Author: PenTest.WS

Findings Groups, Reporting Briefs, and File Shares – Version 2.5

On By PenTest.WS

Version 2.5 is here, and it comes with three major features that elevate your work inside PenTest.WS — from organizing findings, to building reports, to managing files during engagements.

Findings Groups

Findings Groups give you a new way to organize your findings inside an engagement. By default, findings are still just a flat list — nothing changes unless you want it to. But Pro Tier members can now create custom groups and drag findings into them.

Want to separate issues by External, Internal, and Social Engineering workstream? Easy! Create groups that match your own workflow, methodology, or reporting style. You’re in control.

These groups carry over directly into reporting, so the structure you set in your engagement automatically shows up in your exported reports. To take advantage of this capability, you’ll need to update your reporting templates with the new grouped fields. Once that’s done, your reports will reflect the same organization you defined during the engagement — resulting in cleaner structure, clearer communication, and less manual sorting later on.

For detailed documentation:

Reporting Briefs

Reports are more than just technical data — they need a narrative. That’s where Reporting Briefs come in. Briefs give you a starting point of reusable content that can be customized for each engagement. Whether it’s a methodology section, an executive summary, or a tailored explanation for C-level readers, you can maintain a library of briefs and then fine-tune them as needed.

This means no more copy-paste from old documents. Your content lives directly inside PenTest.WS, ready to be reused, edited, and adapted whenever you need it.

For detailed documentation:

File Shares (On-Premise Exclusive)

Version 2.5 also introduces File Shares, a brand new way to manage files directly inside PenTest.WS. This feature is built for pentesters who need a secure, team-friendly way to store and share files without relying on third-party services.

  • Secure – Files are stored locally on your server, never uploaded to the cloud.
  • No AV/EDR Scanning – Nothing interferes with your payloads, tools, or artifacts.
  • Versioning Built In – Track file changes over time.
  • Shared With Your Team – Files are available right inside your PenTest.WS workspace, without extra permissions or ACL headaches.

When you need to push files out to a live target during an engagement, File Shares makes it simple. You can generate a short-lived public URL that expires automatically, giving you a safe, temporary way to deploy files without setting up separate hosting. Once the link is gone, so is the exposure.

File Shares is available exclusively in the Pro Tier On-Premise edition of PenTest.WS.

For detailed documentation:

What This Means for You

Version 2.5 isn’t just about new buttons — it’s about making reporting faster, more professional, and more repeatable. With Findings Groups to structure your data, Reporting Briefs to tell the story, and File Shares to manage and deploy files, you’ll spend less time wrangling reports and infrastructure, and more time delivering results.

Ready to take your reporting to the next level? Findings Groups, Reporting Briefs, and File Shares are available now in Pro Tier. File Shares is exclusive to the On-Premise edition. If you’re on Free or Hobby Tier, upgrade today and unlock these new tools built for professional engagements: https://store.pentest.ws/

Thanks for reading!
PenTest.WS Development Team

A New Way to Work – Version 2.4

On By PenTest.WS

We’re excited to drop a massive quality-of-life upgrade in version 2.4 — one that reflects how professional red teams actually operate. Here’s what’s new:

🧭 Pro Tier: Engagements Replace the Dashboard

The old dashboard was built around shells and rooting boxes — but that’s not how pros manage a real engagement. We’ve replaced it with the new Engagements screen, purpose-built for tracking scope, timelines, findings, and more.

🛡️ New Global Findings View (All Tiers)

Free, Hobby, and Pro users now get access to a consolidated Findings screen. It gives you a sortable, filterable view across engagements, sorted by risk, category, or environment.

📅 Engagements Now Have Planning Metadata

Engagements now include Status, Start Date, and End Date fields — all of which are user-configurable and filterable. You can use this for planning, tracking, or just keeping your team organized.

🧪 Matrix Filters for Hosts and Ports

Tired of binary filters? The new triple-filter switch gives you full control: filter for “Yes”, filter for “No”, or don’t filter at all. It’s more intuitive, especially when tracking host review status and port exposure.

