InterviewSolution
1. What Are Blackbox And Whitebox Tests?
Answer» A blackbox test is normally defined as a test where the penetration testers do not have any more information than attackers without internal knowledge might have. The idea is to check how deeply potential attackers can compromise your systems without any kind of internal information or access. All knowledge has to be gathered with classical reconnaissance (finding as much information as possible about the target) and enumeration (a deeper look at individual systems). Despite the requirement of having as little information at the beginning as possible, at least a few specifications for the test have to be given, lest uninvolved third parties be targeted unwillingly. This does not pose a restriction for real attackers, but for every reputable company it should go without saying that all phases of a penetration test are only performed where explicit consent is given. This is not the case for third-party systems that would, for example, be affected by a port scan of a range of systems that presumably belong to the client the penetration test is conducted for.

In contrast, there is the whitebox test (sometimes also denoted as a crystal-box test). In a whitebox test, the penetration testers already have internal knowledge about the target systems (for example network plans or a web application's source code) and possibly various access permissions. The latter could be an unprivileged user account on the company network, as it is available to employees, or login credentials for a web application like any normal customer would have. This allows testing to what extent users with access to a system can misuse their permissions. Additionally, internal information may be provided that is also available to every staff member of the company. This can be information about internal systems like web servers, mail servers, LDAP servers etc., but also, for example, organisational structures like employees' responsibilities and positions in the company.

If only selected parts of this information are divulged, this kind of test is also often called a graybox test.
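The scoping caveat in the answer (only explicitly authorised systems may be touched, so a port scan must not spill over onto uninvolved third parties) is easiest to enforce mechanically, by checking every candidate target against the agreed scope before any scanning tool is run. The following is an added example, not code from the page; the scope networks, hostnames and candidate targets are constructed placeholders.

```python
import ipaddress

# Constructed engagement scope (placeholders, not values from the page):
# authorised networks as CIDR blocks plus explicitly named hosts.
SCOPE_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]
SCOPE_HOSTS = {"shop.example.com", "mail.example.com"}


def in_scope(target: str) -> bool:
    """Return True only if the target is explicitly covered by the agreed scope.

    Accepts a single IP address, a CIDR block, or a hostname. A CIDR block is
    in scope only when it lies entirely inside an authorised network, so a
    range that extends into neighbouring address space is rejected outright.
    """
    try:
        net = ipaddress.ip_network(target.strip(), strict=False)
    except ValueError:
        # Not an address or CIDR: treat it as a hostname and require an exact,
        # case-insensitive match against the named hosts in scope.
        return target.strip().lower().rstrip(".") in SCOPE_HOSTS
    # subnet_of() raises on mixed IP versions, so compare versions first.
    return any(net.version == s.version and net.subnet_of(s) for s in SCOPE_NETWORKS)


def partition_targets(candidates):
    """Split a candidate list into (allowed, rejected) before any scan starts."""
    allowed, rejected = [], []
    for target in candidates:
        (allowed if in_scope(target) else rejected).append(target)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed candidate list: the /23 block and 198.51.100.4 would reach
    # systems outside the authorised ranges and must be refused.
    sample = ["192.0.2.17", "192.0.2.0/23", "shop.example.com", "198.51.100.4", "2001:db8:10:5::1"]
    ok, bad = partition_targets(sample)
    print("in scope: ", ok)
    print("rejected: ", bad)
```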