Changelog

Scan diff for your scan results is finally here! We know you’ve been asking for it, so we’ve listened and delivered. 

Available for port scanning, vulnerabilities, and subdomains, scan diff highlights new and updated findings compared to your previous scan on the same target within a set workspace. 

• Use it for continuous monitoring of all targets in your workspace 

• Get automatic notifications when anything changes, on your preferred channel (email, Slack, Teams, Discord, etc.)

• Create an automatic scan baseline and use scheduled scans for easier tracking

We've increased the URL crawling speed by 30%, making the Website Scanner more efficient from start to finish. 

Our proprietary web app scanner now uses parallelization when detecting cloud hosted URLs. Expect faster discovery, quicker scan completion, and more timely results. 

We’ve also improved the tool’s passive detection method with: 

• Disclosure of OS paths in the HTTP response

• Detection for session tokens in the request URLs

We're giving you even more control over our most powerful offensive security tool - Sniper Auto-Exploiter.

You can now automatically get proof of exploitation for specific CVEs.

Plus, our team developed new custom exploits for these critical CVEs:

• CVE-2024-36401 (CVSSv3 9.8) - this GeoServer RCE can fully compromise your server and allow unauthenticated attackers to pivot to your internal network. 

• CVE-2024-28995 (CVSSv3 7.5) - prove this Arbitrary File Read vulnerability found in SolarWinds Serv-U is exploitable.

Don’t forget that, whenever we add new exploits in Sniper, it means our Network Scanner can also detect those CVEs for you.

Want to see it in action? Here’s a practical demo on how Sniper works:

This month, we’ve fine-tuned the Network Vulnerability Scanner to handle details more efficiently, so you don’t lose focus with too much manual work:

• Get end-of-life findings for Nmap-detected products and operating systems.

• The “How to reproduce section” got tidier as we’ve moved the curl command from Nuclei here. 

Find weak credentials with the Password Auditor and also get these effective operational improvements:

• Informational findings for HTTP server-side errors now have screenshots to make them easier to check.

• We’ve introduced scan logs for this tool, so you always know what scan is active at any given time.

If you’re running the Wordpress Scanner to find core vulnerabilities, outdated plugins, and other critical issues, now you’ll see a lot of visual improvements to your findings.

We’re always looking for ways to make our product easy on your eyes so you can find - and focus on - what’s important.

Our Password Auditor expands its effectiveness and can now find weak credentials in a broader range of network services and web technologies:

• We've improved the weak credentials checks on Joomla, Kibana, Grafana, Plesk, and Webmin.

• Plus, bruteforce attacks with this tool now run in parallel for open services to speed up your workflow. 

Are you on the lookout for more efficiency in your workflows? (Who isn't, right?) 

We've got a growing list of integrations so you run your security operations smoothly.

Just added:

• Discord - a popular request in our community! Get custom notifications for scan results, set different channels for specific alerts, and make sure everyone sees the relevant findings.

• Vanta - another popular request! Use it to automatically get PDF reports from scheduled scans only straight to your Vanta account and make compliance operations a bit smoother.

  

• You can now use the CLI version for our Website Vulnerability Scanner to set up vulnerability tests in your CI/CD flow.     

Our colleague Mihai explains how to use it in this quick video: 

Wordlists got better in our Subdomain Finder!

For the DNS Enumeration test, you now have a more comprehensive wordlist available for deep scans — created from the most popular 5000 names that our team of security researchers found.

The Network Vulnerability Scanner is always expanding its reach and getting stronger for you.

New CVEs you can now detect cover:

• CVE-2016-7406 (CVSSv3 9.8) - RCE in Dropbear SSH. A remote attacker can execute arbitrary code via format string specifiers in the username or hostname argument and fully compromise the server.

• CVE-2024-0692 (CVSSv3 8.8) - RCE in SolarWinds Security Event Manager. This vulnerability allows an attacker to abuse SolarWinds' service. 

• CVE-2024-6387 (CVSSv3 8.1) - RegreSShion - the critical OpenSSH vulnerability and its technical details are still relevant, so you may want to get up to speed if you haven't had a chance.

Other improvements to the Network Scanner include:

• Get informational findings when a version-based engine doesn't return anything on a port, so you are aware of it.

• Get end-of-life findings for products Wappalyzer detects.

