Website Exploit and Server Penetration Testing

[c4n10]

We have three types of exploit/penetration testing:

1. Code-Level Exploit Testing - Tests your website's code and scripts for vulnerabilities. This includes vulnerability to: code injection (sql, java, css, etc...), form hijacking, cross site scripting (XSS), cross site request forgeries and more... The fee for this service is 3 BTC

2. Server-Level Penetration Testing - Tests your server for vulnerabilities including vulnerability to: Man in the Middle attacks, open port and port service vulnerabilities for the most common and less common services (telnet, pcAnywhere, smtp, esmtp, steam, etc..), DoS vulnerability and more... The fee for this service is 3 BTC

3. Comprehensive Exploit/Penetration Testing - A combination of the first two services. Tests your site at the code level and server level for every possible vulnerability we are able to test for. The fee for this service is 5 BTC.

All tests include a full report on the tests completed, list of possible vulnerabilities with detailed information about each vulnerability and the recommended fix for each vulnerability.

Before we can do anything I need a few things from you:

First and most important I need verification that you are authorized to give me permission for testing. Please create a page on your site, it doesn't have to be fancy, with some text along the lines of "I authorize c4n10 to do penetration testing on my website located at http://www.yourwebsitehere.com". Please be sure the text includes that you are giving me permission and please ensure that the site's domain is mentioned as well.

Please ensure that this page is hosted on the site's domain.

If you require only code-level testing you may skip the next paragraph:
If a third-party is hosting your site's content, I will need you to contact them to get permission and schedule a time for the testing. Please schedule at least 24 hours for testing.
This is only necessary for server-level and comprehensive exploit/penetration testing.

Payment:

You pay 25% up front and the remaining balance when we are done testing your site AND you are satisfied that your site is secure against vulnerabilities.

Should you suffer an attack after our testing and the attack is successful, we will investigate the attack, assist in locating the attacker if possible and help you to fix the vulnerability free of charge for the life of your website's domain. Should you sell, trade or gift the domain to someone else, the guarantee stays with the domain and is transferred to the new owner.

If you have any questions, comments or concerns, please feel free to let me know.

[c4n10]

Updated Prices and Description on 1/1/2013

[🏰 TradeFortress 🏰]

We have three kinds of exploit/penetration testing:

1. Code-Level Exploit Testing - Tests your website's code and script's for vulnerabilities. This includes vulnerability to: code injection (sql, java, css, etc...), form hijacking, cross site scripting (XSS) and more... The fee for this service is 3 BTC

2. Server-Level Penetration Testing - Tests your server for vulnerabilities including vulnerability to: Man in the Middle attacks, open port and port service vulnerabilities for the most common and less common services (telnet, pcAnywhere, smtp, esmtp, steam, etc..), DDoS vulnerability and more... The fee for this service is 3 BTC

3. Comprehensive Exploit/Penetration Testing - A combination of the first two services. Tests your site at the code level and server level for every possible vulnerability we are able to test for. The fee for this service is 5 BTC.

Before we can do anything I need a few things from you:

First and most important I need verification that you are authorized to give me permission for pen-testing. Please create a page on your site, it doesn't have to be fancy, with some text along the lines of "I authorize c4n10 to do penetration testing on my website located at http://www.yourwebsitehere.com". Please be sure the text includes that you are giving me permission and please ensure that the site's domain is mentioned as well.

Please ensure that this page is hosted on the site's domain.

If you require only code-level testing you may skip the next paragraph:
If a third-party is hosting your site's content, I will need you to contact them to get permission and schedule a time for the testing. Please schedule at least 24 hours for testing.
This is only necessary for server-level and comprehensive exploit/penetration testing.

Payment:

You pay 25% up front and the remaining balance when we are done testing your site AND you are satisfied that your site is secure against vulnerabilities.

Should you suffer an attack after our testing and the attack is successful, we will investigate the attack, assist in locating the attacker if possible and help you to fix the vulnerability free of charge for the life of your website's domain. Should you sell, trade or gift the domain to someone else, the guarantee stays with the domain and is transferred to the new owner.

If you have any questions, comments or concerns, please feel free to let me know.

