Notification for ports that shouldn’t be open
You can get a scan notification if the open ports found are other than the ones you defined.
Tag: CVE
February 2021
Custom payload in URL Fuzzer
Now you can specify a custom location in URL Fuzzer for the payload using the FUZZ marker in the URL or in query strings.
Custom headers in URL Fuzzer
The URL Fuzzer now allows you to specify custom headers to be sent with each request.
2FA for Pro Advanced
The two-factor authentication is now also available to all the Pro Advanced users (besides Enterprise).
Custom e-mail subject
Now you can further customize the subject of the mail by changing the placeholders.
E-mail subject changed
The subject of the e-mail generated by a scan will contain the name of the tool, the target and the workspace.
E-mail address changed
All scan results will be sent from the following email address: reports-noreply@pentest-tools.com
Deprecated Citrix and BigIP scanners
The vulnerability scanners for Citrix CVE-2019-19781 and BIG-IP CVE-2020-5902 have been deprecated.
January 2021
Robots improvements
Multiple stability issues have been fixed.
Robots through VPN
Pentest Robots can now be used to scan the internal networks through VPN.
December 2020
Robots
We’ve launched the Pentest Robots – a new automation method to create custom scanning flows. This helps you greatly reduce the manual work during a pentest.
November 2020
Screenshots added to Website Scanner
The Website Scanner now takes the screenshot of the target website. You can find it in the output of “Server software and technologies” test.
Scan Groups
A Scan Group is automatically generated when starting/scheduling multiple scans at once and allows for easier management of those related scans.
Screenshots in Attack Surface
The screenshots of target websites generated by Website Recon are automatically embedded into the Attack Surface view.
October 2020
Recorded login for Website Scanner
We have added a new authentication method to the Website Scanner which allows you to record and replay the login steps so you can perform authenticated scans easier.
Custom wordlists for Password Auditor
The Password Auditor now supports custom wordlists for usernames and passwords.
Automatically ignore dead targets
When adding/importing new targets, now you can automatically exclude the ones which are not alive. Very useful when adding IP ranges.
Custom wordlists for URL Fuzzer
Now you can create your own custom wordlists and use them with URL Fuzzer (and soon with other tools also).
Deprecated GhostCat and SMBGhost tools
The individual scanners for GhostCat and SMBGhost have been deprecated as they have been included into the full OpenVAS scanner.
Configure scan authentication from Targets page
Authentication options can now be configured from the Targets page for the Website Scanner.
Scheduler page updates
The scheduled scans are now being displayed by workspace. This can be configured from View Settings.
September 2020
Configure scan notifications from Targets page
Now you can configure scan notifications directly from the Targets page, when you choose ‘Scan with Tool’. These allow you to receive emails when certain events occur.
Session timeout increased
We have increased the timeout of your Pentest-Tools.com session to 2 hours, following multiple requests from our customers.
Target description included in reports
The custom description of your targets is now automatically included in your scan reports.
August 2020
Automatically mark False Positives for future scans
When you mark a vulnerability as False Positive for a target, it will be automatically marked as False Positive for every future scan result for this target.
Pentest Report (docx) improvements
The Pentest Report (docx format) now has an appendix section containing the list of tools used during the test. Furthermore, we have added Low risk findings to the executive summary when no High/Medium issues are found.
More options for generating single-scan reports
When generating reports from tool results (individual scans), now you have more options to specify what to exclude from the reports: Ignored or Fixed findings, tool configuration details.
July 2020
VPN Agent in VirtualBox format
Now the VPN Agent can be downloaded also in VirtualBox format (besides VmWare and Hyper-V).
New API methods and updates
We have added new API methods for target management: add_target, update_target_description, start_scan_by_targetid. Furthermore, we have updated the get_scans method to return more granular results based on workspace_id and target_id.
Scanner for BIG-IP CVE-2020-5902
We have added a new tool to detect the critical Remote Code Execution vulnerability in BIG-IP devices (CVE-2020-5902).
Aggregated scan results
Multiple scan results can now be aggregated and exported into a single report. You can select which scan results to include in the report, both Vulnerability and Discovery scans.
Scan notifications
Now you can configure email notifications when your scan matches certain conditions (is Finished, found High Risk, discovered some open port, etc). These notification filters also apply to Scheduled scans.
Deduplicate findings
We have added the option to automatically group similar findings (obtained by multiple scans against the same target) in order to have a cleaner Findings view and to be easier to manage.
June 2020
Two-Factor Authentication
Now you can increase the security of your account with Two-Factor Authentication (2FA). Use your mobile device with any authenticator app to login with the second factor.