💻 Pro On-Premise – HTTP Log View

If you’re running Pro on-premise, you’ll now see an HTTP access log printed directly in your terminal. It’s great for troubleshooting or just keeping an eye on what’s happening under the hood.

🛠️ Admin Control Over Status Field (Pro)

The new status field isn’t hardcoded — it’s company-wide and admin-configurable in the Pro Tier admin panel.

🧠 Smart CIDR Expansion

Adding hosts via CIDR just got easier. If you paste in a range (like 192.168.0.1/24), you’ll be prompted to automatically expand it into individual IPs. (IPv4 only.)

Support System Overhaul

Some support tickets were falling into the void (thanks, spam filters and silent failures). We’ve rebuilt our support system behind the scenes and are actively monitoring the system.

If you’re on Hobby or Free Tier and want access to the new Engagements screen, now’s the time to check out Pro. We’ve got more in the pipeline — stay tuned.

Thanks for reading!
PenTest.WS Development Team

The Human Attack Surface – Version 2.3

On By PenTest.WS

We just launched PenTest.WS v2.3, and it’s a big one, especially if your red team ops go beyond just scanning ports and popping shells. With this release, we’re giving Pro Tier users new tools to track and understand the people behind the infrastructure. Because sometimes the weakest link isn’t a host, it’s a human.

People Hacking

Social engineering is more than just an attack vector, it’s a workflow. And now you can track it like one.

People Hacking gives you a dedicated space to track social engineering targets, tactics, and outcomes. Each person is a first-class object, complete with contact details, tags, profile URLs, locations, and communication history.

People Hacking lets you:

  • Log phone calls, phishing attempts, texts, or in-person interactions
  • Assign custom tags to track roles, regions, risk levels, or anything else
  • Link SE engagements directly to findings as supporting evidence
  • Capture everything in one searchable, structured view

No more scattered notes or one-off spreadsheets. With People Hacking, social engineering becomes a trackable, repeatable part of your red team ops.

For more information, visit the docs:
https://docs.pentest.ws/people-and-events/people-hacking

Available now in Pro Tier. Because real-world attackers don’t stop at the firewall, and neither should you.

Events Timeline

Every op leaves behind a trail of actions, commands, and interactions. Now you can see them all – organized, timestamped, and linked – in the new Events Timeline.

The Events Timeline tracks everything you do across:

  • Hosts
  • Services
  • People
  • Detections
  • Social Engineering interactions

Quickly log any event with built-in shortcuts – like when you vish a target, phish credentials, or run a tool. Just click “Add Event” to capture everything: summary, metadata, related objects, and context.

Better yet: every time you launch a command from the Service Command Library (via Copy Command in Hosts or Services), an event is automatically created and linked to the relevant host or port. No extra clicks, no forgotten steps.

All events are UTC timestamped to simplify cross-system correlation.

🔒 Evidence Locking

When an event becomes critical to your story, tag it as Evidence. From that moment on, it’s immutable – locked from edits or deletion – to preserve the integrity of your timeline and findings. This ensures you have a defensible, auditable chain of actions tied directly to your report.

For more information, visit the docs:
https://docs.pentest.ws/people-and-events/events-timeline

Available now in Pro Tier. Build a real timeline. Back it with real evidence.

Report Engine Update

Breaking Change: Report Template Syntax Update
PenTest.WS now uses {{ and }} as the default delimiters for report template commands, replacing the previous { and } syntax.

This update improves compatibility with more complex templating scenarios.

If you maintain custom report templates, you’ll need to update any placeholders like {engagement.name} to {{engagement.name}} to ensure they continue rendering correctly.

Until then, use the "Generate Legacy Report" button to generate reports using the old syntax.

We’ve officially sunset support for LibreOffice in the main report engine. You’ll still find “Generate Legacy Report” available for now, but moving forward, all reports are optimized for Microsoft Word (.docx).

This change was made to ensure full compatibility with embedded HTML content – like rich text from summaries, notes, and evidence fields – which LibreOffice often struggles to handle cleanly. Over the years, these issues have created friction for users and undermined the reliability of the reporting experience.

