Conducting phishing campaigns and hosting Metasploit sessions from a trusted VPS is important to any professional security researcher, pentester, or white hat hacker. However, the options are quite limited, since most providers have zero-tolerance policies for any kind of hacking, good or bad. After researching dozens of products, we came up with 5 potential picks that are ideal for Null Byte readers.

First things first: what's a VPS? It stands for virtual private server, a virtualized server that many users perceive as a dedicated or private server even though it is installed on a physical computer running multiple operating systems simultaneously. VPSs are most commonly used for hosting websites. When we purchase a VPS from a provider, we're in essence "renting" a partition on a powerful, high-performance physical machine which houses many virtual servers. Each VPS is connected to the internet, lets individual customers run different operating systems, and gives full root access to those operating systems. Each customer (or server administrator) operates independently of the other customers sharing the physical computer provided by the VPS company.

Essentially, a virtual private server is a computer we can control remotely from any internet-connected device in the world. This gives us a lot of power. From a remote server, these are just a few of the things that can be done:

To get right to it: from our research, BulletShield is by far the best VPS provider for white hats and pentesters, followed closely by BuyVM and ClientVPS. Runners-up were VPSDime and OneHost Cloud. You can see why in our chart below, but jump below that to delve deeper into what each comparison point means.

UPDATE: BulletShield no longer exists. We will be looking at more VPS providers to see if any are worthy enough to make our list, and we'll update accordingly when we do. In the meantime, BuyVM is the next best thing.


There are several VPS comparison charts online, but none are relatable to me as a pentester and white hat. In most professional penetration testing scenarios, we need to spin up a VPS for several days to host a payload, receive exfiltrated data, or perform a phishing attack. Whether or not the VPS provider offers live tech support, incomprehensible hardware specifications, or an excessive selection of operating systems rarely matters. Ideally, we want to use Bitcoin (BTC) to quickly purchase the latest Debian release from a VPS provider based in a privacy-respecting country. When comparing the VPS providers featured in this article, I tried to be as objective and fair as possible. No VPS provider in this article paid to be featured in the comparison chart. I used the criteria below to come up with the chart above.

The terms of service (ToS) and acceptable use policy (AUP) were probably the highest priorities going into this comparison chart. While dozens of VPS providers were considered at first, most explicitly disallowed or discouraged port scanners, payload distribution, phishing, and/or hacking of any kind. With a few exceptions, this immediately disqualified the VPS provider from the comparison chart. IT professionals, security researchers, and self-taught white hat hackers do plenty of great work on remote servers. It was important to me that the VPS providers featured here maintain ToS policies that best fit the needs of the Null Byte audience. The VPS providers in my chart were among the few that did not have ToS policies which were entirely hostile toward "hacking." The providers noted as being pentester-friendly don't explicitly state in their ToS that "hacking" (or any related terminology) is allowed. No VPS provider would ever do that. Most of these providers either make no mention of hacking in their ToS or don't have a ToS available on their website at all. I took this as an indication that hacking activities are strongly frowned upon, but may not result in account termination.

Submitting our real name, address, phone number, and other personally identifiable information to any website is never desirable. Even if anonymity isn't a priority for you, the VPS provider could still someday be compromised and have all of its customer data leaked online. Purchasing a VPS subscription is ideally done anonymously, as there's no telling what trouble we may get into during research or pentesting. Legal action may someday be taken against the VPS provider for something that transpired on a server you purchased, so it would be wise to store as little information about yourself as possible in the provider's customer database. In most cases, I found it was possible to submit a completely fake name, address, and phone number during registration, but I didn't count that as a "good feature" for the provider. Submitting false information to any legitimate company will almost certainly break the provider's ToS and result in immediate termination of the account. A VPS provider requiring an email address did not count as requesting "personal information," as it's easy to anonymously acquire a disposable email address. It also makes sense that VPS providers establish some method of communication with their customers.


