A penetration test can be classified into three models with regard to the information base made available to the penetration tester: whitebox, greybox and blackbox.
In a black box pentest, the pentester receives only minimal information about their actual target. This is intended to simulate the attack of a malicious hacker as closely as possible. The pentester only knows the company to be attacked, he has to find out all other information such as IP addresses or DNS entries himself. At the end you get the insight of how far a real attacker would have gotten in the same time spent.
The white box pen test is the opposite of the black box pen test: Here a penetration tester receives all potentially helpful information. This includes, for example, documentation about the IT systems or the source code of the applications to be tested. The information basis corresponds most closely to that of an internal employee who already has too much access to various areas of IT in the company.
A compromise between white box and black box pentest that is good in practice and often carried out is the grey box pentest. The pentester receives all the information that he could find out himself anyway, such as IP addresses and DNS entries. However, no comprehensive documentation or source code. If he encounters a problem where it would be helpful, for example, to know which database is being used in the background, he will get this information. The aim here is to make his work efficient as possible in order to be able to identify as many weak points and entry points as possible within the time invested for the pentest itself.
Last modified: Dec. 15, 2022