• Scan logs are now available to easily keep track of all your active scans.

Find security vulnerabilities and misconfigurations in your Kubernetes clusters - from reconnaissance (e.g. Node/Master cluster components) to initial access vulnerabilities (e.g. exposed Kubelet API critical endpoints, etc.).

Light, deep, and custom scan settings let you control port ranges and even give you the option to emulate an authenticated adversary - if you have a service account token.

Curious to see how we report findings? See a sample below or log in and check it out for yourself! 

Use our most powerful offensive tool, Sniper Auto-Exploiter, to exploit the following 7 newly added critical CVEs:   

• CVE-2020-3250 (CVSSv3 9.8) - this REST API vulnerability in the Directory Traversal in Cisco UCS Director allows an unauthenticated remote attacker to get sensitive info.

• CVE-2020-3243 (CVSSv3 9.8) - exploit this RCE in Cisco UCS Director and prove how an unauthenticated remote attacker can bypass auth and execute arbitrary actions with admin privileges.

• CVE-2019-1935 (CVSSv3 9.8) - this RCE in Cisco UCS Director enables an unauthenticated remote attacker to use the SCP User account (scpuser) to log in to the CLI.

• CVE-2012-1823 (CVSSv3 9.8) - known as the PHP CGI Argument Injection, this RCE allows a remote attacker to fully compromise the server. 

• CVE-2024-4577 (CVSSv3 9.8)  - another critical argument injection flaw in PHP that can fully compromise the server. Yikes! 

• CVE-2020-2950 (CVSSv3 9.8) - prove how a remote attacker can fully compromise a server using this RCE in Oracle Business Intelligence. 

• CVE-2024-34102 (CVSSv3 9.8) - this XML External Entity Injection in Magento can result in arbitrary code execution and allow an unauthenticated remote attacker to compromise the server.

Our Website Vulnerability Scanner also has new improvements:

• We've added an active detector for HTTP2 in the HTTP request smuggling.  

• Get new findings when scanning and detecting the H2.TE (Transfer-Encoding) and H2.CL (Content-Length) vulnerabilities.

• File upload input detection now available in the passive scanner module. 

The latest updates to our Network Vulnerability Scanner now let you: 

• Detect CVE-2024-6387 (CVSSv3 8.1), aka RegreSSHion, the critical OpenSSH vulnerability that got a CVE assigned yesterday - and for which we integrated detection today so you can be truly ahead of attackers (technical write-up for context)

• Detect CVE-2023-48788 (CVSSv3 9.8), the SQL Injection in Fortinet FortiClient EMS, which a remote attacker can use to run SQL commands on the vulnerable target and fully compromise the database that the FortiClient EMS uses

• Get individual findings for publicly exposed services such as PostgreSQL, MongoDB, OracleDB, and Redis 

• Get an informational finding when a port redirects to another port, which leads to skipping the vulnerability checks for that target

• See the steps to replicate a finding in a dedicated section called “How to reproduce” to make it easier to browse through details

After this month’s updates, Sniper Auto-Exploiter, our most powerful offensive security tool, can gain unauthenticated RCE on the target and extract multiple artefacts as evidence for the following CVEs:

• CVE-2024-23108 (CVSSv3 9.8) - RCE in Fortinet FortiSIEM. This exploit helps you validate that a remote, unauthenticated attacker can leverage this vulnerability to fully compromise the server and steal confidential information, install ransomware, or pivot to the internal network.

• CVE-2024-24919 (CVSSv3 8.6) - Information Disclosure in Check Point CloudGuard Network Security. This Arbitrary File Read through a Path Traversal vulnerability can give an unauthenticated attacker remote access to any file on the target’s filesystem. 

• CVE-2020-29390 (CVSSv3 9.8) - RCE in Zeroshell. Incorrect handling of the User parameter, which doesn't correctly sanitize user-controlled input, causes this vulnerability. An attacker can use a special character to achieve RCE on the target, as the user that is running the webserver process.

If you’re relying on our Password Auditor to test for weak credentials, we’ve improved the experience of using it in four ways.

It’s now easier to understand why the brute force attack finished much earlier than you expected:

• We generate a screenshot when the Password Auditor finds weak credentials using Basic Authorization. 

• If a port redirects to another port, we skip the bruteforce on that port and you get an informational finding.

