The following is a transcript of Christian Espinosa’s explanation of Gray Box Penetration Testing. Christian sold Alpine Security to CISO Global in 2020 and recently founded Blue Goat Cyber.
What’s going on? This is Christian Espinosa with Blue Goat Cyber. In this video, we’ll go over gray box penetration tests. So these are the topics we’ll discuss. So the differences between black, white and gray box. So gray box falls between black and white box penetration test. So with a black box penetration test, you typically don’t know much about the target other than maybe the IP address or the URL and that’s really about it. So a black box is considered unauthenticated. You don’t know much about the target.
With a gray box, a little bit about the target, pretty much from the perspective of the user, your user on the target. So you have user level access to the target. With white box, you know quite a bit about the target. So you may have access to the network diagram, schematics, design documents, source code, administrator level access, et cetera. So black have pretty much little limited access, gray in the middle, then white. And as the next bullet there says, gray box, you have authenticated or credentialed user level access to the system.
There’s really two broad categories for gray box penetration testers, internal and external. We’ll go over those in the next couple of slides. And the threats we’re trying to emulate, which with a penetration test you’re trying to emulate some sort of threat. The threats we’re trying to emulate with gray box typically are these two threats we have listed on the slide there. A user account is compromised. So let’s say I’m Larry, I’m a user on your web application. What can the attacker do from Larry’s account’s perspective? Or I’m Nancy, a user on your active directory domain, and my account is compromised via a phishing email. So what can the attacker do from Nancy’s perspective on the internal network? And then what if Larry is just malicious or what if Nancy, she’s malicious as well? So those are like the threats we’re trying to emulate.
So for external gray box penetration test, typically, and this is one of the categories I’ve mentioned, we have external and internal. Typically with external gray box penetration test, it’s against some sort of web application. A common example as we have here on the slide is a patient portal. So a lot of hospitals and clinics have a patient portal. So this is if you’re a patient, you can log on, pay your bill, look at your last visit, look at the details, maybe schedule an appointment, et cetera.
So with a gray box penetration test, what we’re trying to do is test the patient portal in this scenario from the perspective of, like I mentioned earlier, a compromised user or a malicious user. So if I am Larry and I’m logging on to the patient portal as Larry, from Larry’s account, what can I get access to on the patient portal? If there’s a vulnerability, can Larry for some reason exploit that vulnerability and somehow get access to Pam’s account, for instance? Because it would not be good if Larry can horizontally get access to Pam’s account and then read Pam’s medical history. That’s an example of a horizontal privilege escalation.
The other scenario is what if Larry can somehow exploit a vulnerability on the patient portal and get admin or root level permissions, then Larry can see everybody’s information, including Pam’s, Sam’s, Dan’s, et cetera. So that would not be good. So with a gray box penetration test, we’d look at the vulnerabilities of the application from the perspective of the user.
Let me give an example here. So I’ll bring over a patient portal here. So this is just an example. I just search for… If I go to Google and search for “patient portal,” and you’ll see quite a few of them pop up here. I just went to the first one right here. This is whatever, NextGen Healthcare, it doesn’t really matter. But right now if we’re looking at the patient portal and we’re not logged in, and let’s say we do some testing, this would be black box penetration testing. Once we’ve logged in as a user such as Larry, then we would be testing it from a gray box perspective.
So an example like let’s say from a black box perspective, if I type in tick or one equals one dash dash and I just put whatever here as a test for a SQL injection, that’s a black box test. With gray box, we would test a lot of different things, but logged on as Larry, as I mentioned. With Alpine Security, we include the black box portion of testing with our gray box because we test it from both an unauthenticated perspective and an authenticated perspective. So that’s an example of a external gray box penetration test.
The other type of gray box penetration test is an internal gray box penetration test. With an internal gray box penetration test, what we’re looking at is what sort of damage could an internal user do with user level permissions on an internal network inside a firewall such as an active directory domain? So if Sally’s computer was compromised or Sally clicked on a phishing email and her account was compromised, from the perspective of Sally’s credentials, which are user level credentials, what could the attacker do? Could the attacker somehow get access to sensitive data? Could they get access to Bruce’s account? Could they somehow find a vulnerability and exploit it on the network that gave them administrative level permission such as domain admin, et cetera?
So we’re looking at it from that perspective and we’re also looking at from the perspective like what if Rodrigo, let’s say, is malicious and Rodrigo wants to steal secrets and steal secrets and send them to China? So if Rodrigo is a malicious user, what can Rodrigo get access to using his user level permissions? So that’s the other sort of use case or threat we’re emulating.
And another use case is, let’s say a user’s laptop was compromised. Let’s say Jessica takes her laptop home and her boyfriend who is a spy for Russia, let’s say, gets his hands on the laptop. If the boyfriend, the spy from Russia gets the hands on Jessica’s laptop and that boyfriend can get into Jessica’s laptop, let’s say the boyfriend’s name is Ivan. Ivan can get into Jessica’s laptop as Jessica or Jessica leaves the laptop unlocked, what sort of damage could Ivan do to that laptop or to the systems the laptop has access to? So if the laptop can VPN into the corporate network, what can Ivan get access to as Jessica?
Also, if Ivan can try to get access to secret stuff on the laptop, can he escalate privileges to local admin on the laptop? Can he circumvent controls, et cetera? So again, that is an internal gray box penetration test and we’re looking at it from the perspective of really two broad categories of threats, a malicious user or a compromised user that really didn’t mean to be malicious but their account was compromised.
So as a summary, we talked about these main points here, the differences between black and white and gray. Gray is in the middle, black you have little limited information, maybe just an IP address or URL. White, you have a lot of information. Gray, you have user-level information and user-level access which is also authenticated or credentialed. We explained a little bit the differences between internal and external. External is typically with a web application such as a patient portal. We’re testing if we can escalate privileges horizontally or vertically. With internal, we’re testing from a domain user or internal user typically inside your firewall. And we’re seeing what we can do, same concept from escalating privileges horizontally or vertically, and what data an insider or internal user can get access to.
If you have any questions about gray box penetration testing, you can leave them beneath the video. If you are interested in us performing a gray box penetration test against your environment, either externally or internally, you can contact us.