Our focus is on stability and precision, especially for users generating formal deliverables. Supporting LibreOffice was a well-intentioned effort to reduce cost barriers, but ultimately, Word is the only platform that consistently handles the full range of features we support.

For an updated Report Template which includes People & Events:
https://docs.pentest.ws/clients-and-reporting/reporting-templates

This update applies to all tiers: Free, Hobby, and Pro.

Defenders, Meet Your New Ally

PenTest.WS is built for red teams. ChallengeWord is built for blue.

Social engineering remains one of the most effective attack vectors. While technical defenses are essential, empowering your team to verify identities in real time is just as critical.

ChallengeWord introduces a human-centric layer of security by providing your team with a rotating, shared secret word, on-demand. It gives employees a discreet, low-friction way to confirm the legitimacy of unexpected calls, texts, or in-person interactions, without confrontation.

By integrating ChallengeWord into your security protocol, you equip your team to:

  • Quickly identify impersonators attempting to breach your organization.
  • Enhance existing training with a practical, real-time verification tool.
  • Reduce the risk of falling victim to vishing, smishing, and other social engineering tactics.

It’s a straightforward solution to a complex problem, designed to bolster your organization’s human firewall.

Learn more about ChallengeWord or request a demo today!

Community Repo & Multi-Step Commands – Version 2.2

On By PenTest.WS

PenTest.WS v2.2 includes a new collaboration tool called Community Repo where you’ll find command templates for everything from PowerShell and Bash commands to BloodHound custom queries. Also, your General Command Library gets a new super power with the Multi-Step Commands feature.

Community Repo: Commands

Search by keyword, operating system, category, or service and you’re one click away from importing community repo commands into your General Command Library (GCL) or your Service Command Library (SCL). Be sure to up vote the commands you find helpful, clever, or inspiring.

Clicking either the “Import to GCL” or “Import to SCL” buttons brings up a window where you can make any necessary changes to the command’s metadata before its pulled into your account. For GCL, this lets you update the category and sub category to match your own category names.

Show Off Your Awesome Commands

Contribute to the Community Repo from either your GCL or SCL using the highlighted icons below:

Submit individual commands one at a time, or as a group of commands all in one batch. Once submitted, you can no longer make modifications to the command in the repo. However, you can still make changes to your own GCL or SCL version of the commands.

Need to remove a command from the repo? Find your command in the repo and click the Delete button (only available on commands you’ve submitted).

Sharing a direct link to a repo command is easy with the Share button. This generates a link you can send to your teammates:

https://pentest.ws/repo/commands/ecbbb6aa-297e-4dcd-857f-d97bfe910d27

The Community Repo requires a Hobby Tier or Pro Tier membership.

Multi-Step Commands

Your General Command Library (GCL) just got a lot more useful with Multi-Step Commands. A single GCL entry can now contain several steps to complete a task. Each step includes its own copy-paste shortcut as well as notes about that specific step.

Another useful trick is to group information and commands related to each other into a single GCL entry. For example, Step #1 of the following multi-step command contains C source code for a shellcode testing program. Step #2 builds the executable and Step #3 executes the test program.

More good news, the Community Repo supports importing and exporting of Multi-Step Commands!

Multi-Step Commands are now available to all tier members.

More Version 2.2 Upgrades

  • Matrix – Copy Targets
    Quickly generate a “WebServers.txt” targets file using the Matrix. Filter down your list of hosts, for example those with port 80/443 open, and click the “Copy Targets” button in the toolbar. Paste this content into a file to be used with tools such as Nmap or GoWitness.
  • API Upgrades:
    • Findings Library now included
    • Boards now included
    • Field lengths are now validated
  • Adjustable Sidebar
    The sidebar’s width is now adjustable

Thanks for reading!
PenTest.WS Development Team

Large Engagements & General Notes Library – Version 2.1

On By PenTest.WS

PenTest.WS v2.1 brings the much anticipated Large Engagements capability to Pro Tier, supporting Engagements with thousands, or tens of thousands of Hosts in a single Engagement. Additionally, Hobby Tier receives the new General Notes Library!

