![]() ![]() ![]() The purpose of gray-box pentesting is to provide a more focused and efficient assessment of a network’s security than a black-box assessment. Gray-box pentesters typically have some knowledge of a network’s internals, potentially including design and architecture documentation and an account internal to the network. If a black-box tester is examining a system from an outsider’s perspective, a gray-box tester has the access and knowledge levels of a user, potentially with elevated privileges on a system. The next step up from black-box testing is gray-box testing. The major downside of this approach is that if the testers cannot breach the perimeter, any vulnerabilities of internal services remain undiscovered and unpatched. The limited knowledge provided to the penetration tester makes black-box penetration tests the quickest to run, since the duration of the assignment largely depends on the tester’s ability to locate and exploit vulnerabilities in the target’s outward-facing services. ![]() Black-box penetration testers also need to be capable of creating their own map of a target network based on their observations, since no such diagram is provided to them. A black-box penetration tester must be familiar with automated scanning tools and methodologies for manual penetration testing. This means that black-box penetration testing relies on dynamic analysis of currently running programs and systems within the target network. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network. Testers are not provided with any architecture diagrams or source code that is not publicly available. In a black-box testing assignment, the penetration tester is placed in the role of the average hacker, with no internal knowledge of the target system. This spectrum of knowledge makes different testing methodologies ideal for different situations. The spectrum runs from black-box testing, where the tester is given minimal knowledge of the target system, to white-box testing, where the tester is granted a high level of knowledge and access. Pentesting assignments are classified based on the level of knowledge and access granted to the pentester at the beginning of the assignment. What are black, gray and white-box testing? ![]()
0 Comments
Leave a Reply. |