The black box testing model is done from the perspective of an outsider with limited knowledge of the application, network, systems or policies in place. This simulates a realistic attack scenario but can also come with disadvantages. Time spent by the tester in this scenario might not be fully maximized and some components might go untested.
The white box testing model is done with full knowledge of the relevant target, which can be obtained from functional and technical specification documents, network and architecture diagrams, privileged account access, and other information sources. This results in a more thorough test that would ideally reach all areas of the application, such as the architecture design and issues arising from coding practices. However, this form of testing requires more effort to conduct and might present a pessimistic view of the issues and risks regarding the target.
The gray box testing model lies somewhere in between the black and white box testing, with the tester having partial knowledge of the target.
There are many ways to describe the penetration testing process, but in general it can be structured into 6 steps:
- Threat Modeling
- Testing and Exploitation
- Post Exploitation
In the planning phase, the aim is to ensure the smooth execution of the penetration test. In this stage, we would decide:
Scope of the test, including type of test (white, gray, black box), the hosts while addressing any other limitations such as timeframe and rules of engagement. Logistical requirements such as test accounts, keys, IP whitelisting or Technical Specifications Documents, Functional Specification Documents and Architecture Design Documents.
In the reconnaissance phase, we are gathering information about the target to gain information about possible attack vectors. In general, this is Open Source Intelligence gathering from public sources, which can range from passive to active methods.
Passive methods do not involve direct interaction with the target, and consist of information gathered from third parties, such as WHOIS queries.
Active methods can include port scanning, banner grabbing and zone transfers. There are many tools that can accomplish this, such as nmap, as well as different query methods to avoid detection by the host.
In the threat modeling phase, we define the assets and processes that could be targeted in an attack and the potential impact on the company. Potential threat agents and capabilities are also part of the analysis and are taken into account.
During testing and exploitation, we will discover vulnerabilities in the systems and applicationsvulnerabilities in the systems and applications and attempt to validate them by affecting Confidentiality, Integrity and/or Availability.
Once we have found a potential vulnerability, exploiting it could happen in a variety of ways. It could be as simple as providing unexpected input, writing a python script to produce a sequence of inputs, a large amount of text for buffer overflow or using metasploit modules to execute a reverse shell, to upload and execute a webshell.
Post Exploitation describes a number of actions, but generally it would include data exfiltration, maintaining persistence, and covering the tracks of the exploit. Extracting the data can be done via FTP transfers, display via shell access or a number of other methods. Maintaining persistence ensures that the attacker, for example, Horangi, is able to stay within the target environment, even if an event such as a password change occurs, or the host is restarted. Examples of this could be uploading a webshell or activating a remote access service and creating an account for access.
Ideally, we would also want to erase traces of our access and exploit, from erasing system logs, returning original privilege levels, restarting crashed services or any other changes made that could be detected.
Last but not least, the reporting phase is essential in communicating the findings. The scope of testing, risk assessment, recommendations for remedy, approach and objectives should be clearly stated.