General Command Library – Version 1.8.0 Release

Today we are announcing the release of PenTest.WS Version 1.8.0 and with it comes the General Command Library!

General Command Library

The General Command Library (GCL) is a place to store all your frequently used, and not so frequently used, general system commands. Much like how the Service Command Library works for services, the GCL works for:

  • System enumeration
  • Privilege escalation
  • Shell escapes
  • File transfer shortcuts
  • Powershell download cradles
  • Pivot tunnels
  • … and anything else!!

Each command can be organized by Operating System, Category, and Sub-Category values. These filters are user-created and self-populated as more and more commands are entered into your GCL system. Additionally, you can quickly search for keywords such as “wmic” or “iex” if you’re looking for a specific functionality.

Filters are sticky, so you can navigate away from the GCL screen and when you return later, you’re dropped right back into the list of commands you were previously viewing.

Availability: the General Command Library has been pushed to all platforms and is ready for immediate use.
– Free Tier: currently limited to five commands
– Hobby & Pro Tier: unlimited command capacity
– Pro Tier: run your Software Update from the Admin Panel

Service Command Library – Free Tier Availability Update

The Service Command Library (SCL) is now accessible on the Free Tier. The SCL is one of the most popular features of the PenTest.WS platform and its usefulness has proven to be an incredible time saver.

SCL on the Free Tier includes up to two commands per service.

New Template List Format

All template list pages have been updated to a more compact table format. This allows more commands per screen real estate.

New Template List Format

Misc Improvements & Bug Fixes

SCL Notes: requested on the Support Forums, SCL records now include a Notes field. These notes will appear on the Port page alongside the service command entry.

Note Pages Clobber Bug: in certain circumstances, it was possible for Note Pages to overwrite the wrong Note Page. However, the content could be recovered through the History functionality. This bug has been fixed.

Note Page Rename Bug: tab renaming functionality has been restored. Double click on a Note Page tab to rename each tab.

Coming soon… IP » Target

An exciting change is coming to the PTWS system. Currently, Hosts are tracked by IP Address. After the IP->Target mod included in the next release, it will be possible to enter a fully qualified domain name (FQDN) as the Host’s primary identifier.

All tools will be updated to support a Target in addition to an IP Address. Import an Nmap XML scan based on a FQDN? No problem. Need to launch a dirsearch command against a FQDN? Sure!

This change will be a big boost for all the Bug Bounty Hunters in our community. Each sub-domain in the program’s scope could have its own Host record, with separate port lists, notes and findings.

We’re always looking for ways to improve the PenTest.WS platform. Head on over to the Support Forums and submit a Feature Request.

Thanks for reading!
PenTest.WS Development Team

Pro Tier Release

Two years after initial development began on PenTest.WS, today we are officially releasing Pro Tier!

PenTest.WS Pro is an offline stand-alone version of the online web application designed to run directly inside your Kali Linux virtual machine. The Pro Tier was developed for professional penetration testers who must comply with strict non-disclosure agreements or those who operate within a restricted network environment.

Get Pro Tier at store.pentest.ws

All the benefits of the Hobby Tier, plus:

  • Pro Tier Software Updates
  • Offline Stand-Alone Application
  • Two Modes of Operation:
    • Solo Mode
    • Intranet Mode
  • Host Subnetting System
  • Host Filtering System
  • User Maintenance Control Panel

Pro Tier’s subnetting system allows a penetration tester to breakdown a large engagement, maintain scope, and focus on individual segments of a target network.

These subnets can be used in scan templates:

Intranet Mode:

PenTest.WS Pro installed on your intranet server allows your entire team of penetration testers to track hosts, services and record their findings as they work on client engagements.

Solo Mode:

For individual penetration testers, or field work operatives, PenTest.WS Pro runs directly inside your Kali Virtual Machine.

FAQs:

Who owns the application’s data?

You! The PenTest.WS Pro Tier Application maintains a PostgreSQL database stored on the same physical machine or virtual environment as the binary Application. The data contained in this database is the property of the licensee.

[ Read More ]

How do renewals work?