Large Engagements – Pro Tier

With Pro Tier’s new Large Engagement support, a single Engagement can easily handle thousands, or tens of thousands of Hosts. Need to import an Nmap scan of a /20 network? An entire Class B network? No problem.

Several systems have been updated in Pro Tier to work with such large network ranges:

  • Import XML – the import routine now shows it’s progress log in real time, giving you live feedback of the Hosts & Ports the system is either creating or updating as it works its way through your XML file.
  • Infinite Scrolling – the application now implements infinite scrolling, only loading enough Hosts to fill the page. As you scroll through various lists, more Hosts are loaded in the background until all Hosts are displayed. The affected systems are:
    • Application’s Main Sidebar
    • Boards
    • Matrix
    • Subnets
  • Updated Matrix – filtering by operating system, flags, ports or keywords now effects all Host list queries for a faster and more intuitive user experience. Looking for systems with port 80 or 443 running Linux? Set your Matrix and the Sidebar, Boards & Subnets screens will also be filtered.
  • Boards – combined with the Matrix, you can create boards such as “Web Servers” and easily move all of your port 80/443 Hosts. Want to break up 4,094 Hosts into ten Boards? Use the “Auto Distribute” feature, now compatible with Infinite Scrolling.
  • Subnets – using the web servers example we’ve been discussing, jump over to the Subnets screen and copy the “IPs – One Per Line” field into a file for EyeWitness and speed up your recon.

Note: the Large Engagement mod is only available in Pro Tier’s stand-alone application and is not available through our online platform at https://pentest.ws

General Notes Library

All the functionality of Scratchpad, but for general notes not specifically related to a Host:

  • Code editing with syntax highlighting for over 150 programming languages.
  • Hierarchical file structure with drag-and-drop.
  • Download files through the browser or using wget/curl/downloadstring.
  • Instantly switch between code & rich text editing.
  • Import CherryTree XML files!

Your new General Notes Library is a great place to store your favorite pieces of C# code, common or rarely used procedural steps, or your exciting new research ideas and references. General Notes are linked to your account and not associated with an Engagement.

General Notes Library is available on Hobby Tier and Pro Tier, with limited access from Free Tier.

For a full feature comparison between PenTest.WS Tiers, visit https://pentest.ws/pricing

Also New In Version 2.1

  • New Credential Fields
    Credential records now have “domain” and “notes” fields
  • Ignore-Cert
    Pro Tier has a new command line option “–ignore-cert” which allows the stand-alone application to function behind an HTTPS inspection proxy
  • Misc Bug Fixes
    You can submit bug reports to [email protected]

Thanks for reading!
PenTest.WS Development Team

Version 2.0 Release – Findings & Reporting

On By PenTest.WS

Welcome to PenTest.WS Version 2.0! Our biggest update yet with the all new Findings System, DOCX Based Reporting Templates, Boards & The Matrix, Full Featured API and Shared Engagements in Pro Tier. Lots to cover, lets dig into it.

Findings System & Findings Library

During a security assessment we often discover vulnerabilities in web applications, network infrastructure, and active directory environments, generally called Findings. These issues need to be documented and later reported back to the client for remediation. The new Findings System in PenTest.WS aims to make this process of collection & documentation as easy as possible.

PTWS now contains a user-defined Findings Library where users can build documentation templates for vulnerabilities such as SQL Injection and add generic text for background information, descriptions, impact, recommendations, as well as a default risk level and reference links. During a live security assessment, these findings templates can quickly be added to the engagement in real-time as you discover them. Further refinements can then be captured with unique details about each specific finding.

Don’t need to capture Validation Steps or track a Remediation Log? Simply visit the Findings Admin utility and hide these fields. Want to rename the References field to External Links? No problem. Add/remove environments and categories. You can even change the color of your Risk Levels!

  • Free Tier: no access to Findings System.
  • Hobby Tier: limited to 5 Findings per Engagement. Findings Library is attached to a single user.
  • Pro Tier: unlimited. Findings Library is global in Pro Tier.

