Can I just ask from a non-tech perspective (please bare this in mind with your responses), when you do network pen testing or vulnerability scanning services for your clients, perhaps simulating an “internal employee” angle, how do you get your set of vulnerability scanning and exploitation tools into your clients network – i.e. if there network admin says something along the lines of…

“you can’t install any vulnerability scanning tools on any of my servers, and you can’t attach your own vulnerability scanning laptop to our network to use that, plus all our devices use full disc encryption so you can’t use boot discs, and you won’t have administrator rights on any corporate device we give you to install whatever you chose”

- where do you store and run your tools from? Are network admins typically like this? Can your tools be run as “portable apps” from a USB device? But then I guess there may also be USB policies restricting those. I don’t even know which tools are current, but I have always wondered how you get your armoury in a position to scan the network if the admin has demanded compliance and restraints.

Second part of the question - If there are ways to run vulnerability scanning tools direct from USB, can you recommend any free ones that will run from USB and produce a management freidnly vulnerability report on say a windows file server, so OS vulns, 3rd party software vulns, server software vulns etc. I am not bothered about exploit just a top level scan with potential issues.

Apologies for the basic level of the question but it is something that has always interested me. I guess from a network admin perspective their priority is keeping services online and at optimum performance, and not facilitating a platform for an ethical hacker. Please keep your answers pretty basic if at all possible and thanks in advance for any responses.

Cheers

Many thanks for your response. What is your view of OpenVAS as a vulnerability scanner?

I haven't used OpenVAS yet. Is this compared to the home version of Nessus or the paid version with all its bells and whistles? I haven't used the paid version either, but have read a little bit about it.

There' a fairly recent post on here discussing OpenVAS vs Nessus which may be of interest: http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,9379.0/

The professional feed does have additional features: http://www.tenable.com/plugins/

Historically the home feed did have a delayed feed, but this is no longer the case. AFAIK it's been that way for a few years now.

It's quite common to bring our laptops on-site, and sometimes even scanner appliances as well, which can be quite huge and bulky. Sometimes when we do a host security assessment, remotely via a VPN connection or via another encrypted channel, we are told that we should save all our files in /tmp, and that any tools we install must in some cases be installed by them, or in other cases, be removed immediately after we have used them.
That's pretty much how we perform those kinds of tests. When we do wireless penetration tests, we bring our own laptops and alpha cards with good antennas as well. Otherwise, how would we be able to perform a test adequately and to e.g. high standards? 

Just to add an obvious point, I have never seen once a client that would allow me to install backdoors, rootkits or other malware. And I can understand them!

That being said, I tell them in my report that once I have got a system shell, I could have install them.

Also, bringing my own laptop also implies bringing my personal notes, scripts, etc. I don't know about you guys, but if I have, let's say, performed a VA on an Oracle database a year ago and haven't touched it since then, I would be a bit rusty...

Anyways, obvious but worth mentioning.