• We also generate a screenshot when the bruteforce attack exceeds current capabilities, including: account lockout detection, website access blocked during the bruteforce, CAPTCHA found, Login form could not be found, and Third Party Authentication or Two Step Authentication detected.

• And, finally, to reduce false positives, we've added new checks when the tool finds weak credentials.

Our well-loved Website Vulnerability Scanner also got updates, as it does every single month:

• SSTI code context - we've improved the capabilities of our Server Side Template Injection detector by adding payloads that work in code context.

• JWT phase 2 - And we've finished the second part of our JWT detector by adding payloads that work in code context. It can now detect: Weak HMAC Secrets and Algorithm Confusion issues.

Until now, our DOCX reports were very dependent on Microsoft Word. 

We spent a lot of time and effort to change this and we have good news: DOCX files are now compatible with Google Docs!

If you’re already using GDocs in your day to day work, you can work together with your team to speed up the review process. Plus, other editors can benefit from this update too.

Choose the findings you want to report to see this new option in action!

How do you zero in on the assets really worth your hacking energy and focus? 

The awesome NahamSec explains how he combs through hundreds of domains that branch into even more subdomains to find targets with the highest potential of having a bounty-worthy vulnerability (which he actually finds)!

Check out his latest video, which we had the pleasure of sponsoring:

We evaluated our Website Vulnerability Scanner with some of the most-known tools in Dynamic Web Application Security Testing, both commercial and open-source options: Burp Scanner, Acunetix, Qualys, Rapid7 InsightVM, and ZAP. Find out which was the most accurate scanner and which had the most false positives!

For a look behind the scenes, check out our blog article.

For all the data behind the results in the benchmark, download the white paper.

We tested the most used network vulnerability scanners: Nessus Professional, Nmap vulnerability scripts, Nuclei, OpenVAS, Qualys, and Rapid7 Nexpose, including our own Network Vulnerability Scanner.

Find out how these popular network vulnerability scanners perform in a benchmark so you can validate yourself.

We explained the testing methodology and benchmark results in this blog article.

To get all the details, download the white paper.

Our Network Scanner packs a big punch (which this benchmark confirms). The list of findings it can get you has just gotten stronger with:

• IP information - uncover the physical location, Autonomous System (AS) details, and associated company names of your network hostnames

• Wappalyzer integration - our Network Scanner now uses Wappalyzer to identify the underlying technologies of web apps, giving you richer insights for results coming from our version-based scanning engine (one of 4 engines this tool uses)

• More individual findings for publicly exposed services, including SSH (with exposed authentication), RPC, WinRM, FTP, POP3, and Telnet

• CVE-2024-24919 (CVSSv3 8.6) - can remote, unauthenticated attackers read the contents of any file on affected Check Point VPN servers, including password hashes for local accounts or SSH private keys?

• CVE-2022-31137 (CVSSv3 9.8) - can ransomware actors gain remote access to Roxy Wi, the server management GUI, using this vulnerability? 

• CVE-2024-27198 (CVSSv3 9.8) - can attackers use this critical CVE to get RCE on your JetBrains TeamCity server? 

These three custom exploitation modules our team added to Sniper will give you the answers - and proof! (The module for CVE-2024-24919 is coming in the next 48 hours).

Our Website Vulnerability Scanner now has: 

• Better spider results table - you now get a broader view of what the web spider did, including page title, page size, and status codes.

• More verbose vulnerability evidence - we've revamped some of the explanations around more complex detections so you get more details about the methods our scanner uses.

We did two things to make light scans with the URL Fuzzer finish much quicker:

• changed the default wordlist

• included the ability to automatically add links and words from the HTML page source to the wordlist.

Your scheduled scans now sit next to your finished scans (in separate tabs, don't worry). 

Moving scheduled scans from the Automation tab to Scans makes it easier to keep an eye on them and adjust them as your needs change. 

Powerful and easy on the eyes - that's exactly what customers expect our tools to be. It's why we're systematically updating the look and feel of our results page for our entire range of tools.

In the past month, our DNS Server Scanner, Drupal Scanner, and SharePoint Scanner got their visual refresh. They're ready for you when you are! 