PenTest.WS Pro Tier licenses are purchased on a per-user-per-year basis. The date of first purchase becomes your license anniversary date and the license will be renewed on this date each year.

[ Read More ]

Can I purchase additional licenses?

Additional user licenses may be purchased throughout the year, with each user license sold at a prorated price based on the number of days remaining on your current license.

[ Read More ]

More FAQs can be found at store.pentest.ws

Pro Tier Status Update

At the end of June, we were fortunate enough to engage with some amazing penetration testers who have been reviewing the Pro Tier binary, ecosystem and auto-update mechanisms. Reports have been positive surrounding both the product itself and the security of the environment.

The release window has been a moving target, and a big appreciation must be given to the entire PTWS community for your patience. We’re working towards a release on August 3rd, 2019.

Pricing Announcement

Today we are announcing Pro Tier pricing!

PenTest.WS Pro Tier is priced at $249.00 per user, per year

All the benefits of the Hobby Tier, plus:

  • Pro Tier Software Updates
  • Offline Stand-Alone Application
  • Two Modes of Operation:
    • Solo Mode
    • Intranet Mode
  • Host Subnetting System
  • Host Filtering System
  • User Maintenance Control Panel

As new Pro Tier features are released, free software updates will be available through an in-app update system so you can easily stay up-to-date.

Pro Tier FAQs are now available in the new support system.

New Support System Launched

To better support the PenTest.WS community at all levels, we have launched a new support website:

support.pentest.ws

  • Submit A Ticket
  • Feature Requests
  • General Discussions
  • FAQs
  • Announcements

Support accounts are separate from PTWS accounts, but they’re free! Head on over and submit a Feature Request or be the first to start a thread in the General Discussions section.

Email support is also available at [email protected]

r/PenTestWS Now Open

Today the PenTestWS subreddit went public.

www.reddit.com/r/PenTestWS

Bare bones for the moment. Just another way to keep in touch.

Final Thoughts…

We’re nearly there. Thanks again for the continued patience and encouraging emails received throughout this year long process.

Point Release – v1.5.3

PenTest.WS Pro is just around the corner! Today we’re pushing a small point release to the online version, including both the Free Tier and the Hobby Tier.

Echo Up Goes Base64

Echo Up now uses base64 encoding

One of the first dedicated tools built into PTWS was Echo Up. This tool is used to easily create files through a terminal interface and relies on the echo command. Previously, Echo Up would double encode single quotes and double quotes, and echo the contents line by line into an output file.

Thanks to @4lph4b and the b64chunk.py script, Echo Up is getting new capabilities. More resilient to non-alphanumeric characters, Echo Up now encodes your file into Base64 and uses a series of targeted shell commands to create the file on a remote server.

There are three options: bash, cmd, and Powershell. Each one works slightly differently, but the end result is the same: an exact copy of your file, on the remote server, using nothing but shell commands. You simply copy and paste these commands into your terminal session, no additional ports or protocols needed.

Note: b64chunk.py supports binary files, while the PTWS version currently supports text only.

Venom Builder NOP Sled

Venom Builder NOPs Option

A late addition to this point release, the Venom Builder tool now includes a NOP Sled option.

-n, --nopsled <length> Prepend a nopsled of [length] size

There are a number of options missing from Venom Builder that are available directly through the msfvenom command line. The NOPs option is a great addition and has been requested a few times, and today its here! Keep that feedback coming!

Last, But Not Least – Export Creds

Export credentials tool

Have you captured usernames, passwords, hashes? Need a quick way to password spray a new service login you just discovered? Want to kick-off a hashcat or john-the-ripper session?

Use the Export Creds button to generate a list of every known username, password, hash in your credentials list and a few different mixtures of each.

Each of the sections in the Export Creds tool is useful in different situations. Sometimes its as simple as reporting your findings – “UN:PW”. Other times it can be a little more complicated.

