titles, status codes, HTTP headers, WAF detection and open ports.
  • Quick links for both the HTTP and HTTPS versions for each host in the host table.
  • Scan tags to indicate which hosts have been scanned and in which mode (ie. Stealth, Web, Portscan, Bruteforce, etc.) and which are new in the host table section of the report.
  • Email security section indicates any email spoofing vulnerabilities for the workspace.
  • Improved takeovers security section indicates any potential domain takeovers or hijacking vulnerabilities.
  • HTML5 notepad saves automatically to the main report, eliminating the need to save your work (keep in mind, it uses the local browser cache, so switching browsers or clearing your browser cache will remove your notes!).
  • Detailed host reports are now separate from the main report and include the following features:
    • Updated recon and google dork links
    • 34 customized recon links.
    • 26 customized Google dork links.
    • HTTP/HTTPS quick links.
    • Reports menu to download the full HTML console reports for each host.
    • Added Arachni HTML report imports for all “webscan” mode scans
    • Sidebar quick links to jump to each section of the report.
    • HTTP/HTTPS screenshots
    • DNS
    • Sub-domains
    • Open ports
      • Links to full NMap HTML host reports.
    • Fingerprint info
    • HTTP headers
    • Web files
      • Links to download all discovered web files for each host
    • Web URL’s
      • Links to download all discovered URL’s for each host
    • SSL/TLS info
    • New Web Application Scans
    • New Credentials
    • New Vulnerabilities
  • Single user license
  • Professional technical support

Documentation

https://xerosecurity.com/wordpress/documentation/

Legal Agreement and Disclaimer

By purchasing and/or using Sn1per, you are agreeing to the following end user license agreement referenced here:

https://xerosecurity.com/wordpress/legal/

Sn1per Community Edition v7.0 Released!


We’re excited to announce the release of Sn1per Community Edition v7.0. Version 7 features brand new scan modes and command switches to help make life easier and offers more versatility to get the results you’re after.

New Scan Modes:

For starters, we’ve introduced a new “webscan” mode which can be initiated from the command line via ‘sniper -t <target> -m webscan’ to run an automated Burpsuite 2.x and Arachni web application spider and full audit for OWASP Top 10 vulnerabilities. This is now separate from the traditional ‘web’ mode scans, which are now focused more on web recon than on scanning for actual OWASP vulnerabilities.

Slack API Integration:

The next major change you’ll notice is the addition of a new Slack API integration which can be enabled via the ~/.sniper.conf file by setting the “SLACK_NOTIFICATIONS” setting to “1” and editing the /usr/share/sniper/bin/slack.py script with your Slack API token (https://api.slack.com/custom-integrations/legacy-tokens). This allows notification via your own private Slack channel of new scan tasks and scan completion.

Scheduled Scans:

In addition to the new scan modes and integrations, we’ve also added the ability to easily schedule Sn1per scans direct from the command line. To initialize scheduled scans, you first need to edit your crontab via the ‘crontab -e’ command as ‘root’ and add the following to your crontab:

# m h dom mon dow command
0 0 * * * find /usr/share/sniper/loot/workspace/ -type f -name "daily.sh" -exec bash {} \;
0 0 * * 0 find /usr/share/sniper/loot/workspace/ -type f -name "weekly.sh" -exec bash {} \;
0 0 1 * * find /usr/share/sniper/loot/workspace/ -type f -name "monthly.sh" -exec bash {} \;

After your crontab is set up properly, you can simply run the ‘sniper -w <workspace_alias> -s daily|weekly|monthly’ command to edit the workspace’s scheduled commands. Just add the full sniper commands you want to run on a schedule (ie. ‘sniper -t 127.0.0.1 -w 127.0.0.1’) and save. That’s it!
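Because the crontab entries above run every daily.sh, weekly.sh and monthly.sh under the workspace directory with bash as root, anything that can write to those files or their directories runs commands as root. The following check is an added example, not part of Sn1per; the function names and the constructed sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of Sn1per): audit the scripts that root's crontab
# runs via `find ... -exec bash {} \;` before trusting the schedule.

# audit_scheduled_scripts ROOT [EXPECTED_UID]
# Prints "REASON<TAB>PATH" per finding; exit status 1 if anything is flagged.
audit_scheduled_scripts() {
    root=$1
    expected_uid=${2:-0}    # cron runs the scripts as root (uid 0)
    findings=$(
        # The same three file names the crontab entries search for.
        set -- '(' -name daily.sh -o -name weekly.sh -o -name monthly.sh ')'
        # Owned by another account: that account controls what root executes.
        find "$root" -type f "$@" ! -user "$expected_uid" \
            -exec printf 'owner\t%s\n' {} \;
        # Group- or world-writable script: other accounts can append commands.
        find "$root" -type f "$@" '(' -perm -020 -o -perm -002 ')' \
            -exec printf 'writable-file\t%s\n' {} \;
        # Group- or world-writable directory holding a script: the file can be
        # replaced even when its own mode is strict.
        find "$root" -type d '(' -perm -020 -o -perm -002 ')' -exec sh -c '
            for n in daily.sh weekly.sh monthly.sh; do
                [ -f "$1/$n" ] && printf "writable-dir\t%s\n" "$1/$n"
            done' sh {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: one clean workspace and one whose weekly.sh is
# world-writable. Files are owned by the caller, so the caller's uid is passed
# as EXPECTED_UID instead of 0.
demo_audit() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/clean" "$tmp/loose"
    printf 'sniper -t 127.0.0.1 -w 127.0.0.1\n' > "$tmp/clean/daily.sh"
    printf 'sniper -t 127.0.0.1 -w 127.0.0.1\n' > "$tmp/loose/weekly.sh"
    chmod 755 "$tmp/clean" "$tmp/loose"
    chmod 644 "$tmp/clean/daily.sh"
    chmod 666 "$tmp/loose/weekly.sh"
    status=0
    audit_scheduled_scripts "$tmp" "$(id -u)" || status=$?
    rm -rf "$tmp"
    return "$status"
}
```

On a real install, run it as `audit_scheduled_scripts /usr/share/sniper/loot/workspace/` and fix any finding with chown/chmod before leaving the cron entries enabled.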

New Exploits:

Sn1per v7.0 also features new exploits and auxiliary modules for Apache Axis web servers which may land a full automatic Meterpreter shell if you’re lucky!

Subnet Retrieval:

We also added automatic subnet retrieval based on the target’s existing IP space and known/registered ASN’s. This can help automate reverse IP lookups and virtual host discovery, or simply be used to scan a target’s existing/known IP space.

As a quick tip, you can easily scan each subnet using sniper via the ‘sniper -m discover -t <subnet> -w <workspace>’ command 😉

There are many more changes that were added, but these are the main ones. Keep an eye out for the next release of Sn1per Professional, which will leverage the latest improvements in the Community Edition later this month!

Change Log:

  • v7.0 – Added “webscan” mode for automated Burpsuite 2.x and Arachni web application scans only
  • v7.0 – Added Slack API notifications (Disabled by default..check ~/.sniper.conf)
  • v7.0 – Added new command switch to add daily, weekly or monthly sniper scheduled scans… check README
  • v7.0 – Added scheduled scan tasks command switch (Needs additional configuration to setup… check README)
  • v7.0 – Added Axis2 authenticated deployer MSF exploit
  • v7.0 – Added Axis2 login brute force module
  • v7.0 – Added subjack tool to check for subdomain hijacking
  • v7.0 – Added sorted IP lists under $LOOT_DIR/ips/ips-all-sorted.txt
  • v7.0 – Added subnet retrieval for all ‘recon’ mode scans under $LOOT_DIR/nmap/subnets-$TARGET.txt
  • v7.0 – Added Webscreenshot.py and disabled cutycapt from default config
  • v7.0 – Added Gobuster (Disabled by default..check ~/.sniper.conf)
  • v7.0 – Fixed issue with SubOver not working due to bad path
  • v7.0 – Fixed issue with flyover mode running twice per scan

Update Instructions:

To update to version 7.0, simply run the ‘sniper -u’ command or clone the github repo (git clone https://github.com/1N3/Sn1per) and run the install.sh file.

Sn1per Professional v6.0

Sn1per Professional v6.0 now available!

Sn1per Professional v6.0 is now available from the XeroSecurity website.

This is a BIG release with tons of new features and improvements, including:

  • 100% responsive web UI resizes to fit any resolution or device.
  • New scan progress bar indicates overall scan status to ensure 100% scan coverage of the entire workspace.
  • Improved scan dashboard gives high level overview of workspace, including downloadable lists to all domains, scanned targets and unscanned targets. These can be easily referenced and used to scan the entire attack surface using Sn1per.
  • New reports menu includes links to all Sn1per console reports which can be downloaded and viewed from the main report.
  • New sidebar shortcuts added to both the main Sn1per report and all detailed host reports to quickly jump to each section of the report.
  • Slideshow for all gathered screenshots
  • Improved host table allows searching for scan mode tags, IP/DNS, HTTP titles, status codes, HTTP headers, WAF detection and open ports.
  • New quick links for both the HTTP and HTTPS versions for each host in the host table.
  • New scan tags to indicate which hosts have been scanned and in which mode (ie. Stealth, Web, Portscan, Bruteforce, etc.) and which are new in the host table section of the report.
  • New email security section indicates any email spoofing vulnerabilities for the workspace.
  • New takeovers security section indicates any potential domain takeovers or hijacking vulnerabilities.
  • New HTML5 notepad saves automatically to the main report, eliminating the need to save your work (keep in mind, it uses the local browser cache, so switching browsers or clearing your browser cache will remove your notes!).
  • New detailed host reports are now separate from the main report and include the following features:
    • 34 customized recon links.
    • 26 customized Google dork links.
    • HTTP/HTTPS quick links.
    • Reports menu to download the full HTML console reports for each host.
    • New sidebar links for each detailed host report to quickly jump to each section of the report.
    • HTTP/HTTPS screenshots
    • DNS
    • Sub-domains
    • Open ports
      • New links to full NMap HTML host reports.
    • Fingerprint info
    • HTTP headers
    • Web files
    • Web URL’s
      • New links to download all discovered URL’s for each host
    • SSL/TLS info

Documentation

For all questions regarding payment, licensing, installation or general usage, refer to our online documentation for more info or contact us at [email protected].

Purchase Link

Sn1per Professional v6.0 (Pre-Order)

Bug Bounty Recon Like A Pro

Overview

In this blog post, I will cover the basic steps to performing bug bounty recon against large, open scoped programs and penetration tests.

If you’re like most starting out, this process can seem daunting and overwhelming depending on how many hosts you’re dealing with. Twitter for instance has 20,000+ subdomains and a HUGE attack surface to go through. How do you know where to focus your time? How do you keep track of which hosts you scanned and reviewed? These questions can quickly lead you spinning in circles, wasting valuable time while more experienced hunters get the gold. Luckily, there are tools and methodologies that can assist and make your life easier as a bug bounty hunter or penetration tester. This is where Sn1per comes in…

What is Sn1per?

Sn1per is an automated pentest reconnaissance scanner that can be used during penetration tests and bug bounties to enumerate targets and scan for vulnerabilities. There are two versions of Sn1per available depending on your needs. Sn1per Community Edition (CE) is the open source scan engine that is maintained on Github (https://github.com/1N3/Sn1per). Sn1per Professional is XeroSecurity’s premium reporting add-on for Sn1per and is available exclusively from the XeroSecurity website (https://xerosecurity.com).

Installation

Installation is extremely easy. Just clone the Github repo (git clone https://github.com/1N3/Sn1per) and run ./install.sh from a Kali Linux OS. This will install all tools and dependencies which are used to collect recon info and scan for vulnerabilities.

Scoping your target

So we have Sn1per installed and we’ve recited “The Rifleman’s Creed” a few times; the next phase is scoping our target. This is fairly obvious, but we need to carefully review the bug bounty or pentest scope which gives us legal permission to test without getting thrown in prison. If you find yourself getting outside the intended scope, you’ve been warned – this “could” land you in jail!

Now that the legal disclaimer is out of the way, what’s the first step?

Tactical Reconnaissance & OSINT

The first step in your reconnaissance process should be enumerating all subdomains and hosts within the target scope. For this, we’re interested in any wildcard domains (ie. *.target.com). In this case, it is up to the researcher to hunt for subdomains and hosts which fall within this target scope but haven’t been explicitly stated. For this, we will use sniper to actively and passively scan a target domain for subdomains via the -re switch and we’ll create a new workspace to store all our hosts via the -w switch. Additionally, we’ll also add the --osint switch to our scan to perform basic OSINT (Open Source Intelligence Gathering) searches on the target domain. This can reveal tons of useful information such as email addresses, public domains, documents, usernames, software used, whois info, reverse IP lookups, virtual hosts, etc. In addition, Sn1per will perform basic checks for subdomain hijacking and takeovers.

sniper -t target.com --recon --osint -w workspace_alias

This will store a complete list of all subdomains discovered and sorted at the following location:

/usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/domains/domains-all-sorted.txt

Calling In The Airstrike…

Now that we’ve enumerated all subdomains for the in-scope wildcard domain, we need to quickly enumerate all hosts with a high level flyover. This can be done by passing our host list from the previous step via the -f switch and running sniper in airstrike mode via the -m airstrike options. This will store all gathered data to our workspace and combine the data from all hosts scanned under /usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/. Some basic info gathered from this mode includes: DNS, open ports, HTTP headers, SSL ciphers, web fingerprints, TCP banners, WAF detection and basic file/directory and passive URL discovery.

sniper -f /usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/domains/domains-all-sorted.txt -m airstrike -w workspace
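Recon output can contain look-alike or third-party hostnames, so it is worth checking domains-all-sorted.txt against the written scope before passing it to -f. The filter below is an added example, not part of Sn1per; the scope-file format (one exact host or *.wildcard per line), the function names and the sample hostnames are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of Sn1per): keep only hostnames covered by the
# written scope before handing the list to `sniper -f`.

# filter_in_scope SCOPE_FILE < hostnames
# SCOPE_FILE holds one entry per line: an exact host (status.target.net) or a
# wildcard (*.target.com); '#' starts a comment.
# In-scope hosts go to stdout, everything else to stderr for review.
filter_in_scope() {
    awk '
        function norm(h) {
            h = tolower(h)
            gsub(/[ \t\r]/, "", h)
            sub(/\.$/, "", h)            # drop the trailing dot of an FQDN
            return h
        }
        FILENAME == ARGV[1] {            # first file: the scope definition
            sub(/#.*/, "")
            s = norm($0)
            if (s == "") next
            if (substr(s, 1, 2) == "*.") suffix[substr(s, 2)] = 1  # ".target.com"
            else exact[s] = 1
            next
        }
        {                                # stdin: discovered hostnames
            h = norm($0)
            if (h == "") next
            ok = (h in exact)
            # Match on a full label boundary: the leading dot kept in the suffix
            # stops "eviltarget.com" from matching, and the length test keeps
            # the bare apex out of a wildcard-only scope.
            for (s in suffix)
                if (length(h) > length(s) &&
                    substr(h, length(h) - length(s) + 1) == s) ok = 1
            if (ok) print h
            else print h > "/dev/stderr"
        }
    ' "$1" -
}

# Constructed sample: a two-entry scope and a mixed host list.
demo_scope() {
    scope=$(mktemp) || return 2
    printf '%s\n' '# constructed scope' '*.target.com' 'status.target.net' > "$scope"
    filter_in_scope "$scope" 2>/dev/null <<'EOF'
www.target.com
API.Target.com.
target.com
eviltarget.com
www.target.com.evil.net
status.target.net
dev.status.target.net
EOF
    rm -f "$scope"
}
```

Typical use is `filter_in_scope scope.txt < domains-all-sorted.txt > in-scope.txt`, reviewing the rejected names on stderr before running the airstrike against in-scope.txt.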

Summary

After Sn1per finishes scanning all hosts in our workspace, Sn1per Professional gives us some high level info via the console for each host as shown below. This will help us get a high level visual of the attack surface based on which ports are open, interesting HTTP headers, page titles and DNS records. It will become very clear that if the host has no DNS or open ports, there probably isn’t much of an attack surface to dig into further. It’s best to focus on interesting ports (ie. port 21 (FTP), port 22 (SSH), 3306 (MySQL), etc.) and web targets with interesting headers (ie. Server: Apache Tomcat v7.0.0), which may be vulnerable and have known exploit code available.

Professional Reporting Interface

After our report gets generated, we can see Sn1per enumerated and scanned 1268 unique hosts automatically. As a penetration tester, you can now sift through all the information contained in your workspace to begin looking for interesting hosts and potential vulnerabilities. To help us manage all this data, we will leverage Sn1per Professional for the next steps in the process. Sn1per Professional offers the following features to help make our lives a bit easier.

Features:

– Professional reporting interface.
– Slideshow for all gathered screenshots.
– Searchable and sortable DNS, IP and open port database.
– Quick links to online recon tools and Google hacking queries.
– Personalized notes field for each host.

Slideshow For All Gathered Screenshots

From here, we can perform visual recon via the “Slideshow” feature in Sn1per Pro. This can reveal all sorts of potentially interesting hosts which can help identify which hosts need to be scanned further for more information.

Searchable/Sortable DNS, IP and Open Port Database

To supplement our surface level reconnaissance, we can also utilize the “Port List” feature which provides a widget of all subdomains, open ports, DNS and page titles. All data stored within this widget can then be sorted and searched based on your needs (ie. if you’re looking for port 22/tcp (SSH), search for “22”; if you want to find all virtual hosts in the environment based on the same page title, enter the full page title (ie. “Overstock Cars”), etc.). The possibilities here are endless, but we can quickly find interesting hosts and ports or DNS records using this feature in Sn1per Professional.

Conclusion

This concludes part one of this series. This is by no means a comprehensive recon tutorial, but it should be enough to get you started in the process. Stay tuned for more recon tips and tricks for getting the most out of your bug bounty and pentest recon with Sn1per.
@xer0dayz