Would Pentesters use vulnerability scanners like Nessus?

walterbyrd

The CSA exam had a lot of questions about such vulnerability scanners, and that made sense. But should such questions be on the Pentest+ exam?

E Double U

Not strange for a pentester to scan for vulnerabilities that can be exploited.

beads

Nessus gives you a good baseline because its relatively up to date, even a week off for the community edition. So, its a decent product in the field. Well known and accessible by most everyone.

Today with containers, cloud based everything the old Nessus isn't going to cut it but working hard to catch up to Twistlock and other scanners. To be frank, there are so many now that I forget them all. Do we use vulnerability scans in large enterprise? Sure along with intelligence feeds and all the other goodies though intel feeds vary in quality on a daily basis always best to check with more than one tool.

- b/eads

JDMurray

I would use Nessus to find old vulns in systems that have proven public exploits. New vuls can require too much tinkering to get results--if there are any results to be had. I don't have the patience for anything other than "instant respawn" games of any type, especially pentests.

p0sitron_col1dr

I'll echo anyone who states pentesters use vulnerability scanners like Nessus. It can be considered an activity ran in parallel. Specifically, when I receive finding reports from external pentesters, I often receive exported Nessus scan data labeled as complementary documents apart from the primary deliverables of the engagement. I use the information to supplement vulnerability management from an internal perspective and compare it to the current baseline, as well as a comparison to our recent internal scans. I've personally used Nessus and/or OpenVAS to scan targets and adjust the scanner aggressiveness depending on the sensitivity of the host. Again, this is something that I perform in parallel to other tasks or have used as an additional method of validating either the existence of a vulnerability or remediation of a known vulnerability. Some of the pentesters I've contracted prefer to be somewhat "loud" when testing, which can indicate how well our detection and response capabilities are. That aspect can make it into the report, as well.

walterbyrd

Thanks for all the responses. I thought of vulnerability scanners are being the sort of the thing that would be permanently installed, and used in-house, to routinely check that everything is up-to-date and patched. I figured they might not be stealthy, or fast, enough for pentesters. I thought pentesters would  tools more like metaploit.

tedjames

You should use several tools, depending on the scope of the engagement. We use Tenable (Nessus) to run periodic scans of our network and website/apps. But we also use them to scan specific components for further testing. If I'm testing a web app, I'll scan it with Tenable and ZAP and then attack the vulnerabilities they find using other tools and manually.

yoba222

They're not stealthy, but they're fast. Being stealthy takes much longer and often the client isn't willing to spend 3X the money to pay for a stealthy 6-week engagement. The same stuff will be found in a non-stealthy 2-week engagement, where the testers use vulnerability scanners to do the heavy lifting and come from whitelisted IP addresses.

FluffyBunny

walterbyrd said:

I thought of vulnerability scanners are being the sort of the thing that would be permanently installed, and used in-house, to routinely check that everything is up-to-date and patched.

Well yes, but no. 

This stuff can be expensive and many clients won't actually have the budget or manpower to run a full vulnerability management programme.

JDMurray

Large organizations that describe themselves as an "Enterprise," such as in the Fortune 100, will have a dedicated vulnerability management team.