jaime_lion

Data center pen testing?

5 posts in this topic

So I am curious how this works. Let's say I am a company that has all their servers in AWS or such. How would one go about pen testing that? Would one try and get access in the company or directly attack Amazon?

0


Directly attacking Amazon would be illegal. If your company doesn't own the server, attacking it is illegal.

1


Companies host IT infrastructure in AWS all the time. It's quite common. When they want to do a pentest, either themselves or through a third party, they just have to notify Amazon of the dates and IP address ranges the testing traffic will originate from. Amazon may or may not send an email asking for additional questions which can usually be satisfied with a 1 page document describing the pentest methodology.

 

0


I think this is an interesting question that was not answered. The question wasn't well asked, so let me ask it another way.

How do you pentest a company's infrastructure that is hosted by another company such as AWS?

 

If the company is hosted by a cloud then it is not that company that owns the infrastructure and you can't pentest that. The company should declare to you that there is this hosting service hosting their infrastructure and that's all you can do is note its existence.

0

On 10/4/2016 at 0:46 PM, pentestgeek said:

Companies host IT infrastructure in AWS all the time. It's quite common. When they want to do a pentest, either themselves or through a third party, they just have to notify Amazon of the dates and IP address ranges the testing traffic will originate from. Amazon may or may not send an email asking for additional questions which can usually be satisfied with a 1 page document describing the pentest methodology.

 

Uh no. Can you show me the documented communication channels to legally notify you're going to hack Amazon's cloud infrastructure on behalf of pentesting some company's random crap virtual servers?

I want to see the place that says "send this department a 1 page letter that says you're going to pentest within our infrastructure and how and when."

First of all, that just means to LEGALLY hack Amazon all I'd have to do is create a company... buy some AWS services... then legally pentest myself.

I think your advice is just flat out WRONG.

0