DOCX Based Reporting Templates

Now that you have collected an impressive set of findings for your client, you need to build a client deliverable document with these details. PenTest.WS’s new Reporting Module processes user-uploaded DOCX files with embedded {tags} to generate fully customized reporting documents with a single click.

Download a sample report template:
https://pentest.ws/docx/report_template.docx

View the list of available data fields:
https://gist.github.com/PenTestWS/c5d378e789e06e81a142495ea3823a52

As shown in the screenshot above, the Reporting Module’s capabilities includes For loops, If statements, and HTML content from your Findings entries including embedded images like screenshots for evidence. Using the new Client Manager you can add tags such as {client.name} and {client.shortName}, its just one less thing you need to fill out in the final report. Once the Reporting Module is finished processing, your browser downloads the new DOCX file where you can further customize the report as needed.

  • Free Tier: no access to Reporting Module
  • Hobby Tier: limited to 2 reporting templates. Reporting Templates are attached to a single user.
  • Pro Tier: unlimited. Reporting Templates are global in Pro Tier.

Shared Engagements – Pro Tier

Left Side: user Alice – Right Side: user Bob

One of our most advanced features to-date, today we’re launching Shared Engagements for Pro Tier.

Note: Shared Engagements is available in Pro Tier running in Intranet Mode for multi-user accounts

As the owner of an Engagement (the user who created the Engagement), you can grant Read Only or Full Access to your PTWS teammates on an individual basis. These Shared Engagements appear on the remote user’s Dashboard under a new Team Missions section.

Alternatively, you can choose to make an Engagement Public, granting full access to all teammates. Engagements default to Restricted Access with all teammates in the No Access bucket. An Engagement’s Access Control is available in the Console tab.

All Shared Engagement details are synchronized in real-time between users. Shown in the example above, fields are temporarily locked while being edited and updated as that data is saved to the server. Pop-up notifications are displayed about important events, such as adding/delete hosts, ports, credentials or findings.

Boards (see below) is a shared environment when working with teammates, allowing you to group hosts into logical buckets. The Matrix (also described below) is a personal filter system in Shared Engagements, so you can focus on your interesting targets without affecting the filters of others.

Working on a specific Subnet (Pro Tier only)? Click the filter column in the Subnets tab, or use The Matrix subnet filter. Subnet filtering is also a personal filter system in Shared Engagements.

Pro Tier v2.0 Bottom Line: Using all the new PTWS v2.0 features:

  • Teammates can work through an engagement together, adding notes & status to hosts & ports along the way
  • Everyone stays informed and duplicate work is minimized
  • When a vulnerability is found, use the Findings Library to instantly bring in all the generic text
  • Immediately add screenshots to the Finding’s Evidence
  • Use the Reporting Module to generate your client deliverable with one click
  • Project Done!

Boards

Most of us are familiar with Boards style organization. These boards are user-defined for each Engagement and can contain any number of hosts. Sort each Board and the Hosts using this intuitive drag-and-drop interface. Group your hosts however is most effective for your environment:

  • Status (in-progress, vulnerable, cleared)
  • Environments (web, int/ext, s.e., wifi)
  • AD Domains (us, europe, asia)
  • Phases (group1, group2, group3)

Once you have defined your Boards, use the Board Filter in the sidebar to limit your view to a selected Board. During a Shared Engagement (Pro Tier) this is a great way to designate different targets to different pen testers. Playing HackTheBox? Setup your Boards for Active Testing, Pwned, Archived, the possibilities are endless.

  • Boards is available on all tiers

The Matrix

The Matrix gives you a 10,000 foot view of your entire Engagement, broken down by Host & Port. An extensive filtering system is available to narrow your view by OS, Host Type, Host Flags (including the new Color flag), Port Number/State/Status, all integrated with the Boards system.

As you refine your filters in The Matrix, your sidebar will synchronize so you can delve into the selected hosts and quickly jump between your active targets. During a Shared Engagement in Pro Tier, The Matrix is a personal view, allowing different teammates to focus on their own objectives.

