Fifty shades of black, white and gray box penetration testing
The market for penetration testing is going to grow from $594.7 M in 2016 to $1,724.3 M by 2021, according to research by MarketsandMarkets™. Little wonder, actually. Large and small enterprises annually or even quarterly spend substantial sums on penetration testing services to enjoy their benefits: preventing financial losses, complying with security regulations and maintaining a security-aware image in the eyes of customers.
Information security providers usually offer several types of penetration testing: black box, white box and gray box. What is the backbone of each type? What are the advantages and disadvantages? Let’s take a closer look.
Black box penetration testing
When penetration testing engineers (a.k.a. ethical hackers or pentesters) use a black box model, they have strictly limited knowledge of the network (e.g., a host name of a public server, IP address) and no information on the customer’s security policies, network structure, operating systems, software and network protection used. With only these details at hand, an ethical hacker has to penetrate the furthest into the network and detect as many vulnerabilities as possible.
Paul Midian, CISO at Dixons Carphone, suggests five phases of black box testing.
Before the testing, ethical hackers investigate the customer to form a clear picture of the target. Different sources of public information come in handy: the customer’s web site, WHOIS databases (online repositories of domain names), web search engines, trade magazines and even yellow pages.
At this stage, ethical hackers may get information about listening services and ports to determine the type of operating system that the customer uses. For example, TCP/UDP ports 137, 138, 139, 445 suggest Microsoft OS; SSH on port 22, FTP on port 21 or DNS on port 53 indicate Linux OS.
Another way to determine the type of OS is to use Nmap – a utility that uses TCP/IP stack fingerprinting. The hacking team will also search for faulty dial-in modems in the network (as they can be employed to bypass perimeter defenses) and launch a vulnerability scanner (an automated tool that inspects the network for security breaches and generates a detailed report on the search results).
The enumeration phase aims at connecting to target hosts to expose attack vectors in the network. Here, ethical hackers focus on open network services and shares that may have a direct link to the customer’s critical resources, usernames and user groups (to spot default user or administrator accounts) and banner screens (if misconfigured, they may expose the software and device type).
Gaining access is the climax of the whole penetration testing operation. This is where the fun begins, as the testing team attempts to compromise the target system using password cracking, buffer overflow or DoS against specific network nodes.
5. Privilege escalation and maintaining access
Once the hacking team has penetrated into the network without any privileged rights, they aim to gain administrator level access with the help of password cracking tools and maintain access to the network. To do this, pentesters create backdoors which are, of course, removed by ethical hackers before the project finishes.
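The scanning and enumeration phases above rely on what listening ports and service banners give away. The following is an added example, not part of the original article: a defender-side check over an inventory of your own services that reports the OS family an outsider would guess from the article's port hints and which banners disclose a product version. The inventory, host names and banners are constructed sample data, and the function names are illustrative.

```python
import re

# Port hints exactly as stated in the scanning phase above (a heuristic, not proof).
WINDOWS_PORTS = {137, 138, 139, 445}
LINUX_PORTS = {21, 22, 53}

# A product name followed by a dotted version, e.g. "OpenSSH_8.9p1" or "Apache/2.4.41".
VERSION_RE = re.compile(r"([A-Za-z][A-Za-z-]*)[/_ ]v?(\d+(?:\.\d+)+\w*)")

def os_hint(open_ports):
    """Return the OS family an outsider would guess from the listening ports."""
    ports = set(open_ports)
    win, lin = ports & WINDOWS_PORTS, ports & LINUX_PORTS
    if win and lin:
        return "ambiguous"
    return "Windows" if win else "Linux" if lin else "unknown"

def banner_disclosure(banner):
    """Return (product, version) if the banner reveals a version, else None."""
    m = VERSION_RE.search(banner)
    return (m.group(1), m.group(2)) if m else None

def audit(inventory):
    """Summarise per host what the listening services give away."""
    report = {}
    for host, services in inventory.items():
        leaks = {}
        for port, banner in services.items():
            found = banner_disclosure(banner)
            if found:
                leaks[port] = found
        report[host] = {"os_hint": os_hint(services), "version_leaks": leaks}
    return report

# Constructed sample inventory: host -> {port: banner}. Not data from a real network.
INVENTORY = {
    "web01": {22: "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
              80: "Server: Apache/2.4.41 (Ubuntu)"},
    "ftp01": {21: "220 FTP server ready"},
    "files01": {445: "", 139: ""},
}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(host, result)
```

Banners that show up under `version_leaks` are the ones to trim in the service configuration so that they no longer name the exact software version.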
Pros and cons
The five phases described above represent the full cycle of the penetration testing process. The major advantage here is that ethical hackers work in life-like conditions, so they are close to discovering a maximum number of vulnerabilities. Besides, with black box penetration testing pentesters usually use open source tools, as, most probably, cyber criminals will resort to them as well. Because of these free tools, the cost of penetration testing for a customer is much lower in comparison with white or gray box testing.
However, the use of open source tools in black box penetration testing has its disadvantages, as they have functional limits. Another disadvantage of black box penetration testing is that testers can’t see the whole infrastructure, because the customer provides little information on the network. So, pentesters may miss some significant vulnerabilities.
White box penetration testing
White box penetration testing assumes that ethical hackers are privy to the customer’s network ‘secrets,’ such as admin rights and access to configuration files. Let’s consider an example where a company requires white box penetration testing of their online service. In this case, the team of pentesters can see the server configurations, who the server communicates with and the database encryption principles.
Pros and cons
White box penetration testing is a deterministic approach, as ethical hackers know everything about the target system. This factor works in a pentester’s favor because it helps to cope with project time constraints. At the same time, this type of testing doesn’t provide any information on the ways a criminal gets into the network, so these vulnerabilities remain unpatched. Moreover, customers are often not ready to share insights into their network with pentesters, as it involves security risks.
Black box vs White box report
Both white box and black box testing end with a report on the vulnerabilities detected in the customer’s network. In the black box model, a report features so-called remediation – possible preventive measures, based on the contractor’s experience. A white box report, in its turn, provides the customer with recommendations addressing the customer’s security needs. Remediation steps after black box tests are not implemented, as they represent best practices and are not as detailed as recommendations after white box testing. When white box penetration testing is completed, a contractor may implement these recommendations. Here, the customer should consider this option only if the penetration testing service provider performed well and proved to be a trusted partner, who won’t try to take money for non-existent vulnerabilities. Otherwise, it’s better to change the contractor. The new provider will double-check for the vulnerabilities and implement the recommendations.
Gray box testing
Gray box penetration testing encompasses the approaches above. Still, it is closer to black box testing. A customer partially shares information on their network, such as user login details or the network’s overview. In case of penetration testing of a web app, a testing engineer will try to discover potential entry points. Some of them are freely available (file download form, feedback form), some are for corporate users only (authentication form). The company may provide the testing engineer with a corporate account to move deeper into the network.
Pros and cons
In the gray box model the customer doesn’t provide all the insights into their network. This factor together with limits on the scope and timeframe of testing may be the reason for ethical hackers to overlook nontrivial vulnerabilities. So, before opting for this approach, the customer should define what network areas need penetration testing and which of them should be accessed by a pentester.
Black, gray or white?
In a nutshell, penetration testing types give the view of the network security state from different perspectives:
- Black box: an outsider’s perspective
- White box: a privileged insider
- Gray box: an outsider with the elements of insider’s information
Before choosing their favorite color of penetration testing, companies should determine what kind of information about their network’s security they want to get. Opt for black box if you want to simulate real-life hacks on the external network’s perimeter; white box – if you want to check whether network systems are configured correctly; gray box – if you want black box testing but with deeper insights.