We've introduced crucial detections for security issues that expand your attack surface:

• Publicly exposed VNC, MSSQL, and LDAP services - findings now flag if these services are publicly accessible on the Internet, so you can tighten your network's security posture

• CVE-2023-3824 (CVSSv3 9.8) - stack buffer overflow in PHP that leads to RCE

• CVE-2023-44487 (CVSSv3 7.5) - we enhanced detection accuracy for HTTP/2 Rapid Reset by checking if the target supports the HTTP/2 protocol and the HTTP/2 RST_STREAM directive

• Comprehensive DNS records - see a new finding when a target has DNS records available (A, AAAA, MX, NS, SOA, TXT, SPF, CAA, CNAME) and get deeper visibility into the target’s domain structure.

Sniper just got sharper with new exploits for two critical CVEs:

• CVE-2024-0204 (CVSSv3 9.8) - assess the business risk of the Authentication Bypass vulnerability in GoAnywhere MFT, which leads to RCE by uploading a webshell 

• CVE-2024-1212 (CVSSv3 10) - validate the threat of exploiting this Remote Code Execution vulnerability in Progress Kemp LoadMaster

Our Website Vulnerability Scanner now: 

• Detects flaws in JWT implementations by checking if web apps that use JWTs for authentication allow them to have a None or random signature, creating security risks

• Runs faster light web app scans that also come with detailed requests and responses for each finding 

• Provides extra information about spidered responses in evidence which now includes the status code, page title, and page size for each URL

• Extracts proof of exploitation for Linux OS command injection in the form of hostnames and usernames.

3 improvements you’ll notice as you log into your account:

• Single sign-on with Microsoft - jump straight into action using your existing Microsoft account

• View all assets across workspaces - easily search for, identify, and manage duplicate assets from all your workspaces at once.

• Unified notifications across integrations: you can now get the same notification through multiple services, in preparation for even more integration options we’ll launch in the future.

The Subdomain Finder now uses external APIs tests in light scans to return subdomains faster by accessing online databases. We also increased the list of external APIs so it extracts more subdomains for your targets.

Want to put a face to these updates? 

Our fresh new Teams page is a great way to see who’s behind this email and the entire Pentest-Tools.com toolkit.

We upgraded the reporting limit for Light scans by 10x! The Subdomain Finder now provides up to 1000 entries and includes unresolved results so older subdomains are available.

Thanks to our security research team, you can now detect:

• CVE-2024-23897 (CVSSv3 7.5) - Unauthenticated Arbitrary File Read in Jenkins

• CVE-2023-41056 (CVSSv3 8.1) - Remote Code Execution in Redis

• CVE-2023-5631 (CVSSv3 5.4) - Cross-Site Scripting in Roundcube

Speaking about Roundcube, a couple of months ago we published an analysis - and public exploit - for CVE-2021-44026, an SQL injection vulnerability in the open-source mail client.

The Network Scanner now also generates explicit findings for sensitive services that shouldn't be exposed on the internet (e.g. SMB, RDP, MySQL), which are easier to include in your reports.

The Scan with Tool button has a fresh look and a new location. It's now called New Scan and you’ll find it at the very top of the sidebar. We are working to make your scanning experience even better in the future!

This is something we promise you’ll always see in our new status page. 🤞The page includes statuses for our public website, the blog, the platform, the API, and more!

As some of our customers requested, we enhanced the evidence section of findings that the Nuclei engine generates. Now, you’ll receive more relevant details about how the engine produced a finding.

We streamlined the look and feel of the Scan results section, keeping it as valuable as ever. We’re rolling out more visual updates for all our tools in the coming months, so stay tuned!

See what happens when The XSS Rat combines his methods with our toolkit and features.

PS: Sniper Auto-Exploiter gets a lot of love - and for good reason! 

People Hunter identifies the people associated with the target, using publicly available information from web server responses. 

Details such as email addresses (and their patterns) and social media profiles help you identify potential targets for social engineering attacks.

We introduced a new view in the Team feature: Shared with me to help you identify who has shared which information with you. Additionally, the table view has returned, making visual comparisons easier.

Two new modules in the Website Vulnerability Scanner:

• Detection for misconfigured CSP Headers - identifies misconfigured content-security-policy headers on your website, enabling you to control resource loading and their allowed URLs.

• Enumerable Parameter Detector - explores possible enumerable parameters in your website. Some findings might reveal insecure direct object references after manual examination.