  • The Matrix is available on all tiers

Full Featured API

Swagger Documentation: https://pentest.ws/docs/api/v1/

The new PTWS API provides access to your Engagements, Hosts, Ports, Scratchpad, Note Pages, Credentials, Clients & Findings through a RESTful architecture, including GET, PUT, POST, & DELETE capabilities for each object. You can now build automation scripts and integrate external tools into your PenTest.WS environment.

Scanning hosts and importing results now becomes a one-click operation!

Consider the following Nmap Scan Template:

nmap -sC -sV -oA tcp -vv %tip% && curl -X POST "https://pentest.ws/api/v1/e/%eid%/import/nmap" -H "X-API-KEY: %apikey%" -F "[email protected]"

The first half of this command runs a typical nmap scan on a target IP address, IP range or CIDR block, then outputs the results to a file called “tcp.xml”. The second half of this command uses curl to immediately post these results to your engagement in PenTest.WS.

Embedded in this command are several interesting variables:

%tip%Target IP Address, Range or CIDR Block
%eid%Current Engagement ID
%apikey% Your API Key – when you click on a command with this variable, the application will prompt for your password before swapping the variable for your API Key. You can view your API key at https://pentest.ws/settings/api-key

The full list of variables are available in the Edit Templates screens:

  • PenTest.WS API is available on all tiers

A Few More Things…

  • Engagement wide Credentials Tab – attach a credential to an Engagement, not just a Host/Port
  • Host Colors – a visual way to mark interesting Hosts
  • Old Reporting Tab is now Write-Up – this data is now search from Keyword Search
  • Service Command Library: Service aliases such as “http, https” in the Service Name field
  • Pro Tier: LDAP & SMTP Integration

We’ll cover some of these additional features in another post.

Thanks for reading!
PenTest.WS Development Team

Data Status Indicators – Version 1.9.0 Released

On By PenTest.WS

Data Status Indicators for added reliability & Two-Factor Authentication Backup Codes for enhanced security!

Data Status Indicators

Data Status Indicators

The PenTest.WS platform automatically saves your data so you can focus on investigating your targets. Until now, this process remained completely in the background leaving you with little indication that your data is safe, stored securely in the cloud.

Version 1.9.0 introduces transparency into the save process with Data Status Indicators. As seen in the image above, each auto-save field now has an independent status indicator along its left edge:

  1. While actively editing an auto-save field, this indicator will turn grey
  2. During the auto-save process, it will turn red
  3. Once the save process is complete, the indicator will disappear

In addition to the individual field indicators, there is a new general data transfer indicator in the top right corner:

Data Transfer Indicator

Whenever PenTest.WS is sending or receiving data, this new data transfer indicator, with its animated three red squares, will provide further insight into the status of your valuable information.

2FA Backup Codes

Two-Factor Authentication Backup Codes

Accidents happen. Phones are lost, upgraded or simply fail. Backup codes are essential to recovering your account when two-factor authentication (2FA) is enabled.

https://pentest.ws/settings/2fa/codes-show

If you already have 2FA enabled, the system will generate your new backup codes when you visit the link above. Otherwise, you will be prompted to enable two-factor authentication, a process which greatly enhances the security of your PTWS account.

Using a Backup Code

You can only use each backup code once. Be sure to keep these backup codes somewhere safe but accessible.

When all ten codes have been used, you’ll need to generate a new set by revisiting the link above. This link is available from your Account Settings page in the 2FA section. You can generate new codes at any time, which will invalidate all existing backup codes.

Go get your 2FA Backup Codes now!

The PenTest.WS 2021 Road Map

Version 2.0 is a big milestone for any application and one we are incredibly excited about. Today we are announcing two of the most anticipated features coming to PTWS in 2021.

New Report Writing Engine

With all professional penetration tests, the client deliverable is naturally a report describing the engagement’s findings and remediation recommendations. This can be a tedious and time consuming effort, one that is often repetitive and prone to mistakes.

PTWS v2 allows the tester to collect relevant information during a live penetration test and easily generate an engagement report at its conclusion. Report templates start as a Word Document and are fully customizable with loops and conditional statements. Finally, a new data merged Word Document is generated, allowing you to further refine the report as needed.

