Conducting phishing campaigns and hosting Metasploit sessions from a trusted VPS is important to any professional security researcher, pentester, or white hat hacker. However, the options are quite limited, since most providers have zero-tolerance policies for any kind of hacking, good or bad. After researching dozens of products, we came up with five potential providers that are well suited to Null Byte readers.
First things first ... what's a VPS? It stands for virtual private server: a virtualized server that behaves, from the user's point of view, like a dedicated or private machine, even though it actually runs on a physical computer hosting multiple operating systems simultaneously. VPSs are most commonly used for hosting websites.
When we purchase a VPS from a provider, we're in essence "renting" a partition on a powerful high-performance physical machine which houses many virtual servers. Each VPS is connected to the internet, grants individual customers the ability to use different operating systems, and gives full root access to the operating systems. Each customer (or server administrator) operates independently of other customers sharing the physical computer provided by the VPS company.
Essentially, a virtual private server is a computer we can control remotely from any internet-connected device in the world. This gives us a lot of power. From a remote server, these are just a few of the things that can be done:
- create VPN connections
- host phishing sites
- perform brute-force attacks
- create IRC bots
- serve as proxies
- host payloads
- use port scanners
- create honeypots
- host Metasploit sessions
To get right to it, from our research, BulletShield is by far the best VPS provider for white hats and pentesters, followed closely by BuyVM and ClientVPS. Runners-up were VPSDime and OneHost Cloud. You can see why in our chart below, but jump below that to delve deeper into what each comparison point means.
There are several VPS comparison charts online, but none are relatable to me as a pentester and white hat. In most professional penetration testing scenarios, we need to spin up a VPS for several days to host a payload, receive exfiltration data, or perform a phishing attack.
Whether or not the VPS provider offers live tech support, incomprehensible hardware specifications, or an excessive selection of operating systems rarely matters. Ideally, we want to use Bitcoin (BTC) to quickly purchase the latest Debian release from a VPS provider based in a privacy-respecting country.
When comparing VPS providers featured in this article, I tried to be as objective and fair as possible. No VPS provider in this article paid to be featured in the comparison chart. I used the criteria below to come up with the above chart.
I believe in pricing transparency. This means the provider is completely honest about how much their monthly fees are. The prices listed in my chart may not always reflect pricing advertised on a given provider's homepage. The prices in my chart are the checkout prices after all mandatory and hidden fees have been calculated. These are also the prices of the cheapest VPS plan I could find on the website. That meant 512 MB of RAM and 1 CPU core, in most cases.
The terms of service (ToS) and acceptable use policy (AUP) were probably the highest priorities going into this comparison chart. While dozens of VPS providers were considered at first, most explicitly disallowed or discouraged port scanners, payload distribution, phishing, and/or hacking of any kind. With a few exceptions, this immediately disqualified the VPS provider from the comparison chart.
IT professionals, security researchers, and self-taught white hat hackers do plenty of great work on remote servers. It was important to me that the VPS providers featured here maintained ToS policies that best fit the needs of the Null Byte audience. The VPS providers in my chart were among the few that did not have ToS policies which were entirely hostile toward "hacking."
The providers noted as pentester-friendly don't explicitly state in their ToS that "hacking" (or any related terminology) is allowed. No VPS provider would ever do that. Most of these providers either make no mention of hacking in their ToS or have no ToS available on their website at all. I took this as an indication that hacking activities are strongly frowned upon but may not result in account termination.
Submitting our real name, address, phone number, and other personally identifiable information to any website is never desirable. Even if anonymity isn't a priority for you, the VPS provider could still someday become compromised and have all their customer data leaked online.
Purchasing a VPS subscription is ideally done anonymously, as there's no telling what trouble we may get into during research or pentesting. Legal action may someday be taken against the VPS provider for something that transpired on a server you purchased, so it would be wise to store as little information about yourself as possible in the provider's customer database.
In most cases, I found it was possible to submit a completely fake name, address, and phone number during registration but I didn't count that as a "good feature" for the provider. Submitting false information to any legitimate company will almost certainly break the provider's ToS and result in immediate termination of the account.
An email address required by a VPS provider did not count as "personal information," as it's easy to anonymously acquire a disposable email address. It also makes sense that VPS providers establish some method of communication with their customers.
If obtaining Bitcoin (BTC) is no obstacle, this might be the preferred method of payment for you. Most providers accept BTC these days, but the benefits of using an anonymous cryptocurrency are mostly negated by the VPS provider's request for personally identifiable information. I've found that using BTC to make online purchases can be quicker and more convenient than using credit cards.
Acquiring BTC to make anonymous transactions can be difficult. Purchasing a prepaid or disposable debit card with cash may be a more convenient option. This was difficult to verify without actually submitting a payment with a prepaid debit card. In most cases, I was able to contact a customer service representative and get a direct answer from them regarding transactions made with prepaid cards.
If you make an online purchase using a credit card over a secure VPN connection or anonymously over Tor, VPS providers will sometimes suspend your account. Contacting customer support and resolving the suspension can take days.
I viewed each site over Tor using the same stock Firefox browser. Providers which required visitors to complete a CAPTCHA to view their website or process a checkout were labeled as unfriendly to users who wish to remain anonymous. This doesn't explicitly mean transactions over Tor are allowed. When viewing these sites, I went only as far into the checkout process as possible without actually submitting a payment.
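The Tor check described above can be scripted rather than done by hand. The following is an added example, not code from the original article: it fetches a provider's page through a local Tor SOCKS proxy (assumed to be listening on 127.0.0.1:9050, Tor's default) and classifies the response as normal content, a CAPTCHA/challenge interstitial, or an outright block. The CAPTCHA markers are a heuristic list I chose, not anything the article specifies, and the live fetch needs the third-party `requests` package with SOCKS support (`pip install "requests[socks]"`); the classifier itself is pure standard library so it can be exercised on constructed sample responses offline.

```python
"""Check whether a VPS provider's website is viewable over Tor (added example).

Assumptions (not from the article): a local Tor SOCKS proxy on 127.0.0.1:9050,
the `requests` package with SOCKS support for live fetches, and a heuristic
list of strings that commonly appear in CAPTCHA / browser-challenge pages.
"""

TOR_SOCKS = "socks5h://127.0.0.1:9050"   # socks5h: DNS is resolved via Tor too
TOR_PROXIES = {"http": TOR_SOCKS, "https": TOR_SOCKS}

# Heuristic markers of an interstitial challenge page (assumption; extend as needed).
CAPTCHA_MARKERS = (
    "g-recaptcha",
    "h-captcha",
    "cf-chl",
    "checking your browser",
    "attention required!",
)

# Status codes that providers' edge/WAF layers typically return to Tor exit nodes.
BLOCK_STATUSES = {403, 429, 503}


def classify(status_code: int, body: str) -> str:
    """Return 'captcha', 'blocked' or 'ok' for one HTTP response.

    CAPTCHA markers are checked first because challenge pages are often served
    with a 403 or 503 status, which would otherwise look like a plain block.
    """
    lower = body.lower()
    if any(marker in lower for marker in CAPTCHA_MARKERS):
        return "captcha"
    if status_code in BLOCK_STATUSES:
        return "blocked"
    if 200 <= status_code < 300:
        return "ok"
    return "blocked"


def check_over_tor(url: str, timeout: float = 30.0) -> tuple:
    """Fetch `url` through the Tor SOCKS proxy and classify the response.

    Returns (verdict, detail); verdict is 'ok', 'captcha', 'blocked' or 'error'.
    Imported lazily so the classifier works without `requests` installed.
    """
    import requests  # third-party; pip install "requests[socks]"

    try:
        resp = requests.get(url, proxies=TOR_PROXIES, timeout=timeout)
    except requests.RequestException as exc:
        return ("error", str(exc))
    return (classify(resp.status_code, resp.text), resp.status_code)


def confirm_tor_exit(timeout: float = 30.0) -> bool:
    """Sanity check that traffic really leaves via Tor, using the Tor Project's
    public check endpoint, which answers {"IsTor": true/false, "IP": "..."}."""
    import requests

    resp = requests.get("https://check.torproject.org/api/ip",
                        proxies=TOR_PROXIES, timeout=timeout)
    return bool(resp.json().get("IsTor"))


# Constructed sample responses, standing in for what a provider's site might return.
SAMPLE_RESPONSES = {
    "friendly":  (200, "<html><body><h1>Order your VPS</h1></body></html>"),
    "captcha":   (403, "<title>Attention Required! | Cloudflare</title>"
                       "<div class='g-recaptcha'></div>"),
    "challenge": (503, "<html><body>Checking your browser before accessing"
                       " the site.</body></html>"),
    "forbidden": (403, "<html><body>Forbidden</body></html>"),
}


def classify_samples() -> dict:
    """Run the classifier over the constructed samples (used for offline checks)."""
    return {name: classify(code, body) for name, (code, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:10s} -> {verdict}")
    # Live use (requires a running Tor daemon and `requests[socks]`):
    #   print(confirm_tor_exit())
    #   print(check_over_tor("https://example.com/"))
```

A "captcha" or "blocked" verdict on the provider's home page or checkout page corresponds to the "unfriendly to anonymous users" label used in the comparison; an "ok" verdict only shows the site is viewable over Tor, not that the provider will accept a transaction placed over Tor.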
It's not unrealistic to believe that a company which offers secure crypto transactions will still fully cooperate with authorities to catch a hacker. It doesn't always matter whether the VPS IP address originates from a country which respects privacy. If the company providing the VPS to you is located in the US or UK, it's very likely they will not hesitate to hand over your personal information to any authority that asks.
Going further into privacy concerns, the UKUSA Agreement is an agreement between the United Kingdom, United States, Australia, Canada, and New Zealand to cooperatively collect, analyze, and share intelligence. Members of this group are known as the Five Eyes. These countries are notorious for having invasive privacy laws and policies.
Choosing a VPS provider in the most privacy-respecting country probably isn't the highest priority, but it makes sense to at least consider the providers in countries with decent privacy laws.
An "offshore VPS" would imply that the server is outside of the company's national boundary location and may allow for some degree of discretion. This is important for you as a pentester and the company which you are commissioned to secure as you may acquire compromising and sensitive information that should not be shared or leaked. Readers are encouraged to independently inquire with the VPS providers to determine whether their offshore solutions are right for you.
Providers noted as offering offshore solutions usually do so at a premium. It should not be assumed that their cheapest available VPS solution is also the price of their offshore option.
BulletShield was my top pick as the best VPS provider for Null Byte readers. BulletShield did not require or request any kind of personal information when registering an account or preparing to submit a BTC transaction. They also make BTC transactions mandatory and don't have a ToS that explicitly forbids any kind of penetration testing activities.
The downsides are that they don't accept prepaid credit cards and the cheapest price is a little expensive, but if you value your privacy, price isn't necessarily the main thing to consider.
When it comes to the company's headquarters, BulletShield does not disclose this information. A quick domain name lookup showed that the domain was registered through Tucows Domains Inc., a Canadian company, from Charlestown, a city located on a remote island in the West Indies. However, that does not mean BulletShield is headquartered there; it's just the location the domain was registered from via the registrar BulletShield used.
They do offer offshore solutions and a Tor-friendly website, which puts BulletShield in the lead overall. However, a customer service representative mentioned to me that "pentesting" is "only allowed on ... bulletproof services," which may be a problem cost-wise.
- ToS: None available
- AUP: None available
- Privacy: None available
BuyVM is the runner-up for allowing legal penetration testing where explicit and legal written consent is given by the company or person(s) in question. A representative confirmed this by saying they "need a full document from the legal team representing the target in question authorizing it."
Their starting prices really elevated them in the ranking, with VPS solutions as low as just $2.42 a month. However, they do request your personal information, and in order to register an account, "account details must match information provided by payment method," so that could mean anonymous prepaid cards are out. Bitcoin is accepted, though.
And while they do have a Tor-friendly website, they are headquartered in Canada and do not offer offshore solutions, which could be a negative depending on what you're using the VPS for.
ClientVPS has a ToS, but there's not much in there except that they will take no blame for any actions you perform that result in "injury" to person or property, copyright infringement, etc., holding you completely responsible.
Overall, their prices were the most expensive, but highlights include accepting Bitcoin (prepaid Visa cards are unclear), having a Tor-friendly website, being headquartered in Russia (where requests for information are regularly ignored), and offering an offshore solution, all of which solidified its position in my ranking.
Aside from the high price, other downsides include their lack of information about legal pentesting (they did not return my inquiries) and they do request your personal data.
VPSDime was not an extremely desirable option, since they have no BTC payment option, don't allow customers to view their website anonymously, and don't have any offshore VPS solutions. However, their ToS only explicitly forbids "port scanning." They make no mention of penetration testing, vulnerability scanning, phishing, or other common pentesting activities.
They did not respond to my email when I inquired about clarifying their policies on legal penetration testing. Their ToS is too ambiguous, and I was not able to determine whether such (legal) activity is allowed. For that reason, I recommend readers contact VPSDime to clarify before using their service.
While there is no obvious benefit to VPSDime, they are one of the cheapest options.
OneHost Cloud is the only VPS provider that I could find which offers a Kali Linux VPS and penetration-testing solutions. Their prices start at just $6.59/month, which is another major benefit of this provider, and they accept BTC payments.
OneHost Cloud seemed like the optimal choice for white hats with no intention of ever illegally scanning a website or hacking an entity without consent. It would also be extremely confusing for customers if they offered Kali solutions but did not allow legal pentesting. However, when I inquired about legal penetration testing, they simply replied:
All future email messages from this address will be blocked.
This was sent to me with no reason or explanation. For this reason, OneHost Cloud came in last place and I recommend readers independently inquire with OneHost Cloud about their ToS policies before performing any kind of penetration testing.
Other downsides to this provider are requesting personal information; being located in London, UK; not having an anonymous-ready website; and lack of information about offshore solutions and prepaid cards.
The options for professional and independent penetration testers are quite limited. Most VPS providers have detection systems in place which automatically suspend customer accounts if any kind of scanning, phishing, or spamming is detected. It could take days to resolve suspensions and create major setbacks in our pentesting schedule.
Choosing a provider that's willing to work with us to better secure company websites is paramount. If you're a professional pentester or simply a novice hacker looking to step up your game in a safe and anonymous way, then pick the provider that best meets your needs and have some fun.