Thread: Procedure for dealing with hosted servers during pen-test?

#1  Just burned his ISO (joined Apr 2010, 11 posts)

    I'm curious how everyone else handles 3rd party hosted servers when you're doing a pen-test or vulnerability assessment.
    Say you're doing a test against a company, and their email, and website are hosted by another company.

    In an ideal world, I would think you would get written permission from the hosting company and add them to the scope. But I seriously doubt that would happen often.
    So how does everyone handle this?


    Thanks

#2  Member (joined Jan 2010, 70 posts)

    Not just in an ideal world - in the real world as well; at the very least, they must be aware of the testing underway. It's really a coordination effort between your client and their hosting provider.

    Remember, a lot of hosting providers are hosting multiple domains/apps on a single node. In this case, not only will you potentially disrupt your client's services (which your client is expecting anyway, so not a big deal), but you can potentially disrupt unrelated services. As well, you don't want the hosting company to think they're under a real attack and start an investigation, alerting authorities, etc.

    You'll need to check with your legal team on how your agreement(s)/contract(s) spell out resolution on this situation (if they even do). Better to check twice and be annoying about it, than not check and leave yourself open to legal trouble.
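The shared-node point above is easiest to act on if the scoping step itself shows which in-scope names land on addresses the client does not own. The following is an added example, not code from the thread or from any poster: a small Python script that walks collected DNS data (A, CNAME, MX) for the in-scope names, follows CNAME chains, and reports which terminal hosts sit outside the client's own address ranges and therefore need the hosting provider's written authorization before anything is pointed at them. All hostnames, addresses and ranges are constructed sample data; in practice they would come from dig/host output and from the client's statement of what it owns.

```python
"""Classify pen-test targets as client-owned or third-party hosted.

Added example, not from the original thread. Assumes the tester has already
collected DNS records for the in-scope names (the SAMPLE_DNS dict stands in for
dig/host output) and that the client has stated which address ranges it owns.
Every name, address and range below is constructed for illustration.
"""
import ipaddress

# Constructed sample DNS data for a hypothetical client. Documentation ranges
# (203.0.113.0/24, 198.51.100.0/24) and .test/.example names are used so that
# nothing here points at a real host.
SAMPLE_DNS = {
    "example-client.test":      {"A": ["203.0.113.10"],
                                 "MX": ["mail.example-client.test",
                                        "mx2.hostedmail.example"]},
    "www.example-client.test":  {"CNAME": "sites.webhost.example"},
    "sites.webhost.example":    {"A": ["198.51.100.20"]},
    "mail.example-client.test": {"A": ["203.0.113.25"]},
    "mx2.hostedmail.example":   {"A": ["198.51.100.53", "198.51.100.54"]},
    "vpn.example-client.test":  {"A": ["203.0.113.30"]},
}

# Address space the client says it owns and administers (constructed).
CLIENT_NETS = ["203.0.113.0/24"]

MAX_CNAME_DEPTH = 8  # guard against CNAME loops in bad or hostile zones


def resolve(dns, name, depth=0):
    """Follow CNAMEs to the terminal hostname and return (host, A records)."""
    if depth > MAX_CNAME_DEPTH:
        raise ValueError(f"CNAME chain too long or looping at {name}")
    rec = dns.get(name, {})
    if "CNAME" in rec:
        return resolve(dns, rec["CNAME"], depth + 1)
    return name, list(rec.get("A", []))


def owner(ips, client_nets):
    """'client' only if every address falls inside a client-owned range."""
    if not ips:
        return "unresolved"
    nets = [ipaddress.ip_network(n) for n in client_nets]
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    if all(any(a in n for n in nets) for a in addrs):
        return "client"
    return "third-party"


def classify_scope(dns, in_scope, client_nets):
    """One row per (scope name, service): where it really lives and who owns it.

    Mail is handled separately because the MX hosts for a domain are very
    often at a different provider than the web site.
    """
    rows = []
    for name in in_scope:
        host, ips = resolve(dns, name)
        rows.append({"scope_name": name, "service": "host", "host": host,
                     "ips": ips, "owner": owner(ips, client_nets)})
        for mx in dns.get(name, {}).get("MX", []):
            mhost, mips = resolve(dns, mx)
            rows.append({"scope_name": name, "service": "mail", "host": mhost,
                         "ips": mips, "owner": owner(mips, client_nets)})
    return rows


def needs_provider_authorization(rows):
    """Terminal hosts outside the client's ranges: get the provider's written OK first."""
    return sorted({r["host"] for r in rows if r["owner"] == "third-party"})


if __name__ == "__main__":
    in_scope = ["example-client.test", "www.example-client.test",
                "vpn.example-client.test"]
    rows = classify_scope(SAMPLE_DNS, in_scope, CLIENT_NETS)
    for r in rows:
        print(f"{r['scope_name']:26} {r['service']:5} -> {r['host']:26} "
              f"{','.join(r['ips']):30} {r['owner']}")
    print("Needs hosting-provider authorization before any testing:",
          needs_provider_authorization(rows))
```

The output is a list of hosts to hand to the client so they can open the conversation with the provider (or get the provider's own testing policy, where one exists) before the engagement starts. Names that resolve to nothing are reported as "unresolved" rather than silently treated as the client's, since an unknown host is exactly the one you do not want to touch without paperwork.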

#3  lupin, Super Moderator (joined Jan 2010, 2,943 posts)

    I agree with orgcandman, you need to get permission. If the systems to be tested are owned and managed by the client and just "housed" in a hosted environment, you might be able to get away with having the client inform the hosting provider, but don't count on that. Some hosting providers will also already have some sort of widely available policy covering testing of their clients' systems which might describe the process of getting permission - case in point.

    If something like that does not exist, you might want to be safe and go through the process of getting something in writing that you can use to shield your posterior - get the client to facilitate the required communications and check with your lawyer as to what you require.

#4  Developer (joined Mar 2007, 6,126 posts)

    The more things in writing you have covering yourself the better. I have it written in my contract that the client must provide all get out of jail free cards and if I have to get them myself, I bill for it.

#5  Just burned his ISO (joined Apr 2010, 11 posts)

    Thanks everyone.

    I guess one thing you can do is just basic non-intrusive enumeration, right?
    Things like looking for login pages, seeing if there are any version tags on the webpages themselves to indicate old vulnerable webapps. Stuff like that?

    Now the next question is assuming that kind of 'looking around' is generally fine, how would you word that in a report so that the hosting company doesn't freak if they see it.

#6  Archangel-Amael, Super Moderator (joined Jan 2010, location: Somewhere, 8,012 posts)

    I think you are missing the major point here, since the above posts have already answered your last question.

    The more you have in writing the safer you will be. Why take the chance that your non-intrusive enumeration of other hosts, servers, networks etc. could be connected to your activities? Speak with the company that you have contracted with to get it in writing. Further, it might be a good idea to also consult your attorney in this regard.