Here’s a short rundown of each section:

  • Usernames: Every known username in your credentials list
  • Passwords: Every known password in your credentials list
  • UN-PW: A simple combination of username:password
  • UN:PW All-U: All permutations of every known username:password, looped around the username
  • UN:PW All-P: All permutations of every known username:password, looped around the password. This mode is best for password spraying to reduce the chance of account lockout with large lists.
  • Uncracked Hashes: Every known hash in your credentials list that does not also have a password. This is ideal for starting a hashcat or john-the-ripper session.
  • UN:Hash All: Every credential record that contains a hash

Note: Export Creds is currently a Host level export and is available on the Host or Port page. Engagement wide credential management is coming in a future release.

PenTest.WS Pro – Status Update

We’re still on track for an end of June release of PenTest.WS Pro. The features are complete and currently being tested. Pricing is nearly settled. Store infrastructure is under heavy development but moving quickly.

We’ll be releasing more information on this blog and Twitter in the weeks ahead. Any unforeseen delays will be announced as soon as possible. Its been a lot of work to get this far, and we’re incredibly excited about the new product.

Thanks for reading, enjoy the new online features, and as always, keep the feedback coming!!

PenTest.WS Pro Enters Private Beta

With the release of PenTest.WS version 1.5.2 earlier this week, PTWS Pro has officially entered its Private Beta phase.

PenTest.WS Pro is an offline stand-alone version of the online web application designed to run directly inside your Kali Linux virtual machine. The Pro Tier was developed for professional penetration testers who must comply with strict non-disclosure agreements or those who operate within a restricted network environment.

PTWS Pro, once setup is complete, is an offline web application which does not connect to the internet unless instructed to do so by the user. During setup the application will need to verify its licensing and download copies of the Exploit Database, Metasploit Modules and Nmap Scripts. These locally cached repositories can be refreshed at anytime through the administrator panel.

Screenshot from 2019-03-09 17-06-48

Version 1.5.2 – Export / Import Account Items

Earlier this week version 1.5.2 was released bringing with it the ability to export and import account items. These items include:

  • Templates: Shells, Port Scans, Subnet Scans
  • Global Service Notes
  • Service Command Library (Hobby Tier)
  • Default Service Checklist (Hobby Tier)

This capability is useful for backing up your valuable notes & commands but it is essential if you’re planning to migrate from the online version to the soon to be released Pro Tier. The export routine creates a single json file which then can be loaded into your local offline Pro Tier application.

The Export & Import Account Items functionality is available now under the user menu located in the top right corner of PenTest.WS

Progress on the Pro Tier has been very exciting and public availability is expected in the second quarter of 2019.

Stay Tuned!

Version 1.5 Released – Scratchpad

scratchpad-demo-01

Scratchpad Now Available

  • Code editing with syntax highlighting for over 150 programming languages.
  • Hierarchical file structure with drag-and-drop.
  • Download files through the browser or using wget/curl/downloadstring.
  • Instantly switch between code & rich text editing.
  • Import CherryTree XML files!

* Scratchpad functionality is limited on the Free Tier

Also New In Version 1.5

Dark Theme
Hacking late at night? Switch over to Dark Mode and give your eyes a rest

Hostnames
Add hostnames to a host and select between IP address or hostnames for Service Commands

Updated Port List
See more information from the port list on the sidebar

And Much More
Import username:hashes – Ncat links – Fixed UDP nmap script links

 

Version 1.4 Released – Note Pages, Note History, Keyword Search

Notes, Notes & More Notes

v1.4-Note-Pages-02

Create Note Pages for Engagements, Hosts & Ports

Keep your notes organized by creating additional note pages for categories such as Discovered URLs, Possible Vulnerabilities, or Interesting Directories

* Note Pages are available on the Hobby Tier

Also New In Version 1.4

  • Note History
    Never lose a note again with a detailed change history for every note

  • Keyword Search
    Quickly scan your entire account for keywords

  • Code Snippets
    Add source code to notes & reporting data with syntax highlighting

  • And Much More…
    ◦ Export your data to JSON
    ◦ Revamped Dashboard & Engagement Console
    ◦ URL HashIDs & Clientside Error Logging

What’s coming in version 1.5?

Periscope – gain better situational awareness by viewing your engagements and hosts from 10,000 feet

Scratchpad – edit files in a hierarchical folder structure with syntax highlighting and Vim style keyboard bindings