Pentesting

[killadaninja]

No one ever seems to mention W3AF which in my opinion is an excellent and somewhat configurable front end web vuln scanner.
To answer the op`s question "In a real world pentest, how many of you prefer to use vulnerability scanners", I would have to say, 99% of the people 99% of the time. Securityxxxpert you mention pentest, now, even if you read a banner, throw the corresponding exploit at it, and pwn a box inside of 60 seconds, there could still be another 10 underlying problems on the front end of the "website"/etc/etc, I am sure maybe back in the past you could do a "web" security audit manually, but these days with new platforms,apps,programs,etc being created, deployed and implemented like theres no tomorrow, pentesting, (the front end of a website for example), manually AND ACCURATELY WITHOUT MISSING A THING, if possible at all, would be a waste of time.

[lupin]

There are a stupendous number of skriddies who come in to these forums and seem to think that "pen test" equals "unauthorized attack", and that they must be quiet to avoid getting caught, and MartinBishop's post seems to reflect that all too common attitude. If I took post out of context, I apologize. My point to him was that a legitimate tester doesn't usually need to be stealthy unless they're also testing the admins ability.

Thats the way I took it too. In my mind there is a sutble difference between issues of "noise" which is connected with being detected and issues of malformed traffic and traffic volume, which are more likely to be the cause of fragile servers going down.

I'll admit though that the distinction is minor and that ahjohnston25 made a good point.

[Archangel-Amael]

Noise is only an problem if you're running a "black ops" test against both the actual network as well as the security abilities of the admins.

I think you hit on a very important note right there, that some may easily glance over. The ability of the admin(s) running things.
If they don't understand what is in their logs then all the noise in the world is not going to matter. 1 exploitable service or a hundred is not going to make a whole lot of difference if they don't know what's coming at them, and how to mitigate it.

[crweedon]

definitely use both for effectiveness and accuracy, doing a pentest/vuln ass. by manually would inflate the LOE/SOW hourly to astronomical proportions. also archangel makes a great point, assuming you have client xyz that has some sort of monitoring staff and/or SIM in place, it's better for them to see the traffic and escalate it so you know they are doing their job and understand the difference between "good" and "bad" traffic