Читать книгу CompTIA PenTest+ Certification For Dummies - Glen E. Clarke - Страница 25

You can follow several different strategies when performing a penetration test. You can go with a black box text, a white box test, or a gray box test:

 Black box: In a black box penetration test, the penetration testers are given zero information about the environment and the targets. The goal of the black box test is to treat the pentesters as if they are hackers — they have to discover the environment before they can attack the environment. In a black box test, you would not share Internet Protocol (IP) address information, network infrastructure details, or public services on the Internet such as web sites, domain name system (DNS), or file transfer protocol (FTP) servers. It is up to the penetration testers to discover all assets and then try to exploit those assets.

 White box: In a white box penetration test, the penetration testers are given all of the details of your network environment, including server configurations and the services they run, a network diagram showing different network segments and applications, and IP address information.

 Gray box: In a gray box penetration test, a limited amount of information is given to the penetration testers, such as the IP ranges being used by the company or addresses of your public Internet servers. With this information, the pentesters will discover what services are running on each system and then try to exploit those systems.

For the PenTest+ certification exam, remember the different pentest strategies. Black box is when no details about the target are given, white box is when all known information about the targets is given to testers, and gray box testing is when limited information such as IP addresses or server names are given to keep the pentest focused on those targets.