There are 3 vectors that define a penetration test engagement.
I. Knowledge of the attacker
Blackbox
The attacker has no prior knowledge of the scope, its technology stack, or the security controls implemented.
Graybox
The attacker has limited knowledge of the architecture of the applications/infrastructure in scope, the technology stack being used and the security controls that are implemented.
Whitebox
The attacker has full access to the source code of the applications in scope and a full view of the configuration/setup of the infrastructure in scope and of the security controls that are implemented.
II. Attacker Vector (each vector is a superset of the previous vectors)
Web App
- Unauthenticated User
- Simple User
- Simple User with 2FA enabled
- Multiple User Roles
- Administrator User
Infrastructure
- Unauthenticated Internet/Internal network user
- Network access authenticated on OSI Layer 2
- Network access authenticated on OSI Layer 2 with local user credentials
- Network access authenticated on OSI Layer 2 with local administrator credentials
- Network access authenticated on OSI Layer 2 with simple Active Directory user credentials
III. Scope/Target
- External Perimeter
- Internal Network
- VPN
- DMZ
- Web Application
- Mobile App
Conclusion
Thus, by combining these 3 vectors (Knowledge – AV – Scope), we can define a penetration test, e.g. a Blackbox External (Perimeter) Penetration Test with the Attacker Vector of an unauthenticated internet user, or a Graybox Web Application Penetration Test from the Attacker Vector of simple user, authorizer and administrator.
