Hello, I have enrolled in a security major in my computer course. The stuff we have been doing in class is basically just reading examples and not actually doing a 'hands-on' approach towards the things we have been learning. I would like to somehow have a 'hands-on' approach with this stuff so it will sink in better then just reading from a textbook. So my question is, if I contacted small website owners', do you think they would allow me to do penetration testing free of charge? If so, as webmasters, what would be the best thing for someone to say to you without sounding like they intend to do damage? Thanks for your replies.
Not a good idea for a couple of reasons 1. If the host is watching closely, or their IPS/IDS system reports any activity to them, they could end up banning you from connecting if they are worried and report the attempt to your host or upstream provider. You may end up with losing your ISP account as well as get a visit from law enforcement. 2. It is not the decision of the web site owner to tell you whether you can do penetration testing on their web site. You are effectively attempting to hack the hosts server and the host would not look kindly on one of their customers authorizing a 3rd party to try to break into the server without their permission (permission you will not get). Chances are they would shut the clients site down without warning and charge them for the time taken to repel any attacks. Mosts hosts have specific clauses in the T&Cs that deal with this scenario. We run penetration tests every couple of months but this is for our own purposes on our own network. If you want "practice" contact the hosting company directly.
Thanks for your reply. Yeah I see what you mean by contacting the hosting company and not the website owner. If I were to test for vulnerabilities in the web applications (SQL injects, XSS etc) on the website, would I still need to contact the host or could I contact the website owner directly?
I work for a hosting company so I'm not the most impartial advisor, but I'd say it was always best that the host knows about these things. They might be more willing to allow that kind of testing, but the web site owner should have the permission of the hosting company first. Also, make sure you aren't in breach of any conditions that your ISP has or your upstream provider. Most of them don't take kindly to any kind of attack (authorized or not) coming from their network. When we do our testing from an outside network the owner of that network knows what we are doing. We inform them of the tests we are carrying out, when the test will start, how long they will run for, and what the targets are. We do this transparently and with permission so we don't have any problems. If you want to do it ethically, make sure everyone that needs to know is aware and has consented.
Oh ok then. Well thank-you for your input. I think I might finish this course first then go and contact host/website owners because by the sounds of it, I won't get many people interested and I really don't have the time at the moment to go running around the Internet. Thanks again
Setup a 2nd computer to run like a server and install various scripts (just find some free dodgy php ones, there are a ton with holes) and play around with that. It's all on your own home network so no harm done. You could easily get a second hand machine for the less than $100 that'd do the job if you don't have one.
Hello, First off all glad that you'r now part of the Internet Security as it's one of the biggest treat present in the world. Im SysAdmin, CISSP certified and actualy as other say it's better to contact the hosting compagny first to do so. People here say you will not get permision, i must say most of compagny would accept under certain condition and terms with some kind of contract that you'll have to accept. I would haves tons of things to say about it but to make it short if you want real enviroment to test your skill and learn goto hackthissite[DOT]com from there i learn a lot. Keep your self update, pratice, pratice, pratice over and over ! You might say " but hey i dont want to be a hacker " Ill say "To protect your network from hackers you have to think like them, and know how they work beind the scene" and then protect your self from commun pratice Cheer
Speaking of Pen tests, I am trying to learn how to market our security services. I work with one of the best hacker/Penetration Professionals in the country. We just started out on our own with a very unique and beneficial SIM ( system information management)program. We believe we have a Gold Mine, and we do have clients (large companies). Sales is our weak link, any help would be most appreciated Perhaps the person who is going to school on this will need some work down the road, or even classes to enhance your abilities, we may be able to help you. Thanks folks!
I agree with dnhype a lot. Excellent and informative reply mate. Will follow your advice. Specially where you said, to beat them learn how they work. Exactly what needs to be done for the sake of it.
You still haven't been specific IMHo. Do you just want to penetrate web apps? Or the servers gateways too?
Who to ask for permission really depends on the kind and intensity of the penetration testing you're planning. When testing web applications, for example, it's usually a good option to run the tests locally (i.e. on the web server). In this case, you only have to deal with the owner of the server, as these tests shouldn't affect the network. When testing the firewall, on the other hand, your "attacks" will come from the network and might trigger a provider's alarm as well.