Application Programming Interface (API)

Scripting is a big part of efficient hacking, so we’re giving PTWS its very own API. Using a simple but effective REST interface which speaks JSON, you’ll be able to build custom tooling around common tasks:

  • Import Nmap and Masscan XML files
  • Query Engagement, Host and Port records
  • Add Hosts and Ports to an Engagement
  • Upload and Download Scratchpad Documents

We’re looking forward to seeing what our hacker community can do with a PenTest.WS API to improve their workflow.

Thanks for reading!
PenTest.WS Development Team

Multi-File Import – Version 1.8.3 Released

On By PenTest.WS

Multiple files, masscan, bookmarks, print… lets dig into what’s new in version 1.8.3

Multi-File Import

Multi-File Import

Importing several XML files just got a lot easier! You can now load multiple XML files at once, either through the file browser or simply drag-and-drop. Data from each host always gets placed where it belongs. The filename, file type and contents are displayed for each file. Delete as needed, or click the “Import XML” button to run your import. v1.8.2 brought us the Import Log which has been updated to support multiple files.

Masscan Support

Import now supports Masscan XML files. The Import routine also supports a mixture of Nmap files and Masscan files in the same batch. Have a large IP space to scan? Run a fast Masscan first and follow up discovered hosts with a detailed Nmap scan.

Bookmark Library

Bookmark Library

Store your security related bookmarks all in one place with the new Bookmark Library. Add notes and assign keywords for easy retrieval later using filters, sort and search. You can also store local PenTest.WS links. Bookmark where you left an engagement Friday night and easily pick back up Monday morning.

Print Engagements, Hosts & Ports

v1.8.3 adds a Print functionality to the online Free and Hobby Tiers. Its an easy way to view all you data on a single page. Look for the printer icon in the upper right corner of the Console, Host and Port pages.

Misc Improvements & Bug Fixes

Double Paste Bug – A long time coming, but the double paste bug in the Notes fields has been fixed!

Venom Builder – Additional Parameters – The Venom Builder tool now has a free-type field called Additional Parameters.

Hash Type for Credentials – Credentials now include a Hash Type field, used later to identify what hashcat mode you might need.

Maximize Notes Fields – got lots of notes? Now there is a Maximize button on all Notes fields.

What’s Next?

We have version 2.0 in our sights, which brings an incredible number of new features and capabilities. But more on that as we get closer.

The next major release of PenTest.WS, version 1.9.0, has a completely rewritten save mechanism. Beyond bringing more reliability to the platform, the aim is to provide more transparency into the state of your data. As fields are updated and auto-save timers are set, clear indications of this process will be visible in the user interface.

Many of the improvements in v1.8.3 came directly from user requests. Head over to the Support Forums and submit a Feature Request with your ideas!

Thanks for reading!
PenTest.WS Development Team

IP » Target – v1.8.2 Release

On By PenTest.WS

Version 1.8.2 includes several new features and improvements, with maybe the most important being the long awaited IP»Target mod announced last November. Lets step through the major changes in this release…

IP » Target

It is now possible to enter a fully qualified domain name (FQDN) as the Host’s primary identifier. In this example, we’ve shown the possibility for “example.com” and “mail.example.com” as separate hosts. Of course you can still use an IP address to identify a host.

The Import routines have been updated to capture domain names when they have been used to scan a target. For example:

nmap -sC -sV -oA tcp -vv example.com

will now create/update records for the “example.com” host. The Service Command Library automatically uses the Host’s domain name when used as the host identifier:

We’re hoping this change will greatly benefit our pentest community, as well as be a big boost for our bug bounty hunters! Each sub-domain in the program’s scope could have its own Host record, with separate port lists, notes and findings.

Capturing Port State

The Import routines have also been updated to capture Port State. This information is included in Nmap’s XML output, and the possible values are Open, Closed, Filtered, Unfiltered, Open|Filtered, or Closed|Filtered.

Port State is displayed in two places. First, on the left side of the screen in the Host List Panel shown in the screenshot at the top of this article. Second, on the Port page, shown in the screenshot above.

