Track Hosts & Services
During a CTF or Pentest Lab

Join for Free!


Import Nmap scans and quickly gain situational awareness during active engagements.


Global Service Notes and Custom Command Templates help you find vulnerabilities fast.


Capture screen shots and code snippets as you gain administrative privileges.

PenTest Workshop News

Penetration Testing Workshop News & Announcements

Multi-File Import – Version 1.8.3 Released

On September 13, 2020

Multiple files, masscan, bookmarks, print… lets dig into what’s new in version 1.8.3

Multi-File Import

Multi-File Import

Importing several XML files just got a lot easier! You can now load multiple XML files at once, either through the file browser or simply drag-and-drop. Data from each host always gets placed where it belongs. The filename, file type and contents are displayed for each file. Delete as needed, or click the “Import XML” button to run your import. v1.8.2 brought us the Import Log which has been updated to support multiple files.

Masscan Support

Import now supports Masscan XML files. The Import routine also supports a mixture of Nmap files and Masscan files in the same batch. Have a large IP space to scan? Run a fast Masscan first and follow up discovered hosts with a detailed Nmap scan.

Bookmark Library

Bookmark Library

Store your security related bookmarks all in one place with the new Bookmark Library. Add notes and assign keywords for easy retrieval later using filters, sort and search. You can also store local PenTest.WS links. Bookmark where you left an engagement Friday night and easily pick back up Monday morning.

Print Engagements, Hosts & Ports

v1.8.3 adds a Print functionality to the online Free and Hobby Tiers. Its an easy way to view all you data on a single page. Look for the printer icon in the upper right corner of the Console, Host and Port pages.

Misc Improvements & Bug Fixes

Double Paste Bug – A long time coming, but the double paste bug in the Notes fields has been fixed!

Venom Builder – Additional Parameters – The Venom Builder tool now has a free-type field called Additional Parameters.

Hash Type for Credentials – Credentials now include a Hash Type field, used later to identify what hashcat mode you might need.

Maximize Notes Fields – got lots of notes? Now there is a Maximize button on all Notes fields.

What’s Next?

We have version 2.0 in our sights, which brings an incredible number of new features and capabilities. But more on that as we get closer.

The next major release of PenTest.WS, version 1.9.0, has a completely rewritten save mechanism. Beyond bringing more reliability to the platform, the aim is to provide more transparency into the state of your data. As fields are updated and auto-save timers are set, clear indications of this process will be visible in the user interface.

Many of the improvements in v1.8.3 came directly from user requests. Head over to the Support Forums and submit a Feature Request with your ideas!

Thanks for reading!
PenTest.WS Development Team

IP » Target – v1.8.2 Release

On April 6, 2020

Version 1.8.2 includes several new features and improvements, with maybe the most important being the long awaited IP»Target mod announced last November. Lets step through the major changes in this release…

IP » Target

It is now possible to enter a fully qualified domain name (FQDN) as the Host’s primary identifier. In this example, we’ve shown the possibility for “” and “” as separate hosts. Of course you can still use an IP address to identify a host.

The Import routines have been updated to capture domain names when they have been used to scan a target. For example:

nmap -sC -sV -oA tcp -vv

will now create/update records for the “” host. The Service Command Library automatically uses the Host’s domain name when used as the host identifier:

We’re hoping this change will greatly benefit our pentest community, as well as be a big boost for our bug bounty hunters! Each sub-domain in the program’s scope could have its own Host record, with separate port lists, notes and findings.

Capturing Port State

The Import routines have also been updated to capture Port State. This information is included in Nmap’s XML output, and the possible values are Open, Closed, Filtered, Unfiltered, Open|Filtered, or Closed|Filtered.

Port State is displayed in two places. First, on the left side of the screen in the Host List Panel shown in the screenshot at the top of this article. Second, on the Port page, shown in the screenshot above.

As this is a new feature, previously captured ports will need to have their value set manually, or you can re-import the associated Nmap XML file.