Hi,

Could you tell me a bit about your skills? I'm not saying this specially to you, but I've dealt with people who offer pentesting services they learned from watching hackthissite walkthroughs...

[c4n10]

Could you tell me a bit about your skills? I'm not saying this specially to you, but I've dealt with people who offer pentesting services they learned from watching hackthissite walkthroughs...

There's really nothing wrong with learning to hack at HTS, I myself am a registered member there. It's a safe, legal way to learn valuable skills relative to realistic situations.

As far as my skills personally, I am entirely self-taught. I started with my first Apple pc when I was in 3rd grade, I wrote my first program in QBasic and I have owned more than one Tandy in my lifetime.

I am a member of the Legion of Ethical Hackers, have been for over 13 years.

I am skilled with nmap, ettercap, metasploit, wireshark, Hydra, Aircrack-ng, RFMON, Cain and Abel, John the Ripper and many other common and less common tools and I run all of my tools through proxychains and Tor.

[occulta]

Could you tell me a bit about your skills? I'm not saying this specially to you, but I've dealt with people who offer pentesting services they learned from watching hackthissite walkthroughs...

There's really nothing wrong with learning to hack at HTS, I myself am a registered member there. It's a safe, legal way to learn valuable skills relative to realistic situations.

As far as my skills personally, I am entirely self-taught. I started with my first Apple pc when I was in 3rd grade, I wrote my first program in QBasic and I have owned more than one Tandy in my lifetime.

I am a member of the Legion of Ethical Hackers, have been for over 13 years.

I am skilled with nmap, ettercap, metasploit, wireshark, Hydra, Aircrack-ng, RFMON, Cain and Abel, John the Ripper and many other common and less common tools and I run all of my tools through proxychains and Tor.

How do you use Aircrack-ng for server and code level testing?

I would love to know about CSS code injection, unless you are referring to cross-site scripting which you mentioned again in the same sentance.

Also can you explain the relevance of chaining through tor with proxychains if you are sort out NDA's
thanks

[c4n10]

How do you use Aircrack-ng for server and code level testing?

I don't. I really only mentioned aircrack-ng because TradeFortress was asking about my "skills" and it is a tool that I am proficient with. It relates to pentesting no more than what me writing my first program in QBasic or having owned a Tandy does.

I would love to know about CSS code injection, unless you are referring to cross-site scripting which you mentioned again in the same sentance.

CSS (Cascading Style Sheets) code injection is essentially HTML injection but deals specifically with style elements and can be used in many places where other types of scripting are being filtered.

CSS injection can be a valuable part of XSS (cross-site scripting) but should not be confused as actually BEING XSS.

XSS is an injection classification composed of different methods whereas CSS injection is a method which can be used to commit XSS.

If you have a genuine interest in learning XSS (and are not just trolling me as I suspect you to be) there are MANY resources available for reference and review, I recommend searching for them.
.

Also can you explain the relevance of chaining through tor with proxychains if you are sort out NDA's
thanks

I'm afraid I don't know what you mean by "if you are sort out NDA's" but the significance of running your programs through proxychains is that there are countless programs valuable to hacking which do not offer the ability to route through your proxy, proxychains captures all tcp activity across your network adapter and routes it through your proxy whether it's parent program is configured to use the proxy or not.

This is not important to pentesting either as when I am pentesting I have permission to "access" the site/server but I still like to use proxychains when testing to keep myself in good practice.

[CIYAM]

I would just like to to say that I have paid 5 BTC (txid 5728734a6c577dc479e6b4a0693745e7d53836f2ea99481dde6326ae0f4ddf07) for this service and I think he has done a pretty straight up job.

Although my understanding of security is pretty good it is always helpful to get a good analysis of your server to make sure you haven't made any stupid mistakes.

Thanks for a good service Steven!

[c4n10]

I would just like to to say that I have paid 5 BTC (txid 5728734a6c577dc479e6b4a0693745e7d53836f2ea99481dde6326ae0f4ddf07) for this service and I think he has done a pretty straight up job.

Although my understanding of security is pretty good it is always helpful to get a good analysis of your server to make sure you haven't made any stupid mistakes.

Thank you for the feedback!!! Greatly appreciated!!!