Why isn’t a vulnerability scan part of a penetration test? A scan looks for vulnerabilities the way hackers do – but hackers are MUCH better at it. Scans look for what they are programmed to look for – hackers look for holes.
Penetration testing certainly involves scanning, but most professional pentesters don’t waste time with scanners. They’re nice to have if you have a lot of money and only a little time to check your security. But the guy who gets in doesn’t usually have one in his kit. Scanning software tends to be huge (think database on the backend) and cumbersome.
Don’t get me wrong; there are some terrific pieces of software out there that can and should be used on a regular basis. They can catch the misconfigured server and identify the “low hanging fruit” that needs to be cleaned up. They are a part of a security audit, and VERY handy to have. I’d like to have a few in MY toolkit.
Do I use them for pentesting? No.
The first two or three steps in a penetration test have nothing to do with scanning the network for vulnerabilities, and often are far more effective than a scan will ever be. The nice man who lets me in the door does far more for me than a scan….why do a whole bunch of scanning when I can access the server physically? Ten minutes (or less) with your server and it’s MINE.
Of course, because I’m an auditor, and the First Rule is usually: “Don’t break anything,” I settle for leaving my business card on the back of the chassis or a little file in the root directory. But a thumb drive with some fun software can capture the SAM database pretty quickly and erase traces of itself pretty fast.
So don’t let anyone call a scan a pentest – it just means they don’t know their business.