Until a few days ago, our product updates were a bit hidden from view, which made it harder for you to find out about them and actually use them. 

So we added two new sections to your dashboard:

• What’s new - that brings product updates (text and video) and fresh pentesting guides 

• Help - which makes it easier to dip into how-to’s, video tutorials, and FAQs

We noticed some of our customers needed an easier way to start scans from the (obviously named) Scans section, so we added it! 

The New scan button makes it easy to jump into action the moment you know where you want to dig deeper. 

Our Website Vulnerability Scanner gets stronger with each monthly update!

We’ve integrated the fingerprinting capabilities from Nuclei into our proprietary tool - and it’s just the kickoff!

Soon, we’ll start incorporating many more templates. Until then, the 40+ vulnerability checks our Website Scanner runs can surely keep you - and your team - focused and making progress. 

We’ve also integrated a bunch of new Nuclei category templates on top of the configured ones our Network Scanner is already using (CVE, CNVD, SSL, network, WAF, DNS).

New ones include: default-logins, exposed-panels, exposures, honeypot, IoT, miscellaneous, misconfiguration, takeovers, and vulnerabilities.

Want to refresh your knowledge of what our Network Vulnerability Scanner can do? We just updated its public page: 

Sniper can exploit a Remote Code Execution vulnerability found in Ivanti Connect Secure (CVE-2024-21887).

If you (and your team) use Microsoft Teams, set up this integration to get custom notifications for your scan results.

You can also configure different channels for specific notifications, making sure everyone gets alerts about findings that are relevant for them.

Network Scanner detects if CVE-2022-1471 (CVSSv3 10), a Remote Code Execution in SnakeYAML library - Atlassian Confluence, impacts your targets.

Network Scanner detects if CVE-2023-46805 (CVSSv3 8.2), an authentication Bypass in Ivanti Connect Secure, affects your targets.

And one more thing: we added a method to detect if the Website Scanner spider finds an OpenAPI file. When it does, you can dig deeper with the API Scanner in just one click, right from your finding.

By the way, we love to see customers truly make the most of our tools:

We had a tool to scan our websites and endpoints automatically; the reports were not so good, and each additional URL was charged additionally (this doesn't scale in a micro-services architecture).

Pentest-Tools.com solved all our problems; you can scan up to 1000 targets, the reports are so professional, and you can choose from dozens of different tools to analyze all aspects of an enterprise architecture.

We've also introduced a new Session Fixation Detector to help you identify session hijacking risks. Using the mitigation recommendations will help you prevent unauthorized access to user sessions and sensitive data.

Here’s a preview of what the finding looks like:

Sniper can exploit a Remote Code Execution vulnerability found in Apache ActiveMQ (CVE-2023-46604).

Sniper can exploit a Remote Code Execution vulnerability found in SysAid (CVE-2023-47246).

You can now check the status of your VPN Agents in the VPN Profiles section (under Settings). 

We update their status in real-time, which makes it easier for you to check if your Agents are still up and running before starting scans against your internal infrastructure.

We've implemented Input Reflected in DOM to enhance protection against XSS attacks, ensuring coverage of more vulnerabilities lying in the DOM. It is already implemented in the XSS detector so if you select the XSS detector you are covered.

Here’s what it’ll look like in your report: 

Service detection is now enabled by default in Light mode for Port Scanner.

We added the option to select automatic detection of the spidering approach that the target needs. Auto is the engine option used in the deep scans too.

We've combined TCP Port Scanner and UDP Port scanner into a single tool called Port Scanner. A protocol parameter was added to the scan config to choose between TCP and UDP.

We've changed our URL Fuzzer to support 3 running modes (light, deep, and custom) that allow you to scan targets with a predefined configuration.

All OpenVAS NVTs that can be detected with Network Scanner are now displayed on our Vulnerability & Exploit database, along with Sniper & Nuclei detections

Sniper can exploit an authenticated RCE vulnerability found in Cisco IOS XE (CVE-2023-20273), based on an Authentication Bypass vulnerability (CVE-2023-20198).

We tweaked the spider results table from the Website Scanner so you can focus more on the things that matter the most: the url, the method, the query and body parameters. So, we removed the listing of headers and cookies and made the table more dynamic.