It's not unrealistic to believe that a company which offers secure crypto transactions will still fully cooperate with authorities to catch a hacker. It doesn't always matter whether the VPS IP address originates from a country which respects privacy. If the company providing the VPS to you is located in the US or UK, it's very likely they will not hesitate to relinquish your personal information to any authority figure. Going further into privacy concerns, the UKUSA Agreement is an agreement between the United Kingdom, United States, Australia, Canada, and New Zealand to cooperatively collect, analyze, and share intelligence. Members of this group are known as the Five Eyes. These countries are notorious for having invasive privacy laws and policies. Choosing a VPS provider in the most privacy-respecting country probably isn't the highest priority, but it makes sense to at least consider providers in countries with decent privacy laws.

An "offshore VPS" implies that the server is located outside the company's home country and may allow for some degree of discretion. This is important both for you as a pentester and for the company you are commissioned to secure, as you may acquire compromising and sensitive information that should not be shared or leaked. Readers are encouraged to inquire independently with the VPS providers to determine whether their offshore solutions are right for them. Providers noted as offering offshore solutions usually do so at a premium; it should not be assumed that their cheapest available VPS solution is also the price of their offshore option.

BulletShield was my top pick as the best VPS provider for Null Byte readers. BulletShield did not require or request any kind of personal information when registering an account or preparing to submit a BTC transaction. They also make BTC transactions mandatory and don't have a ToS that explicitly forbids any kind of penetration testing activity. The downsides are that they don't accept prepaid credit cards and the cheapest price is a little expensive, but if you value your privacy, price isn't necessarily the main thing to consider. BulletShield does not disclose the location of the company's headquarters. A quick domain name search showed that the domain was registered through Tucows Domains Inc., a Canadian company, but was purchased from Charlestown, a city located on a remote island in the West Indies. However, that does not mean that's where BulletShield is headquartered; it's just where the domain registrar BulletShield used registered the domain from. They do offer offshore solutions and a Tor-friendly website, which puts BulletShield in the lead overall. However, a customer service representative mentioned to me that "pentesting" is "only allowed on bulletproof services," which may be a problem cost-wise.


BuyVM is the runner-up, allowing legal penetration testing where explicit, legal written consent is given by the company or person(s) in question. A representative confirmed this by saying they "need a full document from the legal team representing the target in question authorizing it." Their starting prices really elevated them up the ranks, with VPS solutions as low as just $2.42 a month. However, they do request your personal information, and in order to register an account, "account details must match information provided by payment method," so that could mean anonymous prepaid cards are out. Bitcoin is accepted, though. And while they do have a Tor-friendly website, they are headquartered in Canada and do not offer offshore solutions, which could be a negative depending on what you're using the VPS for.

ClientVPS has a ToS, but there's not much in there except that they will take no blame for any actions you perform that result in "injury" to person or property, copyright infringement, etc., holding you completely responsible. Overall, their prices were the most expensive, but highlights include accepting Bitcoin (prepaid Visa cards are unclear), having a Tor-friendly website, being headquartered in Russia (where requests for information are regularly ignored), and offering an offshore solution, all of which solidified its current position in our ranking. Aside from the high price, other downsides include their lack of information about legal pentesting (they did not return my inquiries) and the fact that they do request your personal data.

OneHost Cloud is the only VPS provider I could find which offers a Kali Linux VPS and penetration-testing solutions. Their prices start at just $6.59/month, which is another major benefit of this provider, and they accept BTC payments. OneHost Cloud seemed like the optimal choice for white hats with no intention of ever illegally scanning a website or hacking an entity without consent. It would also be extremely confusing for customers if they offered Kali solutions but did not allow legal pentesting. However, when I inquired about legal penetration testing, they simply replied: "All future email messages from this address will be blocked." This was sent to me with no reason or explanation. For this reason, OneHost Cloud came in last place, and I recommend readers independently inquire with OneHost Cloud about their ToS policies before performing any kind of penetration testing. Other downsides to this provider are requesting personal information; being located in London, UK; not having an anonymity-ready website; and a lack of information about offshore solutions and prepaid cards.