Lastly, it should be noted Port State is separate from Port Status, which is a self assigned note to track which ports have been reviewed or may be vulnerable.

Engagement Archives

Got old engagements cluttering up your Mission Control? Click the new Archive button in the top right corner of each Engagement card and it will drop down into the Archived Engagements section. Don’t worry if this section is not visible, it will appear once you archive your first engagement. Click any of the archived engagements to reinstate it to active mode.

And So Much More…

CVE Database –
The Common Vulnerabilities and Exposures (CVE) database is now searchable directly in PTWS ( This functions similar to the Exploit-DB feature with full keyword search capabilities.

Engagement Wide Credentials –
On the Engagement Console tab, there is a new Engagement Credentials section which shows credentials from all Hosts within that Engagement.

Export as CSV –
Now you can export Engagements and Hosts as CSV files, in addition to JSON files. Use the Export button in the top right of their respective pages.

Hobby Tier, Yearly Payment Option –
You can now pay a full year of Hobby Tier access through the Membership page. Simply change your plan to yearly, and on your next renewal date you will be changed a single yearly price (currently $39.80)

Be sure to head over to the Feature Request page on the PTWS Support site to submit your ideas for the next version.

Thanks for reading!
PenTest.WS Development Team

General Command Library – Version 1.8.0 Release

On November 14, 2019

Today we are announcing the release of PenTest.WS Version 1.8.0 and with it comes the General Command Library!

General Command Library

The General Command Library (GCL) is a place to store all your frequently used, and not so frequently used, general system commands. Much like how the Service Command Library works for services, the GCL works for:

  • System enumeration
  • Privilege escalation
  • Shell escapes
  • File transfer shortcuts
  • Powershell download cradles
  • Pivot tunnels
  • … and anything else!!

Each command can be organized by Operating System, Category, and Sub-Category values. These filters are user-created and self-populated as more and more commands are entered into your GCL system. Additionally, you can quickly search for keywords such as “wmic” or “iex” if you’re looking for a specific functionality.

Filters are sticky, so you can navigate away from the GCL screen and when you return later, you’re dropped right back into the list of commands you were previously viewing.

Availability: the General Command Library has been pushed to all platforms and is ready for immediate use.
– Free Tier: currently limited to five commands
– Hobby & Pro Tier: unlimited command capacity
– Pro Tier: run your Software Update from the Admin Panel

Service Command Library – Free Tier Availability Update

The Service Command Library (SCL) is now accessible on the Free Tier. The SCL is one of the most popular features of the PenTest.WS platform and its usefulness has proven to be an incredible time saver.

SCL on the Free Tier includes up to two commands per service.

New Template List Format

All template list pages have been updated to a more compact table format. This allows more commands per screen real estate.

New Template List Format

Misc Improvements & Bug Fixes

SCL Notes: requested on the Support Forums, SCL records now include a Notes field. These notes will appear on the Port page alongside the service command entry.

Note Pages Clobber Bug: in certain circumstances, it was possible for Note Pages to overwrite the wrong Note Page. However, the content could be recovered through the History functionality. This bug has been fixed.

Note Page Rename Bug: tab renaming functionality has been restored. Double click on a Note Page tab to rename each tab.

Coming soon… IP » Target

An exciting change is coming to the PTWS system. Currently, Hosts are tracked by IP Address. After the IP->Target mod included in the next release, it will be possible to enter a fully qualified domain name (FQDN) as the Host’s primary identifier.

All tools will be updated to support a Target in addition to an IP Address. Import an Nmap XML scan based on a FQDN? No problem. Need to launch a dirsearch command against a FQDN? Sure!

This change will be a big boost for all the Bug Bounty Hunters in our community. Each sub-domain in the program’s scope could have its own Host record, with separate port lists, notes and findings.

We’re always looking for ways to improve the PenTest.WS platform. Head on over to the Support Forums and submit a Feature Request.

Thanks for reading!
PenTest.WS Development Team