Ty Myrddin Home

Pentesting


The difference between scanning and pentesting

A vulnerability assessment focuses on scanning hosts for vulnerabilities as individual entities. A penetration test might start by scanning for vulnerabilities, just like a regular vulnerability assessment, but pentesting goes further: it shows how an attacker can chain those vulnerabilities to achieve specific goals.

During a pentest the focus remains on identifying vulnerabilities and establishing measures to protect the network, but the network is also treated as a whole ecosystem, with attention to how an attacker could profit from the interactions between its components.

What needs testing?

Web application penetration tests focus on vulnerabilities in web application components, including frameworks, server software, APIs, forms, and anywhere else user input is accepted.

A mobile penetration test focuses on how a mobile application accepts user input, how securely that data is stored on the device, how securely it is transmitted across the internet, and which web service vulnerabilities may be present in the backend API.

External infrastructure tests check for open ports on all externally facing address ranges, attempt to fingerprint and exploit the services discovered, try to bypass authentication mechanisms, and brute-force VPN gateways.

Internal infrastructure penetration tests attempt to obtain full system administrator privileges from within the internal network by checking for vulnerable services and software and using exploits to gain access. Network traffic is sniffed, and ARP poisoning is attempted in order to capture credentials and other sensitive traffic in transit.

Wireless penetration tests attempt to crack WEP and WPA encryption and carry out other attacks such as man-in-the-middle (MitM) and tricking wireless clients into connecting to a dummy access point.

Endpoint/kiosk PC penetration tests try to break out of a PC or other locked-down device to gain elevated privileges or access to sensitive data.

Bureaucracy required

Pentesters can be contractors or internal employees who regularly test the network with insider knowledge. Traditional pentests often bring a small number of testers on site for two weeks once a year. Some compliance testing requires the use of external testers. Pentesters must respect the legal contracts they have signed with clients and must work within the scope defined in the contract. These are the laws of the forest.