
Data center pen testing?


jaime_lion


Companies host IT infrastructure in AWS all the time. It's quite common. When they want to do a pentest, either themselves or through a third party, they just have to notify Amazon of the dates and IP address ranges the testing traffic will originate from. Amazon may or may not send an email asking additional questions, which can usually be satisfied with a 1-page document describing the pentest methodology.

 


I think this is an interesting question that was not answered. The question wasn't well asked, so let me ask it another way.

How do you pentest a company's infrastructure that is hosted by another company such as AWS?

 

If the company is hosted by a cloud, then it is not that company that owns the infrastructure, and you can't pentest that. The company should declare to you that there is this hosting service hosting their infrastructure, and all you can do is note its existence.


On 10/4/2016 at 0:46 PM, pentestgeek said:

Companies host IT infrastructure in AWS all the time. It's quite common. When they want to do a pentest, either themselves or through a third party, they just have to notify Amazon of the dates and IP address ranges the testing traffic will originate from. Amazon may or may not send an email asking additional questions, which can usually be satisfied with a 1-page document describing the pentest methodology.

 

Uh no. Can you show me the documented communication channels to legally notify you're going to hack Amazon's cloud infrastructure on behalf of pentesting some company's random crap virtual servers?

I want to see the place that says "send this department a 1 page letter that says you're going to pentest within our infrastructure and how and when."

First of all that just means to LEGALLY hack Amazon all I'd have to do is create a company...buy some AWS services...then legally pentest myself.

I think your advice is just flat out WRONG.


On 2/19/2017 at 10:38 AM, IDNeon said:

I think this is an interesting question that was not answered. The question wasn't well asked, so let me ask it another way.

How do you pentest a company's infrastructure that is hosted by another company such as AWS?

 

If the company is hosted by a cloud, then it is not that company that owns the infrastructure, and you can't pentest that. The company should declare to you that there is this hosting service hosting their infrastructure, and all you can do is note its existence.

So my original question was similar to what IDNeon said. But also I was wondering: if I went to a company and they said something like "All of our servers are in AWS and every employee here basically has laptops that they just use to get to the servers on AWS," would I even need to sneak into the company to plant WiFi Pineapples and such, or could I just stay in my lab and attack Amazon over the internet?

On 2/19/2017 at 10:42 AM, IDNeon said:

Uh no. Can you show me the documented communication channels to legally notify you're going to hack Amazon's cloud infrastructure on behalf of pentesting some company's random crap virtual servers?

I want to see the place that says "send this department a 1 page letter that says you're going to pentest within our infrastructure and how and when."

First of all that just means to LEGALLY hack Amazon all I'd have to do is create a company...buy some AWS services...then legally pentest myself.

I think your advice is just flat out WRONG.

https://aws.amazon.com/security/penetration-testing/

I believe that is what you would fill out.


16 hours ago, jaime_lion said:

So my original question was similar to what IDNeon said. But also I was wondering: if I went to a company and they said something like "All of our servers are in AWS and every employee here basically has laptops that they just use to get to the servers on AWS," would I even need to sneak into the company to plant WiFi Pineapples and such, or could I just stay in my lab and attack Amazon over the internet?

https://aws.amazon.com/security/penetration-testing/

I believe that is what you would fill out.

Thanks for providing me some of the nuts-and-bolts.

A cursory glance at the AWS site shows that they have a procedure to pentest a company's ENTIRE environment that they own (with restrictions to EC2/RDS, for instance). Which is good for you as a pentester.

Just request permission and follow their restrictions to the letter and you'd be good.

Furthermore, there is a qualifier "to prevent adverse impact of services shared by others". So be mindful of that no matter if you are within the scope or not, because legally that qualifier takes precedence over any other.

If you inadvertently damage a car it may be an accident but you may still be liable :)

This is the world we've created, so you gotta learn it. AWS is probably forgiving, but still... it'll only get more controlled and procedural over time.
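The thread's practical takeaway is that before the notification to AWS goes in, the tester needs to know which in-scope addresses actually sit in AWS address space (and under which service, since the posts note that the policy restricts testing to certain services such as EC2/RDS). The script below is an added scoping helper, not code from any poster or from AWS: it parses data in the shape of AWS's published ip-ranges.json and reports, for each target address, whether it falls inside an AWS prefix and which region and service tags apply. The JSON excerpt is constructed for the example (the prefixes are documentation ranges, not real AWS allocations), and the function names are this example's own.

```python
import ipaddress
import json

# Constructed excerpt in the shape of AWS's published ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json). These are RFC 5737/3849
# documentation prefixes chosen for the example, not real AWS allocations.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2017-02-20-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "EC2"},
    ],
})


def load_prefixes(raw_json):
    """Parse the ip-ranges document into (network, region, service) tuples."""
    data = json.loads(raw_json)
    nets = []
    for entry in data.get("prefixes", []):
        nets.append((ipaddress.ip_network(entry["ip_prefix"]),
                     entry["region"], entry["service"]))
    for entry in data.get("ipv6_prefixes", []):
        nets.append((ipaddress.ip_network(entry["ipv6_prefix"]),
                     entry["region"], entry["service"]))
    return nets


def classify_target(target, nets):
    """Return the most specific AWS prefix containing `target`, or None.

    The same prefix usually appears once under the generic AMAZON tag and
    again under a specific service, so all service tags for the winning
    prefix are collected rather than reporting only the first match.
    """
    addr = ipaddress.ip_address(target)
    # `addr in net` is False when the IP versions differ, so v4/v6 mixing is safe.
    matches = [(net, region, service) for net, region, service in nets if addr in net]
    if not matches:
        return None
    best_net, best_region, _ = max(matches, key=lambda m: m[0].prefixlen)
    services = sorted({svc for net, _, svc in matches if net == best_net})
    return {"prefix": str(best_net), "region": best_region, "services": services}


def build_scope_report(targets, nets):
    """Split a target list into AWS-hosted addresses (with details) and the rest.

    Addresses outside the published ranges are not necessarily outside AWS
    (customer-owned address space brought to AWS is not listed), so the
    'not_aws' bucket means 'confirm hosting with the client', not 'on-prem'.
    """
    report = {"aws_hosted": {}, "not_aws": []}
    for target in targets:
        hit = classify_target(target, nets)
        if hit is None:
            report["not_aws"].append(target)
        else:
            report["aws_hosted"][target] = hit
    return report


if __name__ == "__main__":
    # Constructed target list for the example.
    targets = ["203.0.113.7", "198.51.100.200", "2001:db8:1::5", "192.0.2.1"]
    print(json.dumps(build_scope_report(targets, load_prefixes(SAMPLE_IP_RANGES)), indent=2))
```

In practice the JSON is fetched from the published URL rather than embedded, and the output feeds the dates-and-source-IPs notification the thread describes; the `services` field is what tells you whether a target falls under a service the policy allows testing against. Prefix data changes over time, so the `syncToken`/`createDate` of the file used should be recorded with the engagement's scoping notes.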


22 hours ago, barry99705 said:

Okay, which one of your assholes killed Amazon's E2 environment?  :lol::lol:

Still waiting for Google Chrome to say Amazon.com is a known malware distributor and redirect you to their security page lol
