Is it ok to set up and run a private pen testing machine?

May 16, 2017 1.9k views
Security
tech662076
By:
tech662076

It would only be pointed at our servers.
We would like to set up one or 2 droplets to run some of / all of:
Security scan:
http://www.arachni-scanner.com/
https://cirt.net/Nikto2
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
http://w3af.org/
https://subgraph.com/vega/index.en.html
https://code.google.com/p/skipfish/
http://sunrisetech.gr/?page=websurgery&tab=overview

Stress Test:
https://www.joedog.org/2013/07/siege-3-0-3-url-encoding/
http://tsung.erlang-projects.org/
http://www.hping.org/wbox/

Log In to Comment
2 Answers
hansen May 16, 2017

Hi @tech662076

We cannot give you an official answer, since this is the community forum (user-to-user support).
You need to contact support by creating a ticket in the control panel.

Reply
jtittle1 May 16, 2017

@tech662076

From my previous tickets on stress testing, generally it's ok as long as it's not detrimental to service in terms of thrashing the disk or completely overloading the CPU to the point it begins to affect others.

As far as pen testing, normally I keep things like that local -- such as a dual boot w/ Kali Linux. I'm not sure on DigitalOcean's stance as far as running such on their network, so that one you'd want to get in touch with them on.

Reply
  • tech662076 May 16, 2017

    Thanks for the response. The machines being tested won't be DO machines. I am looking to do pen/stress (most importantly pen tests) against machines and IP addresses we control. The idea is to do the tests from the outside. We are a current DO customer, if that matters. We wouldn't need to hit those machines or at least stress test them.

    • jtittle1 May 16, 2017

      @tech662076

      The note about stress testing would still apply if you're using software that spawns multiple processes to do said testing. As long as what you're doing doesn't impact service, then I'd say you'll be fine.

      Some software does indeed spawn multiple child processes, span across multiple threads, and has the ability to really load up the host node, even when the target node is where you would think the load would result.

      ...

      In regards to the pen testing, I'd still go through support on that one as that's not something I've inquired about before. My initial thought would that as long as the intent is not to do damage, you'd be fine, though you'd also need to ensure that security is properly managed on those nodes as if they are broken in to (hacked), it's your account and you're going to be the one that's responsible -- whether you used the tools or not.

      That said, that's not just with DigitalOcean, that'd be the case with any provider.

Have another answer? Share your knowledge.

Related Questions