Ethical hackers who perform penetration tests use one of these models:
- Black box model
- Gray box model
- White box model
Pentesting assignments are classified based on the level of knowledge and access granted to the pentester at the beginning of the assignment. The spectrum runs from black-box testing, where the tester is given minimal knowledge of the target system, to white-box testing, where the tester is granted a high level of knowledge and access. This spectrum of knowledge makes different testing methodologies ideal for different situations.
In a black-box testing assignment, the penetration tester takes the role of an external attacker with no internal knowledge of the target system. Testers are given no architecture diagrams or source code beyond what is publicly available. A black-box penetration test therefore finds the vulnerabilities in a system that are exploitable from outside the network.
Dynamic analysis of the systems and applications already running on the target network is consequently the core of black-box penetration testing. A black-box tester needs to be competent in manual testing techniques as well as automated scanning tools. Since no network map is provided, black-box testers must also build their own picture of the target network from reconnaissance and observation.
The limited starting knowledge tends to make black-box penetration tests the quickest to run, since the duration of the assignment depends largely on how fast the tester can locate and exploit vulnerabilities in the target's outward-facing services. The major downside of this approach is that if the tester cannot breach the perimeter, any vulnerabilities in internal services remain undiscovered and unpatched.
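As an added example (not code from the original article) of how a black-box tester turns raw observations into a map of the target, the script below parses scan results in nmap's grepable (-oG) output format into a per-host service inventory and then lists the open services that should not normally be reachable from the internet. The scan text, host names and addresses are constructed samples, and the list of services treated as risky when internet-facing is an assumption chosen for illustration.

```python
"""Build a target map from black-box observations (constructed nmap -oG sample)."""
import re
from dataclasses import dataclass, field

# Constructed sample in nmap grepable format; hosts and banners are made up.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 203.0.113.10 (www.example.test)\tStatus: Up\n"
    "Host: 203.0.113.10 (www.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/\t"
    "Ignored State: filtered (997)\n"
    "Host: 203.0.113.11 (mail.example.test)\tStatus: Up\n"
    "Host: 203.0.113.11 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, "
    "3306/open/tcp//mysql//MySQL 5.7.33/\tIgnored State: closed (998)\n"
    "Host: 203.0.113.12 ()\tStatus: Up\n"
    "Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)\n"
)

# Assumption for this example: services a tester would flag if exposed at the perimeter.
RISKY_EXTERNAL = {"mysql", "postgresql", "redis", "mongodb", "ms-wbt-server", "microsoft-ds", "telnet"}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


@dataclass
class Host:
    address: str
    hostname: str
    services: list = field(default_factory=list)


def parse_grepable(text):
    """Parse nmap -oG lines into {address: Host}.

    Each 'Ports:' entry is port/state/proto/owner/service/rpcinfo/version/.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and trailer lines
        addr, name = m.group(1), m.group(2)
        host = hosts.setdefault(addr, Host(addr, name))
        for fld in line.split("\t"):
            if not fld.startswith("Ports:"):
                continue
            for entry in fld[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, svc, _rpc, ver = parts[:7]
                host.services.append(Service(int(port), proto, state, svc, ver))
    return hosts


def exposed_attack_surface(hosts):
    """Open ports whose service should not be internet-facing, as (addr, port, service)."""
    findings = []
    for host in hosts.values():
        for s in host.services:
            if s.state == "open" and s.name in RISKY_EXTERNAL:
                findings.append((host.address, s.port, s.name))
    return sorted(findings)


def render_map(hosts):
    """Human-readable map of what the tester has observed so far."""
    lines = []
    for host in sorted(hosts.values(), key=lambda h: h.address):
        label = f"{host.address} ({host.hostname})" if host.hostname else host.address
        lines.append(label)
        for s in sorted(host.services, key=lambda s: s.port):
            lines.append(f"  {s.port}/{s.proto} {s.state:8} {s.name:14} {s.version}")
    return "\n".join(lines)


if __name__ == "__main__":
    observed = parse_grepable(SAMPLE_SCAN)
    print(render_map(observed))
    for addr, port, svc in exposed_attack_surface(observed):
        print(f"exposed: {addr}:{port} ({svc})")
```

The map grows as the tester adds observations from further scans, banner grabs and DNS enumeration; filtered ports (such as 445 above) are recorded but not counted as exposed, since they are not confirmed reachable.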
The next step up from black-box testing is gray-box testing. Where a black-box tester examines the system from an outsider's perspective, a gray-box tester has the access and knowledge of a legitimate user, potentially with elevated privileges on some systems. Gray-box pentesters typically have partial knowledge of the network's internals, which may include design and architecture documentation and an account inside the network.
The goal of gray-box pentesting is a more targeted and efficient evaluation of a network's security than a black-box assessment provides. Using the network design documents, testers can focus their effort from the start on the systems carrying the most risk and value rather than spending time discovering that information themselves. An account inside the perimeter allows testing within the protected network and simulates a malicious insider or an attacker who has already gained a foothold.
White-box testing goes by several other names, including clear-box, open-box, auxiliary and logic-driven testing. It sits at the opposite end of the spectrum from black-box testing: the penetration testers are given full access to source code, architecture documentation and similar material. The main challenge in white-box testing is sifting through this large volume of information to identify potential points of weakness, which makes it the most time-consuming type of penetration test.
Unlike black-box and gray-box testers, white-box penetration testers can perform static code analysis, so familiarity with source code analyzers, debuggers and similar tools matters for this type of engagement. Dynamic analysis tools and techniques remain important for white-box testers, however, because static analysis of the code cannot see vulnerabilities introduced by the configuration of the deployed systems.
White-box penetration testing provides a comprehensive assessment of both internal and external vulnerabilities, making it the most thorough option. The close working relationship between white-box pentesters and developers yields deep system knowledge, but it may also bias the tester's behavior, since they act on information a real attacker would not have.