Perhaps something like ISS Internet Scanner or eEye Retina? Both allow you to plug in predefined 'known users' and then use the access to do specific version/file checking, which IMHO could be considered passive b/c you are not actively attacking the system or attempting to exploit it, but rather going through the registry/file system to check for file/dll versions to determine vulnerability...Of course you still have to take other things into account (since it does some actual exploit attempts) when you build the policy, but it can serve in a very passive role...

Overall it sounds to me like you are a little torn on pen testing/vulnerability assessment. To me, V/A is something that should be frequent and ongoing and can do a good job at evaluating the individualsystem/network device security (as in configs/patch levels); whereas; pen-testing is more about the taking the 'if someone got into X, how could they use X to get into Y and Z' and therefore more about evaluating how you have architected the security in your network on a macro level (yes, pen testing does involve V/A and then active exploitation of any vulnerabilities found) but to me its essence is about evaluating how well insulated a publically accessible thing on your network from anything else on the network...(note this was intentionally very vague and could run the gamut from a public web server down to the desktop that uses a mail client (ie, an entry point into your network would be SMTP->mail server->desktop) )...