As this is a new feature, previously captured ports will need to have their value set manually, or you can re-import the associated Nmap XML file.

Lastly, it should be noted Port State is separate from Port Status, which is a self assigned note to track which ports have been reviewed or may be vulnerable.

Engagement Archives

Got old engagements cluttering up your Mission Control? Click the new Archive button in the top right corner of each Engagement card and it will drop down into the Archived Engagements section. Don’t worry if this section is not visible, it will appear once you archive your first engagement. Click any of the archived engagements to reinstate it to active mode.

And So Much More…

CVE Database –
The Common Vulnerabilities and Exposures (CVE) database is now searchable directly in PTWS (https://pentest.ws/tools/cve). This functions similar to the Exploit-DB feature with full keyword search capabilities.

Engagement Wide Credentials –
On the Engagement Console tab, there is a new Engagement Credentials section which shows credentials from all Hosts within that Engagement.

Export as CSV –
Now you can export Engagements and Hosts as CSV files, in addition to JSON files. Use the Export button in the top right of their respective pages.

Hobby Tier, Yearly Payment Option –
You can now pay a full year of Hobby Tier access through the Membership page. Simply change your plan to yearly, and on your next renewal date you will be changed a single yearly price (currently $39.80)

Be sure to head over to the Feature Request page on the PTWS Support site to submit your ideas for the next version.

Thanks for reading!
PenTest.WS Development Team

General Command Library – Version 1.8.0 Release

On By PenTest.WS

Today we are announcing the release of PenTest.WS Version 1.8.0 and with it comes the General Command Library!

General Command Library

The General Command Library (GCL) is a place to store all your frequently used, and not so frequently used, general system commands. Much like how the Service Command Library works for services, the GCL works for:

  • System enumeration
  • Privilege escalation
  • Shell escapes
  • File transfer shortcuts
  • Powershell download cradles
  • Pivot tunnels
  • … and anything else!!

Each command can be organized by Operating System, Category, and Sub-Category values. These filters are user-created and self-populated as more and more commands are entered into your GCL system. Additionally, you can quickly search for keywords such as “wmic” or “iex” if you’re looking for a specific functionality.

Filters are sticky, so you can navigate away from the GCL screen and when you return later, you’re dropped right back into the list of commands you were previously viewing.

Availability: the General Command Library has been pushed to all platforms and is ready for immediate use.
– Free Tier: currently limited to five commands
– Hobby & Pro Tier: unlimited command capacity
– Pro Tier: run your Software Update from the Admin Panel

Service Command Library – Free Tier Availability Update

The Service Command Library (SCL) is now accessible on the Free Tier. The SCL is one of the most popular features of the PenTest.WS platform and its usefulness has proven to be an incredible time saver.

SCL on the Free Tier includes up to two commands per service.

New Template List Format

All template list pages have been updated to a more compact table format. This allows more commands per screen real estate.

New Template List Format

Misc Improvements & Bug Fixes

SCL Notes: requested on the Support Forums, SCL records now include a Notes field. These notes will appear on the Port page alongside the service command entry.

Note Pages Clobber Bug: in certain circumstances, it was possible for Note Pages to overwrite the wrong Note Page. However, the content could be recovered through the History functionality. This bug has been fixed.

Note Page Rename Bug: tab renaming functionality has been restored. Double click on a Note Page tab to rename each tab.

Coming soon… IP » Target

An exciting change is coming to the PTWS system. Currently, Hosts are tracked by IP Address. After the IP->Target mod included in the next release, it will be possible to enter a fully qualified domain name (FQDN) as the Host’s primary identifier.

All tools will be updated to support a Target in addition to an IP Address. Import an Nmap XML scan based on a FQDN? No problem. Need to launch a dirsearch command against a FQDN? Sure!

This change will be a big boost for all the Bug Bounty Hunters in our community. Each sub-domain in the program’s scope could have its own Host record, with separate port lists, notes and findings.

We’re always looking for ways to improve the PenTest.WS platform. Head on over to the Support Forums and submit a Feature Request.

Thanks for reading!
PenTest.WS Development Team