Would Pentesters use vulnerability scanners like Nessus?

walterbyrdwalterbyrd Member Posts: 39 ■■■□□□□□□□
The CSA exam had a lot of questions about such vulnerability scanners, and that made sense. But should such questions be on the Pentest+ exam?


  • E Double UE Double U Member Posts: 1,790 ■■■■■■■■■□
    edited April 8
    Not strange for a pentester to scan for vulnerabilities that can be exploited.
    Alphabet soup: CISSP, CCSP, CISM, CISA, GDSA, GPEN, GCIA, GCIH, GCCC, CEH, Azure Fundamentals, Azure Security Engineer Associate, ITIL 4 Foundation, and more.

    2020 goals: AZ-900, AZ-500, GDSA, ITILv4

    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson
  • beadsbeads Senior Member Member Posts: 1,511 ■■■■■■■■■□
    Nessus gives you a good baseline because its relatively up to date, even a week off for the community edition. So, its a decent product in the field. Well known and accessible by most everyone.

    Today with containers, cloud based everything the old Nessus isn't going to cut it but working hard to catch up to Twistlock and other scanners. To be frank, there are so many now that I forget them all. Do we use vulnerability scans in large enterprise? Sure along with intelligence feeds and all the other goodies though intel feeds vary in quality on a daily basis always best to check with more than one tool.

    - b/eads
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 11,948 Admin
    I would use Nessus to find old vulns in systems that have proven public exploits. New vuls can require too much tinkering to get results--if there are any results to be had. I don't have the patience for anything other than "instant respawn" games of any type, especially pentests.
  • p0sitron_col1drp0sitron_col1dr Junior Member Member Posts: 18 ■■■□□□□□□□
    edited April 23
    I'll echo anyone who states pentesters use vulnerability scanners like Nessus. It can be considered an activity ran in parallel. Specifically, when I receive finding reports from external pentesters, I often receive exported Nessus scan data labeled as complementary documents apart from the primary deliverables of the engagement. I use the information to supplement vulnerability management from an internal perspective and compare it to the current baseline, as well as a comparison to our recent internal scans. I've personally used Nessus and/or OpenVAS to scan targets and adjust the scanner aggressiveness depending on the sensitivity of the host. Again, this is something that I perform in parallel to other tasks or have used as an additional method of validating either the existence of a vulnerability or remediation of a known vulnerability. Some of the pentesters I've contracted prefer to be somewhat "loud" when testing, which can indicate how well our detection and response capabilities are. That aspect can make it into the report, as well.
  • walterbyrdwalterbyrd Member Posts: 39 ■■■□□□□□□□
    Thanks for all the responses. I thought of vulnerability scanners are being the sort of the thing that would be permanently installed, and used in-house, to routinely check that everything is up-to-date and patched. I figured they might not be stealthy, or fast, enough for pentesters. I thought pentesters would  tools more like metaploit.
  • tedjamestedjames Scruffy-looking nerfherdr Member Posts: 1,174 ■■■■■■■■□□
    You should use several tools, depending on the scope of the engagement. We use Tenable (Nessus) to run periodic scans of our network and website/apps. But we also use them to scan specific components for further testing. If I'm testing a web app, I'll scan it with Tenable and ZAP and then attack the vulnerabilities they find using other tools and manually.
  • yoba222yoba222 Senior Member Member Posts: 1,207 ■■■■■■■■□□
    They're not stealthy, but they're fast. Being stealthy takes much longer and often the client isn't willing to spend 3X the money to pay for a stealthy 6-week engagement. The same stuff will be found in a non-stealthy 2-week engagement, where the testers use vulnerability scanners to do the heavy lifting and come from whitelisted IP addresses.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
Sign In or Register to comment.