Procedure for dealing with hosted servers during pen-test?

[jmpebx]

I'm curious how everyone else handles 3rd party hosted servers when you're doing a pen-test or vulnerability assessment.
Say you're doing a test against a company, and their email, and website are hosted by another company.

In an ideal world, I would think you would get written permission from the hosting company and add them to the scope. But I seriously doubt that would happen often.
So how does everyone handle this?


Thanks

.

[orgcandman]

Not just in an ideal world - in the real world as well; at the very least, they must be aware of the testing underway. It's really a coordination effort between your client and their hosting provider.

Remember, a lot of hosting providers are hosting multiple domains/apps on a single node. In this case, not only will you potentially disrupt your client's services (which your client is expecting anyway, so not a big deal), but you can potentially disrupt unrelated services. As well, you don't want the hosting company to think they're under a real attack and start an investigation, alerting authorities, etc.

You'll need to check with your legal team on how your agreement(s)/contract(s) spell out resolution on this situation (if they even do). Better to check twice and be annoying about it, than not check and leave yourself open to legal trouble.

[lupin]

I agree with orgcandman, you need to get permission. If the systems to be tested are owned and managed by the client and just "housed" in a hosted environment, you might be able to get away with having the client inform the hosting provider, but dont count on that. Some hosting providers will also already have some sort of widely available policy covering testing of their clients systems which might describe the process of getting permission - case in point.

If something like that does not exist, you might want to be safe and go through the process of getting something in writing that you can use to shield your posterior - get the client to facilitate the required communications and check with your lawyer as to what you require.

[purehate]

The more things in writing you have covering your self the better. I have it written in my contract that the client must provide all get out of jail free cards and if I have to get them myself, I bill for it.

[jmpebx]

Thanks everyone.

I guess one thing you can do is just basic non-intrusive enumeration, right?
Things like looking for login pages, seeing if there are any version tags on the webpages themselves to indicate old vulnerable webapps. Stuff like that?

Now the next question is assuming that kind of 'looking around' is generally fine, how would you word that in a report so that the hosting company doesn't freak if they see it.

[Archangel-Amael]

I think you are missing the major point here, since the above posts have already answered your last question.

The more you have in writing the safer you will be. Why take the chance that your non-intrusive enumeration of other hosts, servers, networks etc. could be connected to your activities. Speak with the company that you have contracted with to get it in writing. Further it might be a good idea to also consult your attorney in regards.