Vulnerability assessment is what we use tools to find out the vulnerability or loop holes in a system.
Penetration testing is what we do identify threat or to analyse how secure is the system . All the ways like an legitimate hacker would do.
Penetration testing is basically of three
White box testing is done with the organization knowing that attack is happening. Testers know all about the organization.
Grey box testing .only few people knows about attack is going to happen , only half the information is given to pen testers .
Black box testing is where only higher officials know that an attack is going to happen . No information would be given to the hired pen testers . They should try the attack without connecting to the company network .