VPN Agent for Hyper-V
Besides VmWare, now you can also download the VPN Agent in Hyper-V format, for using it with the Microsoft virtualization solution.
May 2020
Unique identifiers for vulnerabilities
Each finding/vulnerability produced by a scanner now has a unique identifier (ID). This can be used to easily compare scan results programmatically (exported as JSON or via API). These identifiers (vuln_id) look like WEBSCAN-00-0000012 or NETSCAN-01-0002349.
[Bugfix] Correctly set the CVSS and CVE
We have fixed a bug in the finding “Vulnerabilities found for server-side software” in order to set the CVSS score as the maximum of all vulnerabilities mentioned in the table (instead of ‘-1’). Furthermore, the CVE field is now populated with a comma-separated list of all CVEs from this finding (instead of ‘None’).
Import targets with descriptions
Now you can import targets from a file together with their descriptions. The target name and description must be comma separated, like: “www.example.com, Production web server”
VPN Agent for internal network scans
We have added a new method to connect to the internal network in order to make internal scanning much easier. You just need to download the VPN Agent virtual machine and run it inside the internal network. It initiates a VPN tunnel automatically from our scanning servers to your network.
Upgrade/downgrade subscription
Paying users can upgrade or downgrade their current plan directly from Pentest-Tools.com (without interacting with FastSpring). Just pick the new plan and it will be modified instantly.
April 2020
Announcing the Support Center
We have launched a dedicated support section on our website with multiple articles, product guides and answers to common questions.
Added ‘Getting Started’ page
We have added the Getting started page, which is an introduction to the platform to help customers get familiar with the platform.
New filters for Findings page
Users have a new filtering method to display only the relevant findings in the Findings page. They now have the option to exclude False Positives, Informational or Ignored findings, such that the Findings view is cleaner and easier to manage.
Custom logo in docx report (whitelabel)
This is a bug fix that now allows custom logos to appear in the header of a Docx report generated from the Findings page.
New filters for Attack Surface page
We have added advanced filters for the Attack Surface functionality in order to easily search for interesting ports, services or technologies.
View invoices in MyAccount
Now you can download your invoices directly from the MyAccount page, without accessing the FastSpring payment provider.
Launching the Attack Surface view (beta)
The attack surface view aggregates hosts, ports, services and technologies from all the targets in the current workspace in order to show a summary view of the possible attack entry points.
Updates to web scanner authentication module
We have rewritten the authentication module that performs automatic login with username and password. We have added support for Single Page Applications and improved the authentication logic.
Major updates to Findings editor
We have added a WYSIWYG editor to add rich-text elements when creating a Manual Finding, such as images, tables, hyperlinks, code, bold, italic, underline, etc. All these elements are being properly translated to the .docx format, when you want to generate an editable pentest report.
Edit findings produced by tools
Users can edit all the details of a finding produced by a tool/scanner by cloning it into a new manual finding. This new finding can be manually adjusted as needed (change name, description, risk level, etc).
March 2020
Export scan results as JSON
Users can export scan results of any tool in JSON format. This allows easier data parsing and integration with external tools.
Announcing COVID-19 services
We are offering limited free penetration testing services for organizations fighting the COVID-19 outbreak to better secure their websites.
Send tickets to Jira
Users can generate Jira issues directly from our Findings page and automatically send them as tickets to prioritize important tasks.
New tool: SSL/TLS Scanner
We have added a new tool for detecting vulnerabilities in SSL/TLS servers, which deprecates the existing tools (Heartbleed, ROBOT, POODLE, DROWN scanners). Those deprecated tools have been disabled.
New tool: SMBGhost Scanner
We added a new, dedicated scanner to detect the SMBGhost RCE vulnerability (CVE-2020-0796) in Windows 10, SMBv3.
New tool: Ghostcat Scanner
We have added a new scanner to detect the Ghostcat vulnerability (CVE-2020-1938) that affects Apache Tomcat servers.
February 2020
API support for port scanning tools
Now the TCP Port Scan and UDP Port Scan tools can be accessed programmatically through the API.
New API calls and updates
We have added a new API call – get_workspaces – which returns the list of workspaces of the current user. Furthermore, the start_scan function can be configured to start a scan in a specified workspace.
January 2020
New tool: Citrix vulnerability scanner
We have added a new, dedicated scanner on Pentest-Tools.com to detect the Citrix RCE vulnerability CVE-2019-19781.
Delete multiple scheduled scans
Users can now delete multiple scheduled scans at the same time. The new improvement simplifies the workflow for those who use the Scheduler feature.