We've added the confirmed tag for findings generated by Sniper & Nuclei scanning engines.

Sniper can exploit another RCE vulnerability found in F5 BIG-IP (CVE-2023-46747).

Website Scanner: Fixed a bug in our logout detection mechanism that caused the Spider to sign us out of the session while crawling.

We came up with a way to show output from WPScan in real-time. This means you are not stuck with a scan running for 4 hours and get the findings as soon as we detect them.

We've just launched our Free license. Use our light tools to do quick assessments, export simple reports with up to 2 parallel scans.

Subdomain Finder: We improved our logic for parsing DNS responses. This previously resulted in incorrectly marking domain names as unresolved.

We fixed a bug in the Network Scanner that caused some aborted scans when all the open ports were tcpwrapped, although our scanning engines don't scan for this service.

We created an automatic CVE filtering mechanism for duplicated CVEs. For example, if the Sniper or the Nuclei engines find a CVE, only the Sniper finding will be displayed in the report. We'll show them based on prioritization (Sniper > Nuclei > OpenVAS).

All network tools will display only the open ports found (we remove the filtered and closed ones from the results).

Network Scanner detects if CVE-2023-44487 (DOS in HTTP/2 - Rapid Reset) affects your targets.

DNS Zone Transfer is now called DNS Server Scanner and it generates findings for DNS Zone Transfer Information Disclosure vulnerability (AXFR).

Sniper can exploit a File Read vulnerability found in SonicWall (CVE-2023-0126).

Sniper can exploit an Information Disclosure vulnerability found in Citrix (CVE-2023-4966 - Citrix Bleed).

Website Scanner: Fixed another bug in the logic driving the headless browser that crashed the page and prevented us from detecting new crawling targets.

Sniper can exploit an Authentication Bypass vulnerability found in Cisco IOS XE (CVE-2023-20198).

Sniper can exploit another RCE vulnerability found in Apache Cassandra (CVE-2021-44521).

Sniper can exploit an Authentication Bypass vulnerability in Atlassian Confluence (CVE-2023-22515).

Sniper can exploit a RCE vulnerability in Apache Kafka (CVE-2023-25194)

Sniper can exploit a RCE vulnerability found in JetBrains TeamCity (CVE-2023-42793).

Our REST API is now available. The old API is now legacy, but we’ll retire on December 31, 2023. The new API keeps all the existing features but adds new ones such as: a proper RESTful interface, cleaner JSON responses, the option to choose your redirect level for fewer connection errors, select the format for your callbacks (no more PDFs!), multiple API keys (with expiration dates for each of them), and more!

We've added multiple scan techniques (SYN, Connect(), ACK, Window, FIN, Xmas, etc.) to our TCP Port Scanner so you have multiple options to scan networks and find available hosts and their services.

We've added the basic authentication option when using the WordPress Scanner. Choose a custom scan type, enable Authentication, and fill in the credentials.

Website Scanner now gives you a complete list of the URLs it spidered, including all the duplicates. Rest assured knowing the scanner thoroughly inspected all paths. You can see them by clicking the details of the Spidered URLs finding and checking the references.

Network Scanner detects if CVE-2023-29357 (Authentication Bypass in Microsoft Sharepoint) affects your targets.

Network Scanner detects if CVE-2023-42115 (RCE in Exim) affects your targets.

Sniper can exploit a RCE vulnerability discovered in Juniper (CVE-2023-36845).

You can now find the URL Fuzzer in the Reconnaissance category.

The API Scanner now performs scans on GraphQL instances. Use it to check for Denial of Service attacks (circular reference, field duplication, alias overloading) or Information disclosure vulnerabilities (field suggestion, introspective enabled, console enabled).

My account section is now completely redesigned and easier to use than ever. We divided all the existing settings into specific categories so you can find what you are looking for in a matter of seconds.We've also added two new features: the option to add a profile picture and to see your login history. We'll include more updates soon, so stay tuned.

We've changed our SSL/TLS Scanner to support 3 running modes (light, full, and custom) that allow you to scan targets with a predefined configuration.

Network Scanner can now detect if CVE-2022-27510 (Authentication Bypass in Citrix ADC & Gateway) affects your targets.

Sniper can exploit a RCE vulnerability discovered in VMware Aria Operations for Networks (CVE-2023-34039).