How to scan all ports with Nmap
Posted in Articles on February 21, 2018
Posted in Articles on August 16, 2018
Hi, recently I was looking for a VPS for bug hunting. I didn’t find a comprehensive article on the subject, the information was scattered accross forums, talks and tweets. So I thought why not compile what I found and share it with you to save time!
There are many benefits to performing tests from a cloud VPS instead of a home network. But each case is different, depending on one’s hardware and network configurations.
Depending on where you live, you might already have enough bandwidth for all you pentesting & bug hunting purposes.
Having a very slow and buggy Internet connection (between 3 and 6 Mbps max), I found myself unable to use most tools recommended by the best bug hunters such as Massdns, Amass, Gobuster… They would not only start hanging a few seconds after running them, but they would also freeze my Kali “attack” VM and saturate my whole home network, causing all devices to loose their Internet connection until I restart the VM.
If you’re in this situation, or if running Massdns for example takes hours instead of 30 seconds, then you would benefit from using a cloud VPS, at least for running these tests that require high speed.
A VPS server may or may not be more powerful than your device. It depends on your setup.
Personally, I have a 2 year old laptop with 8GB of RAM, 120GB SSD, 1TB HDD, 4-core i7-6700HQ CPU. It’s not the most amazing configuration but it was more than enough for penetration testing. However, since I started bug hunting and tried power hungry tools, this setup started to show its limits. I also have a bad habit of opening dozens of browser tabs, so Firefox alone consumes a great share of RAM and often crashes.
In my case, a cloud VPS will not necessarily be more powerful than my current laptop, but combining the two will certainly be more effective.
When bug hunting, many WAFs will blacklist your IP. Using a remote server allows you to separate your personal public IP from your “attack” IP. It’ll avoid you being blocked when you go on a site to buy an airline ticket…
You could still get the VPS’s IP address blacklisted but if it happens, you can get a new IP by destroying the server instance and creating another one (use a script to automate its configuration).
If you run a tool or script that automates a whole chunk of your recon process, it might take hours or even days to finish. Using a remote server allows you to free yourself from the constraint of keeping your attack machine up and connected all that time. You can go out, take it with you, while the VPS is working for you non stop!
You can easily setup a reverse shell on your VPS without having to open a port on your home setup. You can also host phishing pages, or any service you need to be listening non stop for example to detect blind XSS.
I have already worked with shared servers, VPSs and dedicated servers with different good hosting providers such as 1and1 and Online.net. But it was for hosting web applications not for performing tests on the server.
The most important criteria in this case is that “offensive” tests for pentesting and bug hunting purposes must be tolerated by the cloud provider. You don’t want the pain of getting a server, configuring it, installing all your tools and starting your tests, only to get your contract terminated once they detect your “aggressive” traffic.
Another important criteria for me is that the monthly cost must have a fixed known upper limit. I prefer paying a fixed amount each month that having a surprise each time and risking a huge bill.
If you are interested in a particular provider, read everything you can on their site including the FAQ, contact them if necessary, and look for reviews (on Google & Youtube) especially from fellow hackers.
I searched for which providers tolerate offensive tests and got positive reviews from other bug hunters. I found that the three most mentioned are DigitalOcean, Vultr and Linode.
Amazon AWS also seems to be used by some hunters, but I was under the impression that it is harder to control your monthly spending with it. I haven’t tried it and I’m not tempted to, but if you have a positive experience and maybe tips on how to make the best of AWS for bug hunting, I would love to hear from you!
I also found some mentions to OneHostCloud but their plans start at $14.99/mo and these negative reviews are not encouraging.
Here is a comparison of the plans DigitalOcean, Vultr and Linode offer:
|Provider||Offer Name||Price||RAM||CPU cores||Storage||Transfer / Bandwidth||Network In||Network Out||Geekbench Score|
|Vultr||-||$2.50/mo ($0.004/h)||512 MB||1||20 GB SSD||0.50 TB||-||-||N/A|
|Vultr||-||$5/mo ($0.007/h)||1024 MB||1||25 GB SSD||1 TB||-||-||2413|
|Linode||Nanode 1GbB||$5/mo ($.0075/hr)||1 GB||1||25GB SSD||1TB||40 Gbps||1000 Mbps||-|
|DigitalOcean||-||$5/mo ($0.007/hr)||1 GB||1||25 GB SSD||1 TB||-||-||-|
|Vultr||-||$10/mo ($0.015/h)||2 GB||1||40 GB SSD||2 TB||-||-||3880|
|Linode||Linode 2GB||$10/mo ($.015/hr)||2 GB||1||50 GB SSD||2 TB||40 Gbps||2000 Mbps||-|
|DigitalOcean||-||$10/mo ($0.015/hr)||2 GB||1||50 GB SSD||2 TB||-||-||-|
In The bug hunters methodology v3(ish) Jason Haddix recommends the DigitalOcean $10/mo plan. But Patrick Fehrenbach only uses the $5/mo Digital Ocean plan.
This gives you an idea of the power and speed necessary to run tools like Masscan.
So if money is not an issue, go with either one of the three $10/mo plans, they seem comparable. Otherwise you can get a free trial of a $5/mo plan and try for yourself to see if it is enough for your own needs.
There are many coupons to try either one of these three VPS providers for free. Just search for “digitalocean free” / “vultr free” / “linode free” or “vultr coupon”…
Here are some free offers I found but they might have expired at the time you’re reading this:
I don’t know about DigitalOcean & Linode but Vultr will charge you for stopped instances:
“Instances in a stopped state continue to reserve dedicated system resources (RAM, SSD storage, IP aliases, CPU) and therefore incur charges until you destroy the instance. If you wish to no longer accumulate charges for a virtual machine, please use the DESTROY button in the customer portal.”
However, from what I understood, there are no surprises, the max that you would pay each month even if you keep your server running non stop is $10/mo or $5/mo depending on your plan.
I hope this helps. I’m currently trying Vulnr, so tell me if you are interested in a review or a setup guide. And as always, let me know if you have any tips, questions, or know of other good VPS providers for bug hunters.
See you next time!