So you wanna do bug bounties?
Maybe you already are doing bug bounties and you’re starting to notice some fun issues you run into when you conduct these tests from your home network.
For instance, ever run sql mapper and get banned from the internet? Yes, that’s correct, certain attack patterns will flag your IP with services like Akamai and they will ban you from connecting to their servers. Try explaining to your significant other why they can’t go to Target.com or a million other sites because you were running a test.
Akamai, if you don’t know, controls 240,000 servers in 120 countries and have almost all of the most popular services behind them. So getting banned from their portion of the internet is not only noticeable, but also painful. Thankfully, these bans are short term, a few days usually.
Why even deal with that though? Why not just run your traffic through a VPN or over Tor? Well, this works for a while, but then you run into other issues like exfiltration, reverse shells, and a slew of other little problems including bandwidth speed.
The conclusion I’ve come to, and that I think most people doing bug bounties will come to, is that the best option is in fact using a VPS host. It costs a little money but not having to worry, having a dedicated machine and being able to destroy it when you’re done, are all very nice options. So let’s dive in and take a look at some of the VPS hosts I’ve been testing out over the last couple weeks.
So the first VPS that I started with, and fell in love with is Vultr.com. Their service was working great for me for a few tests before it all went to shit. They allow you to upload a custom image from a URL, so just point it at a Kali download or Parrot download and it’ll setup your machine for you. SUPER nice!
Also Vultr is pretty cheap. I found most of the services all comparable in price but I thought Vultr wasn’t bad. They have a very nice user console as well.
Here’s where the shit hit the fan though. I made the mistake of attempting to conduct some non-bug bounty research which required me to masscan the worlds IPV4 address space. I won’t go into details because it’s an ongoing project, but I will say, I swept about 1% of the worlds IPV4 address space, one time, looking for one port, and I got shut down. Vultr sent me some not kind emails to the effect of
“We received a complaint from a German company that you’re scanning one of their clients. You’re breaking the law and our TOS, so we killed your machine, destroyed your data and are warning you not to do it again”
Just so we’re clear, scanning with nmap isn’t illegal. Especially since all I was doing was 1. checking if an ip was up and 2. checking if a port was open… THAT’S IT. Nmap sends a
packet then waits for a
sny-ack response. If it gets it, it doesn’t complete the TCP 3 way handshake and it knows the port is open. Saying that this is illegal in any way is saying that every internet connection on the planet is illegal…
Well, once this was done, I was under a microscope. So as soon as I started my next bug bounty, they flagged my very first nmap scan, killed my machine and banned my account…. rip vultr
Nice service, great interface, SUPER shitty policies. I don’t recommend doing anything serious off this service. Not worth having your machine destroyed.
LunaNode is another cheap VPS. They also allow you to upload custom image files. So you can upload your own copy of Parrot or Kali with a URL. This is my favorite feature of these VPS’s so far.
LunaNode also caught me doing a bug bounty. Their support staff reached out to me, killed my box (multiple times) but finally agreed to let me test. I spoke extensively with their security team about what I was doing. At first they told me I was getting flagged by their DOS detection system, which I told them was bs because I wasn’t conducting a DOS attack. Then they told me I was getting flagged by their malware system because I was attempting to open a connection on port 445????
Super weird, but regardless they were very cool about it. They offered to whitelist my account so that I could test what ever I wanted without worry of being shut down again. LunaNode is cheap, understanding and a good all around service.
That said, having to get whitelisted is a huge pain in the ass and you will definitely run into this if you’re port scanning. Nothing is more obnoxious then getting your live boot killed with all your data because your own VPS provider thinks you’re doing something you’re not allowed to do.
3. Azure Hosting
So if my handle didn’t give it away (DotNetRussell), I’m a huge Microsoft Fan Boi. So I would be lachrymose if I didn’t at least try and use azure for this.
The service was meh. It wasn’t bad. It was pretty easy to setup but Azure does SO MUCH, I kinda want a simple service for this. I want something fast to spin up and kill boxes. This isn’t Azure. Azure is verbose, and drawn out. It’s not really made for burner boxes.
Also, the VNC service they offer is really shitty. The connection is slow and just seemed brutal for testing. I did some light bug bounty tests on it and I just found it underwhelming.
This all said, they are actually very pro-pentest. Not only have they been very publicly okay with this, but they even provide a kali distro made for their VM’s! I was really impressed with this but unfortunately the other facts still remain and they outweigh this in my mind. I was also really confused on the pricing. It’s not unheard of to use gigs of bandwidth while testing so I’m not sure how much that would run me on an Azure VM. There wasn’t a clear cost model anywhere.
So would I recommend running your hacker box on Azure? Meh, probably not. If you just wanted to test out some local stuff or maybe do some light testing against your own server, sure, why not. Anything real though is probably a bad idea.
The VPS I reluctantly landed on was Digital Ocean. I say reluctantly, not because they’re a bad service or because they have bad policies. The opposite in fact, their service is great, their prices are EXTREMELY cheap and I asked their support up front about pentesting from their machines and they responded with “they don’t give affffffffff” (as long as you don’t disrupt other clients on their boxes)
So why was I reluctant? BECAUSE THEY DONT LET YOU UPLOAD ISO IMAGES….. wtf right?
They offer the ability to download an OS from a link but they don’t let you download iso files. It has to be an img or some random zip formats. Really really REALLY obnoxious. I tried turning my Parrot OS iso into an IMG file and uploading it but the upload time was ridiculous so I killed it.
No, there’s really only one way to go to get Digital Ocean working and that was, I was going to have to build a custom install script that setup my Debian box for me after I provisioned it.
The script actually wasn’t that bad to write. I just had to think of all the tools I use on a regular basis, all their dependencies and create a bash script to install them. Not really a big deal.
The real issues for me came with setting up gnome and a vnc server. I’ve done neither of these things in the past so there was some learning curve here for me. That said, Digital Ocean, since they’ve probably had this question a million times, took the time to create a very easy to follow tutorial on setting up vnc
Once I had the tools installed, a gui working and an operational vnc server, I was pretty much good to go. The best part is now I’m not coupled to Digital Ocean. I can use any VPS that has a Debian image, pull down my script and run it to have a full blow attacking box.
So far Digital Ocean has been super nice, the prices are insanely cheap compared to others, they openly don’t care about pentesting, they have a nice interface and they provision machines quickly. I’m probably going to stick with them for a little while. I’ll update this post if my opinion on them changes.
Services I didn’t test, and why
- OnehostCloud.hosting – Way too expensive
- LineNode – Killed my signup before I could even start because I used a burner credit card (they refunded my money though)
- AWS – Still waiting on AWS to activate my account….
There were actually a couple others that I didn’t even make it past the registration but they’re not worth mentioning.
In the end, I think Digital Ocean is your best bet followed closely by LunaNode. Both seemed on board with pentesting from there boxes and they’re both super super cheap.
If you have services that you use that I did or didn’t mention please share your input! I’d love to hear what everyone has to think on this topic.