Combining Penetration Testing with Active and Passive Vulnerability Scanning

While similar, a penetration test and a vulnerability assessment are not the same thing. Used together however, especially if you are doing both active and passive vulnerability scanning, they can be extremely complementary.

Vulnerability assessments and penetration tests are similar because they both look for holes or vulnerabilities

Vulnerability assessments and penetration tests are similar because they both look for holes or vulnerabilities. In a vulnerability assessment, the process is to identify, quantify and prioritize the vulnerabilities in a system. A vulnerability assessment is often highly automated and in many organizations, will identify hundreds if not thousands of vulnerabilities. A penetration test, sometimes called a pentest, is an attack that exploits a vulnerability so that a tester (pentester) can gain access to systems and data. Pentesters use tools to assist in attacks; modern tools like the Social Engineering Tool Kit and Pen Testers Framework make pentesting much easier today. But even with tools, a pentester’s manual skill and creativity are just as important to successfully find an exploitable system, map the network, gain access to other systems, and test defenses.

Focus penetration testing with active scanning

Active scanning for vulnerabilities can complement the penetration test. For example, if a pentester is looking for an exploitable hole in a website, the tester could use a web application scanner to identify where web applications are vulnerable to cross-site scripting or SQL injection and then explore those areas more using a penetration testing tool or manual methods.

Even more important, from a time and resources perspective, you can use the scan results to identify areas to ignore in a pentest. For example, if scan results show Adobe Flash as vulnerable but you can easily mitigate the vulnerability by applying a patch, apply the patch instead of using pentest resources to explore it more.

The goal for active scanning should be to focus the penetration testing efforts; not expand them

The goal for active scanning should be to focus the penetration testing efforts; not expand them. If you’re using penetration testing to double check everything your active scanning solution is finding because you’re not confident in the results, you’re just adding more work.

Vulnerability scanning is necessary for hardening systems to ensure information security. And it’s also a useful way to focus penetration testing. At Tenable, our Nessus scan results can be integrated with popular penetration testing tools, including Core IMPACT, Immunity CANVAS and Rapid7's Metasploit, making it easy to start penetration testing from a solid foundation.

Find the unknowns with passive scanning

While active scanning can help you focus penetration testing efforts, passive scanning can help you identify those unknown assets and applications that may exist on your network but aren’t managed. Passive scanning, using a tool such as Tenable’s Passive Vulnerability Scanner (PVS), continuously monitors network traffic in real time and automatically discovers users, infrastructure and vulnerabilities. For example, by identifying communication taking place on non-standard ports and/or identifying unknown web applications hosted behind the firewall, PVS can guide pentesters to apply testing to areas they might have otherwise overlooked.

Preceding a penetration test with passive scanning can make life extremely easy for the pentester. Unmanaged assets with vulnerabilities and/or with settings that aren’t consistent with policy are great targets to exploit.

As a bonus, Tenable’s Passive Vulnerability Scanner can detect the use of penetration testing software like Metasploit. If someone is using a penetration testing tool to poke around your network without authorization, it’s a good thing to know about.

Both penetration testing and vulnerability assessments (active and passive) are useful and necessary for protecting your network

Both penetration testing and vulnerability assessments (active and passive) are useful and necessary for protecting your network. At Tenable, we recommend you use them together for best results.