Architecture

Updated April 18, 2026 (Sn1per Pro 2026)

Sn1per Professional 2026 pairs a bash-based scan engine with a modernized PHP web UI on Apache, and optionally integrates with an AI / RAG stack for augmented analysis. This doc describes how the components fit together.

High-level stack

Browser (HTTPS :1337)
      |
      v
Apache 2.4  --- Digest Auth --- /etc/htdigest/.htdigest
      |
      v
PHP 8.4 Web UI  (mod_php, www-data)
      |
      |---> JSON API v1.0 (api.php)
      |
      |---> Scan launcher (server-*.php) --- sudo / sn1per-exec --> sniper CLI
      |
      |---> File-based state (loot/workspace/<target>/)
      |
      |---> PostgreSQL (via msfdb) for Metasploit
      |
      |---> Optional RAG Engine (HTTP :8000) for AI-augmented analysis
      |
      |---> Optional Ollama / OpenAI / Claude / Gemini for LLM calls

Components

Scan engine (bash)

  • Entry point: /usr/share/sniper/sniper — the main sniper CLI
  • Mode scripts: /usr/share/sniper/modes/*.sh — 27 scan modes
  • Shared functions: /usr/share/sniper/modes/functions.sh
  • Config: /usr/share/sniper/sniper.conf (global), plus templates under /usr/share/sniper/conf/
  • Output: /usr/share/sniper/loot/workspace/<target>/ — per-target tree of raw tool output, CSV parsing, and findings

The scan engine is the same core that ships with Enterprise and SE editions. Pro 2026’s additions are primarily in the web UI and the AI / RAG hooks.

Pro web UI (PHP)

Served by Apache from /usr/share/sniper/pro/. Layout:

pro/
├── api.php                 # JSON API v1.0 router
├── settings.php            # Per-install configuration (license key, limits)
├── workspace-navigator.php # Dashboard (all workspaces)
├── workspace-report.php    # Per-workspace summary
├── host-report.php         # Per-host detail
├── addons/                 # Nav pages + drawer content + sidebar widgets
│   ├── nav-*.php           # Top-level pages / drawer content (notes, scheduled tasks, config editor, scan tasks, endpoints, …)
│   ├── server-*.php        # Backend endpoints for scan launch, bruteforce, fuzzer, masspwn, export, …
│   ├── sidebar-*.php       # Quick Commands offcanvas widgets
│   └── workspace-*.php     # Per-workspace action handlers
├── lib/                    # PHP helpers (CSRF, sanitize, cache, workspace, html, bootstrap)
├── assets/                 # Bootstrap 5 + Tabler + DataTables 2.x + Chart.js + Font Awesome
├── data/                   # Admin password (.admin-password), runtime state
├── bin/                    # SUID wrappers (sn1per-exec)
└── docs/                   # This documentation

UI framework

  • Bootstrap 5.3 via the Tabler theme (upgraded from legacy Bootstrap 3.3.7)
  • DataTables 2.x with export buttons (CSV, Excel, PDF, Copy)
  • Chart.js for severity gauges and timeline charts
  • Font Awesome icon set
  • Custom: pro/assets/js/sn1per-ui.js handles topbar drawer, scan-form interception, offcanvas, theme toggle

Topbar drawer

A universal slide-over replaces legacy modals for notes, scheduled tasks, config editing, scan tasks, and terminal output. It’s defined in pro/addons/nav-header.php, opened by openTopbarDrawer(url, title) in sn1per-ui.js, and content is fetched over AJAX with CSRF tokens. Edit forms inside the drawer post through the same server-*.php endpoints as the full-page equivalents.

CSRF / input sanitization

Every state-changing endpoint requires a valid CSRF token:

  • Token stored at /usr/share/sniper/pro/.csrf_token (www-data 0640), rotated every 1 hour
  • csrf_field() emits the hidden form input; csrf_verify() validates POSTs; csrf_url() appends ?csrf_token=... to GET links
  • Input paths are validated against a required base directory via validate_file_path() in pro/lib/sanitize.php, which resolves through realpath() and enforces the base prefix

Privilege escalation

The web UI runs as www-data. Scan tools require root (raw sockets, nmap SYN scans, nuclei JIT, Metasploit post modules, packet-capture tools). Pro 2026 resolves this in three ways:

  1. Passwordless sudo for www-data — the installer appends www-data ALL=(ALL) NOPASSWD: ALL to /etc/sudoers. Used by most server-side endpoints.
  2. SUID wrapper: /usr/share/sniper/bin/sn1per-exec (compiled from pro/bin/sn1per-exec.c) is a small SUID binary that sets ROOT env and execs its arguments as root. Symlinked into /usr/local/bin/sn1per-exec.
  3. systemd drop-in: /etc/systemd/system/apache2.service.d/sniper-override.conf disables Kali’s Apache hardening (Protect*=false, Restrict*=false, MemoryDenyWriteExecute=false, empty SystemCallFilter=). Without this, www-data-forked scan tools hit seccomp/AppArmor walls.
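
Because each of these mechanisms lets the www-data account act as root, an operator may want to confirm which of them are present on a given host. The script below is an added audit example, not part of Sn1per's own code; the function names are hypothetical and the paths are the ones listed on this page.

```bash
#!/usr/bin/env bash
# Added example, not Sn1per code: report which of the three root paths
# described above exist on a host. Function names are hypothetical.
# Run as root so /etc/sudoers is readable.

# Print sudoers lines granting www-data passwordless sudo. $@ = files.
sudoers_nopasswd_lines() {
    grep -hE '^[[:space:]]*www-data[[:space:]].*NOPASSWD:' "$@" 2>/dev/null
}

# Print the owner of $1 if its SUID bit is set; fail otherwise.
# -L follows the /usr/local/bin symlink to the real binary.
suid_owner() {
    [ -u "$1" ] && ls -ldL "$1" | awk '{print $3}'
}

# Print directives in systemd drop-in $1 that switch hardening off:
# Protect*/Restrict*/MemoryDenyWriteExecute set to a false value, or an
# empty SystemCallFilter= (which clears the inherited filter).
relaxed_directives() {
    grep -E \
      -e '^[[:space:]]*((Protect|Restrict)[A-Za-z]*|MemoryDenyWriteExecute)=(false|no|off|0)[[:space:]]*$' \
      -e '^[[:space:]]*SystemCallFilter=[[:space:]]*$' "$1" 2>/dev/null
}

# Print one "FINDING ..." line per mechanism found under root prefix $1
# (empty = live filesystem). Paths are the ones listed on this page.
audit_root_paths() {
    root=${1:-}
    sudoers_nopasswd_lines "$root/etc/sudoers" "$root"/etc/sudoers.d/* |
        sed 's/^/FINDING sudoers: /'
    for f in /usr/share/sniper/bin/sn1per-exec /usr/local/bin/sn1per-exec; do
        if owner=$(suid_owner "$root$f"); then
            echo "FINDING suid: $f (owner $owner)"
        fi
    done
    relaxed_directives \
        "$root/etc/systemd/system/apache2.service.d/sniper-override.conf" |
        sed 's/^/FINDING systemd: /'
    return 0
}

# Audit the live host only when asked: ./audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_root_paths ""
fi
```

Passing a directory as the argument to audit_root_paths checks a mounted image or extracted container filesystem instead of the running host.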

JSON API v1.0

pro/api.php provides a router over scan state. It supports both HTTP Digest authentication and an X-API-Key header. Actions include workspace listing, host listing, vulnerability query, scan-status polling, and cache management. See Usage for examples.

SC0PE vulnerability framework

SC0PE is Sn1per’s vulnerability detection pipeline: it parses tool output into structured findings in CSV / JSON / SARIF. Key scripts:

  • sc0pe.sh — main orchestrator
  • sc0pe-active-webscan.sh — active web vuln scanning
  • sc0pe-network-scan.sh — network vuln scanning
  • sc0pe-passive-webscan.sh — passive web recon
  • static-grep-search.sh — static code analysis via grep patterns
  • javascript-analysis.sh — JavaScript code analysis

Advanced modules

  • ReverseAPK — APK decompilation (jadx, apktool, dex2jar) with web upload form and vulnerability pass over decompiled source
  • MassPwn — multi-target exploitation from a curated exploit-module database (masspwn-modules.txt) and payload repository (masspwn-payloads.txt)
  • Threat Intel — RSS feed aggregation, CISA KEV CSV, nuclei template integration
  • Nessus integration — imports and parses Nessus .nessus files into the findings DB
  • Burp Suite integration — configurable upstream proxy; also supports Burp’s MCP integration

AI integration

When AI_ENABLED=1 in sniper.conf, the scan engine calls an LLM for scan analysis, decisioning, vulnerability triage, and report enhancement. Providers:

| Provider | AI_PROVIDER | Notes |
|---|---|---|
| Ollama | ollama | Default. Local or remote Ollama endpoint |
| OpenAI | openai | GPT models |
| Anthropic | claude | Claude API (Opus/Sonnet/Haiku) |
| Claude Code CLI | claude-code | Autonomous tool use via the Claude Code CLI |
| Google | gemini | Gemini API |

Phase 2 (active verification) can optionally use a different model via AI_PHASE2_* settings for WAF bypass / payload generation.

RAG Security Knowledge Engine (optional)

If a RAG engine is running at RAG_API_URL (default http://localhost:8000), Sn1per Pro pushes scan findings into the KB via /ingest and retrieves context for AI prompts via /retrieve. The RAG KB is seeded from OWASP Top 10, CWE Top 25, Exploit-DB source code, Nuclei templates, SecLists payloads, NVD CVEs, and verified scan findings. See the RAG engine’s own docs for setup.

Data pipeline

sniper CLI
  -> /usr/share/sniper/modes/*.sh (tool invocation)
  -> /usr/share/sniper/loot/workspace/<target>/
       ├── scans/                # Raw tool output per module
       ├── web/                  # HTTP probes, screenshots, katana crawl
       ├── domains/, ips/        # Recon lists
       ├── vulnerabilities/      # Parsed findings (CSV / JSON / sc0pe format)
       ├── notes/                # User notes (editable from web UI)
       └── scans/scheduled/      # daily.sh / weekly.sh / monthly.sh
  -> Pro web UI (PHP reads the file tree + PostgreSQL) -> HTML reports / JSON API

Docker architecture

The same stack inside a single container:

Docker container (kalilinux/kali-rolling or equivalent)
├── Apache 2.4 + PHP 8.4 (port 1337 exposed)
├── PostgreSQL (local socket)
├── Metasploit Framework
├── Scan engine + 50+ bundled tools
├── SSL certs (server.crt / server.key, regenerated at install)
├── Digest auth (/etc/htdigest/.htdigest, random admin password)
└── systemd-equivalent via --privileged (or --cap-add for narrower runs)

The container must be started with --privileged (recommended) so that raw sockets, the full capability set, and an unrestricted seccomp profile are available. See Docker for rationale and alternatives.

Filesystem layout

| Path | Purpose |
|---|---|
| /usr/share/sniper/ | Install root |
| /usr/share/sniper/sniper.conf | Scan engine config |
| /usr/share/sniper/sniper | CLI entry point |
| /usr/share/sniper/modes/ | Scan mode scripts |
| /usr/share/sniper/conf/ | Config templates selectable from the UI |
| /usr/share/sniper/pro/ | Pro web UI root |
| /usr/share/sniper/pro/settings.php | Per-install PHP config |
| /usr/share/sniper/pro/data/.admin-password | Generated admin password |
| /usr/share/sniper/loot/workspace/<target>/ | Per-target scan loot |
| /usr/share/sniper/bin/sn1per-exec | SUID exec wrapper |
| /etc/htdigest/.htdigest | Apache Digest auth DB |
| /etc/apache2/sites-enabled/apache_remote_ssl_digest_auth_port_1337.conf | Apache site config |
| /etc/systemd/system/apache2.service.d/sniper-override.conf | Apache hardening override |
| /sniper/uninstall.sh | De-register + remove Sn1per Pro |
