When we speak of black, grey, and whiteboxes, we are not talking about the colour of a desktop PC (once nicknamed the beige box). We are speaking of how much access a pentester is given before attempting to breach a system or network.
The amount of information shared before an engagement can have a huge influence on its outcome. Most pentests fall into one of three styles, whitebox, blackbox, or greybox, and each has its own challenges.
Let’s dig into the core differences between black, grey, and whitebox penetration testing:
Whitebox penetration testing, sometimes referred to as crystal box pentesting, involves sharing full system information with the company doing your pentest. This can include IP addresses, source code, server configurations, and elevated access rights.
With this information from the start of the test, pentesters can check more readily for known flaws in the code, exposed network ports, and other configuration errors. Sharing it up front saves time and reduces the overall cost of the engagement.
A whitebox penetration test is useful for simulating a targeted attack on a specific system across as many attack vectors as possible. It still needs a team of dedicated pentesters, since automated testing finds only about 15% of cyber security vulnerabilities.
In a greybox penetration test, only limited information is shared with the tester. This is useful for testing from the viewpoint of an outsider trying to compromise a system. Usually, the company being tested shares login credentials with the pentesters, which shows the level of access any privileged user could gain and the potential damage they could cause.
Although this type of engagement takes longer to complete, greybox testing strikes a good balance between a controlled test and a real-world scenario, and can be used to demonstrate both inside attacks and outside attacks by someone who has already breached the network.
Greybox testing is usually considered the best balance between efficiency and authenticity, cutting out potentially time-consuming reconnaissance and tooling development. It is also the preferred testing method of Mitnick Security, especially for web app pentesting.
In a blackbox penetration test, no information is provided to the tester at all. The pentester follows the approach of an unprivileged attacker, from initial access and execution through to exploitation.
This scenario can be seen as the most realistic, demonstrating how an adversary with no inside knowledge would target and compromise an organization. However, this typically makes it the costliest and most time-consuming option.
All three styles of pentest have one thing in common: a persistent adversary will conduct reconnaissance by scraping open-source intelligence from LinkedIn and other corporate profiles, giving them the company knowledge they need to launch social engineering attacks.
For example, after the World Surf League (WSL) hired the Mitnick Security team for an engagement, we were able to compromise their systems by targeting internet-facing infrastructure and employees with a specially crafted spear-phishing email campaign. We then gained complete access to several servers and exfiltrated a small sample of WSL’s proprietary data to simulate a real adversary — proving the success of the pentest.
Curious to see real pentesting results for yourself? Check out our WSL Pentesting Case Study.